April 4, 2026 · Tim Fraser, Cloud Operations Lead
APRA CPS 234 Compliance on AWS — What You Need to Monitor
If you're a FinTech operating in Australia under an APRA-regulated licence (or providing services to someone who is), CPS 234 is the prudential standard that governs your information security. It's not optional, and it applies to your cloud infrastructure just as much as your on-premises systems.
CPS 234 came into effect in July 2019, but many organisations still struggle with it — not because the requirements are unreasonable, but because translating regulatory language into specific AWS configurations and monitoring practices takes work. Here's a practical breakdown of what the standard requires and what that means for your AWS environment.
What CPS 234 actually requires
The standard has five core obligations:
- Clearly defined information security roles and responsibilities — someone must own the security of your AWS environment, and that ownership must be documented.
- Information security capability commensurate with the size and extent of threats — your security controls must match the sensitivity of what you're protecting. A payments platform needs stronger controls than a marketing website.
- Information asset identification — you must know what assets you have, where they are, and how sensitive they are.
- Implementation of controls to protect information assets — encryption, access controls, network segmentation, and logging must be in place.
- Testing the effectiveness of controls — you must regularly verify that your controls actually work, not just that they exist.
There's also a mandatory notification requirement: APRA must be told within 72 hours of your becoming aware of a material information security incident, and within 10 business days of your becoming aware of a material weakness in your information security controls.
Mapping CPS 234 to AWS
Information asset identification: You need a current inventory of your AWS resources — EC2 instances, RDS databases, S3 buckets, Lambda functions, IAM roles — and you need to know what data each one holds. AWS Config provides resource inventory, but it only helps if you're reviewing it. This isn't a one-time exercise; your environment changes constantly.
Access controls: CPS 234 requires access restricted to authorised personnel based on business need. On AWS that means IAM policies following least privilege, MFA enforced for all console access, regular access reviews, and no long-lived access keys where temporary credentials are feasible. Auditors will check for overly permissive policies; a statement granting `s3:*` on a `Resource` of `*` will attract questions.
Encryption and data protection: Encryption at rest (S3, RDS, EBS, with KMS key policies restricting who can decrypt) and in transit (TLS on all load balancers and API endpoints).
Network segmentation: Databases in private subnets only. Security groups allowing only the specific ports and source addresses required.
Logging and incident management: CloudTrail enabled in all regions (a multi-region trail with log file validation turned on), logging to a protected S3 bucket whose policy prevents the logs from being modified or deleted. You need to demonstrate that you can detect, investigate, and respond to security events.
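The IAM and network-segmentation checks described above, written out as an added example. This is not code from the original page and not plainfra's product; it takes JSON in the shape returned by `aws iam get-policy-version` and `aws ec2 describe-security-groups` so it runs offline. The sample policy and security groups are constructed for the example, and the set of ports permitted to face the internet (80 and 443) is an assumption you would tune to your environment.

```python
"""Offline least-privilege and exposure checks over AWS-shaped JSON.

Added illustration, not the page's or plainfra's code. Inputs mirror the
output shape of `aws iam get-policy-version` (PolicyVersion.Document) and
`aws ec2 describe-security-groups` (SecurityGroups[]); the documents below
are constructed for this example.
"""
import ipaddress

# Constructed sample IAM policy document. Action/Resource may be a string or
# a list in real policies, so both forms appear here.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed sample security groups: a public ALB group and a database group
# that has accumulated an SSH rule and an all-traffic IPv6 rule.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e1f2a3b", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1", "IpRanges": [],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Assumption for this example: only HTTP/HTTPS may be reachable from anywhere.
ALLOWED_PUBLIC_PORTS = {80, 443}


def _as_list(value):
    """IAM allows Action/Resource as a bare string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def check_iam_policy(doc):
    """Return findings for Allow statements that grant wildcard actions on '*'.

    Deny statements only narrow access and are skipped. A NotAction grant on
    Resource '*' is flagged too: it allows everything except the listed
    actions, which is broader than it looks.
    """
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" not in resources:
            continue
        if "NotAction" in stmt:
            findings.append(f"Statement[{i}]: NotAction grant on Resource '*'")
            continue
        actions = _as_list(stmt.get("Action", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"Statement[{i}]: {','.join(wild)} on Resource '*'")
    return findings


def _is_public(ip_range):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    cidr = ip_range.get("CidrIp") or ip_range.get("CidrIpv6")
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Return findings for ingress rules open to the internet on ports
    outside ALLOWED_PUBLIC_PORTS, or for all protocols (IpProtocol '-1')."""
    findings = []
    for sg in groups:
        label = f"{sg['GroupId']} ({sg['GroupName']})"
        for perm in sg.get("IpPermissions", []):
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            if not any(_is_public(r) for r in ranges):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append(f"{label}: all traffic open to the internet")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if not set(range(lo, hi + 1)) <= ALLOWED_PUBLIC_PORTS:
                findings.append(
                    f"{label}: {perm['IpProtocol']} {lo}-{hi} open to the internet")
    return findings


if __name__ == "__main__":
    for line in check_iam_policy(SAMPLE_POLICY) + \
            check_security_groups(SAMPLE_SECURITY_GROUPS):
        print(line)
```

Run it and the database group is flagged twice (SSH from anywhere, and all IPv6 traffic) while the ALB group passes; the policy produces three findings, including the `NotAction` statement that a naive grep for `"Action": "*"` would miss. In practice you would feed it the live API output on a schedule and keep each dated run as evidence for the "testing the effectiveness of controls" obligation.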
What auditors actually look for
Auditors focus on practical evidence rather than documentation alone:
- Can you produce a current inventory of your cloud resources? Not a spreadsheet from six months ago.
- Can you show that access is restricted and reviewed? They want IAM policies and evidence of periodic access reviews.
- Can you demonstrate that controls are tested? Results from security assessments, not just a statement that you do them.
- Can you provide evidence over time? Auditors prefer a pattern of ongoing compliance — weekly or monthly records showing your security posture was consistently maintained.
Continuous monitoring vs annual assessments
CPS 234 requires a "systematic testing program" — not a once-a-year penetration test followed by 11 months of inattention. Between audits, configurations drift, new resources get created without proper controls, and access permissions accumulate.
How plainfra supports CPS 234 compliance
plainfra's weekly health reports provide the continuous monitoring that CPS 234 requires. Each week, plainfra reviews your AWS environment and reports on:
- Resource inventory changes — new or removed assets
- Security group configurations — open ports, overly permissive rules
- IAM findings — unused credentials, missing MFA, overly broad policies
- Encryption status — unencrypted storage, certificate expiry
- Public exposure — S3 buckets, load balancers, or instances accessible from the internet
Each report is dated and archived, creating a timestamped record of your security posture that serves as audit evidence. When the auditor asks "how do you test your controls?", you hand them 52 weekly reports covering the past year.
Ask plainfra directly:
> "Review our AWS environment against CPS 234 requirements — check IAM policies, encryption, network segmentation, and logging."
You get a gap analysis in plain English, with specific resources flagged and actionable recommendations.
Try plainfra free → 50K tokens, 7 days, no charge. Or see the interactive demo →.