Cloud adoption in the UAE has accelerated rapidly, driven by in-country regions from both hyperscalers (Microsoft Azure UAE North in Dubai and UAE Central in Abu Dhabi; AWS me-central-1 in Abu Dhabi) and by local compliance requirements under the UAE PDPL and CBUAE frameworks. But cloud adoption without cloud security does not remove the attack surface, it replaces it, and the replacement is often worse configured than the on-premises environment it superseded. This checklist covers the essential security controls for UAE businesses running workloads on AWS or Azure.
UAE Cloud Adoption Context and Regulatory Landscape
Data Residency and UAE PDPL
UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) governs personal data processing of UAE residents. Cross-border data transfers must meet adequacy standards or have appropriate safeguards. For UAE enterprises processing personal data, preferred configuration is to keep data processing within UAE-region infrastructure where possible.
- Azure UAE North (Dubai) and UAE Central (Abu Dhabi): paired Azure regions that provide in-country data residency for regulated UAE workloads
- AWS me-central-1 (UAE): AWS UAE region (Abu Dhabi) provides in-country storage for UAE-sovereign data requirements
- AWS me-south-1 (Bahrain): still common in UAE estates that were built before the AWS UAE region opened. Data is stored in Bahrain, not the UAE, so PDPL requires a cross-border transfer assessment
IAM Checklist — Identity and Access Management
IAM misconfigurations are the most common cloud security vulnerability found in UAE cloud assessments.
- Root/Global Administrator account: MFA enabled, with a FIDO2 hardware key preferred over TOTP. The AWS root user and the Entra ID Global Administrator are never used for day-to-day operations, and no access keys exist for the root user.
- Least privilege: all IAM users, roles and service principals have the minimum permissions required. No wildcard actions (* or service:*) and no Allow-with-NotAction statements in production; Resource * only for APIs that genuinely lack resource-level permissions. Review attached policies quarterly.
- Access key rotation: AWS IAM access keys rotated at most every 90 days, verified from the IAM credential report rather than by asking key owners. Azure service principal secrets have expiry dates set; prefer managed identities or workload identity federation so there is no long-lived secret to rotate.
- No shared accounts: Every human user has a named individual account. Service-to-service access uses IAM roles (AWS) or managed identities (Azure), not shared credentials.
- MFA for console access: all IAM users with console access have MFA enforced, either through an IAM policy that denies actions when aws:MultiFactorAuthPresent is false or through an Azure Conditional Access policy. Better still, federate human access through IAM Identity Center or Entra ID so that one identity provider enforces MFA for both clouds.
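The IAM items above are checkable offline from two artefacts you already have: the policy documents attached to your principals, and the IAM credential report. The following is an added example for this checklist, not AWS code; the policy and the credential-report CSV are constructed sample data, and the report is trimmed to the columns the audit reads (a real report has more, which the CSV reader ignores).

```python
"""Offline IAM audit: wildcard grants in a policy document and root/stale
access keys in an IAM credential report. Added example for this checklist,
not AWS code; the policy and report below are constructed sample data."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90                          # the checklist's rotation ceiling
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM lets Action/Resource/NotAction be either a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: dict) -> list:
    """Flag Allow statements that grant '*' or 'service:*' actions, use
    NotAction (everything except the listed actions), or grant non-read
    actions on Resource '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow+NotAction grants all actions not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        writes = [a for a in actions
                  if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
        if "*" in resources and writes:
            findings.append(f"{sid}: write actions {writes} on Resource '*'")
    return findings


def audit_credential_report(report_csv: str, now: datetime) -> list:
    """Read the CSV that iam:GetCredentialReport returns (after base64
    decoding). Flags root without MFA, any root access key, and active user
    keys older than MAX_KEY_AGE_DAYS. `now` is injected for reproducibility."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append("root: MFA not active")
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append(f"root: {key} exists (root must have no keys)")
                continue
            rotated = datetime.fromisoformat(
                row[f"{key}_last_rotated"].replace("Z", "+00:00"))
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"{user}: {key} is {age} days old")
    return findings


# Constructed sample inputs (not from a real account). The report keeps only
# the columns the audit reads; a real report has more, which DictReader ignores.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBuckets", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}
SAMPLE_REPORT = "\n".join([
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated",
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "true,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,"
    "true,2020-01-01T00:00:00+00:00,false,N/A",
    "alice,arn:aws:iam::123456789012:user/alice,2022-03-01T00:00:00+00:00,"
    "true,2024-05-01T08:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,"
    "true,2023-10-01T00:00:00+00:00,false,N/A",
    "deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-01-01T00:00:00+00:00,"
    "false,N/A,N/A,N/A,false,true,2024-04-15T00:00:00+00:00,false,N/A",
])
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in find_wildcard_grants(SAMPLE_POLICY) + audit_credential_report(SAMPLE_REPORT, NOW):
        print(finding)
```

Run against the sample, the policy audit reports the s3:* statement twice (wildcard action, and write actions on Resource *) and stays silent on the read-only statement and the Deny; the report audit flags the root user for both a missing MFA device and an active access key, and flags alice's 222-day-old key while leaving the freshly rotated deploy-bot key alone. In production, fetch the report with iam:GenerateCredentialReport/GetCredentialReport and iterate policies with the IAM list/get APIs; the evaluation logic stays the same.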
Network Security Checklist
- VPC/VNet segmentation: Production, development, and management environments in separate VPCs or VNets. No direct peering between production and development without firewall controls.
- Security groups / NSGs: no security group or NSG rule that allows ingress from 0.0.0.0/0, ::/0, or the Azure "Internet" or "*" source on SSH (22), RDP (3389), or database ports, including indirectly via all-traffic rules or wide port ranges that happen to contain those ports.
- WAF deployment: AWS WAF or Azure Application Gateway with WAF deployed in front of all internet-facing web applications and APIs.
- DDoS protection: AWS Shield Standard (included) or Shield Advanced for high-value UAE services. Azure DDoS Network Protection enabled for production VNets.
- Bastion access: No direct SSH/RDP exposure to the internet. Use AWS Systems Manager Session Manager or Azure Bastion for administrative access to VMs.
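The security group and NSG item is where scanners most often miss the indirect cases: an AWS rule with IpProtocol -1 (all traffic) has no port fields at all, a 0-65535 range contains every sensitive port, an IPv6 ::/0 source is as public as 0.0.0.0/0, and an Azure NSG evaluates rules by priority so a Deny can legitimately sit in front of a broad Allow. The following is an added example for this checklist, not AWS or Microsoft code. The sample rules are constructed in the shape of `aws ec2 describe-security-groups` and `az network nsg rule list` output; the field names are an assumption drawn from those tools and should be checked against your own output before the parser is trusted.

```python
"""Offline audit of AWS security-group ingress and Azure NSG inbound rules
for internet exposure of admin and database ports. Added example for this
checklist, not AWS or Microsoft code; rule shapes are assumed from the
describe-security-groups / az network nsg rule list output."""

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
INTERNET_SOURCES = {"0.0.0.0/0", "::/0", "*", "Internet"}   # AWS CIDRs, Azure tags


def _ports_in_range(lo: int, hi: int) -> list:
    return [f"{p}/{n}" for p, n in sorted(SENSITIVE_PORTS.items()) if lo <= p <= hi]


def audit_aws_security_groups(groups: list) -> list:
    """groups: the 'SecurityGroups' list. Catches the obvious 22/3389 rule
    but also IpProtocol '-1' (all traffic, no port fields), wide port ranges
    that contain a sensitive port, and IPv6 ::/0 sources."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue                       # udp/icmp rules are out of scope here
            lo = 0 if proto == "-1" else perm["FromPort"]
            hi = 65535 if proto == "-1" else perm["ToPort"]
            sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if not any(s in INTERNET_SOURCES for s in sources):
                continue
            for port in _ports_in_range(lo, hi):
                findings.append(f"{sg['GroupId']}: {port} open to the internet")
    return findings


def _parse_port_range(spec: str) -> tuple:
    """Azure port specs: '22', '0-65535' or '*'."""
    if spec == "*":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def audit_azure_nsgs(nsgs: dict) -> list:
    """nsgs: {nsg_name: [rules]}. Rules are evaluated lowest priority number
    first, as the platform does, so a Deny at 100 correctly shields a broad
    Allow at 200; the first rule matching internet source + port decides."""
    findings = []
    for name, rules in nsgs.items():
        inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                         key=lambda r: r["priority"])
        for port, label in sorted(SENSITIVE_PORTS.items()):
            for rule in inbound:
                if rule["protocol"] not in ("Tcp", "*"):
                    continue
                sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
                if not any(s in INTERNET_SOURCES for s in sources):
                    continue
                ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
                if not any(lo <= port <= hi for lo, hi in map(_parse_port_range, ranges)):
                    continue
                if rule["access"] == "Allow":
                    findings.append(f"{name}: {port}/{label} open to the internet "
                                    f"via rule {rule['name']}")
                break                          # first matching rule decides


    return findings


# Constructed sample rule sets (not from a real account).
SAMPLE_SGS = [
    {"GroupId": "sg-0a1b2c3d", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # HTTPS: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                  # SSH to world
    ]},
    {"GroupId": "sg-0e5f6a7b", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},                   # all ports, IPv6
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                # internal only
    ]},
]
DENY_ALL = {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
            "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}                          # Azure default rule
SAMPLE_NSGS = {
    "nsg-web-prod": [
        {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
        {"name": "AllowRDP", "priority": 110, "direction": "Inbound", "access": "Allow",
         "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        DENY_ALL],
    "nsg-db-prod": [
        {"name": "DenyInternetSQL", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRanges": ["1433", "3306"]},
        {"name": "AllowAllTcp", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "0-65535"},
        DENY_ALL],
}

if __name__ == "__main__":
    for f in audit_aws_security_groups(SAMPLE_SGS) + audit_azure_nsgs(SAMPLE_NSGS):
        print(f)
```

On the sample, the AWS side reports SSH on the first group and all seven sensitive ports on the second (the all-traffic IPv6 rule), while the internal-only MySQL rule is ignored. On the Azure side, the web NSG is flagged only for RDP, and the database NSG's explicit Deny at priority 100 correctly protects 1433 and 3306 even though a 0-65535 Allow sits behind it; the remaining five ports are reported through that Allow. A rule-by-rule scanner that ignores priority would either miss the Deny or report false positives on the SQL ports.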
Data Protection Checklist
- Encryption at rest: All EBS volumes and Azure Managed Disks encrypted. S3 server-side encryption enabled with SSE-KMS for sensitive data. Azure Storage encrypted with customer-managed keys for regulated data.
- Encryption in transit: TLS 1.2 minimum enforced for all services. TLS 1.0 and 1.1 disabled.
- S3 bucket policies: Block Public Access enabled at the account level, which overrides any bucket-level setting; no public buckets.
- Azure Blob access: storage accounts have anonymous blob access disabled unless explicitly required. Shared Access Signatures are short-lived, and user delegation SAS (backed by Entra ID) is preferred over SAS signed with the account key.
- Key management: AWS KMS or Azure Key Vault used for key management. No hardcoded credentials in application code, environment variables, or configuration files.
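The "no hardcoded credentials" item is easiest to enforce with a scanner in the CI pipeline, and the useful part is the patterns: AWS access key IDs have a fixed prefix and length, AWS secret keys are 40 base64-like characters and are only worth flagging next to a variable name, and Azure Storage account keys are 64 bytes, so 88 base64 characters ending in "==". The following is an added example for this checklist, not a vendor tool; the .env content is constructed, uses the AWS-documented example credentials rather than real ones, and the Azure key is a synthetic 88-character string.

```python
"""Hardcoded-credential scanner for source and config files. Added example
for this checklist, not a vendor tool; the .env content is constructed and
uses the AWS-documented example credentials, never real ones."""
import re

RULES = {
    # Access key IDs are AKIA (long-term) or ASIA (temporary) + 16 upper/digits.
    "aws_access_key_id": re.compile(
        r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    # Secret keys are 40 base64-ish chars; anchored on a nearby variable name
    # to avoid flagging every 40-character token in the codebase.
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    # Azure Storage account keys are 64 bytes, i.e. 88 base64 chars ending '=='.
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_text(text: str, source: str = "<string>") -> list:
    """Return (source, line_no, rule, redacted) tuples; only the first four
    characters of a match are kept so findings can be filed in a ticket."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex or 0)
                findings.append((source, lineno, rule, secret[:4] + "****"))
    return findings


# Constructed sample file. Lines 4 and 6 are deliberate non-matches.
SAMPLE_ENV = "\n".join([
    "# constructed .env for the example; AWS values are the documented examples",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SECRET_REF=${AWS_SECRET_ACCESS_KEY}",                      # a reference, not a value
    "STORAGE_CONN=DefaultEndpointsProtocol=https;AccountName=prodstore;"
    "AccountKey=" + "A" * 86 + "==;EndpointSuffix=core.windows.net",
    "NOTE=keys starting with AKIA are long-term credentials",    # prose mention only
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV, "sample.env"):
        print(finding)
```

The scanner reports four findings on the sample (key ID, secret key, storage key, private key header) and nothing for the variable reference or the prose mention of the AKIA prefix. Redacting to four characters is deliberate: a finding that copies the full secret into a ticketing system has just created a second place the secret is hardcoded.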
Logging and Monitoring Checklist
- CloudTrail / Azure Monitor: a multi-region (or organization) CloudTrail trail with log file validation enabled, so every region is covered, including the ones you never use. Azure Activity Log and resource diagnostic settings forwarded for all subscriptions, with Entra ID sign-in and audit logs collected alongside them.
- SIEM integration: cloud logs forwarded to a SIEM for correlation and alerting, with a UAE-based managed SOC providing 24/7 monitoring where there is no in-house team. Log retention minimum 12 months.
- Alerting thresholds: Alerts configured for: root account usage, IAM policy changes, security group modifications, S3 public access changes, failed MFA attempts, console access from unknown geographies.
- GuardDuty / Microsoft Defender: AWS GuardDuty enabled in all active regions. Microsoft Defender for Cloud with the paid Defender plans (formerly the Standard tier) enabled on production subscriptions.
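The alerting thresholds above map directly onto CloudTrail fields, and it is worth seeing the detection logic written out because the obvious versions have false positives: root "usage" must exclude AWS services acting on root's behalf (the userIdentity carries an invokedBy field in that case, which is the exclusion the CIS AWS Foundations Benchmark metric filter also applies), and a failed console login should not additionally be reported as "login without MFA". The following is an added example for this page, not AWS code. The records are constructed and trimmed to the fields the detections read, and the "unknown geography" check is replaced by a constructed office-egress CIDR allowlist, because an offline example cannot resolve IP addresses to countries; substitute your SIEM's geo enrichment in production.

```python
"""Detection logic for the checklist's alert thresholds, run over
constructed CloudTrail records. Added example for this page, not AWS code.
Geo-IP lookup is replaced by a constructed office-egress CIDR allowlist."""
import ipaddress

KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]     # constructed, RFC 5737 range

IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
                     "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
                     "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
                     "DeleteUserPolicy", "DeleteRolePolicy", "DetachRolePolicy"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}
S3_PUBLIC_EVENTS = {"PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
                    "PutBucketAcl", "PutBucketPolicy", "DeleteBucketPolicy"}


def _unknown_location(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:               # e.g. "AWS Internal" or a service DNS name
        return False
    return not any(addr in net for net in KNOWN_EGRESS)


def evaluate_event(ev: dict) -> list:
    """Alert names triggered by one CloudTrail record."""
    alerts = []
    ident = ev.get("userIdentity", {})
    name, source = ev.get("eventName"), ev.get("eventSource")
    # Root usage: same shape as the CIS benchmark metric filter, which
    # excludes service-invoked root activity and AwsServiceEvent records.
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent"):
        alerts.append("root_account_usage")
    if source == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        alerts.append("iam_policy_change")
    if source == "ec2.amazonaws.com" and name in SG_EVENTS:
        alerts.append("security_group_change")
    if source == "s3.amazonaws.com" and name in S3_PUBLIC_EVENTS:
        alerts.append("s3_public_access_change")
    if name == "ConsoleLogin":
        if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            alerts.append("console_login_failure")
        elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append("console_login_without_mfa")
        if _unknown_location(ev.get("sourceIPAddress", "")):
            alerts.append("console_login_unknown_location")
    return alerts


def run_detections(events: list) -> list:
    """(eventID, alert) pairs in record order; feed these to the SIEM or ticketing."""
    return [(ev["eventID"], a) for ev in events for a in evaluate_event(ev)]


# Constructed sample records, trimmed to the fields the detections read.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e3", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e4", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketPublicAccessBlock",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.11"},
    {"eventID": "e6", "eventSource": "config.amazonaws.com", "eventName": "PutEvaluations",
     "userIdentity": {"type": "Root", "invokedBy": "config.amazonaws.com"},
     "sourceIPAddress": "config.amazonaws.com"},                     # service acting for root
    {"eventID": "e7", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole"}, "sourceIPAddress": "203.0.113.10"},
]

if __name__ == "__main__":
    for event_id, alert in run_detections(SAMPLE_EVENTS):
        print(event_id, alert)
```

Over the sample records this yields six alerts: root usage for e1 (an MFA-protected root login from a known address is still root usage and should page someone), a failed login plus unknown location for e2, and one change alert each for e3, e4 and e5. The service-invoked root record e6 and the routine DescribeInstances in e7 produce nothing, which is the point of the exclusions. The same predicates translate directly into CloudWatch metric filters or SIEM correlation rules.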
Top 5 Cloud Misconfigurations Found in UAE Assessments
- Publicly accessible S3 buckets or Azure Blob containers containing internal documents, application backups, or customer data — most common and highest-impact finding
- Overly permissive IAM roles: AdministratorAccess on EC2 instance profiles, or Owner/Contributor assigned to VM managed identities. Whoever compromises the application inherits that access, typically by reading the role's credentials from the instance metadata service through an SSRF or code-execution bug; scope the role down and require IMDSv2 on EC2 so the metadata endpoint is harder to reach from a simple SSRF
- No MFA on root/global admin accounts — organisations with MFA on regular user accounts but not the master account
- Single-region CloudTrail trails, leaving every other region unmonitored and available to an attacker who wants to run resources out of sight; a multi-region trail closes this at no extra effort
- Development environments connected to production VPCs with minimal segmentation — developers with production data access via misconfigured peering
Frequently Asked Questions
Does UAE PDPL require data to stay in UAE?
UAE PDPL does not impose an absolute data localisation requirement. It requires that cross-border transfers meet adequacy standards or have appropriate safeguards. Using Azure UAE North or AWS UAE (me-central-1) eliminates cross-border transfer concerns and simplifies PDPL compliance documentation.
How often should cloud security configuration be reviewed?
Cloud environments change rapidly. Continuous automated configuration monitoring (AWS Config, Azure Policy, Defender for Cloud) should run permanently. Manual security assessments should run at least annually and after significant architectural changes.

