Free Checklist

CLOUD SECURITY BASELINE CHECKLIST

The essential security controls for AWS, Azure, and GCP environments. Use this checklist to assess your cloud posture, identify critical gaps, and build a prioritized remediation plan.

How to use this checklist

  • Assess each control as Implemented, Partial, or Not in Place.
  • Prioritize Critical and High risk items before addressing Medium-High controls.
  • Use the listed tools to automate detection and ongoing monitoring.
  • Re-run this checklist after any significant infrastructure change.
  1. Identity and Access Management

    Critical risk: IAM misconfigurations are consistently among the most common root causes of cloud breaches.

    Security checks

    • Enforce least privilege — grant the minimum permissions required for each role and service account.
    • Eliminate wildcard actions and resources (*) in IAM policies, including service-wide wildcards such as s3:*; scope down over-permissive roles.
    • Use separate accounts or projects per environment (development, staging, production).
    • Audit unused IAM roles and permissions quarterly and remove what is no longer needed.

    Tools and evidence

    • AWS IAM Access Analyzer (including its unused-access findings), Azure Policy together with Microsoft Entra access reviews, or GCP IAM Recommender for automated detection.
    • Role and permission matrix documentation.
    • MFA enforcement confirmation for all human IAM users.
  2. Root and Super-Admin Account Hardening

    Critical risk: compromise of a root or owner account gives an attacker complete, unrestricted control of the environment.

    Security checks

    • Do not use the root or owner account for day-to-day operations.
    • Enable hardware MFA on root and owner accounts.
    • Delete or disable root access keys (AWS) and equivalent long-lived super-admin credentials.
    • Configure alerts for any root or owner account login event.

    Tools and evidence

    • CloudWatch or EventBridge alarm on CloudTrail events where userIdentity.type is Root.
    • Hardware MFA enrollment confirmation.
    • Root access key deletion confirmation in IAM console.
  3. Logging and Monitoring

    High risk: without audit logs, breach detection and forensic investigation are not possible.

    Security checks

    • Enable audit logging for all API calls and management-plane activity (CloudTrail, Azure Activity Log, GCP Audit Logs).
    • Send logs to a centralized, tamper-resistant destination separate from the workload (a dedicated logging account or project with tightly restricted write and delete access); enable log file integrity validation where the provider offers it.
    • Configure alerts for high-risk events: root login, IAM policy changes, and public resource creation.
    • Retain logs for at least 90 days; 12 months recommended for incident investigation.

    Tools and evidence

    • Audit log configuration screenshots or exports.
    • Log retention policy documentation.
    • Alert rule configuration (CloudWatch, Azure Monitor, GCP Log-based Alerts).
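The alerts called for in sections 2 and 3 (root login, IAM policy changes, public resource creation) are easiest to reason about as detection rules run over raw CloudTrail records. The following is an added example written for this page, not Prometheus code or any provider's SDK: it applies a small rule set to a constructed CloudTrail log file. The record fields are the standard CloudTrail ones (userIdentity.type, eventName, additionalEventData.MFAUsed, requestParameters); the list of policy-changing event names is an assumption to be extended for your environment, and the sample records are fabricated.

```python
"""Detection logic for the high-risk CloudTrail events the checklist says to alert on.

Assumed, not exhaustive: the event names below are common IAM policy-mutating calls
and logging-tamper calls; extend the sets for your environment.
"""
import json

IAM_POLICY_CHANGE_EVENTS = {
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "CreatePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
}
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "PutEventSelectors"}
# All four flags must be true for S3 Block Public Access to be fully on.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def classify_event(event: dict) -> list[str]:
    """Return the alert names a single CloudTrail record triggers (empty list if none)."""
    alerts = []
    name = event.get("eventName", "")
    identity = event.get("userIdentity", {})

    # Sections 2 and 3: any root activity is alert-worthy; console logins also get an MFA check.
    if identity.get("type") == "Root":
        if name == "ConsoleLogin":
            mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            alerts.append("root-console-login" if mfa_used else "root-console-login-without-mfa")
        else:
            alerts.append("root-api-call")

    if name in IAM_POLICY_CHANGE_EVENTS:
        alerts.append("iam-policy-change")

    # Public resource creation: weakening Block Public Access is the usual first step.
    if name == "PutBucketPublicAccessBlock":
        cfg = event.get("requestParameters", {}).get("PublicAccessBlockConfiguration", {})
        if not all(cfg.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS):
            alerts.append("public-access-block-weakened")

    if name in LOGGING_TAMPER_EVENTS:
        alerts.append("audit-logging-tampered")
    return alerts


def scan_log_file(raw_json: str) -> list[tuple[str, str, str]]:
    """Run classify_event over a CloudTrail log file body ({"Records": [...]}).
    Returns (eventTime, eventName, alert) triples in record order."""
    hits = []
    for record in json.loads(raw_json).get("Records", []):
        for alert in classify_event(record):
            hits.append((record.get("eventTime", ""), record.get("eventName", ""), alert))
    return hits


# Constructed sample records, trimmed to the fields the rules read. Account ID and names are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventName": "PutBucketPublicAccessBlock",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"bucketName": "app-data-prod",
                           "PublicAccessBlockConfiguration": {
                               "BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}},
    {"eventTime": "2024-05-01T08:09:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventTime": "2024-05-01T08:12:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "requestParameters": {"name": "org-trail"}},
]
SAMPLE_LOG = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for when, what, alert in scan_log_file(SAMPLE_LOG):
        print(f"{when}  {what:<28} {alert}")
```

In production the same classify_event logic belongs in an EventBridge rule or a log-based alert rather than a batch script, but expressing it as plain code first makes the rule set reviewable and testable before it is translated into provider syntax.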
  4. Storage and Object Security

    High risk: publicly exposed storage buckets are among the most common sources of data breaches.

    Security checks

    • Scan all storage buckets and containers for public access; block public access unless explicitly required and documented.
    • Enable versioning and object locking for buckets containing critical or regulated data.
    • Encrypt all storage at rest using customer-managed or provider-managed keys.
    • Audit bucket ACLs and lifecycle policies on a defined regular schedule.

    Tools and evidence

    • Public access block configuration screenshots for all storage accounts.
    • Encryption setting documentation.
    • Versioning and retention policy configuration.
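Sections 1 and 4 both come down to reading policy documents: wildcard actions and resources in identity policies, and a Principal of * with no Condition in a bucket policy. The following added example (written for this checklist, not code from Prometheus or from AWS) audits both kinds of policy with one set of rules. The sample policies, bucket names and account ID are constructed.

```python
"""Static review of IAM policy documents for the two problems the checklist calls out:
wildcard actions/resources in identity policies (section 1) and anonymous principals in
resource policies such as S3 bucket policies (section 4). Sample policies are constructed."""
import json


def _as_list(value) -> list:
    # The policy grammar allows a bare string or a list for Action, Resource and principal values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal) -> bool:
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone, including unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def audit_policy(document: dict, kind: str) -> list[dict]:
    """kind is "identity" (attached to a user, group or role) or "resource" (bucket, queue, topic, key).
    Returns one finding per problem; only Allow statements can widen access, so Deny is skipped."""
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))

        if "NotAction" in stmt:
            # Allow + NotAction grants every action except those listed, which is almost never intended.
            findings.append({"sid": sid, "issue": "allow-with-notaction", "detail": str(stmt["NotAction"])})
        if "*" in actions:
            findings.append({"sid": sid, "issue": "wildcard-action", "detail": "*"})
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append({"sid": sid, "issue": "service-wildcard-action", "detail": action})

        # Resource "*" is a review item rather than an automatic failure: a few actions only support it.
        if kind == "identity" and "*" in _as_list(stmt.get("Resource")):
            findings.append({"sid": sid, "issue": "wildcard-resource", "detail": "*"})

        # A resource policy that names everyone and attaches no Condition is public.
        if kind == "resource" and _principal_is_anonymous(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append({"sid": sid, "issue": "anonymous-principal", "detail": "Principal * with no Condition"})
    return findings


# Constructed samples. The first is the kind of policy that fails section 1; the last passes it.
OVERLY_BROAD_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Any", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-data-*"},
        {"Sid": "ReadOnlyOk", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-data-prod/*"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data-prod/*"},
        {"Sid": "CloudFrontOnly", "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data-prod/*",
         "Condition": {"StringEquals": {
             "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"}}},
    ],
}
HARDENED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadProdObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-data-prod", "arn:aws:s3:::app-data-prod/*"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_policy(OVERLY_BROAD_IDENTITY_POLICY, "identity"), indent=2))
    print(json.dumps(audit_policy(PUBLIC_BUCKET_POLICY, "resource"), indent=2))
```

The CloudFrontOnly statement shows why the Condition check matters: a service principal scoped by AWS:SourceArn is not public even though it grants the same action as the PublicRead statement, so a rule that only looked at Action would miss the difference.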
  5. Network Security

    High risk: default-open security groups and firewall rules expose unnecessary attack surface.

    Security checks

    • Audit security groups and firewall rules; remove inbound rules from 0.0.0.0/0 and ::/0 except where explicitly documented and justified.
    • Block inbound access to management ports (SSH 22, RDP 3389) from the public internet; reach instances through a bastion host, a VPN, or the provider's brokered access (AWS Systems Manager Session Manager, Azure Bastion, GCP Identity-Aware Proxy).
    • Enable VPC/VNet flow logs to monitor traffic patterns and support incident investigation.
    • Use private endpoints for managed services (databases, storage, key vaults) wherever possible.

    Tools and evidence

    • Security group and firewall rule export with justification for each open rule.
    • VPC/VNet flow log configuration documentation.
    • Private endpoint deployment inventory.
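The first two network checks above can be automated against an export in the shape of aws ec2 describe-security-groups. The following is an added example, not part of the original checklist and not Prometheus code: it flags inbound rules reachable from 0.0.0.0/0 or ::/0, treats management ports and all-traffic rules as critical, and accepts documented exceptions for other ports. The security group IDs and rules are constructed sample data, and the exception-list format is an assumption.

```python
"""Audit a describe-security-groups style export for inbound rules open to the whole internet.
Sample data is constructed; the group IDs are made up."""
import ipaddress

MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def is_internet_wide(cidr: str) -> bool:
    # 0.0.0.0/0 and ::/0 both parse to a zero-length prefix, which is the "anyone" case.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups: list[dict], documented_exceptions: set[tuple[str, int, int]]) -> list[dict]:
    """One finding per inbound rule that is reachable from anywhere.

    documented_exceptions holds (group_id, from_port, to_port) tuples that have a written
    justification; management ports and all-traffic rules are never accepted as exceptions."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_internet_wide(cidr) for cidr in sources):
                continue
            if perm.get("IpProtocol") == "-1":  # all traffic; AWS omits the port fields here
                findings.append({"group": gid, "severity": "critical",
                                 "detail": "all protocols and ports open to the internet"})
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = [f"{name} {port}" for port, name in MANAGEMENT_PORTS.items() if lo <= port <= hi]
            if exposed:
                findings.append({"group": gid, "severity": "critical",
                                 "detail": ", ".join(exposed) + " open to the internet"})
            elif (gid, lo, hi) not in documented_exceptions:
                findings.append({"group": gid, "severity": "high",
                                 "detail": f"ports {lo}-{hi} open to the internet without documented justification"})
    return findings


# Constructed sample export: a web tier, a forgotten bastion, an internal group and a wide-open group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2c3d4e", "GroupName": "bastion-legacy", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0c3d4e5f", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-0d4e5f60", "GroupName": "open-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
# Only HTTPS on the web tier has a written justification in this sample.
DOCUMENTED_EXCEPTIONS = {("sg-0a1b2c3d", 443, 443)}

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS, DOCUMENTED_EXCEPTIONS):
        print(f"[{finding['severity']}] {finding['group']}: {finding['detail']}")
```

Keeping the exception list as data next to the audit, rather than as comments on the rules, gives you the "export with justification for each open rule" evidence item for free: any internet-facing rule that is neither excepted nor a management port shows up as a finding.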
  6. Secrets and Key Management

    High risk: hardcoded credentials are routinely harvested by attackers scanning public code repositories and are a recurring factor in supply chain compromises.

    Security checks

    • Never store secrets, API keys, or credentials in source code, config files, or plain-text environment variables.
    • Use a managed secrets service (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) for all credentials.
    • Rotate access keys and secrets on a defined schedule; remove credentials that are no longer used.
    • Scan code repositories for accidentally committed secrets in pre-commit hooks and CI, not only before deployment; treat any committed secret as compromised and rotate it, since removing it from history is not enough.

    Tools and evidence

    • Secrets manager configuration and secret inventory.
    • Key rotation policy with last-rotated dates.
    • Repository secret scanning results (GitHub Advanced Security, GitGuardian, or equivalent).
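The repository scan in the last check above is essentially pattern matching plus an entropy check. The following added example (not the original checklist's code, nor any product's detection rules) shows a minimal scanner over a constructed configuration file; the access key pair it finds is the placeholder pair used throughout AWS documentation, not a live credential, and the entropy threshold and rule set are assumptions tuned for the sample.

```python
"""Scan source or config text for committed credentials: provider-specific patterns plus an
entropy check on generic secret assignments. The sample input is constructed; the AWS key pair
in it is the documented placeholder pair from AWS's own docs, not a live credential."""
import math
import re

PATTERNS = {
    # AWS access key IDs are 20 chars: a 4-char prefix (AKIA long-term, ASIA temporary) + 16 uppercase/digits.
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    # A 40-char base64 token close to the word "secret" on a line that mentions aws.
    "aws-secret-access-key": re.compile(r"(?i)aws.{0,20}secret.{0,20}['\"]?[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Generic "<name> = '<value>'" assignments whose quoted value is long enough to be a credential.
ASSIGNMENT = re.compile(r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]([^'"\s]{12,})['"]""")


def shannon_entropy(value: str) -> float:
    """Bits per character. Random base64 tokens sit near 5; words and templated references near 3 to 4."""
    if not value:
        return 0.0
    length = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum((k / length) * math.log2(k / length) for k in counts.values())


def scan_text(text: str, path: str = "<constructed>", entropy_threshold: float = 4.5) -> list[dict]:
    """Return one finding per (line, rule). The 4.5 threshold is an assumption tuned so a 32-char
    random token is caught while a templated reference like ${API_KEY_FROM_VAULT} is not."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
        for match in ASSIGNMENT.finditer(line):
            if shannon_entropy(match.group(1)) >= entropy_threshold:
                findings.append({"path": path, "line": lineno, "rule": "high-entropy-assignment"})
    return findings


# Constructed sample file. Lines 3 and 4 are the AWS documentation placeholder key pair;
# line 5 is a made-up random token; line 6 is the correct pattern (a reference into a vault).
SAMPLE_CONFIG = """\
# constructed sample file for this example
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password = "Qz9fL2xV7kTb3RmW8sYp4Hn6Jd1Gc5Ea"
api_key = "${API_KEY_FROM_VAULT}"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG, path="config.ini"):
        print(f"{finding['path']}:{finding['line']}: {finding['rule']}")
```

The entropy rule is what catches the credentials no provider pattern knows about (database passwords, third-party tokens), at the cost of false positives on long random-looking identifiers; in a pre-commit hook, pair it with an allowlist keyed on file path and line hash rather than lowering the threshold.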
  7. Patch and Image Management

    High risk: unpatched cloud instances are a common ransomware and exploitation entry point.

    Security checks

    • Enable automatic OS patching for managed compute instances where operationally feasible.
    • Use hardened, up-to-date base images for virtual machines and container workloads.
    • Scan running instances and container images for known vulnerabilities on a regular schedule.
    • Decommission instances that are no longer actively maintained or serving a current purpose.

    Tools and evidence

    • Patch management policy and auto-update configuration.
    • Container image scan reports (Amazon ECR image scanning, Microsoft Defender for Containers, GCP Artifact Analysis).
    • Instance inventory with last-patch dates.
  8. Data Encryption in Transit

    Medium-high risk: unencrypted internal traffic can be intercepted by an attacker who has gained any foothold for lateral movement.

    Security checks

    • Enforce TLS 1.2 or higher for all external-facing endpoints; disable TLS 1.0 and 1.1.
    • Enforce HTTPS on all load balancers, API gateways, and web applications.
    • Require TLS on connections between internal services and managed databases, and enforce it server-side so clients cannot silently fall back to cleartext.
    • Automate TLS certificate management to prevent expiry-related outages.

    Tools and evidence

    • TLS configuration documentation for load balancers and API gateways.
    • Certificate inventory with renewal automation confirmation.
    • Protocol version enforcement policy.
  9. Backup and Disaster Recovery

    High risk: cloud environments are not inherently protected against ransomware or accidental deletion.

    Security checks

    • Enable automated backups for all critical databases and managed services.
    • Store backups in a separate account or region with delete protection enabled (an immutable or locked vault where the provider offers one); a different storage class on its own provides no isolation.
    • Test backup restoration at least annually and document results.
    • Define and document Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical workloads.

    Tools and evidence

    • Backup configuration and schedule documentation.
    • Cross-account or cross-region backup setup confirmation.
    • Restoration test results with date.
  10. Continuous Security Posture Management

    Foundational: automated posture management catches configuration drift before it becomes a breach.

    Security checks

    • Enable the cloud provider's native security posture tool (AWS Security Hub, Microsoft Defender for Cloud, GCP Security Command Center).
    • Review findings at least weekly; assign owners to all non-compliant resources.
    • Establish a baseline score and track improvement over time.
    • Integrate posture findings into your vulnerability management workflow.

    Tools and evidence

    • Security Hub / Defender for Cloud / Security Command Center activation and current score.
    • Finding review cadence documentation.
    • Remediation tracking log for open findings.

Need a cloud security assessment?

Prometheus conducts cloud security assessments for AWS, Azure, and GCP environments — reviewing IAM configuration, network posture, logging, data exposure, and more. We deliver a prioritized findings report with remediation guidance.

Request a consultation