Hey everyone! I'm curious: when was the last time you thought about doing a security review of your cloud setup, whether it's on AWS, GCP, or Azure? Did it come after an incident, when you faced a compliance requirement, or was it just out of an abundance of caution? For those of you who have actually gone through a review, what did you think? Was it beneficial, confusing, a waste of time, or just too generic?
6 Answers
Most people really think about cloud security reviews right after they get shocked by a bill for resources they didn't even know existed or just before a compliance audit they forgot about. Not many during the quieter months when there’s actually time to fix things.
You should frequently check your security portal and compare your settings with benchmarks like the CIS standards. All three major cloud providers have tools for that with automatic checks included. You typically don't need an external review. If you're up for it, you can integrate these checks into your CI/CD pipeline to ensure quality and adherence to security standards. Short answer: you should always be reviewing your security setup.
For us, it's typically compliance-related or whenever something feels off with our setup. Nowadays, we keep GuardDuty running to catch any obvious issues without needing a complete review every time. Security Hub's great for having everything in one place too. What about your situation?
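A sketch of the CI/CD check suggested in the answers above, added here as an example and not posted by anyone in the thread: a pipeline stage that fails when Security Hub reports failed benchmark controls at or above a chosen severity. It assumes findings exported in AWS Security Finding Format (for instance with `aws securityhub get-findings`); the allow list, the helper names and the sample findings are constructed for illustration.

```python
import json
import sys

# Severity.Label values defined by the AWS Security Finding Format (ASFF).
RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def rank(finding):
    return RANK.get(finding.get("Severity", {}).get("Label"), 0)

def blocking_findings(findings, min_severity="HIGH", accepted=frozenset()):
    """Return the findings that should fail the build, most severe first."""
    out = []
    for f in findings:
        if f.get("RecordState", "ACTIVE") != "ACTIVE":
            continue  # archived findings no longer describe live resources
        if f.get("Workflow", {}).get("Status") in ("SUPPRESSED", "RESOLVED"):
            continue  # already triaged by a person in Security Hub
        if f.get("Compliance", {}).get("Status") != "FAILED":
            continue  # gate only on failed benchmark controls
        if f.get("GeneratorId") in accepted:
            continue  # hypothetical local allow list of accepted risks
        if rank(f) >= RANK[min_severity]:
            out.append(f)
    return sorted(out, key=rank, reverse=True)

def _f(fid, gen, sev, status, workflow="NEW", state="ACTIVE"):
    return {"Id": fid, "GeneratorId": gen, "Title": "constructed " + fid,
            "Severity": {"Label": sev}, "Compliance": {"Status": status},
            "Workflow": {"Status": workflow}, "RecordState": state}

# Constructed sample, shaped like `aws securityhub get-findings` output.
SAMPLE = {"Findings": [
    _f("f-1", "example/control-1", "HIGH", "FAILED"),
    _f("f-2", "example/control-2", "CRITICAL", "FAILED"),
    _f("f-3", "example/control-3", "CRITICAL", "FAILED", workflow="SUPPRESSED"),
    _f("f-4", "example/control-4", "HIGH", "PASSED"),
    _f("f-5", "example/control-5", "MEDIUM", "FAILED"),
    _f("f-6", "example/control-6", "HIGH", "FAILED", state="ARCHIVED"),
    _f("f-7", "example/control-7", "HIGH", "FAILED"),
]}

def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE
    bad = blocking_findings(data["Findings"], accepted={"example/control-7"})
    for f in bad:
        print(f'{f["Severity"]["Label"]:9} {f.get("GeneratorId")}  {f.get("Title", "")}')
    return 1 if bad else 0  # non-zero exit fails the CI stage

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Suppressed, archived and passed findings are skipped on purpose, so triage done in Security Hub carries over to the gate instead of being repeated in the pipeline.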
We run Prowler on a schedule in our Jenkins instance. It's a good way to keep things in check.
I do regular cloud security reviews as part of a broader assessment that includes costs and efficiency within AWS. Here's what I've found:
1. If you've got a business worth protecting, it makes sense to do a review. Startups often lack the time and resources to address security recommendations, though.
2. Once you’re gaining traction, a cloud review can help with more than just security; it can optimize costs and infrastructure for growth.
3. Compliance certifications and penetration tests alone don't often catch critical security issues. I've worked with companies that were heavily certified yet still faced incidents due to overlooked recommendations. I usually end up identifying 3-4 key security improvements every time.
In addition to security reviews, don’t forget about cost audits! We discovered a lot of waste that was silently draining our budget. After using a cloud visibility tool, we managed to cut our infrastructure spending by 55%! Security incidents grab attention, but unnoticed costs can eat away at your resources every month. When’s the last time you checked your cloud bill for unnecessary expenses?