
CPS 234 Controls That Are Theatre (and What to Do Instead)

2026-06-18 3 min read

Not everything done in the name of CPS 234 reduces risk. Some of it is theatre: effort that produces a tidy checkbox and a slide for the board, and changes your actual exposure by approximately nothing. After enough assessments, the same offenders show up. Here's where teams waste effort — and where to move it.

An opinionated post. Practitioner guidance, not legal or audit advice — your auditor may disagree, and that's a conversation worth having.

Theatre 1: The 300-page information security policy nobody reads

A policy framework is a CPS 234 requirement. A 300-page document that no engineer has opened is not a control — it's a liability, because it describes controls you aren't actually running. Instead: a short, accurate policy that matches reality, plus the technical enforcement (SCPs, Config rules) that makes the policy automatic. A control enforced in code beats a control described in a PDF every time.

Theatre 2: Annual penetration test as "testing control effectiveness"

One pentest a year satisfies the letter of "test control effectiveness" and tells you almost nothing about the other 51 weeks. Instead: continuous testing — Security Hub standards running constantly, Prowler in CI, Config evaluating every change. The annual pentest is still useful for depth, but it's not your effectiveness evidence. The trend line is.

Theatre 3: Encrypting everything and calling it data protection

Turning on encryption everywhere is good hygiene and an easy win — but "we encrypt at rest" is often where data-protection effort stops, while the actual exposure (a public S3 bucket, an over-permissioned role that can read the KMS-decrypted data) goes unaddressed. Encryption limits blast radius; it doesn't stop the breach. Instead: spend the marginal effort on access — least privilege and attack surface — which is where breaches actually happen.

Theatre 4: Tagging everything "compliant"

A "compliance: true" tag on every resource is a comforting lie. Tags are self-asserted; they prove nothing. Instead: asset classification tied to actual controls — and let Config/Security Hub assert compliance based on configuration, not a sticker you applied to yourself.
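What "let Config assert compliance based on configuration" (and Theatre 1's "Config rules that make the policy automatic") looks like in practice, as an added example that is not code from the post: a Config custom-rule handler that decides an S3 bucket's compliance from its Block Public Access settings and deliberately ignores any compliance tag. The event shape, the supplementaryConfiguration.PublicAccessBlockConfiguration field names and the sample items are assumptions and constructed data; check them against a real AWS::S3::Bucket configuration item in your account before deploying.

```python
"""AWS Config custom rule (added example, not from the post): compliance is
decided from the bucket's recorded configuration; a 'compliance' tag is only
echoed in the annotation so the reviewer can see it was not trusted.
Field names below are assumptions about the AWS::S3::Bucket config item."""
import json

# The four S3 Block Public Access settings as assumed in the Config item.
REQUIRED_PAB_FLAGS = (
    "blockPublicAcls",
    "ignorePublicAcls",
    "blockPublicPolicy",
    "restrictPublicBuckets",
)
ANNOTATION_LIMIT = 256  # Config rejects longer annotations


def evaluate_bucket(item: dict) -> dict:
    """Return one Config evaluation dict for a single configuration item."""
    base = {
        "ComplianceResourceType": item.get("resourceType", "unknown"),
        "ComplianceResourceId": item.get("resourceId", "unknown"),
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }
    if item.get("resourceType") != "AWS::S3::Bucket":
        return {**base, "ComplianceType": "NOT_APPLICABLE",
                "Annotation": "Rule only evaluates S3 buckets"}

    supplementary = item.get("supplementaryConfiguration") or {}
    pab = supplementary.get("PublicAccessBlockConfiguration") or {}
    missing = [flag for flag in REQUIRED_PAB_FLAGS if pab.get(flag) is not True]

    # The self-asserted tag never influences the verdict.
    claimed = (item.get("tags") or {}).get("compliance")
    note = f" (tag compliance={claimed} ignored)" if claimed else ""

    if missing:
        annotation = "Block Public Access incomplete: " + ", ".join(missing) + note
        return {**base, "ComplianceType": "NON_COMPLIANT",
                "Annotation": annotation[:ANNOTATION_LIMIT]}
    annotation = "All four Block Public Access settings enabled" + note
    return {**base, "ComplianceType": "COMPLIANT",
            "Annotation": annotation[:ANNOTATION_LIMIT]}


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point when wired to a Config custom rule (needs real AWS)."""
    invoking = json.loads(event["invokingEvent"])
    evaluation = evaluate_bucket(invoking["configurationItem"])
    import boto3  # imported here so the pure evaluation runs without AWS
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample items: a bucket tagged compliant but half-open, and a
# bucket with all four settings on. Not real configuration items.
SAMPLE_ITEMS = [
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket-tagged",
        "configurationItemCaptureTime": "2026-06-18T00:00:00.000Z",
        "tags": {"compliance": "true"},
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": False, "restrictPublicBuckets": False,
            }
        },
    },
    {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-bucket-locked",
        "configurationItemCaptureTime": "2026-06-18T00:00:00.000Z",
        "tags": {},
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": True, "restrictPublicBuckets": True,
            }
        },
    },
]


def evaluate_samples() -> list:
    """Evaluate the constructed items; used for offline demonstration."""
    return [evaluate_bucket(item) for item in SAMPLE_ITEMS]


if __name__ == "__main__":
    for result in evaluate_samples():
        print(result["ComplianceResourceId"], result["ComplianceType"],
              "-", result["Annotation"])
```

The point of the design is that evaluate_bucket is pure: it takes the recorded configuration and returns the verdict, so it can be unit-tested against stored configuration items and the only AWS call is the put_evaluations in the handler. The tagged-but-open bucket comes back NON_COMPLIANT with the two missing settings named, which is the evidence an auditor can actually test.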

Theatre 5: A SIEM ingesting everything, with nothing tuned to alert

Shipping every log to a SIEM feels thorough and bills like it. If nothing's tuned, it's an expensive write-only store. Instead: a small number of high-signal detections (the incident-notification path on real severity) that a human actually responds to. CPS 234 wants you to detect and respond, not to retain and ignore.
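A concrete version of "a small number of high-signal detections", as an added example that is not code from the post: a few rules run over CloudTrail records that almost never fire in a healthy account and that should page a human when they do (root console login without MFA, CloudTrail logging stopped or a trail deleted, the GuardDuty detector deleted, Security Hub disabled). The field names follow the CloudTrail record format as I know it; the events are constructed samples, not real logs, and the rule names and severities are my own choices.

```python
"""High-signal CloudTrail detections (added example, not from the post).
Each rule is a predicate over one CloudTrail record; detect() returns
Finding objects carrying what an on-call responder needs first."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    principal: str
    event_name: str
    event_time: str
    source_ip: str
    outcome: str  # "success" or "denied:<errorCode>"


def _identity(event: dict) -> dict:
    return event.get("userIdentity") or {}


def root_console_login_without_mfa(event: dict) -> bool:
    """Root signed in to the console and MFA was not used."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and _identity(event).get("type") == "Root"
        and (event.get("additionalEventData") or {}).get("MFAUsed") != "Yes"
        and (event.get("responseElements") or {}).get("ConsoleLogin") == "Success"
    )


def cloudtrail_logging_stopped(event: dict) -> bool:
    """Someone stopped or deleted the audit trail itself."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in {"StopLogging", "DeleteTrail"})


def guardduty_detector_deleted(event: dict) -> bool:
    return (event.get("eventSource") == "guardduty.amazonaws.com"
            and event.get("eventName") == "DeleteDetector")


def security_hub_disabled(event: dict) -> bool:
    return (event.get("eventSource") == "securityhub.amazonaws.com"
            and event.get("eventName") == "DisableSecurityHub")


# (rule name, severity, predicate). Denied attempts are still reported,
# because an attempt to switch off logging is itself worth a human's look.
RULES = [
    ("root-console-login-no-mfa", "critical", root_console_login_without_mfa),
    ("cloudtrail-logging-stopped", "high", cloudtrail_logging_stopped),
    ("guardduty-detector-deleted", "high", guardduty_detector_deleted),
    ("securityhub-disabled", "high", security_hub_disabled),
]


def detect(events: list) -> list:
    """Run every rule over every record; return the findings in input order."""
    findings = []
    for event in events:
        error = event.get("errorCode")
        outcome = f"denied:{error}" if error else "success"
        ident = _identity(event)
        principal = ident.get("arn") or ident.get("type") or "unknown"
        for name, severity, predicate in RULES:
            if predicate(event):
                findings.append(Finding(
                    rule=name, severity=severity, principal=principal,
                    event_name=event.get("eventName", ""),
                    event_time=event.get("eventTime", ""),
                    source_ip=event.get("sourceIPAddress", ""),
                    outcome=outcome))
    return findings


# Constructed sample records (not real logs): two noisy, three that matter.
SAMPLE_EVENTS = [
    {"eventTime": "2026-06-18T01:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2026-06-18T01:02:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-06-18T01:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2026-06-18T01:06:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2026-06-18T01:07:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "DeleteDetector", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]


def detect_samples() -> list:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in detect_samples():
        print(f.severity.upper(), f.rule, f.principal, f.event_time, f.source_ip, f.outcome)
```

Five records in, three findings out, each with the principal, time, source address and whether the call succeeded. That is the shape of a detection someone actually responds to: the rule set is small enough to own, every hit is worth a page, and the benign login and the EC2 describe call stay quiet.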

Where the effort actually belongs

The unglamorous controls that move real risk:

  1. Least privilege and no standing admin — the single highest-leverage control.
  2. Attack surface — nothing internet-reachable and misconfigured.
  3. Evidence that's exportable on demand — the thing auditors actually test, and the thing teams most neglect.

If you're spending more on theatre than on those three, a readiness assessment will tell you where the effort's leaking — bluntly. The control mapping that separates real from theatre is in the CPS 234 → AWS Controls cheatsheet.


Primary sources: APRA CPS 234 · Security Hub FSBP standard
