
Cloud Security Posture Checklist

A cloud-neutral baseline used in Dephiant cloud reviews across AWS, Azure, and Google Cloud. Aligned to CIS Benchmarks, CSA Cloud Controls Matrix, and ISO/IEC 27017 / 27018.

Identity & Access

  • Federated identity (SSO/OIDC) is the only path into cloud consoles; no long-lived local users.
  • Root / global-admin accounts have FIDO2 MFA, trigger an alert on every use, and are never used for daily work.
  • Workload identity (IAM Roles, Managed Identities, Workload Identity Federation) replaces static access keys.
  • Privileged access is just-in-time via PIM / IAM Identity Center / GCP IAM Conditions, with approval workflows.
  • Cross-account / cross-subscription / cross-project access is least-privileged and limited to an explicit set of approved external principals.

Account / Tenant / Project Hygiene

  • Multi-account or multi-subscription structure with Org / Management Group / Folder hierarchy.
  • Service Control Policies / Azure Policy / GCP Org Policy enforce guardrails (region pinning, public-resource bans).
  • New accounts/subscriptions/projects bootstrap from an opinionated baseline (IaC).
  • Service quotas reviewed and alerted; cost anomaly detection enabled.

Network

  • Default VPCs / VNets removed or hardened; environments are explicitly segmented.
  • No internet-exposed admin ports (SSH/RDP/WinRM); access via SSM / Bastion / IAP / Just-in-Time VM.
  • Egress controlled with explicit allow-lists at the perimeter (NAT + firewall / Azure Firewall / Cloud NGFW).
  • Private endpoints used for managed services (PrivateLink / Private Endpoint / PSC) where supported.
  • WAF and DDoS protection in front of every public web entry point.

Data Protection

  • Default encryption-at-rest verified; customer-managed keys (KMS / Key Vault / Cloud KMS) for sensitive data.
  • All storage and database services scanned for public exposure (S3, Blob, GCS, DBs, snapshots).
  • Key rotation enforced; key access logged and reviewed.
  • Backups exist for tier-1 data; restore tests documented; cross-region copy for critical workloads.
  • Data classification labels drive DLP / Purview / DSPM enforcement.

Workload Security

  • All container images scanned in CI and at registry; admission control blocks unsigned/critical images.
  • Runtime protection on hosts and containers (EDR, Defender for Cloud, GKE/EKS/AKS hardening).
  • Serverless functions follow least privilege; secrets pulled from secret manager, not env vars committed to repos.
  • Patching SLAs enforced for VMs and for the supported versions of managed services.
  • Production deploys require code review, signed commits, and provenance (SLSA-aware pipeline).

Logging, Detection & Posture

  • Org-wide audit trail enabled (CloudTrail org trail, Azure Activity + Diagnostic settings, GCP Cloud Audit Logs) and delivered to a centralized logging account.
  • Centralized log destination is immutable / write-once, with separate access from production.
  • Cloud-native posture management enabled (Security Hub + Config / Defender for Cloud / Security Command Center).
  • CSPM findings tracked to closure with SLA by severity; drift detection alerts on guardrail bypass.
  • Detections include identity-attack patterns (impossible travel, MFA fatigue, key abuse).
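As an added illustration of the root-use alerting, static-key and trail-tamper detections this section asks for, the following script classifies CloudTrail-style events. It is example code, not part of the Dephiant checklist or any vendor tooling; the events are constructed samples in CloudTrail's JSON shape, and the finding codes are invented names.

```python
import json

# Constructed sample events (not real account data) in CloudTrail's record shape.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.11"},
    {"eventName": "StopLogging", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "198.51.100.5"},
    {"eventName": "ListBuckets", "userIdentity": {"type": "IAMUser", "userName": "ci-legacy",
     "accessKeyId": "AKIAEXAMPLEKEY000000"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "AssumeRole", "userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}, "sourceIPAddress": "198.51.100.9"},
]

# API calls that weaken or disable the audit trail itself (guardrail bypass).
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def classify(event):
    """Return the list of finding codes raised by a single event."""
    findings = []
    ident = event.get("userIdentity", {})
    name = event.get("eventName")
    if ident.get("type") == "Root":                      # root must never be used for daily work
        findings.append("ROOT_USED")
    if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
        findings.append("CONSOLE_LOGIN_NO_MFA")
    # Long-lived IAM user keys start with AKIA; STS temporary keys start with ASIA.
    if ident.get("type") == "IAMUser" and str(ident.get("accessKeyId", "")).startswith("AKIA"):
        findings.append("STATIC_KEY_USED")
    if name in TRAIL_TAMPER:
        findings.append("TRAIL_TAMPER")
    return findings

def scan(events):
    """Return (eventName, actor, sourceIP, findings) for every event that raised a finding."""
    hits = []
    for ev in events:
        f = classify(ev)
        if f:
            ident = ev.get("userIdentity", {})
            actor = ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")
            hits.append((ev.get("eventName"), actor, ev.get("sourceIPAddress"), f))
    return hits

def load_records(text):
    """Accept either a CloudTrail log file ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

In a real pipeline the same `classify` runs over records pulled from the centralized logging account, and each finding code maps to an alert with its own severity and SLA.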

Resilience & Governance

  • Region and availability-zone strategy documented and tested for tier-1 services.
  • Tagging policy enforced (owner, environment, data class, cost center) and used in incident response.
  • Change-management gates for production IaC; emergency-change path documented.
  • Annual cloud-incident tabletop exercise; quarterly access reviews of privileged roles.
  • Mapping to CIS Benchmark (per cloud), CSA CCM, ISO 27017/27018, and applicable regional regimes.

Want a cloud posture review with scored results?

Dephiant runs cloud security reviews across AWS, Azure, and GCP with prioritized remediation backlog, IaC fixes, and CSPM tuning.