
DigitalOcean Security Best Practices for Startups

A practical security guide for startups running on DigitalOcean — covering Spaces, Droplets, firewalls, databases, and Kubernetes with actionable checks.

Akash Mahajan 9 min read

Why DigitalOcean Security Gets Overlooked

Most cloud security content targets AWS, GCP, and Azure. DigitalOcean — which powers hundreds of thousands of startups and indie projects — gets almost no coverage from security tooling vendors.

The result: teams running production workloads on DigitalOcean often have zero visibility into their security posture. No CSPM tool supports them. No compliance framework maps to their services. They’re flying blind.

This guide covers the most critical security checks for DigitalOcean, organized by service.

Spaces (Object Storage)

DigitalOcean Spaces is S3-compatible object storage. The security risks are identical to S3 — and just as commonly misconfigured.

Critical Checks

Public access: Spaces can be made public with a single setting. Verify that production Spaces containing user data, backups, or application assets are not publicly listable.

# Check if a Space is public
doctl compute cdn list  # CDN-enabled Spaces are intentionally public
# For non-CDN Spaces, check the "public" setting in the control panel

CORS configuration: Overly permissive CORS (allowing * origins) can expose your Spaces to cross-origin data exfiltration from malicious sites.
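Because Spaces is S3-compatible, both of the checks above can be scripted against its S3 API. The following is an added example (not Kloudle's or DigitalOcean's code) that flags a Space whose ACL grants access to everyone or whose CORS rules accept any origin; it works on the dicts boto3's get_bucket_acl and get_bucket_cors return, and fetch_and_audit() shows the live call (the nyc3 endpoint and the SPACES_KEY/SPACES_SECRET variable names are assumptions).

```python
import os

# Grantee URIs that S3-compatible ACLs use for "anyone" / "any signed-in user"
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_permissions(acl):
    """Permissions the ACL grants to everyone; READ on a bucket means listable."""
    return sorted({g["Permission"] for g in acl.get("Grants", [])
                   if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES})

def wildcard_cors_rules(cors):
    """CORS rules accepting any origin, so any site can read objects cross-origin."""
    return [r for r in cors.get("CORSRules", []) if "*" in r.get("AllowedOrigins", [])]

def audit(name, acl, cors):
    """Findings for one Space; an empty list means nothing to fix."""
    findings = []
    perms = public_permissions(acl)
    if perms:
        findings.append(f"{name}: public ACL grants {perms}")
    for rule in wildcard_cors_rules(cors):
        findings.append(f"{name}: CORS allows * origin for {rule.get('AllowedMethods')}")
    return findings

def fetch_and_audit(name, region="nyc3"):
    """Fetch a Space's live ACL and CORS config over the S3 API and audit them."""
    import boto3  # imported here so the offline sample below needs no boto3
    s3 = boto3.client("s3", region_name=region,
                      endpoint_url=f"https://{region}.digitaloceanspaces.com",
                      aws_access_key_id=os.environ["SPACES_KEY"],
                      aws_secret_access_key=os.environ["SPACES_SECRET"])
    try:
        cors = s3.get_bucket_cors(Bucket=name)
    except s3.exceptions.ClientError:  # no CORS configuration on this Space
        cors = {}
    return audit(name, s3.get_bucket_acl(Bucket=name), cors)

# Constructed sample: a backups Space that is world-listable and has a * CORS rule
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_CORS = {"CORSRules": [{"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT"]}]}

if __name__ == "__main__":
    print("\n".join(audit("prod-backups", SAMPLE_ACL, SAMPLE_CORS)))
```

A public READ grant on the bucket itself is what makes a Space listable; a CDN-enabled Space will show that grant by design, so skip those when you run it across an account.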

Access keys: Spaces uses API keys (not IAM roles). If a key is compromised, the attacker has full access to every Space in your account. Rotate keys regularly. Never commit them to git.

Encryption: DigitalOcean encrypts Spaces at rest by default (AES-256). No action needed — but verify you’re not implementing client-side encryption that bypasses this.

Droplets (VMs)

Critical Checks

SSH root login: Disable root SSH access on all Droplets. Use a non-root user with sudo.

# In /etc/ssh/sshd_config
PermitRootLogin no

SSH key-only auth: Disable password authentication. Use SSH keys exclusively.

# In /etc/ssh/sshd_config
PasswordAuthentication no

Unattended upgrades: Enable automatic security updates. Droplets don’t auto-update by default.

apt install unattended-upgrades
dpkg-reconfigure --priority=low unattended-upgrades

Metadata service: DigitalOcean Droplets expose a metadata endpoint at http://169.254.169.254. Applications running on the Droplet can query this for information about the Droplet. Ensure your web applications can’t be SSRF’d into reading this endpoint.
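One application-side defence is to vet every user-supplied fetch target before the server connects to it. The function below is an added example (not from this guide): it resolves the host, then rejects the metadata address by name and anything else that is not globally routable, including IPv4-mapped IPv6 spellings of the same address; the resolver parameter exists so the check can be exercised with fixed answers.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")

def resolve(host):
    """Every address the host resolves to (IP literals come back as-is)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)}

def is_safe_fetch_target(url, resolver=resolve):
    """True only if the URL is http(s) and every address it resolves to is public.

    The metadata IP is rejected explicitly, and so is anything not globally
    routable (link-local, loopback, RFC 1918, the Droplet's VPC range), also
    when spelled as an IPv4-mapped IPv6 address such as ::ffff:169.254.169.254.
    Connect to the vetted address afterwards rather than re-resolving the name,
    or a DNS answer that changes between check and use slips past the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    except (socket.gaierror, ValueError):
        return False  # unresolvable or malformed host: do not fetch
    if not addrs:
        return False
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if addr == METADATA_IP or not addr.is_global:
            return False
    return True
```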

Monitoring agent: Install the DigitalOcean monitoring agent for CPU, memory, and disk alerts. Security incidents often manifest as resource anomalies first.

Cloud Firewalls

DigitalOcean Cloud Firewalls are stateful, applied at the hypervisor level (not iptables). They’re the primary network security control.

Critical Checks

Default deny: Every Droplet should have a Cloud Firewall attached. Droplets without firewalls accept all inbound traffic.

SSH from anywhere: Don’t allow port 22 from 0.0.0.0/0. Restrict to your office IP, VPN, or bastion host.

Database ports exposed: PostgreSQL (5432), MySQL (3306), Redis (6379) should never be open to the internet. Use DigitalOcean Managed Databases instead, or restrict to application Droplet IPs only.

Outbound rules: Consider restricting outbound traffic for sensitive workloads. If a Droplet is compromised, egress filtering limits data exfiltration.
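The three inbound checks above can be run over the JSON that doctl prints (doctl compute firewall list -o json and doctl compute droplet list -o json). The script below is an added example, not Kloudle's or doctl's code; it assumes the field names the DigitalOcean API returns (droplet_ids, tags, inbound_rules, sources.addresses) and reports Droplets with no firewall, either directly or through a tag, plus SSH and database ports open to the world. The sample documents at the bottom are constructed.

```python
ANYWHERE = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}

def port_in_rule(port, ports):
    """True if a rule's ports field ("22", "5000-6000", "all") covers the port."""
    if ports in ("all", "0", ""):
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def world_open_ports(firewall):
    """Watched TCP ports that the firewall's inbound rules open to 0.0.0.0/0 or ::/0."""
    hits = set()
    for rule in firewall.get("inbound_rules", []):
        sources = set(rule.get("sources", {}).get("addresses", []))
        if rule.get("protocol") == "tcp" and sources & ANYWHERE:
            hits.update(p for p in WATCHED_PORTS if port_in_rule(p, rule.get("ports", "all")))
    return hits

def unprotected_droplets(firewalls, droplets):
    """Names of Droplets no firewall covers, directly (droplet_ids) or through a tag."""
    covered_ids = {i for fw in firewalls for i in fw.get("droplet_ids", [])}
    covered_tags = {t for fw in firewalls for t in fw.get("tags", [])}
    return [d["name"] for d in droplets
            if d["id"] not in covered_ids and not covered_tags & set(d.get("tags", []))]

def audit(firewalls, droplets):
    """Account-wide findings; empty when every Droplet is covered and nothing is exposed."""
    findings = [f"{n}: no Cloud Firewall attached" for n in unprotected_droplets(firewalls, droplets)]
    for fw in firewalls:
        for port in sorted(world_open_ports(fw)):
            findings.append(f"{fw['name']}: {WATCHED_PORTS[port]} ({port}) open to the internet")
    return findings

# Constructed sample in the shape of doctl's JSON output (ids and names are made up)
SAMPLE_FIREWALLS = [
    {"name": "web-fw", "droplet_ids": [101], "tags": ["web"], "inbound_rules": [
        {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}]},
    {"name": "db-fw", "droplet_ids": [102], "tags": [], "inbound_rules": [
        {"protocol": "tcp", "ports": "5432", "sources": {"addresses": ["0.0.0.0/0"]}},
        {"protocol": "tcp", "ports": "6379", "sources": {"droplet_ids": [101]}}]}]
SAMPLE_DROPLETS = [{"id": 101, "name": "web-1", "tags": ["web"]},
                   {"id": 102, "name": "db-1", "tags": []},
                   {"id": 103, "name": "web-2", "tags": ["web"]},  # covered via the "web" tag
                   {"id": 104, "name": "jump-1", "tags": []}]     # covered by nothing

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FIREWALLS, SAMPLE_DROPLETS)))
```

To run it against a real account, load the two doctl JSON documents with json.load and pass them to audit() in place of the samples.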

Managed Databases

Critical Checks

Trusted sources: DigitalOcean Managed Databases support trusted source restrictions — only allow connections from specific Droplets, Kubernetes clusters, or IP addresses.

Database Settings → Trusted Sources → Add your application Droplets

Public network access: By default, managed databases are accessible from the public internet (with credentials). Restrict to trusted sources to add network-level protection.

Connection encryption: All managed database connections use SSL/TLS by default. Verify your application connection strings include sslmode=require (the PostgreSQL parameter; MySQL clients use ssl-mode=REQUIRED). Note that sslmode=require only forces encryption; use sslmode=verify-full with the cluster's CA certificate if you also want the server's identity checked.

Automatic backups: Enabled by default with 7-day retention. Verify backup schedule and test restore procedures periodically.

Kubernetes (DOKS)

DigitalOcean Kubernetes Service (DOKS) runs standard Kubernetes. All general K8s security practices apply, plus DigitalOcean-specific considerations.

Critical Checks

RBAC enabled: DOKS clusters have RBAC enabled by default. Don’t create overly permissive ClusterRoleBindings.

Private API server: DOKS doesn’t currently support private API server endpoints. The Kubernetes API is accessible from the internet, protected by certificate authentication. Keep your kubeconfig secure.

Pod security: Use Pod Security Standards (or a policy engine like Kyverno) to prevent privileged containers, host network access, and root execution.

Container images: Pull images from a private registry (DigitalOcean Container Registry). Don’t run containers from Docker Hub public images in production without scanning.

Network policies: DOKS supports Cilium-based network policies. Define them to restrict pod-to-pod communication to only what’s necessary.

Team and Account Security

Critical Checks

Two-factor authentication: Enable 2FA for all team members. DigitalOcean supports TOTP authenticator apps and WebAuthn/security keys.

Team roles: Use DigitalOcean Teams to separate billing access from infrastructure access. Not everyone needs the ability to delete Droplets.

API token scoping: When creating API tokens, use read-only tokens where possible. Write tokens should be scoped to specific team members or automation systems.

Audit log: DigitalOcean provides an audit log of all API actions. Review it regularly for unexpected activity — especially around Droplet creation, firewall changes, and team membership.

Automating These Checks

Manually reviewing these settings across dozens of Droplets, Spaces, and databases doesn’t scale. This is where CSPM tooling helps.

Kloudle is one of the few CSPM tools that actually supports DigitalOcean. It runs 150+ automated checks covering everything in this guide — Spaces permissions, firewall rules, database configurations, Kubernetes security, and account settings.

What Kloudle Checks on DigitalOcean

  • Spaces public access and CORS configuration
  • Droplet firewall attachment and rule analysis
  • SSH configuration (via metadata, not agent-based)
  • Managed database trusted sources and encryption
  • Kubernetes RBAC and pod security
  • Account 2FA enforcement
  • API token permissions and age


Quick-Start Checklist

  • Enable 2FA for all team members
  • Attach Cloud Firewalls to every Droplet
  • Restrict SSH to key-only auth from specific IPs
  • Set trusted sources on all managed databases
  • Verify Spaces are not publicly listable (unless intentional)
  • Install monitoring agent on all Droplets
  • Enable unattended security upgrades
  • Review API token permissions and rotate old tokens
  • Define network policies in Kubernetes clusters
  • Set up automated CSPM scanning
