Assessing The Security Posture Of An Existing Cloud Project For The First Time

Relevant users

User Role (Can Access):

  • Technical Team member
  • DevOps Team member
  • Security Analyst
  • Security Engineer
  • Compliance Manager
  • Project Manager
  • Security Team Management
  • Consultant

Example

  • My company recently became responsible for an existing cloud project; I want to ensure that it is secure and compliant with best practices.
  • Our AWS project has grown to a size that makes it difficult to ensure its security posture manually, so I want a more scalable solution.

Cloud Conformity Solution

Part 1 - Creating a report to assess your current security posture

Part 2 - Creating a remediation plan based on your report

Before you start

Prioritize the account or group of accounts to assess, for example, a production account.

Part 1 - Creating a report to assess your current security posture

Step 1. Select the account or group of accounts whose security posture you want to assess and generate an 'All Checks' report.

Step 2. Filter the 'All Checks' report by failed checks.

Step 3. Create a report by filtering failed checks further to narrow down results based on your organization's priority, for example, you can filter by Well-Architected Framework category, resource tags, resource titles, and risk level or severity of failed checks.

For example, applying the following filters produces a basic security report, which is easier to focus on and remediate than tackling all failures at once.

  1. Category > Security
  2. Tags > "public"
  3. Standards and Frameworks > AWS Well-Architected Framework

Optional: generate and download a PDF or CSV failed checks report to share with your stakeholders.

Part 2 - Creating a remediation plan based on your report

Step 1. Analyze the report to estimate the effort and availability of team members to resolve failures for different rules.

Step 2. Divide failures into different groups for prioritization.

For example, when grouping failures, you can prioritize the lowest effort rules, the highest severity rules, and rules by a particular service or category. This will help you segregate and resolve failures based on your priorities.

We recommend prioritizing high-impact services (EC2, RDS, S3, IAM, VPC, and Load Balancers) and then continuing with the remaining Extreme or Very High failed checks.

Example remediation scenario:

  1. The first security scan for an AWS project resulted in 23,732 checks.
  2. Based on our organization's priority and risk acceptance policy, we want to resolve security issues first that pose a high risk to our security posture.
  3. We applied the following filters to generate a report on security risks:
    • AWS Well-Architected Framework Category - 'Security'
    • AWS Service - 'S3'
    • The risk level of the failed checks - 'Extreme' and 'Very high'
  4. Applying these filters displayed the 20 failed Security checks, at the Extreme and High risk levels, that needed immediate attention.
  5. Enabling S3 bucket default encryption resolved 13 of the 20 failed checks and completely resolved the Extreme level findings.
  6. We used an incremental approach, rotating the remediation focus between services. This improves the organization's compliance score quickly, because the highest-severity failures are resolved first.

Step 3. Use filters to generate a report for each group of failures and share it with your team members. Each member can follow the remediation steps for each rule failure included in the report.

Optional: You can create a recurring report to keep stakeholders updated with the effort and progress.

Use communication channels such as Slack, Jira, SMS, and Microsoft Teams to notify the relevant team members in your organization of failures.
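The filtering and grouping described in Part 2 (Step 2 and the example remediation scenario) can also be applied to an exported list of failed checks. The script below is an added example, not Cloud Conformity's own code or export format; the column names, rule IDs, and resource names are constructed for this example.

```python
import csv
import io
from collections import defaultdict
# Constructed sample of failed checks; the columns, rule IDs and resource
# names are assumptions for this example, not Cloud Conformity's export format.
FAILED_CHECKS_CSV = """\
rule_id,rule_title,service,category,risk_level,resource
S3-014,S3 Bucket Default Encryption,S3,security,VERY_HIGH,logs-bucket
S3-014,S3 Bucket Default Encryption,S3,security,VERY_HIGH,data-bucket
S3-001,S3 Bucket Public Access,S3,security,EXTREME,public-bucket
EC2-001,Security Group Port 22 Open,EC2,security,HIGH,sg-0a1b2c
RDS-002,RDS Encryption Enabled,RDS,security,HIGH,db-1
S3-010,S3 Bucket Versioning,S3,reliability,LOW,logs-bucket
"""
# Severity order used for prioritisation (Extreme first).
RISK_ORDER = {"EXTREME": 0, "VERY_HIGH": 1, "HIGH": 2, "MEDIUM": 3, "LOW": 4}

def load_checks(text):
    """Parse the exported report into one dict per failed check."""
    return list(csv.DictReader(io.StringIO(text)))

def filter_checks(checks, category=None, service=None, risk_levels=None):
    """Apply the report filters (category, service, risk level) from the scenario."""
    selected = []
    for check in checks:
        if category and check["category"] != category:
            continue
        if service and check["service"] != service:
            continue
        if risk_levels and check["risk_level"] not in risk_levels:
            continue
        selected.append(check)
    return selected

def group_by_rule(checks):
    """Group failures by rule, ordered by severity and then by how many
    failures one remediation (for example, default encryption) would clear."""
    groups = defaultdict(list)
    for check in checks:
        key = (check["rule_id"], check["rule_title"], check["risk_level"])
        groups[key].append(check["resource"])
    return sorted(groups.items(),
                  key=lambda item: (RISK_ORDER[item[0][2]], -len(item[1])))

if __name__ == "__main__":
    report = filter_checks(load_checks(FAILED_CHECKS_CSV), category="security",
                           service="S3", risk_levels={"EXTREME", "VERY_HIGH"})
    for (rule_id, title, risk), resources in group_by_rule(report):
        print(f"{risk:<10} {rule_id:<8} {title}: {len(resources)} resource(s)")
```

The output lists the S3 rules in the order a remediation plan would tackle them: the Extreme finding first, then the rule whose single fix clears the most resources.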