We want a security baseline but aren't sure if Config, Defender or SCC is enough
AWS Config + Security Hub, Microsoft Defender for Cloud and GCP Security Command Center are the cloud-native baselines. For SMB, the standard tier usually suffices, advanced is for compliance-heavy cases.
Try this first
- 1AWS: Security Hub on, Foundational Security Best Practices standard plus CIS AWS standard. Config rules for continuous compliance.
- 2Azure: Defender for Cloud free tier (CSPM basics) is free and gives a lot of insight. Defender Plans (per resource type) are paid and only needed for higher risk profiles.
- 3GCP: Security Command Center Standard is free with basic findings. Premium for advanced (Container Threat Detection, VM Manager).
- 4Forward all findings to a central place (Security Hub aggregator, Sentinel, or a Slack channel). Spread across 5 consoles doesn't work.
- 5Set an SLA on findings: critical inside 24h, high inside 7d. Findings nobody looks at are noise with extra steps.
When to bring us in
If ISO 27001 or NIS2 enters scope, a baseline mapping (Foundational Best Practices vs ISO controls) is worth a one-time consult.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.