
AWS security done by people who know AWS.

AWS gives you enormous flexibility, and enormous opportunity to misconfigure. IAM policies that are far too permissive, S3 buckets exposed to the internet, Security Hub alerts nobody's reading, GuardDuty deployed but never tuned. Cliffside's AWS security service finds the gaps and fixes them, with deep platform knowledge and a business-context lens.

69% of S3 misconfigurations rated high or very high severity
60% of cloud incidents trace to avoidable setup flaws
5-10 business days for a typical AWS security review

Comprehensive AWS security services.

AWS Well-Architected review

Assessment of your AWS environment against the Security Pillar of the AWS Well-Architected Framework, with prioritised remediation guidance and risk rating.

IAM assessment & hardening

Review of IAM policies, roles, and permission boundaries, identifying over-permissioned identities, unused access, and privilege escalation paths.

S3 & data security

Bucket policy review, public access settings, encryption configuration, and logging, ensuring your data isn't inadvertently exposed.

GuardDuty & Security Hub

Configuration and tuning of AWS native security tooling, ensuring findings are meaningful, prioritised, and routed to the right people.

Network security

VPC architecture review, security group analysis, NACLs, WAF configuration, and network flow analysis, covering your AWS network attack surface.

Compliance mapping

Mapping your AWS environment to ISO 27001, APRA CPS 234, Essential Eight, and other compliance requirements, with gap analysis and remediation roadmap.

Common findings

The AWS security issues we find most often.

In nearly every AWS environment we assess, we find variations of the same core issues. These aren't unusual. They're the predictable outcome of environments that have grown organically, under time pressure, without security-first design.

  • IAM over-permissioning -- policies granting Action:* or Resource:* access, service roles with full administrator privileges, and unused access keys that have never been rotated. IAM misconfigurations are the root cause of the majority of AWS security incidents.
  • S3 bucket exposure -- public access block not enabled at the account level, bucket policies that are overly permissive, and sensitive data stored without server-side encryption. S3 misconfiguration remains the most common finding in AWS security assessments, with nearly 69% of identified S3 issues rated high or very high severity.
  • CloudTrail and logging gaps -- CloudTrail either disabled, not forwarded to a centralised location, or configured without data event logging. Without complete logging, you cannot detect, investigate, or prove the scope of a security incident.
  • Security tooling deployed but unconfigured -- GuardDuty, Security Hub, and Config rules turned on but never tuned, generating noise that gets ignored rather than actionable alerts that get investigated.
  • Network architecture gaps -- default VPCs still in use, security groups with overly broad ingress rules, and no network segmentation between workload tiers.

The good news is these are all fixable, and fixing them eliminates the majority of your cloud risk exposure.
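A small checker for the IAM and S3 findings listed above (Action:* and Resource:* wildcards, NotAction grants, and anonymous Principal entries in bucket policies), added here as an illustration rather than Cliffside's own tooling. The policy documents are constructed samples, and the function assumes a policy is handed to it as a JSON string, for example one exported with the AWS CLI.

```python
import json

# Constructed sample: a service role policy with the "full admin" pattern alongside a scoped statement.
SAMPLE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadOwnBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
]})

# Constructed sample: an S3 bucket policy that grants anonymous read of every object.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public/*"},
]})


def _as_list(value):
    # IAM accepts either a single string or a list in Action, Resource and Principal fields.
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    # Anonymous access is written as "*" or {"AWS": "*"} (possibly inside a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_policy(policy_json):
    """Return (Sid, issue) pairs for every Allow statement that matches a common finding."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access and are not flagged
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "Action:* wildcard"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "service-wide action wildcard"))
        if "*" in resources:
            findings.append((sid, "Resource:* wildcard"))
        if "Principal" in stmt and _is_public_principal(stmt["Principal"]):
            findings.append((sid, "public Principal (anonymous access)"))
    return findings
```

Running `audit_policy` over both samples reports the FullAdmin statement twice (action and resource wildcards) and the PublicRead statement once, while the scoped and Deny statements produce nothing.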

Shared responsibility

AWS secures the cloud. You secure what's in it.

AWS operates under a shared responsibility model. AWS is responsible for the security of the cloud: physical infrastructure, hypervisor, networking, and the managed services themselves. You are responsible for security in the cloud: your IAM configuration, data encryption, network design, operating system patching, application security, and logging.

AWS holds certifications including ISO 27001, SOC 2, and IRAP PROTECTED (covering 42 to 164 services assessed at the PROTECTED level for Australian government workloads). But those certifications cover AWS's infrastructure, not your workloads. Your auditor, your regulator, and your board need assurance that your configuration meets the standard, and that's where Cliffside comes in.

We assess your side of the shared responsibility model: how your IAM policies, encryption, network controls, and detection capabilities are configured, and whether they meet the requirements of ISO 27001, APRA CPS 234, Essential Eight, or whichever framework applies to your organisation.

Our AWS security review process.

01. Scoping

We map your AWS account structure, identify the workloads in scope, and agree on the frameworks and compliance requirements that apply to your environment.

02. Automated & manual analysis

We run automated configuration checks across IAM, S3, VPC, CloudTrail, GuardDuty, and Security Hub, then layer manual analysis to identify risks that automated tools miss.

03. Architecture review

We assess your overall AWS architecture: account structure, network design, identity model, encryption approach, and detection capability against your threat model.

04. Findings & risk rating

Every finding is documented with evidence, mapped to the relevant compliance framework, and rated by business risk. We separate critical misconfigurations from low-priority hygiene items.

05. Remediation roadmap & debrief

A prioritised remediation plan with effort estimates, quick wins, and dependencies, followed by a technical debrief with your engineering team and an executive summary for leadership.

Multi-account & enterprise

AWS Organizations, Control Tower, and landing zone security.

Enterprise AWS environments typically use AWS Organizations with multiple accounts for workload isolation, development/staging/production separation, and centralised governance. This is the right approach, but it introduces security risks that single-account environments don't face: cross-account trust relationships, permission boundary gaps, inconsistent guardrails, and logging fragmentation.

We assess your landing zone architecture, Control Tower configuration, Service Control Policies, and centralised security tooling to ensure your multi-account structure actually provides the isolation and governance it's designed to deliver. We regularly find organisations where the account structure exists but the security controls haven't kept pace with the account proliferation.

Migration security

Building security into AWS migrations.

The most expensive time to fix AWS security is after your workloads are already running. Organisations that migrate first and secure later consistently spend more on remediation than they would have spent on secure design from the start.

Cliffside embeds security architecture into your AWS migration from day one: account structure design, network architecture, identity model, encryption strategy, logging and detection, and compliance guardrails. Whether you're migrating from on-premises, moving between cloud providers, or expanding an existing AWS footprint, we ensure security decisions are made at design time, not as an afterthought.

Frequently asked questions.

What does an AWS security service include?
A comprehensive AWS security service covers IAM policy review, S3 bucket security, VPC and network architecture assessment, GuardDuty and Security Hub configuration, CloudTrail logging validation, and compliance mapping against frameworks like ISO 27001 and APRA CPS 234. We prioritise findings by business risk, not just technical severity.
How long does an AWS security review take?
A typical AWS security review takes 5 to 10 business days depending on the size and complexity of your environment. Single-account environments with fewer than 50 workloads are typically at the shorter end. Multi-account AWS Organizations setups with complex networking, multiple regions, or extensive custom IAM policies require longer. The review includes IAM analysis, network architecture assessment, security tooling evaluation, and a prioritised remediation report with a technical debrief for your engineering and leadership teams.
Do you support multi-account AWS environments?
Yes. We regularly assess AWS Organizations setups with multiple accounts, including landing zone architecture, cross-account IAM roles, centralised logging, and Control Tower configurations. Multi-account environments often have additional risks around permission boundaries, account isolation, and cross-account trust relationships that single-account setups don't face. We also assess whether your account structure aligns with AWS best practices for workload isolation, sandbox environments, and centralised security tooling.
How does AWS security relate to ISO 27001 and APRA CPS 234 compliance?
AWS provides the infrastructure, but compliance is your responsibility under the shared responsibility model. ISO 27001 Annex A controls and APRA CPS 234 requirements map directly to AWS configurations: IAM policies, encryption settings, logging, network segmentation, and incident detection. AWS holds its own certifications including ISO 27001 and IRAP PROTECTED, but these cover AWS's infrastructure, not your workloads. We map your specific AWS environment to these frameworks and identify where your configuration falls short of compliance requirements.
What is the difference between AWS security and a penetration test?
A penetration test simulates an attacker trying to exploit specific vulnerabilities. An AWS security review is broader: it assesses your entire cloud architecture, IAM design, data protection, logging, and compliance posture. We often recommend both, starting with the architecture review to fix systemic issues, followed by a penetration test to validate the controls under attack conditions.
Can you help us migrate to AWS securely?
Yes. Security architecture should be built into a cloud migration from day one, not bolted on after workloads are already running. We embed security into your AWS landing zone design: account structure, networking, identity, encryption, logging, and guardrails. This avoids the common pattern where organisations migrate quickly, accumulate security debt, and then spend more fixing misconfigurations than they would have spent designing it properly from the start.

Find out where your AWS environment is exposed.

Book a free AWS security assessment conversation. We'll scope a review appropriate for your environment and give you a clear, prioritised remediation plan.