Back to ResourcesTemplate
Cloud Security Configuration Checklist
A baseline checklist for locking down storage, identity and access management, and network configuration across AWS, Azure, and GCP environments.
Storage
- Confirm no storage buckets or blobs are set to public read/write access unless explicitly required and documented.
- Enable versioning and access logging on all storage containing sensitive data.
- Apply encryption at rest using customer-managed keys where compliance requires it.
Identity and access management
- Review IAM roles and policies quarterly for excessive permissions granted "temporarily" that were never revoked.
- Enforce least privilege by default for all service accounts and roles.
- Require phishing-resistant MFA for all human access to the cloud console.
Network
- Confirm no management interfaces or admin consoles are reachable from the open internet.
- Restrict lateral traffic between services to only what applications actually require.
- Enable flow logs and retain them long enough to support incident investigation.
Ongoing hygiene
- Deploy continuous cloud security posture management (CSPM) rather than relying on periodic manual review.
- Include cloud environments in the scope of regular penetration testing.
- Set a recurring calendar reminder to review this checklist, configuration drift is a when, not an if.
