
AWS Security Reviews: A Complete Guide for Australian Businesses

Learn how comprehensive AWS security reviews can identify vulnerabilities, ensure compliance, and strengthen your cloud security posture for Australian regulatory requirements.

CloudPoint Team

Security in AWS is a shared responsibility between you and Amazon. While AWS secures the infrastructure, you’re responsible for securing your applications, data, and configurations. Regular security reviews ensure you’re meeting this responsibility and maintaining a strong security posture.

What is an AWS Security Review?

An AWS Security Review is a comprehensive assessment of your AWS environment that evaluates:

  • Identity and Access Management: Who can access what, and how
  • Network Security: How traffic flows and is controlled
  • Data Protection: How sensitive data is encrypted and protected
  • Compliance: Alignment with regulatory requirements
  • Logging and Monitoring: Detection and response capabilities
  • Resource Configuration: Security best practices across all services
  • Incident Response: Preparedness for security events

Why Australian Businesses Need Security Reviews

For Australian organisations, especially in regulated industries, security reviews are essential:

  • Industry regulation compliance: Regulated entities must maintain information security capabilities commensurate with their information security vulnerabilities and threats.
  • Privacy Act Requirements: Protecting personal information from unauthorized access, modification, or disclosure.
  • Notifiable Data Breaches Scheme: Being prepared to identify and respond to data breaches within required timeframes.
  • Competitive Advantage: Security credentials can differentiate you in the market.
  • Customer Trust: Demonstrating commitment to protecting customer data.

Types of Security Reviews

1. Comprehensive Security Assessment

A full review of your entire AWS environment:

  • All accounts in your organisation
  • All regions where resources are deployed
  • All services in use
  • Configuration and compliance posture

When to conduct: Annually, before major audits, or after significant changes

Duration: 2-4 weeks depending on environment size

2. Targeted Security Review

Focus on specific areas of concern:

  • New application deployment
  • Particular service or workload
  • Compliance with specific regulation
  • Response to a security incident

When to conduct: Before production deployment, after incidents, or when concerns arise

Duration: 1-2 weeks

3. Compliance-Focused Review

Specifically aligned with regulatory requirements:

  • Industry regulations
  • Privacy Act and OAIC guidelines
  • ISO 27001
  • SOC 2
  • IRAP assessment preparation

When to conduct: Quarterly or as required by regulators

Duration: Depends on scope and framework

4. Continuous Security Monitoring

Ongoing assessment using automated tools:

  • AWS Security Hub
  • AWS Config
  • Third-party tools (Prowler, ScoutSuite)

When to implement: Always - complement periodic reviews with continuous monitoring

Key Areas of an AWS Security Review

Identity and Access Management

What’s reviewed:

  • IAM users, groups, roles, and policies
  • Root account security
  • MFA usage
  • Password policies
  • Access key rotation
  • IAM Identity Center configuration
  • Cross-account access
  • Service Control Policies

Common findings:

  • Unused IAM users or access keys
  • Overly permissive policies
  • Missing MFA on privileged accounts
  • Stale credentials
  • Direct IAM users instead of federated access

Recommendations:

  • Implement IAM Identity Center
  • Enforce MFA for all users
  • Remove unused credentials
  • Apply principle of least privilege
  • Regular access reviews
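The IAM findings above (missing MFA, stale keys, overly permissive policies) are the ones a reviewer can largely pull out of two artefacts: the IAM credential report and the policy documents attached to users and roles. The following is an added example, not CloudPoint's code, showing offline checks over both. The credential report rows and the policy documents are constructed to mimic the CSV returned by `aws iam get-credential-report` and the JSON returned by `aws iam get-policy-version`; the account id, user names and policy names are placeholders, and the 90-day idle threshold is an assumed review threshold, not an AWS default.

```python
"""Offline IAM review checks over a credential report and IAM policy documents.

Added example (not CloudPoint's code). No AWS call is made; the inputs below are
constructed to match the shapes returned by the IAM API.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential report (a subset of the real columns). Dates are ISO 8601
# as AWS emits them; "N/A" means the key has never been used.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-05-01T10:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2023-11-02T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,false,N/A
"""

# Constructed policy documents keyed by a hypothetical policy name.
SAMPLE_POLICIES = {
    "LegacyAdmin": {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReportsReader": {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                     "Resource": "arn:aws:s3:::reports-constructed/*"}]},
    "Ec2Operator": {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "ec2:*",
                                   "Resource": "arn:aws:ec2:ap-southeast-2:123456789012:instance/*"}]},
}


def parse_credential_report(csv_text):
    """Return the credential report rows as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def credential_findings(rows, now, max_unused_days=90):
    """Flag root without MFA, console users without MFA, and active keys idle too long."""
    findings = []
    for row in rows:
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "HIGH", "root account without MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "MEDIUM", "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = row[f"access_key_{n}_last_used_date"]
            if last_used == "N/A":
                findings.append((user, "MEDIUM", f"access key {n} active but never used"))
                continue
            idle = now - datetime.fromisoformat(last_used)
            if idle > timedelta(days=max_unused_days):
                findings.append((user, "MEDIUM", f"access key {n} unused for {idle.days} days"))
    return findings


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(name, document):
    """Flag Allow statements with wildcard actions; worst when paired with Resource '*'."""
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if not wild:
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((name, "HIGH", f"statement {i}: {wild} on all resources"))
        else:
            findings.append((name, "MEDIUM", f"statement {i}: service-wide wildcard {wild}"))
    return findings


def run_review(csv_text=SAMPLE_REPORT, policies=SAMPLE_POLICIES, now=None):
    """Combine both checks into one findings list (fixed 'now' keeps the sample reproducible)."""
    now = now or datetime(2024, 6, 1, tzinfo=timezone.utc)
    findings = credential_findings(parse_credential_report(csv_text), now)
    for name, doc in policies.items():
        findings.extend(policy_findings(name, doc))
    return findings


if __name__ == "__main__":
    for who, severity, message in run_review():
        print(f"{severity:6} {who:15} {message}")
```

On the constructed data this reports the root account without MFA, the deploy-bot key idle for 212 days, bob's console login without MFA, and the two wildcard policies, while alice and the scoped ReportsReader policy pass. In a real review the CSV comes from `aws iam get-credential-report --query Content --output text | base64 -d`, and the same `policy_findings` check should be run over inline policies as well as managed ones.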

Network Security

What’s reviewed:

  • VPC configuration and segmentation
  • Security groups and NACLs
  • Public vs private subnets
  • Internet gateways and NAT gateways
  • VPC peering and Transit Gateway
  • VPN and Direct Connect
  • VPC Flow Logs
  • AWS Network Firewall

Common findings:

  • Overly permissive security groups (0.0.0.0/0)
  • Missing VPC Flow Logs
  • Resources in public subnets unnecessarily
  • Inadequate network segmentation
  • Missing or misconfigured NACLs

Recommendations:

  • Implement defense-in-depth
  • Use security groups as firewalls
  • Enable VPC Flow Logs
  • Proper subnet segregation
  • Implement network monitoring
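The "0.0.0.0/0" finding above is rarely a simple yes/no: a load balancer listening on 443 to the world is expected, while SSH or a database port open to the world is a high-risk finding, and rules on the default security group are a finding in their own right. The following is an added example, not CloudPoint's code, that grades inbound rules that way. SAMPLE_GROUPS is constructed in the shape of the SecurityGroups list returned by `aws ec2 describe-security-groups`; the group ids and names are placeholders, and the port classification is an assumed review policy.

```python
"""Offline review of security group inbound rules.

Added example (not CloudPoint's code). SAMPLE_GROUPS is constructed to match the
shape of `aws ec2 describe-security-groups` output; nothing is fetched from AWS.
"""

# Ports whose exposure to the internet a reviewer treats as high risk (assumed list).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
WEB_PORTS = {80, 443}                 # world-open is usually intentional on these
ANYWHERE = {"0.0.0.0/0", "::/0"}      # IPv4 and IPv6 "anywhere"

SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "postgres", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eee", "GroupName": "legacy-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8100,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def _open_cidrs(perm):
    """Return the CIDRs in a rule that mean 'anywhere', across IPv4 and IPv6."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def evaluate_group(group):
    """Grade each world-open inbound rule and flag use of the default group."""
    gid, perms = group["GroupId"], group.get("IpPermissions", [])
    findings = []
    if group.get("GroupName") == "default" and perms:
        findings.append((gid, "MEDIUM", "default security group is in use with inbound rules"))
    for perm in perms:
        open_to = _open_cidrs(perm)
        if not open_to:
            continue                                   # restricted source: not a finding here
        proto = perm.get("IpProtocol")
        if proto == "-1":                              # all protocols and ports
            findings.append((gid, "HIGH", f"all traffic open to {open_to}"))
            continue
        if proto not in ("tcp", "udp"):                # e.g. icmp: no port range to grade
            findings.append((gid, "MEDIUM", f"{proto} open to {open_to}"))
            continue
        ports = range(perm["FromPort"], perm["ToPort"] + 1)
        exposed = [f"{p}/{name}" for p, name in SENSITIVE_PORTS.items() if p in ports]
        if exposed:
            findings.append((gid, "HIGH", f"{', '.join(exposed)} open to {open_to}"))
        elif all(p in WEB_PORTS for p in ports):
            findings.append((gid, "INFO", f"web port(s) {list(ports)} open to {open_to}"))
        else:
            findings.append((gid, "MEDIUM", f"ports {ports.start}-{ports.stop - 1} open to {open_to}"))
    return findings


def evaluate_groups(groups=SAMPLE_GROUPS):
    """Flatten findings across all groups."""
    return [f for g in groups for f in evaluate_group(g)]


if __name__ == "__main__":
    for gid, severity, message in evaluate_groups():
        print(f"{severity:6} {gid:8} {message}")
```

Against the constructed groups the bastion's SSH rule and the default group's all-traffic rule come out HIGH, the default group's use and the 8000-8100 range come out MEDIUM, the load balancer's 443 rule is informational, and the PostgreSQL group restricted to 10.0.0.0/16 produces nothing. A reviewer still has to confirm that the INFO items are really public-facing resources; the classification only removes the obvious noise.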

Data Protection

What’s reviewed:

  • Encryption at rest (EBS, S3, RDS, DynamoDB)
  • Encryption in transit (TLS/SSL)
  • Key management (AWS KMS)
  • S3 bucket policies and ACLs
  • Public access settings
  • Backup and recovery configurations
  • Data classification

Common findings:

  • Unencrypted volumes or buckets
  • Public S3 buckets
  • Default encryption keys instead of CMKs
  • Missing backup policies
  • Inadequate key rotation
  • Data in unintended regions

Recommendations:

  • Enable encryption everywhere
  • Use customer-managed KMS keys
  • Block S3 public access
  • Implement automated backups
  • Data lifecycle policies
  • Regular restore testing
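For S3 the findings above (public buckets, default keys instead of CMKs, missing TLS enforcement) can be checked from three API responses per bucket. The following is an added example, not CloudPoint's code, that does so offline. SAMPLE_BUCKETS is constructed to combine what `get-public-access-block`, `get-bucket-policy` (which returns the policy as a JSON string) and `get-bucket-encryption` return; bucket names and the KMS key ARN are placeholders, and the severities are an assumed review scale.

```python
"""Offline S3 data-protection checks: public access block, anonymous policy
statements, default-encryption key type, and TLS-only enforcement.

Added example (not CloudPoint's code). All inputs are constructed; nothing is
read from AWS.
"""
import json

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _bucket(name, pab, policy=None, sse=None):
    """Build one constructed bucket record; Policy is stored as the JSON string the API returns."""
    return {"Name": name, "PublicAccessBlockConfiguration": pab,
            "Policy": json.dumps(policy) if policy else None,
            "ServerSideEncryptionConfiguration": sse}


SAMPLE_BUCKETS = [
    _bucket("public-reports-constructed", dict.fromkeys(PAB_KEYS, False),
            policy={"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::public-reports-constructed/*"}]},
            sse={"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}),
    _bucket("finance-data-constructed", dict.fromkeys(PAB_KEYS, True),
            policy={"Version": "2012-10-17", "Statement": [
                {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::finance-data-constructed",
                              "arn:aws:s3:::finance-data-constructed/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
            sse={"Rules": [{"ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:ap-southeast-2:123456789012:key/PLACEHOLDER-KEY-ID"}}]}),
    _bucket("logs-archive-constructed",
            {**dict.fromkeys(PAB_KEYS, True), "RestrictPublicBuckets": False}),
]


def _statements(policy_doc):
    stmts = policy_doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def _principals(stmt):
    """Normalise Principal ('*', {'AWS': '*'}, {'AWS': [...]}) to a list of strings."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def policy_is_public(policy_doc):
    """An unconditional Allow to the anonymous principal makes the policy public."""
    return any(s.get("Effect") == "Allow" and "*" in _principals(s) and not s.get("Condition")
               for s in _statements(policy_doc))


def policy_enforces_tls(policy_doc):
    """True if some Deny statement rejects requests with aws:SecureTransport == false."""
    for s in _statements(policy_doc):
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


def evaluate_bucket(bucket):
    """Return (severity, message) findings for one bucket record."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    disabled = [k for k in PAB_KEYS if not pab.get(k, False)]
    policy = json.loads(bucket["Policy"]) if bucket.get("Policy") else {}
    public = policy_is_public(policy)
    if public and ({"BlockPublicPolicy", "RestrictPublicBuckets"} & set(disabled)):
        findings.append(("HIGH", "bucket policy grants anonymous access and public access block does not override it"))
    else:
        if public:
            findings.append(("LOW", "anonymous Allow statement present, currently neutralised by public access block"))
        if disabled:
            findings.append(("MEDIUM", f"public access block settings disabled: {disabled}"))
    rules = (bucket.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    if not rules:
        findings.append(("MEDIUM", "no default encryption rule configured"))
    else:
        sse = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") != "aws:kms" or not sse.get("KMSMasterKeyID"):
            findings.append(("LOW", "default encryption uses an AWS-owned/managed key rather than a customer-managed KMS key"))
    if not policy_enforces_tls(policy):
        findings.append(("LOW", "no Deny statement for aws:SecureTransport=false, so plaintext HTTP requests are accepted"))
    return findings


def evaluate_buckets(buckets=SAMPLE_BUCKETS):
    """Map bucket name to its findings."""
    return {b["Name"]: evaluate_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, items in evaluate_buckets().items():
        for severity, message in items or [("OK", "no findings")]:
            print(f"{severity:6} {name:28} {message}")
```

The constructed public-reports bucket produces the HIGH finding plus two LOWs (SSE-S3 key, no TLS enforcement), the logs-archive bucket shows the pattern of a bucket that is private by accident rather than by configuration (one public access block flag off, no explicit encryption rule, no TLS deny), and the finance-data bucket passes cleanly. Note that a public policy masked by the public access block is still reported at LOW, because the protection evaporates the moment someone relaxes the block setting.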

Logging and Monitoring

What’s reviewed:

  • CloudTrail configuration
  • CloudWatch Logs retention
  • VPC Flow Logs
  • S3 access logs
  • Load balancer logs
  • Application logs
  • Monitoring and alerting
  • SIEM integration

Common findings:

  • CloudTrail not enabled in all regions
  • Logs not centralised
  • Short retention periods
  • Missing critical alerts
  • Logs not protected from modification
  • No automated response to security events

Recommendations:

  • Organization-wide CloudTrail
  • Centralised log aggregation
  • Appropriate retention policies
  • Log integrity protection
  • Real-time alerting on security events
  • Automated remediation where possible
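Most of the logging findings above are visible in the trail configuration itself: whether a multi-region trail is actually logging, whether log file validation is on (the control behind "logs not protected from modification"), whether the trail feeds CloudWatch Logs (without which there are no real-time metric-filter alarms), and how long log groups are retained. The following is an added example, not CloudPoint's code, that checks those settings offline. SAMPLE_TRAILS merges, per trail, fields from `aws cloudtrail describe-trails` with the `IsLogging` flag from `get-trail-status`; SAMPLE_LOG_GROUPS mimics `aws logs describe-log-groups`, where a missing retentionInDays means the group never expires. Names, ARNs and the 365-day minimum are constructed or assumed.

```python
"""Offline logging checks over CloudTrail trail settings and CloudWatch Logs retention.

Added example (not CloudPoint's code). All records below are constructed; nothing
is fetched from AWS.
"""

SAMPLE_TRAILS = [
    {"Name": "management-trail", "HomeRegion": "ap-southeast-2", "IsMultiRegionTrail": True,
     "IsOrganizationTrail": True, "LogFileValidationEnabled": False, "KmsKeyId": None,
     "S3BucketName": "cloudtrail-logs-constructed",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:ap-southeast-2:123456789012:log-group:/aws/cloudtrail/management:*",
     "IsLogging": True},
    {"Name": "legacy-sydney-only", "HomeRegion": "ap-southeast-2", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:ap-southeast-2:123456789012:key/PLACEHOLDER-KEY-ID",
     "S3BucketName": "legacy-trail-constructed", "CloudWatchLogsLogGroupArn": None,
     "IsLogging": False},
]

SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/cloudtrail/management", "retentionInDays": 90},
    {"logGroupName": "/aws/lambda/payments-api"},          # no retention: never expires
    {"logGroupName": "/app/audit", "retentionInDays": 400},
]


def evaluate_trails(trails):
    """Account-level coverage check followed by per-trail configuration checks."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") and t.get("IsLogging") for t in trails):
        findings.append(("account", "HIGH",
                         "no active multi-region trail: API activity in some regions is not recorded"))
    for t in trails:
        name = t["Name"]
        if not t.get("IsLogging"):
            findings.append((name, "HIGH", "trail exists but logging is stopped"))
        if not t.get("LogFileValidationEnabled"):
            findings.append((name, "MEDIUM",
                             "log file validation disabled: delivered logs cannot be proven unmodified"))
        if not t.get("CloudWatchLogsLogGroupArn"):
            findings.append((name, "MEDIUM",
                             "no CloudWatch Logs delivery, so no real-time metric filters or alarms on this trail"))
        if not t.get("KmsKeyId"):
            findings.append((name, "LOW",
                             "log files encrypted with SSE-S3 rather than a customer-managed KMS key"))
    return findings


def evaluate_log_groups(groups, min_retention_days=365):
    """Flag log groups whose retention is shorter than the assumed review minimum."""
    findings = []
    for g in groups:
        days = g.get("retentionInDays")          # absent means never expire, which satisfies a minimum
        if days is not None and days < min_retention_days:
            findings.append((g["logGroupName"], "MEDIUM",
                             f"retention {days} days is below the {min_retention_days}-day minimum"))
    return findings


def run_logging_review(trails=SAMPLE_TRAILS, groups=SAMPLE_LOG_GROUPS):
    """Combine trail and retention findings into one list."""
    return evaluate_trails(trails) + evaluate_log_groups(groups)


if __name__ == "__main__":
    for subject, severity, message in run_logging_review():
        print(f"{severity:6} {subject:28} {message}")
```

On the constructed data the multi-region management trail keeps the account-level coverage check quiet but is flagged for disabled validation and an AWS-managed key, the single-region legacy trail is flagged as stopped and as having no CloudWatch Logs delivery, and the 90-day CloudTrail log group falls short of the retention minimum. Removing the management trail from the input (or stopping it) triggers the account-level HIGH finding, which is the "CloudTrail not enabled in all regions" case listed above.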

Resource Configuration

What’s reviewed:

  • EC2 instance configuration
  • RDS security settings
  • Lambda function permissions
  • S3 bucket configurations
  • EBS snapshot settings
  • AMI sharing settings
  • CloudFront distributions
  • All service configurations against best practices

Common findings:

  • Default configurations used
  • Publicly accessible databases
  • Overly permissive Lambda roles
  • Old, unpatched AMIs
  • Public snapshots or AMIs
  • Missing tags for resource management

Recommendations:

  • Security baselines for each service
  • Regular patching and updates
  • Infrastructure as Code for consistency
  • Comprehensive tagging strategy
  • Automated compliance checks

Incident Response

What’s reviewed:

  • Incident response plan
  • Runbooks and playbooks
  • Detection capabilities
  • Response procedures
  • Communication plans
  • Forensics capabilities
  • Backup and recovery procedures

Common findings:

  • No documented incident response plan
  • Lack of clear roles and responsibilities
  • Insufficient detection capabilities
  • No practice exercises
  • Missing forensics procedures
  • Unclear escalation paths

Recommendations:

  • Develop comprehensive IR plan
  • Regular tabletop exercises
  • Automated detection and response
  • Clear communication procedures
  • Document lessons learned

Security Review Process

Phase 1: Planning and Scoping

  1. Define objectives and scope
  2. Identify stakeholders
  3. Gather credentials and access
  4. Review existing documentation
  5. Schedule interviews

Phase 2: Information Gathering

  1. Automated scanning using tools
  2. Manual configuration reviews
  3. Interviews with teams
  4. Documentation review
  5. Architecture diagram validation

Phase 3: Analysis

  1. Identify security gaps
  2. Assess risk levels
  3. Map findings to compliance frameworks
  4. Prioritize issues
  5. Develop recommendations

Phase 4: Reporting

  1. Executive summary
  2. Detailed findings
  3. Risk assessments
  4. Remediation recommendations
  5. Compliance mappings

Phase 5: Remediation

  1. Prioritized action plan
  2. Quick wins implementation
  3. Medium-term improvements
  4. Long-term strategic changes
  5. Follow-up review

Tools for AWS Security Reviews

AWS Native Tools

  • AWS Security Hub: Centralised security findings
  • AWS Config: Configuration compliance
  • AWS Inspector: Vulnerability scanning
  • AWS GuardDuty: Threat detection
  • AWS Trusted Advisor: Best practice checks
  • AWS IAM Access Analyzer: Identify resource sharing

Third-Party Tools

  • Prowler: Open-source security assessment
  • ScoutSuite: Multi-cloud security auditing
  • CloudMapper: Network visualization
  • Dome9/Check Point: Continuous compliance
  • Prisma Cloud/Palo Alto: Comprehensive cloud security

Manual Review

Automated tools miss context - manual review is essential for:

  • Understanding business requirements
  • Assessing risk in context
  • Identifying logic flaws
  • Evaluating compensating controls

Common Security Issues and Remediation

High-Risk Issues (Fix Immediately)

Public S3 Buckets with Sensitive Data

  • Block public access
  • Implement bucket policies
  • Enable encryption

Root Account Without MFA

  • Enable hardware MFA
  • Restrict root account usage
  • Monitor root account activity

Overly Permissive IAM Policies

  • Apply least privilege
  • Remove wildcards where possible
  • Regular policy reviews

Unencrypted Data at Rest

  • Enable encryption on all volumes
  • Use KMS customer-managed keys
  • Encrypt existing data

Medium-Risk Issues (Fix Within 30 Days)

  • Missing VPC Flow Logs
  • Unused IAM credentials
  • Default security groups in use
  • Missing CloudTrail in all regions
  • No MFA on IAM users

Low-Risk Issues (Address in 90 Days)

  • Inconsistent tagging
  • Old AMIs or snapshots
  • Non-standard resource naming
  • Missing resource descriptions
  • Incomplete documentation

Compliance Mapping

For Australian businesses, map findings to:

Industry regulations:

  • Information security capability
  • Roles and responsibilities
  • Implementation
  • Testing and assurance
  • Incident management

Essential Eight:

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Regular backups

Frequency of Reviews

  • Quarterly: High-risk or heavily regulated industries
  • Semi-Annually: Standard compliance requirements
  • Annually: Minimum for all AWS users
  • After Major Changes: New applications, mergers, incidents
  • Continuous: Automated monitoring should be always-on

Preparing for a Security Review

To maximize value:

  1. Gather Documentation: Architecture diagrams, runbooks, policies
  2. Update Inventory: Know what resources you have
  3. Involve Stakeholders: Security, DevOps, leadership
  4. Set Clear Objectives: What do you want to achieve?
  5. Allocate Time: Team availability for interviews and remediation
  6. Be Transparent: Share challenges and concerns openly

Conclusion

Regular AWS security reviews are not just a compliance checkbox - they’re an essential practice for maintaining a secure, efficient, and compliant cloud environment. For Australian businesses navigating the Privacy Act and other regulatory requirements, professional security reviews provide assurance and identify risks before they become incidents.

CloudPoint conducts comprehensive AWS security reviews tailored to Australian regulatory requirements. Our reviews combine automated tools with manual expertise to provide actionable insights and remediation guidance.

Ready to assess your AWS security posture? Contact CloudPoint for a security review consultation.
