Cloud Security Checklist: Complete Guide for AWS, Azure, and GCP
Introduction
Cloud security is different from traditional infrastructure security. The shared responsibility model means you are responsible for securing what you deploy in the cloud, while the cloud provider secures the underlying infrastructure.
This comprehensive checklist covers security best practices across AWS, Azure, and GCP, the three major cloud providers. Use it to assess your current security posture and identify gaps.
Understanding Shared Responsibility
| Responsibility | You | Cloud Provider |
|----------------|-----|----------------|
| Physical security | | ✅ |
| Network infrastructure | | ✅ |
| Hypervisor/host security | | ✅ |
| Instance configuration | ✅ | |
| Data encryption | ✅ | |
| Access management | ✅ | |
| Application security | ✅ | |
Identity and Access Management
AWS IAM
- [ ] Enable MFA for all root account users
- [ ] Create IAM users instead of using root for daily tasks
- [ ] Implement least-privilege IAM policies
- [ ] Use IAM roles for EC2 instances, not access keys
- [ ] Enable password policies (min 12 chars, complexity)
- [ ] Disable root account API keys
- [ ] Use AWS Organizations for multi-account setup
- [ ] Enable CloudTrail in all regions
- [ ] Review IAM Access Analyzer findings regularly
Example least-privilege policy: read access to a single bucket, granted only when the caller authenticated with MFA.

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::mybucket",
      "arn:aws:s3:::mybucket/*"
    ],
    "Condition": {
      "Bool": {"aws:MultiFactorAuthPresent": "true"}
    }
  }]
}
```
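As an added check for the least-privilege items above (not code from the original post), a small Python linter that flags wildcard actions, wildcard resources, and Allow statements lacking the MFA condition. It passes the policy shown and fails a constructed over-permissive one (`BAD_POLICY` is made up for the example).

```python
"""Lint IAM policy documents for the least-privilege points in the checklist:
wildcard actions, wildcard resources, and Allow statements without an MFA
condition. Added example, not from the original post; BAD_POLICY is constructed."""
import json

# The policy from the checklist above: scoped actions and resources, MFA required.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# Constructed over-permissive policy for comparison.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

def _as_list(v):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return v if isinstance(v, list) else [v]

def lint_policy(policy: dict) -> list:
    """Return (statement_index, finding) for every Allow statement that fails a
    check; an empty list means the policy passed. Only the Bool form of the MFA
    condition is recognised (BoolIfExists is treated as missing)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append((i, "wildcard resource '*'"))
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append((i, "no aws:MultiFactorAuthPresent condition"))
    return findings
```

Run `lint_policy` over each customer-managed policy pulled from IAM (for example with `aws iam get-policy-version`) as part of the regular access review.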
Azure Active Directory
- [ ] Enable Conditional Access policies
- [ ] Require MFA for all privileged users
- [ ] Implement Privileged Identity Management (PIM)
- [ ] Use managed identities instead of service principals
- [ ] Configure session timeouts
- [ ] Enable Azure AD Connect secure settings
- [ ] Monitor sign-in logs for anomalies
- [ ] Implement identity protection policies
GCP IAM
- [ ] Enable 2SV for all users
- [ ] Use service accounts with minimal permissions
- [ ] Implement resource hierarchy (organizations, folders)
- [ ] Use VPC Service Controls for sensitive data
- [ ] Enable Audit Logs for all services
- [ ] Use Workload Identity for GKE
- [ ] Implement Binary Authorization for containers
Network Security
VPC Configuration
- [ ] Create separate VPCs for different environments
- [ ] Use subnets with appropriate CIDR ranges
- [ ] Enable VPC Flow Logs for monitoring
- [ ] Implement private subnets for sensitive workloads
- [ ] Use NAT Gateway for private subnet outbound
- [ ] Configure Transit Gateway for VPC peering
- [ ] Disable default VPCs in all regions
Security Groups
- [ ] Default deny all inbound, allow outbound
- [ ] Use named security groups with descriptions
- [ ] Audit security group rules monthly
- [ ] Remove overly permissive rules (0.0.0.0/0)
- [ ] Use security group references for internal communication
- [ ] Implement security group changes in CI/CD
```hcl
# Terraform example - restrictive security group
resource "aws_security_group" "app" {
  name        = "app-server-sg"
  description = "Security group for app servers"

  # Only the ALB's security group may reach the app servers, and only on 443
  ingress {
    description     = "HTTPS from ALB"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Outbound is limited to PostgreSQL on the RDS security group; anything else
  # (package mirrors, AWS APIs) needs its own explicit rule or a VPC endpoint
  egress {
    description     = "Outbound to RDS"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.rds.id]
  }
}
```
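To support the monthly audit and the "remove 0.0.0.0/0" item above, here is an added Python check (not from the original post) that walks `describe-security-groups`-shaped output and reports every inbound rule open to the whole IPv4 or IPv6 internet; the sample groups are constructed.

```python
"""Audit security groups for ingress rules open to the world (0.0.0.0/0 or ::/0).
Added example, not from the original post. Input mirrors the shape of
`aws ec2 describe-security-groups` output; the sample below is constructed."""
import ipaddress

# Constructed sample in the describe-security-groups shape (not real data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "app-server-sg",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0bbb"}]}]},   # group reference: fine
    {"GroupId": "sg-0ccc", "GroupName": "legacy-ssh",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "-1",                                 # -1 = all protocols/ports
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def is_world_open(cidr: str) -> bool:
    """True when the CIDR is the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def port_label(perm: dict) -> str:
    """Human-readable protocol/port range for one IpPermissions entry."""
    if perm.get("IpProtocol") == "-1":
        return "all ports/protocols"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"

def find_world_open_ingress(groups: list) -> list:
    """Return (GroupId, GroupName, ports, cidr) for each inbound rule open to the world.
    Rules that reference another security group are not flagged."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world_open(cidr):
                    findings.append((sg["GroupId"], sg["GroupName"], port_label(perm), cidr))
    return findings

if __name__ == "__main__":
    for gid, name, ports, cidr in find_world_open_ingress(SAMPLE_GROUPS):
        print(f"{gid} ({name}): {ports} open to {cidr}")
```

Feed it the `SecurityGroups` array from `aws ec2 describe-security-groups --output json` to run it against a real account.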
Load Balancers
- [ ] Use Application Load Balancer for HTTP/HTTPS
- [ ] Enable TLS termination
- [ ] Configure health checks
- [ ] Enable access logging
- [ ] Use WAF in front of public ALBs
- [ ] Configure connection draining
CDN and DDoS Protection
- [ ] Use CloudFront with origin access identity
- [ ] Enable AWS Shield (Standard is free)
- [ ] Configure rate limiting
- [ ] Use Route 53 health checks
- [ ] Implement geographic restrictions
Compute Security
EC2 / Virtual Machines
- [ ] Use custom AMIs, not default ones
- [ ] Disable password-based SSH
- [ ] Use SSH key pairs
- [ ] Enable detailed monitoring
- [ ] Patch operating systems regularly
- [ ] Use Systems Manager for patch management
- [ ] Enable VPC endpoints for AWS services
- [ ] Disable unnecessary services
Container Security
- [ ] Scan images for vulnerabilities
- [ ] Use private container registries
- [ ] Implement image signing
- [ ] Use non-root users in containers
- [ ] Enable runtime security monitoring
- [ ] Implement network policies
- [ ] Use secrets management (not environment variables)
```yaml
# Kubernetes network policy example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-network-policy
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods labelled app=frontend may reach the api pods, and only on TCP 8080
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  # No egress rules are listed, so with Egress in policyTypes all outbound
  # traffic from the api pods is denied, including DNS; add egress rules
  # (for example to kube-dns on port 53) before relying on this policy
```
Serverless Security
- [ ] Set appropriate timeout values
- [ ] Encrypt any environment variables that hold secrets
- [ ] Implement custom resource policies
- [ ] Enable X-Ray for tracing
- [ ] Configure reserved concurrency
- [ ] Review CloudWatch logs
Data Protection
Encryption at Rest
- [ ] Enable encryption for all storage services
- [ ] Use customer-managed keys (CMK)
- [ ] Rotate keys annually
- [ ] Implement envelope encryption for large data
- [ ] Use AWS KMS, Azure Key Vault, or GCP Cloud KMS
```javascript
// AWS KMS encryption example (aws-sdk v2)
const AWS = require('aws-sdk');
const kms = new AWS.KMS();

// Encrypts a small JSON value directly under a KMS key. KMS Encrypt accepts at
// most 4 KB of plaintext, so larger payloads need envelope encryption instead:
// GenerateDataKey, encrypt locally with the data key, store the encrypted key.
async function encryptData(data, keyId) {
  const params = {
    KeyId: keyId,                                 // key ID, ARN or alias/...
    Plaintext: Buffer.from(JSON.stringify(data))
  };
  const result = await kms.encrypt(params).promise();
  return result.CiphertextBlob;                   // store this next to the data
}
```
Encryption in Transit
- [ ] Use TLS 1.2+ everywhere
- [ ] Configure security headers (HSTS, CSP)
- [ ] Use certificate managers
- [ ] Enable perfect forward secrecy
- [ ] Implement certificate pinning for mobile apps
Data Classification
- [ ] Identify sensitive data (PII, credentials)
- [ ] Tag resources with classification
- [ ] Implement data loss prevention
- [ ] Configure lifecycle policies
- [ ] Enable versioning on S3/buckets
- [ ] Implement object lock for compliance
Backup and Recovery
- [ ] Enable point-in-time recovery for databases
- [ ] Test backup restoration quarterly
- [ ] Cross-region backup replication
- [ ] Document recovery procedures
- [ ] Test disaster recovery annually
Monitoring and Logging
CloudTrail / Azure Monitor / Cloud Logging
- [ ] Enable CloudTrail in all regions
- [ ] Use dedicated trail for security logging
- [ ] Send logs to encrypted S3 bucket
- [ ] Enable log file integrity validation
- [ ] Integrate with SIEM
GuardDuty / Microsoft Defender / Security Command Center
- [ ] Enable all native threat detection services
- [ ] Configure alerts for critical findings
- [ ] Enable RDS protection
- [ ] Enable EKS/Container protection
- [ ] Review findings weekly
Centralized Logging
- [ ] Aggregate logs to central account
- [ ] Implement log retention policies (1 year minimum)
- [ ] Use structured JSON logging
- [ ] Enable log correlation
- [ ] Create dashboards for security metrics
Alerting
- [ ] Alert on failed login attempts (5+ in 10 min)
- [ ] Alert on privilege escalation
- [ ] Alert on sensitive data access
- [ ] Alert on unusual API activity
- [ ] Test alerts quarterly
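The first alert rule above, "5+ failed logins in 10 minutes", as an added Python example (not code from the original post): a sliding-window count over CloudTrail-style `ConsoleLogin` records. The events are constructed and carry only the fields the check reads; the threshold and window are parameters so the same function serves other alert rules.

```python
"""Sliding-window check for the "5+ failed logins in 10 minutes" alert above.
Added example, not from the original post; events are constructed in the
shape of CloudTrail ConsoleLogin records, with only the fields used here."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures needed to raise an alert
WINDOW = timedelta(minutes=10)  # sliding window length

def _login(t, user, ip, outcome):
    """Build a minimal CloudTrail-style ConsoleLogin record (constructed)."""
    return {"eventName": "ConsoleLogin", "eventTime": t,
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": outcome}}

# alice: 5 failures in 4 minutes plus one success (successes are ignored);
# bob: 3 failures over 40 minutes, never 5 inside any 10-minute window.
SAMPLE_EVENTS = (
    [_login(f"2024-01-01T10:0{m}:00Z", "alice", "198.51.100.7", "Failure") for m in range(5)]
    + [_login("2024-01-01T10:03:30Z", "alice", "198.51.100.7", "Success")]
    + [_login(f"2024-01-01T{hm}:00Z", "bob", "203.0.113.9", "Failure")
       for hm in ("10:00", "10:20", "10:40")]
)

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def failed_login_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one (user, window_start, window_end, count) per user whose failed
    ConsoleLogin events reach `threshold` inside any `window`-long span."""
    failures = defaultdict(list)
    for ev in events:
        if (ev.get("eventName") != "ConsoleLogin"
                or ev.get("responseElements", {}).get("ConsoleLogin") != "Failure"):
            continue
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        failures[user].append(parse_time(ev["eventTime"]))
    alerts = []
    for user, times in failures.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # drop failures older than the window
                left += 1
            if right - left + 1 >= threshold:
                alerts.append((user, times[left], t, right - left + 1))
                break                        # one alert per user per run
    return alerts
```

Point it at the `Records` array of a CloudTrail log file, or run the same logic as a CloudWatch Logs metric filter on `{ $.eventName = "ConsoleLogin" && $.responseElements.ConsoleLogin = "Failure" }` with a 10-minute alarm period.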
Application Security
API Security
- [ ] Implement API Gateway authentication
- [ ] Use OAuth 2.0 / JWT validation
- [ ] Enable request validation
- [ ] Implement rate limiting per client
- [ ] Enable access logging
- [ ] Use API keys for machine-to-machine
Web Application Firewall (WAF)
- [ ] Deploy WAF in front of public endpoints
- [ ] Implement OWASP Top 10 rules
- [ ] Configure IP reputation lists
- [ ] Enable geo-blocking where appropriate
- [ ] Monitor and tune rules
CDN Security
- [ ] Use signed URLs for private content
- [ ] Configure origin access restrictions
- [ ] Enable HTTPS only
- [ ] Implement field-level encryption
- [ ] Use real-time log integration
Database Security
RDS / Cloud SQL / Azure SQL
- [ ] Enable encryption at rest
- [ ] Use private subnets
- [ ] Enable auto-backups
- [ ] Configure parameter groups
- [ ] Enable performance insights
- [ ] Use connection pooling
NoSQL Databases (DynamoDB / Firestore / Cosmos)
- [ ] Enable point-in-time recovery
- [ ] Use fine-grained access control
- [ ] Enable at-rest encryption
- [ ] Implement TTL for data expiration
- [ ] Configure read/write capacity limits
Secrets Management
- [ ] Use AWS Secrets Manager / Azure Key Vault / GCP Secret Manager
- [ ] Rotate secrets automatically
- [ ] Implement least-privilege access
- [ ] Enable audit logging
- [ ] Never commit secrets to git
Compliance and Governance
Resource Tagging
- [ ] Implement tagging policy
- [ ] Tag by environment (prod, staging, dev)
- [ ] Tag by cost center
- [ ] Tag by owner
- [ ] Enforce tags with SCPs/policies
Policy as Code
- [ ] Use AWS Config Rules / Azure Policy / Organization Policies
- [ ] Implement guardrails
- [ ] Enable preventive controls
- [ ] Use Open Policy Agent (OPA)
- [ ] Integrate with CI/CD
Audit Readiness
- [ ] Document all security controls
- [ ] Maintain evidence of compliance
- [ ] Enable detailed logging
- [ ] Implement change management
- [ ] Regular access reviews (quarterly)
Incident Response
Preparation
- [ ] Document runbooks for common incidents
- [ ] Establish escalation procedures
- [ ] Configure forensic preservation
- [ ] Test backup restoration
- [ ] Maintain emergency contacts
Detection
- [ ] Enable GuardDuty / Defender
- [ ] Configure CloudWatch alerts
- [ ] Enable flow log analysis
- [ ] Implement honeypots
Response
- [ ] Isolate affected systems
- [ ] Preserve evidence
- [ ] Communicate to stakeholders
- [ ] Document timeline
- [ ] Conduct post-mortem
Quick Reference: Cloud Provider Security Services
AWS
| Service | Purpose |
|---------|---------|
| IAM | Identity & Access Management |
| KMS | Key Management |
| CloudTrail | API Logging |
| GuardDuty | Threat Detection |
| Config | Configuration Assessment |
| Security Hub | Centralized Security |
| WAF | Web Application Firewall |
| Shield | DDoS Protection |
| Inspector | Vulnerability Scanning |
| Secrets Manager | Secret Management |
Azure
| Service | Purpose |
|---------|---------|
| Azure AD | Identity & Access |
| Azure Policy | Governance |
| Azure Defender | Threat Protection |
| Azure Sentinel | SIEM |
| Key Vault | Secret Management |
| Azure Firewall | Network Security |
| NSG | Network Security Groups |
| Security Center | Security Posture |
GCP
| Service | Purpose |
|---------|---------|
| IAM | Identity & Access |
| Cloud KMS | Key Management |
| Cloud Logging | Audit Logging |
| Security Command Center | Threat Detection |
| Web Security Scanner | Vulnerability Scanning |
| VPC Service Controls | Data Protection |
| Binary Authorization | Container Security |
| Secret Manager | Secret Management |
Implementation Roadmap
Phase 1: Foundation (Week 1-2)
- [ ] Enable MFA for root accounts
- [ ] Configure CloudTrail / Azure Monitor
- [ ] Review and fix security groups
- [ ] Enable encryption on storage
Phase 2: Identity (Week 3-4)
- [ ] Implement least-privilege IAM
- [ ] Enable MFA for all users
- [ ] Configure conditional access
- [ ] Review access keys
Phase 3: Network (Week 5-6)
- [ ] Deploy WAF rules
- [ ] Configure VPC isolation
- [ ] Enable flow logs
- [ ] Implement DDoS protection
Phase 4: Data (Week 7-8)
- [ ] Implement data classification
- [ ] Enable key rotation
- [ ] Configure backup policies
- [ ] Test recovery procedures
Phase 5: Monitoring (Week 9-10)
- [ ] Configure alerting rules
- [ ] Enable threat detection
- [ ] Implement centralized logging
- [ ] Create security dashboards
Phase 6: Compliance (Week 11-12)
- [ ] Document controls
- [ ] Implement policy as code
- [ ] Conduct access review
- [ ] Prepare for audit
Conclusion
Cloud security is a continuous process, not a one-time implementation. Use this checklist as a starting point and regularly revisit it as your infrastructure evolves.
Key takeaways:
- Start with identity - Most breaches involve compromised credentials
- Defense in depth - Layer your security controls
- Automate everything - Use infrastructure as code
- Monitor continuously - You can't protect what you can't see
- Test regularly - Assume breach and practice response
DevSecure Team
Security expert at DevSecure. Passionate about cybersecurity and helping organizations protect their digital assets.