Cloud Security Checklist

A practical checklist for securing cloud environments across AWS, Azure, and Google Cloud Platform (GCP).


Purpose

This checklist provides a structured approach to:

  • Pre-migration security review
  • Cloud configuration baselines
  • Ongoing security monitoring
  • Compliance validation

Use this as a starting point and tailor it to your organisation's specific risk profile and cloud usage.


Shared Responsibility Model

Understanding Cloud Responsibilities

Layer                    AWS        Azure      GCP        Customer
Data                     -          -          -          Customer
Applications             -          -          -          Customer
Access & Identity        -          -          -          Shared
Operating System         Varies     Varies     Varies     Shared
Network Controls         Varies     Varies     Varies     Shared
Compute Infrastructure   Provider   Provider   Provider   -
Physical Security        Provider   Provider   Provider   -

Key Principle: You are always responsible for your data, access controls, and proper configuration of cloud services.


Pre-Migration Security Review

Business & Compliance

  • Data Classification: Identify data sensitivity levels being migrated
  • Regulatory Requirements: Confirm cloud provider compliance (GDPR, HIPAA, PCI DSS, etc.)
  • Data Residency: Verify data storage locations meet legal requirements
  • Contractual Review: Review cloud provider SLA, DPA, and BAA (if applicable)
  • Risk Assessment: Conduct cloud-specific risk assessment
  • Shared Responsibility: Document understanding of shared responsibility model

Architecture & Design

  • Well-Architected Review: Use cloud provider's well-architected framework
  • Network Architecture: Design VPCs/VNets with proper segmentation
  • Encryption Strategy: Define encryption at rest and in transit requirements
  • Identity Strategy: Design IAM model (RBAC, least privilege)
  • Logging Strategy: Define which logs to collect and retention periods
  • Backup & DR Strategy: Define RPO/RTO and backup approach

Identity & Access Management (IAM)

General IAM Controls

  • Root Account Protection (AWS) / Global Administrator (Azure) / Owner (GCP):

    • Enable MFA on root/admin accounts
    • Do not use for day-to-day operations
    • Rotate credentials regularly
    • Monitor root account usage
  • Least Privilege:

    • No overly permissive policies (e.g., *:* on *)
    • Use role-based access control (RBAC)
    • Regularly review and remove unused permissions
  • MFA Enforcement:

    • Enforce MFA for all human users
    • Enforce MFA for privileged operations
    • Use hardware tokens for highly privileged accounts
  • Service Accounts / Service Principals:

    • Use service accounts for applications, not personal accounts
    • Rotate service account keys regularly
    • Limit service account permissions to minimum required
  • Federation & SSO:

    • Integrate with corporate identity provider (Entra ID, Okta, Google Workspace)
    • Use SAML 2.0 or OIDC federation
    • Centralise user management
  • Access Reviews:

    • Conduct quarterly access reviews
    • Remove accounts for leavers immediately
    • Audit privileged access logs
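
As an added example (not part of the original checklist), the following Python routine lints IAM policy documents for the wildcard grants the Least Privilege item warns about: `*` or `service:*` actions on `Resource "*"`, plus the `Allow` + `NotAction` pattern that quietly grants everything not listed. The two policy documents are constructed for illustration; the function itself works on any policy JSON in the standard AWS policy grammar and accepts both the string and list forms of `Statement`, `Action` and `Resource`.

```python
import json

# Constructed example policy documents (not taken from the page or any real account).
OVERLY_PERMISSIVE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-app-bucket",      # constructed bucket name
            "arn:aws:s3:::example-app-bucket/*",
        ],
    }],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" grants every action; "service:*" grants every action of one service.
    return action == "*" or action.endswith(":*")


def find_overly_permissive(policy_json):
    """Return findings for Allow statements that grant wildcard actions.

    Severity is lowered when a Condition is present, because a condition
    (source IP, MFA, organisation ID, ...) narrows an otherwise open grant.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # Allow + NotAction means "everything except the listed actions",
            # which is almost always broader than the author intended.
            findings.append({"statement": idx, "severity": "high",
                             "reason": "Allow with NotAction grants every action not listed"})
            continue
        actions = _as_list(stmt.get("Action"))
        wildcard_actions = [a for a in actions if _is_wildcard_action(a)]
        if not wildcard_actions:
            continue
        on_all_resources = "*" in _as_list(stmt.get("Resource"))
        if on_all_resources:
            severity = "medium" if "Condition" in stmt else "high"
            reason = f"wildcard action(s) {wildcard_actions} on Resource '*'"
        elif "*" in wildcard_actions:
            severity = "medium"
            reason = "Action '*' on scoped resources"
        else:
            # e.g. s3:* on one bucket: broad within one service, worth a review note.
            severity = "low"
            reason = f"service-wide wildcard {wildcard_actions} on scoped resources"
        findings.append({"statement": idx, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for name, doc in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                      ("least privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "->", find_overly_permissive(doc))
```

Run this over the output of `aws iam get-policy-version` (or a policy exported from IaC) during the quarterly access review; `Deny` statements are deliberately skipped because a wildcard in a Deny narrows access rather than widening it.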

AWS-Specific

  • IAM Policies: Use managed policies over inline policies
  • IAM Roles: Use roles for EC2, Lambda, and cross-account access
  • IAM Access Analyzer: Enable and review findings
  • AWS Organizations: Use for multi-account management
  • Service Control Policies (SCPs): Restrict actions at organisation level

Azure-Specific

  • Entra ID (Azure AD): Use for all user authentication
  • Conditional Access: Implement risk-based access policies
  • Privileged Identity Management (PIM): Use for just-in-time admin access
  • Managed Identities: Use for Azure resources (instead of service principals where possible)

GCP-Specific

  • Workload Identity Federation: Use for external identity integration
  • Service Accounts: Use for application authentication
  • IAM Recommender: Review and act on recommendations
  • Organisation Policies: Use for organisation-wide constraints

Network Security

General Network Controls

  • Network Segmentation:

    • Separate environments (dev, test, prod)
    • Isolate sensitive workloads (databases, PII)
    • Use private subnets for backend resources
  • Firewall Rules / Security Groups:

    • Default deny inbound, allow outbound
    • No 0.0.0.0/0 inbound except for public web services (ports 80/443)
    • Document and review rules quarterly
    • Remove unused rules
  • Private Connectivity:

    • Use private endpoints/links for PaaS services
    • Avoid public internet exposure where possible
    • Use VPN or dedicated connections (AWS Direct Connect, Azure ExpressRoute, GCP Interconnect) for hybrid
  • DDoS Protection:

    • Enable cloud provider DDoS protection (AWS Shield, Azure DDoS Protection, GCP Cloud Armor)
  • Web Application Firewall (WAF):

    • Deploy WAF in front of public web applications
    • Enable OWASP Top 10 protections
    • Configure rate limiting
  • DNS Security:

    • Use DNSSEC where supported
    • Monitor DNS queries for data exfiltration
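
The firewall rule above ("no 0.0.0.0/0 inbound except public web services on 80/443") is easy to state and easy to get subtly wrong in a review: a rule for "all protocols", an IPv6 `::/0` range, or a wide port range that happens to include 443 all satisfy a naive check. The Python routine below, added here as an example and not part of the original checklist, evaluates inbound rules in the shape returned by AWS `describe-security-groups`; the security groups themselves are constructed samples. Only a single-port TCP rule on one of the allowed ports passes when it is open to the world.

```python
ALLOWED_PUBLIC_PORTS = {80, 443}   # the checklist's exception for public web services
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"

# Constructed sample, shaped like AWS describe-security-groups output (not real data).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-db-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
            # SSH open to the world: should have been a bastion or VPN.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-legacy-example",
        "IpPermissions": [
            # IpProtocol "-1" means all protocols and all ports; FromPort/ToPort are absent.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            # A full port range contains 80 and 443 but is not a web rule.
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
        ],
    },
]


def _world_open(rule):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    return (any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
            or any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", [])))


def _rule_is_allowed_public(rule):
    """Only a single-port TCP rule on an allowed web port may be world-open."""
    if rule.get("IpProtocol") != "tcp":
        return False
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    return from_port == to_port and from_port in ALLOWED_PUBLIC_PORTS


def find_open_inbound_rules(security_groups):
    """Return (GroupId, description) for every world-open inbound rule that is not an allowed web rule."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule) or _rule_is_allowed_public(rule):
                continue
            if rule.get("IpProtocol") == "-1":
                desc = "all protocols/all ports"
            else:
                desc = f"{rule['IpProtocol']} {rule.get('FromPort')}-{rule.get('ToPort')}"
            findings.append((sg["GroupId"], desc))
    return findings


if __name__ == "__main__":
    for group_id, desc in find_open_inbound_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: inbound {desc} open to the world")
```

Azure NSGs and GCP VPC firewall rules express the same idea with different field names (`sourceAddressPrefix` / `sourceRanges`); the decision logic, not the field mapping, is what the quarterly rule review should agree on.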

AWS-Specific

  • VPC Configuration:

    • Enable VPC Flow Logs
    • Use VPC endpoints for AWS services (S3, DynamoDB, etc.)
    • Use Network ACLs as additional layer
  • AWS Network Firewall: Consider for advanced network filtering

Azure-Specific

  • Network Security Groups (NSGs): Apply at subnet and NIC level
  • Azure Firewall: Use for centralised network filtering
  • Private Link: Use for PaaS services

GCP-Specific

  • VPC Firewall Rules: Use hierarchical firewall policies
  • Private Google Access: Enable for private subnet access to Google APIs
  • Cloud NAT: Use for outbound internet from private instances

Data Protection & Encryption

Encryption at Rest

  • Default Encryption: Enable default encryption for all storage services

    • AWS: S3, EBS, RDS
    • Azure: Storage Accounts, Managed Disks, SQL Database
    • GCP: Cloud Storage, Persistent Disks, Cloud SQL
  • Customer-Managed Keys (CMK):

    • Use CMK for sensitive data (vs provider-managed keys)
    • Rotate encryption keys annually
    • Use hardware security modules (HSM) for highly sensitive keys (AWS CloudHSM, Azure Key Vault HSM, GCP Cloud HSM)
  • Key Management:

    • Centralise key management (AWS KMS, Azure Key Vault, GCP Cloud KMS)
    • Restrict key access with IAM policies
    • Enable key usage logging

Encryption in Transit

  • TLS/SSL: Enforce TLS 1.2+ for all connections
  • Certificate Management: Use cloud provider certificate managers (AWS ACM, Azure Key Vault, GCP Certificate Manager)
  • API Encryption: Enforce HTTPS for all API calls

Data Classification & Handling

  • Data Discovery: Identify and classify sensitive data
  • Data Loss Prevention (DLP): Implement DLP controls (GCP DLP API, Microsoft Purview)
  • Access Logging: Enable logging for data access (S3 access logs, Azure Storage Analytics, GCP Cloud Audit Logs)
  • Public Exposure Prevention:

    • Block public access to storage buckets (S3 Block Public Access, Azure deny assignment, GCP uniform bucket-level access)
    • Scan for publicly accessible resources regularly
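
Whether an S3 bucket is actually reachable by the public depends on three things together: the account/bucket Public Access Block settings, the bucket policy, and the bucket ACL. The Python check below, added here as an example rather than taken from the checklist, shows how the "scan for publicly accessible resources" item above can be implemented as logic over those three inputs. The bucket descriptions are constructed samples; the dictionary layout (`PublicAccessBlock`, `Policy`, `AclGrants`) is this example's own simplification of what `get-public-access-block`, `get-bucket-policy` and `get-bucket-acl` return.

```python
def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# The two S3 ACL group URIs that mean "anyone" / "any AWS account holder".
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed sample buckets (names and contents are illustrative only).
SAMPLE_BUCKETS = [
    {   # Fully blocked, but a public policy statement is lurking underneath.
        "Name": "example-private-data",
        "PublicAccessBlock": {k: True for k in PAB_KEYS},
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                  "Resource": "arn:aws:s3:::example-private-data/*"}]},
        "AclGrants": [],
    },
    {   # No public access block at all and an anonymous-read policy.
        "Name": "example-legacy-site",
        "PublicAccessBlock": {},
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject"],
                                  "Resource": "arn:aws:s3:::example-legacy-site/*"}]},
        "AclGrants": [],
    },
    {   # Policy side is locked down, but public ACLs are still honoured.
        "Name": "example-exports",
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "Policy": {},
        "AclGrants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                       "Permission": "READ"}],
    },
]


def principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def assess_bucket(bucket):
    """Return the list of exposure paths (or latent ones) for a single bucket."""
    issues = []
    pab = bucket.get("PublicAccessBlock", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        issues.append("public access block not fully enabled")

    # An Allow to a public principal with no Condition is a public policy.
    # RestrictPublicBuckets makes S3 ignore such a policy for anonymous and
    # cross-account callers, so report it as latent rather than live in that case.
    # (BlockPublicPolicy only stops new public policies being written; it does
    # not neutralise one that already exists.)
    for stmt in _as_list(bucket.get("Policy", {}).get("Statement")):
        if (stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))
                and "Condition" not in stmt):
            actions = _as_list(stmt.get("Action"))
            if pab.get("RestrictPublicBuckets"):
                issues.append(f"latent: policy grants {actions} to everyone, "
                              "currently neutralised by RestrictPublicBuckets")
            else:
                issues.append(f"policy grants {actions} to everyone")

    # Public ACL grants are ignored by S3 only when IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls"):
        for grant in bucket.get("AclGrants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_ACL_URIS:
                issues.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return issues


def assess_all(buckets):
    """Map bucket name to its list of issues; buckets with an empty list are clean."""
    return {b["Name"]: assess_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, issues in assess_all(SAMPLE_BUCKETS).items():
        print(name, "->", issues or "no public exposure")
```

The "latent" category is worth keeping: the first bucket is safe today, but a single change to its Public Access Block would make the policy live, so the statement should be removed rather than relied on being blocked.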

Logging & Monitoring

General Logging

  • Enable All Logging:

    • AWS: CloudTrail (management and data events), VPC Flow Logs, S3 access logs, ELB access logs
    • Azure: Activity Log, Diagnostic logs, NSG flow logs
    • GCP: Cloud Audit Logs (Admin, Data Access, System Event), VPC Flow Logs
  • Centralised Logging: Aggregate logs to SIEM or cloud-native solution

    • AWS: CloudWatch Logs, S3 + Athena, or third-party SIEM
    • Azure: Log Analytics, Microsoft Sentinel
    • GCP: Cloud Logging, BigQuery
  • Log Retention:

    • Define retention policy per compliance requirements (typically 1-7 years)
    • Store logs in immutable storage where possible
  • Log Protection:

    • Restrict access to logs (read-only for auditors)
    • Enable log file integrity monitoring
    • Encrypt logs at rest

Monitoring & Alerting

  • Security Monitoring:

    • AWS: GuardDuty for threat detection
    • Azure: Microsoft Defender for Cloud
    • GCP: Security Command Center
  • Configuration Monitoring:

    • AWS: Config for configuration tracking
    • Azure: Azure Policy compliance
    • GCP: Asset Inventory
  • Alerting:

    • Alert on critical security events (root account usage, IAM changes, public S3 buckets, etc.)
    • Integrate with incident response workflow
    • Define escalation procedures
  • Cost Monitoring: Monitor for unusual spending (potential crypto-mining or resource abuse)
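
The alerting item above names the classic cloud detections (root account usage, IAM changes, public S3 exposure) and the Log Protection item adds tampering with the trail itself. As an added example, not part of the original checklist, the Python below runs those four detections over constructed CloudTrail-style records in JSON-lines form. The account ID, user names and timestamps are placeholders; the field names (`eventSource`, `eventName`, `eventType`, `readOnly`, `userIdentity.type`, `userIdentity.invokedBy`) are the standard CloudTrail record fields. The last record shows the false positive every root-usage rule has to handle: a service-generated event attributed to the root identity.

```python
import json

# Constructed CloudTrail-style records (JSON lines). 111111111111 is a placeholder account ID.
SAMPLE_CLOUDTRAIL_JSONL = "\n".join([
    json.dumps({"eventTime": "2024-01-15T08:02:11Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}}),
    json.dumps({"eventTime": "2024-01-15T09:14:52Z", "eventSource": "iam.amazonaws.com",
                "eventName": "AttachUserPolicy", "eventType": "AwsApiCall", "readOnly": False,
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-admin"}}),
    json.dumps({"eventTime": "2024-01-15T09:15:03Z", "eventSource": "iam.amazonaws.com",
                "eventName": "ListUsers", "eventType": "AwsApiCall", "readOnly": True,
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-auditor"}}),
    json.dumps({"eventTime": "2024-01-15T10:40:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutBucketPolicy", "eventType": "AwsApiCall", "readOnly": False,
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111111111111:assumed-role/example-deploy/ci"}}),
    json.dumps({"eventTime": "2024-01-15T11:02:37Z", "eventSource": "cloudtrail.amazonaws.com",
                "eventName": "StopLogging", "eventType": "AwsApiCall", "readOnly": False,
                "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/example-admin"}}),
    # Root identity on a service-generated event: a common false positive, not a human using root.
    json.dumps({"eventTime": "2024-01-15T12:00:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "PutBucketEncryption", "eventType": "AwsServiceEvent",
                "userIdentity": {"type": "Root", "invokedBy": "s3.amazonaws.com"}}),
])

# API calls that can open a bucket to the public or remove the guard rails around it.
S3_EXPOSURE_EVENTS = {"PutBucketAcl", "PutBucketPolicy",
                      "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}
# API calls that weaken or stop the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _is_read_only(event):
    """Use CloudTrail's readOnly flag; fall back to the verb when the flag is absent."""
    flag = event.get("readOnly")
    if flag is not None:
        return bool(flag)
    return event.get("eventName", "").startswith(("Get", "List", "Describe", "Generate", "Simulate"))


def classify_event(event):
    """Return the list of alert names a single record triggers (empty if none)."""
    alerts = []
    identity = event.get("userIdentity", {})
    source = event.get("eventSource")
    name = event.get("eventName")

    # Genuine root usage: Root type, not invoked on root's behalf by a service.
    if (identity.get("type") == "Root" and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent"):
        alerts.append("root-account-activity")
    if source == "iam.amazonaws.com" and not _is_read_only(event):
        alerts.append("iam-change")
    if source == "s3.amazonaws.com" and name in S3_EXPOSURE_EVENTS:
        alerts.append("s3-public-exposure-risk")
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER_EVENTS:
        alerts.append("logging-tampering")
    return alerts


def detect(jsonl):
    """Run classify_event over JSON-lines input; return (eventTime, alert, eventName) tuples."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for alert in classify_event(event):
            hits.append((event["eventTime"], alert, event["eventName"]))
    return hits


if __name__ == "__main__":
    for when, alert, name in detect(SAMPLE_CLOUDTRAIL_JSONL):
        print(f"{when} {alert:<26} {name}")
```

In production the same predicates become CloudWatch metric filters, Sentinel analytics rules or Security Command Center findings; keeping them in one place as plain functions makes them testable against recorded events before they are deployed to the SIEM.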


Compute Security

Virtual Machines / Instances

  • Hardened Images:

    • Use hardened AMIs/images (CIS benchmarks)
    • Disable unnecessary services
    • Remove default credentials
  • Patch Management:

    • Automate patching (AWS Systems Manager, Azure Update Management, GCP OS Patch Management)
    • Patch within 30 days of release (critical vulnerabilities within 7 days)
  • Anti-Malware:

    • Deploy endpoint protection (EDR/antivirus)
    • Integrate with cloud security tools
  • Instance Metadata Service (IMDS):

    • AWS: Use IMDSv2 (session-oriented; mitigates SSRF-based credential theft from the metadata endpoint)
    • Restrict metadata access
  • SSH/RDP Access:

    • Disable public SSH/RDP where possible
    • Use bastion hosts or jump servers
    • Require key-based authentication (no password auth)
    • Implement just-in-time (JIT) access (Azure JIT VM Access)

Containers & Kubernetes

  • Image Security:

    • Scan container images for vulnerabilities (AWS ECR scanning, Azure Container Registry scanning, GCP Artifact Registry scanning)
    • Use minimal base images (distroless, Alpine)
    • Use trusted registries only
  • Runtime Security:

    • Use Pod Security Standards/Policies (Kubernetes)
    • Restrict privileged containers
    • Use read-only root filesystems where possible
  • Network Policies: Implement Kubernetes network policies to restrict pod communication
  • Secrets Management: Use cloud secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) - do not hardcode secrets
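
The Runtime Security items (Pod Security Standards, no privileged containers, read-only root filesystems) can be checked before a manifest reaches the cluster. The Python below is an added example, not part of the original checklist, that evaluates a Pod spec against the controls named above plus the remaining requirements of the Kubernetes "restricted" Pod Security Standard (no host namespaces, `allowPrivilegeEscalation: false`, `runAsNonRoot: true`, capabilities dropped to `ALL` with at most `NET_BIND_SERVICE` added back, and a `RuntimeDefault`/`Localhost` seccomp profile). The two manifests are constructed and written as Python dictionaries so the example needs no YAML dependency; `readOnlyRootFilesystem` is the checklist's own item and is not required by the standard, which the comment notes.

```python
# Capabilities the restricted Pod Security Standard allows to be added back.
RESTRICTED_CAP_ALLOWLIST = {"NET_BIND_SERVICE"}

# Constructed manifests (Python dict form of the YAML); image names are placeholders.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-api"},
    "spec": {
        # Pod-level settings apply to every container unless a container overrides them.
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "example.registry.internal/api:1.2.3",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

PERMISSIVE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "example-debug"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "shell",
            "image": "example.registry.internal/tools:latest",
            "securityContext": {"privileged": True},
        }],
    },
}


def _merged(pod_sc, ctr_sc, key):
    """Fields settable at both levels: the container value wins over the pod value."""
    return ctr_sc.get(key, pod_sc.get(key))


def check_pod(pod):
    """Return a list of findings; an empty list means the spec meets all checks."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []

    for host_key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_key):
            findings.append(f"pod: {host_key} is enabled")

    # Init containers run with the same privileges and are often forgotten.
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr["name"]
        sc = ctr.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if _merged(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        # Checklist item, not part of the Pod Security Standard itself.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - RESTRICTED_CAP_ALLOWLIST:
            findings.append(f"{name}: capabilities not reduced to the restricted set")
        seccomp = (_merged(pod_sc, sc, "seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile not RuntimeDefault/Localhost")
    return findings


if __name__ == "__main__":
    for pod in (HARDENED_POD, PERMISSIVE_POD):
        print(pod["metadata"]["name"], "->", check_pod(pod) or "passes all checks")
```

Wire a check like this into the IaC pipeline alongside the image scan, and enforce the same profile in-cluster with the `pod-security.kubernetes.io/enforce: restricted` namespace label so that a manifest that bypasses the pipeline is still rejected at admission.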

Serverless (Lambda, Functions, Cloud Functions)

  • Least Privilege Execution Roles: Grant minimum required permissions
  • Environment Variables: Encrypt sensitive environment variables
  • Code Scanning: Use SAST tools to scan function code
  • Runtime Protection: Enable runtime security monitoring

Database Security

  • Network Isolation:

    • Place databases in private subnets
    • No public internet access (use bastion/VPN)
  • Encryption:

    • Enable encryption at rest
    • Enforce TLS for all connections
  • Authentication:

    • Use IAM database authentication where supported
    • Rotate database credentials regularly
    • Enforce strong password policy
  • Backups:

    • Enable automated backups
    • Encrypt backups
    • Test restoration regularly
  • Auditing:

    • Enable database audit logs
    • Monitor for suspicious queries
  • Vulnerability Patching: Keep database engines up to date


Compliance & Governance

Policy as Code

  • Infrastructure as Code (IaC) Security:

    • Scan IaC templates for misconfigurations (Terraform, CloudFormation, ARM templates)
    • Use tools like Checkov, tfsec, or cloud-native scanners
  • Policy Enforcement:

    • AWS: Service Control Policies (SCPs), Config Rules
    • Azure: Azure Policy
    • GCP: Organisation Policies
  • Automated Compliance Checks:

    • AWS: Security Hub, Config compliance packs
    • Azure: Microsoft Defender for Cloud regulatory compliance
    • GCP: Security Command Center compliance dashboards

Compliance Certifications

  • Provider Certifications: Verify cloud provider holds required certifications (ISO 27001, SOC 2, PCI DSS, HIPAA, etc.)
  • Attestations: Obtain and review SOC 2 reports, attestations, certifications
  • Data Processing Agreement (DPA): Execute DPA with cloud provider (GDPR requirement)
  • Business Associate Agreement (BAA): Execute BAA if handling PHI (HIPAA requirement)

Incident Response & Forensics

  • Incident Response Plan: Adapt IR plan for cloud-specific scenarios
  • Forensic Readiness:

    • Enable log collection (CloudTrail, Activity Log, Cloud Audit Logs)
    • Retain logs for forensic analysis (immutable storage)
    • Document snapshot and disk imaging procedures
  • Automated Response:

    • Use cloud-native automation (Lambda, Logic Apps, Cloud Functions) for auto-remediation
    • Isolate compromised instances automatically
  • Contact Information: Know how to contact cloud provider security team


Backup & Disaster Recovery

  • Backup Strategy:

    • Automated backups for all critical data
    • Encrypt backups
    • Store backups in separate region (cross-region replication)
  • Disaster Recovery:

    • Define RTO/RPO for cloud workloads
    • Use multi-region or multi-AZ deployments for critical services
    • Test DR failover annually
  • Immutable Backups: Use immutable storage or versioning to protect against ransomware


Cloud Security Posture Management (CSPM)

  • Enable Native CSPM:

    • AWS: Security Hub, Config
    • Azure: Microsoft Defender for Cloud
    • GCP: Security Command Center
  • Third-Party CSPM (optional):

    • Prisma Cloud (Palo Alto Networks)
    • Wiz
    • Orca Security
    • Lacework
  • Misconfiguration Detection:

    • Scan for common misconfigurations (public buckets, open security groups, unencrypted data)
    • Set up automated alerts
    • Remediate within SLA (critical: 24 hours)

Multi-Cloud & Hybrid Considerations

  • Consistent Security Policies: Apply consistent security baseline across all cloud providers
  • Centralised Identity: Use federated identity across clouds
  • Unified Logging: Aggregate logs from all environments to central SIEM
  • Cross-Cloud Networking: Secure interconnections between clouds
  • Hybrid Connectivity: Secure VPN or dedicated connections to on-premises

Cloud Provider-Specific Tools Summary

Category           AWS                       Azure                 GCP
Threat Detection   GuardDuty                 Defender for Cloud    Security Command Center
CSPM               Security Hub, Config      Defender for Cloud    Security Command Center
SIEM               CloudWatch + 3rd party    Microsoft Sentinel    Chronicle (or 3rd party)
IAM                IAM, Organizations        Entra ID, PIM         IAM, Workload Identity
Secrets            Secrets Manager, SSM      Key Vault             Secret Manager
Encryption         KMS, CloudHSM             Key Vault, HSM        Cloud KMS, Cloud HSM
DLP                Macie                     Microsoft Purview     DLP API
WAF                AWS WAF                   Azure WAF             Cloud Armor
DDoS               Shield, Shield Advanced   DDoS Protection       Cloud Armor

Quick Selection Guide

Organisation Profile           Priority Focus Areas
Startup migrating to cloud     IAM (least privilege, MFA), encryption at rest, logging, CSPM
Enterprise hybrid cloud        Federation/SSO, centralised logging, network security, compliance automation
SaaS provider                  Multi-tenancy isolation, DDoS protection, WAF, data residency, SOC 2 compliance
Financial services             Encryption (CMK), audit logging, PCI DSS compliance, network segmentation, DLP
Healthcare                     HIPAA compliance, BAA with provider, encryption, access controls, PHI isolation
Regulated industry (general)   Compliance certifications, data residency, logging & monitoring, policy enforcement

Common Cloud Security Mistakes

  1. Public S3 Buckets: Unintentional public exposure of sensitive data
  2. Overly Permissive IAM: Granting *:* permissions or admin access unnecessarily
  3. No MFA on Root: Root/admin accounts without MFA
  4. Unencrypted Data: Failing to enable encryption at rest
  5. No Logging: CloudTrail, Activity Log, or Audit Logs disabled
  6. Default Configurations: Using default security groups, passwords, or settings
  7. Credential Exposure: Hardcoded credentials in code or IaC templates
  8. No Network Segmentation: Flat network with no isolation
  9. Ignoring CSPM Findings: Alerts exist but not acted upon
  10. No Backup Testing: Backups exist but never tested for restoration