Cloud Security Posture Checklist: AWS, Azure, and GCP Essentials
A practical cloud security posture checklist for AWS, Azure, and GCP — covering CIS Benchmark controls, critical misconfigurations, and automation strategies.
Cloud misconfigurations are the leading cause of data breaches in cloud-hosted environments. Unlike traditional on-premises breaches that require sophisticated exploitation, cloud misconfigurations often expose data directly to the public internet — no exploitation required. An attacker simply finds the open bucket, the publicly accessible database, or the overly permissive IAM role and walks in.
The CIS (Center for Internet Security) Benchmarks are the most widely used framework for cloud security configuration. This checklist summarizes the critical controls across AWS, Azure, and GCP, with practical implementation guidance.
AWS Security Posture Essentials
Identity and Access Management (IAM)
IAM misconfigurations are the most impactful class of AWS security issues. Overly permissive roles can give an attacker unrestricted access to every service in your account.
- Eliminate root account usage: The AWS root account should have MFA enabled and should never be used for routine operations. Create individual IAM users or roles for all administrative tasks.
- Enforce MFA for all IAM users: Any IAM user with console access should require MFA. Enforce this with an IAM policy condition:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
          "Resource": "*",
          "Condition": {
            "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
          }
        }
      ]
    }
- Eliminate long-lived access keys: Use IAM roles with temporary credentials (STS) wherever possible. If access keys exist, rotate them every 90 days and disable any keys unused for 45+ days.
- Enforce least-privilege policies: Review every IAM policy for "Action": "*" or "Resource": "*" statements. Use AWS IAM Access Analyzer to identify permissions that are granted but never used.
- Use AWS Organizations and SCPs: Service Control Policies at the organization level prevent even administrators from bypassing controls (like disabling CloudTrail).
Logging and Monitoring
- Enable CloudTrail in all regions: CloudTrail must be enabled in every AWS region, not just your primary region. Multi-region trails are mandatory. Verify log file validation is enabled (tamper detection).
- Enable AWS Config: Config provides continuous resource configuration monitoring and rule-based compliance checking. Essential for detecting configuration drift.
- Enable VPC Flow Logs: Captures network traffic metadata for all VPCs. Required for incident investigation and anomaly detection.
- Enable GuardDuty: AWS's managed threat detection service analyzes CloudTrail, VPC Flow Logs, and DNS logs for known attack patterns. $0.0016 per 500 CloudTrail events — negligible cost for the value.
- Enable S3 server access logging and object-level logging in CloudTrail: You need to know when sensitive S3 objects are accessed, by whom.
Storage (S3)
- Block all public access at the account level: In S3 Settings for the AWS account, enable all four Block Public Access settings. This prevents any bucket in the account from being made public, regardless of bucket-level settings.
- Enable default encryption: All new S3 buckets should default to SSE-S3 or SSE-KMS encryption.
- Enable MFA Delete: For buckets containing critical data, MFA Delete prevents object deletion without a second factor — protects against ransomware and insider threats.
- Review bucket policies quarterly: Bucket policies can grant public access even when Block Public Access is enabled at the account level if the policy explicitly allows "Principal": "*".
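The two policy review items above (wildcard "Action"/"Resource" in IAM policies, and "Principal": "*" in bucket policies) can be checked offline against exported policy JSON. This is an added example, not code from the original checklist; the policies and bucket name are constructed, and the "open" vs "conditioned" split is this example's own labelling.

```python
# Constructed sample policies (not real account data) for the checks below.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-data/*"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-data",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    ],
}

def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True for both spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_wildcard_statements(policy):
    """Indexes of Allow statements with Action "*" or Resource "*"."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) or "*" in _as_list(stmt.get("Resource")):
            hits.append(i)
    return hits

def find_public_statements(policy):
    """(index, kind) for Allow statements granted to anyone. 'open' means no
    Condition at all; 'conditioned' means a Condition exists and needs review."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow" and _is_anyone(stmt.get("Principal")):
            hits.append((i, "conditioned" if stmt.get("Condition") else "open"))
    return hits
```

Deny statements are skipped on purpose: a Deny with "Principal": "*" (as in the MFA policy above) restricts access rather than granting it.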
Networking
- No security groups with 0.0.0.0/0 inbound on sensitive ports: Port 22 (SSH), 3389 (RDP), 3306 (MySQL), 5432 (PostgreSQL) should never be open to the internet. Use a VPN, bastion host, or AWS Systems Manager Session Manager instead.
- Enable AWS WAF on public-facing applications: Web Application Firewall blocks common web exploits (SQL injection, XSS) before they reach your application.
- Enable Shield Standard: Automatic DDoS protection included with AWS at no additional cost. Shield Advanced ($3,000/month) is worth it only for high-traffic applications with material DDoS risk.
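The first networking item (no 0.0.0.0/0 inbound on sensitive ports) is easy to get wrong by string-matching, because a rule can cover a port range or use protocol -1 (all traffic) and can be IPv6 (::/0). This added example, not part of the original checklist, evaluates rules in the shape of EC2 DescribeSecurityGroups IpPermissions entries; the group IDs and rules are constructed.

```python
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample groups (not from a real account) in the IpPermissions
# shape returned by EC2 DescribeSecurityGroups.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,  # range covers 3306 and 3389
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1",  # all protocols, all ports; AWS omits FromPort/ToPort here
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def _open_to_internet(perm):
    """True if any IPv4 or IPv6 source range on the rule is the whole internet."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)

def _exposed_ports(perm):
    """Sensitive TCP ports covered by this rule. Protocol -1 means every port;
    non-TCP rules (udp, icmp) carry none of the listed services."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "6"):
        return []
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)

def find_exposed_sensitive_ports(groups):
    """Map GroupId -> sorted sensitive ports reachable from 0.0.0.0/0 or ::/0."""
    findings = {}
    for sg in groups:
        ports = set()
        for perm in sg.get("IpPermissions", []):
            if _open_to_internet(perm):
                ports.update(_exposed_ports(perm))
        if ports:
            findings[sg["GroupId"]] = sorted(ports)
    return findings
```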
Automation
AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, and IAM Access Analyzer into a single view with CIS Benchmark scoring. Enable it and use the CIS AWS Foundations Benchmark standard to get a scored compliance view across your account.
Azure Security Posture Essentials
Identity (Microsoft Entra ID)
- Enable MFA for all users: Use Conditional Access policies to enforce MFA. Require MFA for all users, with exceptions only for break-glass accounts.
- Enable Privileged Identity Management (PIM): PIM provides just-in-time privileged access — administrators request elevated roles for a defined window rather than holding permanent admin assignments.
- Block legacy authentication: Legacy authentication protocols (SMTP AUTH, POP3, IMAP, Basic Auth) bypass MFA. Block them with Conditional Access.
- Review and limit Global Administrators: Global Admin is the most privileged role in Azure AD. Maintain 2–4 Global Admins maximum, all with registered MFA and monitored sign-in activity.
Logging and Monitoring
- Enable Microsoft Defender for Cloud (formerly Azure Security Center): Provides continuous security posture assessment, threat protection, and a Secure Score that tracks your configuration against best practices.
- Configure Diagnostic Settings on Azure AD: Audit logs and sign-in logs must be sent to a Log Analytics Workspace or Storage Account for retention. The default retention in Azure AD is only 30 days.
- Enable Activity Log alerts: Alert on critical management operations — role assignment changes, policy modifications, virtual machine deletion.
- Enable Defender for Key Vault: Key Vault is where your secrets live. Defender for Key Vault alerts on unusual access patterns and suspicious operations.
Storage and Data
- Disable public blob access at the account level: Storage account setting "Allow Blob public access" should be disabled. This prevents any container in the account from being made publicly accessible.
- Enable Azure Storage encryption: Storage service encryption is enabled by default. Verify it's using customer-managed keys (CMK) in Azure Key Vault for regulated workloads.
- Enable soft delete for blobs and file shares: Soft delete protects against accidental and malicious deletion, with a configurable retention period.
Networking
- Enable Network Security Group (NSG) flow logs: Captures network traffic metadata for forensic analysis. Store in a Storage Account and set retention to 90+ days.
- Restrict inbound SSH/RDP to management IP ranges: Use NSG rules and Azure Bastion instead of direct internet exposure.
- Enable Azure DDoS Protection Standard: For production workloads. $2,500–$3,000/month depending on resources protected.
GCP Security Posture Essentials
Identity and Access Management
- Enforce no service account keys: Service account keys are long-lived credentials that are difficult to manage and rotate. Use Workload Identity Federation to allow external workloads to authenticate as service accounts without keys.
- Avoid the Editor and Owner primitive roles: These roles grant broad access across all resources. Use predefined roles (specific to each GCP service) or custom roles instead.
- Enable Organization Policy constraints: Use org policies to prevent member accounts from bypassing security controls, for example constraints/iam.disableServiceAccountKeyCreation.
- Enable BeyondCorp Enterprise / Context-Aware Access: Zero-trust access controls that evaluate device state and user context for every access request.
Logging and Monitoring
- Enable Cloud Audit Logs for all services: Data Access audit logs (Admin Activity, Data Read, Data Write) must be enabled. They're disabled by default for cost reasons — enable them for sensitive services.
- Enable Security Command Center Premium: GCP's native CSPM and threat detection. Provides vulnerability findings, misconfiguration detection, and threat intelligence.
- Enable VPC Flow Logs: Similar to AWS, captures network traffic metadata. Enable on all subnets with production workloads.
- Configure log sinks to Cloud Storage or BigQuery: Retain logs beyond the default 30-day log retention. Use an org-level sink to capture logs from all projects centrally.
Storage
- Enforce uniform bucket-level access: Disables legacy ACL system and relies exclusively on IAM. Simpler, more auditable, prevents accidental public exposure through legacy ACLs.
- Disable public access on buckets: GCP does not have an account-level public access block like AWS, but bucket-level allUsers and allAuthenticatedUsers IAM bindings should be absent except for intentionally public assets.
- Enable Object Versioning for critical buckets: Protects against accidental deletion and ransomware.
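The uniform bucket-level access and public-binding items above can be audited together from bucket metadata (the Storage JSON API bucket resource's iamConfiguration field) and the bucket IAM policy. This is an added example, not code from the original checklist; the bucket names, bindings and the allow-list of intentionally public buckets are constructed.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample inputs (not from a real project): per bucket, the bucket
# resource from the Storage JSON API and its IAM policy (bindings list).
SAMPLE_BUCKETS = {
    "acme-www-assets": {
        "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}},
        "policy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
            {"role": "roles/storage.admin", "members": ["group:web-team@acme.example"]}]},
    },
    "acme-customer-exports": {
        "metadata": {"iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}},
        "policy": {"bindings": [
            {"role": "roles/storage.objectViewer",
             "members": ["allAuthenticatedUsers", "user:analyst@acme.example"]}]},
    },
}
# Buckets that are meant to be public (static web content), so allUsers is expected there.
INTENTIONALLY_PUBLIC = {"acme-www-assets"}

def public_bindings(policy):
    """(role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    return [(b.get("role"), m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_MEMBERS]

def uniform_access_enabled(metadata):
    """True when legacy ACLs are disabled and IAM alone governs the bucket."""
    return bool(metadata.get("iamConfiguration", {})
                .get("uniformBucketLevelAccess", {}).get("enabled", False))

def audit_buckets(buckets, intentionally_public=frozenset()):
    """Map bucket name -> list of findings from the two storage checks."""
    findings = {}
    for name, info in buckets.items():
        issues = []
        if not uniform_access_enabled(info["metadata"]):
            issues.append("uniform bucket-level access disabled (legacy ACLs in effect)")
        for role, member in public_bindings(info["policy"]):
            if name not in intentionally_public:
                issues.append(f"public binding {member} -> {role}")
        if issues:
            findings[name] = issues
    return findings
```

Note that allAuthenticatedUsers is treated as public: it means any Google account, not any account in your organization.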
Automating Cloud Security Posture
Manual checklist reviews are insufficient for dynamic cloud environments where configuration changes constantly. Automate your posture monitoring:
- Cloud-native: AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center provide built-in posture scoring and continuous compliance monitoring.
- Third-party CSPM: Wiz, Orca Security, and Lacework provide cross-cloud visibility with more sophisticated attack path analysis. Valuable when operating across multiple cloud providers.
- Infrastructure as Code scanning: Run Checkov, tfsec, or Terrascan in your CI/CD pipeline to catch misconfigurations before they reach production — not after.
The goal is a posture score you review weekly, with alerts for critical findings that demand same-day attention. A cloud misconfiguration that goes undetected for 30 days is 30 days of exposure.