Back to ResourcesTemplate

Cloud Security Configuration Checklist

A baseline checklist for locking down storage, identity and access management, and network configuration across AWS, Azure, and GCP environments.

Storage

  • Confirm no storage buckets or blobs are set to public read/write access unless explicitly required and documented.
  • Enable versioning and access logging on all storage containing sensitive data.
  • Apply encryption at rest using customer-managed keys where compliance requires it.

Identity and access management

  • Review IAM roles and policies quarterly for excessive permissions granted "temporarily" that were never revoked.
  • Enforce least privilege by default for all service accounts and roles.
  • Require phishing-resistant MFA for all human access to the cloud console.

Network

  • Confirm no management interfaces or admin consoles are reachable from the open internet.
  • Restrict lateral traffic between services to only what applications actually require.
  • Enable flow logs and retain them long enough to support incident investigation.

Ongoing hygiene

  • Deploy continuous cloud security posture management (CSPM) rather than relying on periodic manual review.
  • Include cloud environments in the scope of regular penetration testing.
  • Set a recurring calendar reminder to review this checklist, configuration drift is a when, not an if.