How to do it...

Ask yourself the following questions, answer honestly, and make it a priority to resolve any questions where the answer is no:

  1. Do you have Business Support or greater enabled on all production accounts?
  2. Do you use IAM users or federated users instead of the root user login for routine access to your account?
  3. Do you have IAM users or some sort of user federation in place?
  4. Have you enabled Multi-Factor Authentication (MFA) on the root account?
  5. Have you enabled AWS CloudTrail on all accounts and in all regions?
  6. Are you storing all CloudTrail logs in a separate administrative domain (a separate AWS account or equivalent)?
  7. Is the CloudTrail log storage tamper-resistant?
  8. Have you enabled MFA on all interactive IAM accounts?
  9. Are you rotating all IAM user credentials regularly?
  10. Have you configured a strong password policy for your users?
  11. Does each user have their own dedicated IAM or federated user account?
  12. Are IAM policies for users and applications scoped down to the least privilege?
  13. Do you have any hardcoded credentials?
  14. Are all stored credentials encrypted at rest?
  15. Are you regularly backing up your data?
  16. Are you testing data recovery on a regular schedule, and after any significant application changes?
  17. Do you have a Recovery Point Objective (RPO) and Recovery Time Objective (RTO) defined for your services?
  18. Is your RTO less than 1 day for all critical services?
  19. Is your Disaster Recovery (DR) plan tested regularly, and after all significant application changes?
  20. If any of your S3 buckets have public access, has this access been reviewed to make sure it is necessary, and are controls in place to limit access to data that should not be public?
  21. Are your buckets that should not be public configured correctly to prevent public access?
  22. Do you have monitoring in place to alert you if a bucket is made public?
  23. If you require access to customer accounts, do you use cross-account roles instead of IAM users?

Did you answer no to any of those questions? If so, you could be placing your business and your customers at risk.
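Several of these questions can be answered from AWS API output rather than from memory. The following script is an added example (not from the book) that evaluates the root-MFA, CloudTrail, password-policy and S3 Block Public Access questions from saved responses of `aws iam get-account-summary`, `aws cloudtrail describe-trails`, `aws iam get-account-password-policy` and `aws s3api get-public-access-block`; the sample responses and the 14-character "strong" threshold are assumptions.

```python
"""Evaluate some checklist questions from saved AWS CLI/API responses.

Input dicts have the shape returned by the AWS CLI commands named in the
lead-in. The sample values at the bottom are constructed, not real data.
"""

MIN_PASSWORD_LENGTH = 14  # assumed threshold for a "strong" policy


def root_mfa_enabled(summary: dict) -> bool:
    """Root MFA: SummaryMap.AccountMFAEnabled is 1 when a device is attached."""
    return summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1


def cloudtrail_all_regions(trails: dict) -> bool:
    """CloudTrail in all regions: at least one trail is multi-region."""
    return any(t.get("IsMultiRegionTrail") for t in trails.get("trailList", []))


def cloudtrail_tamper_resistant(trails: dict) -> bool:
    """Tamper resistance: log file validation (signed digests) on every trail."""
    lst = trails.get("trailList", [])
    return bool(lst) and all(t.get("LogFileValidationEnabled") for t in lst)


def password_policy_strong(policy: dict) -> bool:
    """Strong policy: minimum length plus all four character classes required.
    get-account-password-policy errors when no policy exists; pass {} then."""
    p = policy.get("PasswordPolicy", {})
    classes = ("RequireSymbols", "RequireNumbers",
               "RequireUppercaseCharacters", "RequireLowercaseCharacters")
    return p.get("MinimumPasswordLength", 0) >= MIN_PASSWORD_LENGTH and all(p.get(c) for c in classes)


def bucket_blocks_public_access(pab: dict) -> bool:
    """Non-public bucket: all four Block Public Access settings are true."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def failing_questions(summary: dict, trails: dict, policy: dict, pab: dict) -> list:
    """Return the checklist items that would have to be answered 'no'."""
    results = {
        "MFA enabled on the root account": root_mfa_enabled(summary),
        "CloudTrail enabled in all regions": cloudtrail_all_regions(trails),
        "CloudTrail log storage tamper-resistant": cloudtrail_tamper_resistant(trails),
        "Strong password policy configured": password_policy_strong(policy),
        "Bucket configured to prevent public access": bucket_blocks_public_access(pab),
    }
    return [q for q, ok in results.items() if not ok]


# Constructed sample responses (not taken from any real account).
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 1, "Users": 12}}
SAMPLE_TRAILS = {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                                "LogFileValidationEnabled": False}]}
SAMPLE_POLICY = {"PasswordPolicy": {"MinimumPasswordLength": 8, "RequireSymbols": True,
                                    "RequireNumbers": True, "RequireUppercaseCharacters": True,
                                    "RequireLowercaseCharacters": True}}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                  "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}

if __name__ == "__main__":
    for q in failing_questions(SAMPLE_SUMMARY, SAMPLE_TRAILS, SAMPLE_POLICY, SAMPLE_PAB):
        print("NO:", q)
```

Run each `aws` command with `--output json`, load the files with `json.load`, and pass the dicts to `failing_questions` to audit a real account; the S3 check must be repeated per bucket.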
