Cloud Security Checklist

Identity and Access Management

    Pull the Entra ID / Okta MFA registration report and reconcile against the HR active-employee list. Flag any account without phishing-resistant MFA (FIDO2, Windows Hello for Business, or number-matching Authenticator); SMS and voice should be retired. Confirm break-glass accounts are excluded but stored in a sealed vault with monitoring on use.

    Confirm Conditional Access policies block IMAP, POP, SMTP AUTH, and other basic-auth endpoints org-wide. Attackers password-spray these endpoints to bypass MFA entirely — the most common cloud account compromise pattern. Review the Sign-in logs filtered to legacy auth for the last 30 days before flipping the block.
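
To see which principals the block would break before flipping it, here is an added script (not part of this checklist) that triages a sign-in log export for legacy clients. It assumes the Entra sign-in log JSON fields userPrincipalName, clientAppUsed, createdDateTime and status.errorCode, treats anything other than Browser and "Mobile Apps and Desktop clients" as legacy, and runs over constructed sample records:

```python
import json
from datetime import datetime, timedelta, timezone

# Entra's sign-in log groups these two clientAppUsed values as modern
# authentication; everything else (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, "Other clients", ...) is legacy/basic auth. Assumption.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "today" for the sample

# Constructed sample export (not real tenant data), trimmed to the fields used.
SAMPLE_SIGNINS = json.loads("""[
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "createdDateTime": "2024-05-20T08:01:00Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "createdDateTime": "2024-05-21T09:00:00Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "createdDateTime": "2024-05-25T11:30:00Z", "status": {"errorCode": 0}},
 {"userPrincipalName": "carol@example.com", "clientAppUsed": "Other clients", "createdDateTime": "2024-05-28T02:00:00Z", "status": {"errorCode": 50126}},
 {"userPrincipalName": "dave@example.com", "clientAppUsed": "POP3", "createdDateTime": "2024-01-05T02:00:00Z", "status": {"errorCode": 0}}
]""")

def legacy_auth_report(signins, now=AS_OF, days=30):
    """Per-user summary of legacy-client sign-ins in the last `days` days:
    {upn: {"success": n, "failure": n, "clients": set(), "last_seen": datetime}}."""
    cutoff = now - timedelta(days=days)
    report = {}
    for s in signins:
        client = s.get("clientAppUsed", "unknown")
        seen = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        if client in MODERN_CLIENTS or seen < cutoff:
            continue
        e = report.setdefault(s["userPrincipalName"],
                              {"success": 0, "failure": 0, "clients": set(), "last_seen": seen})
        ok = s.get("status", {}).get("errorCode", 0) == 0
        e["success" if ok else "failure"] += 1
        e["clients"].add(client)
        e["last_seen"] = max(e["last_seen"], seen)
    return report

def block_readiness(report):
    """Users with successful legacy sign-ins must be migrated before the block is
    enforced; failure-only users are spray/probing noise the block will silence."""
    migrate = sorted(u for u, e in report.items() if e["success"])
    noise = sorted(u for u, e in report.items() if not e["success"])
    return migrate, noise

if __name__ == "__main__":
    rep = legacy_auth_report(SAMPLE_SIGNINS)
    migrate, noise = block_readiness(rep)
    for u in migrate:
        print(f"MIGRATE {u}: {sorted(rep[u]['clients'])} last={rep[u]['last_seen']:%Y-%m-%d}")
    print("failure-only legacy attempts:", noise)
```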

    Export all Global Admin, Privileged Role Admin, AWS root, and GCP Organization Admin assignments. Every standing assignment must justify itself; convert to PIM / just-in-time elevation where possible. Flag any service account holding tenant-level admin.

    Verify Okta / Entra ID SCIM connectors to downstream SaaS apps are syncing without errors. Broken SCIM is the most common reason offboarded users retain access to Salesforce, GitHub, or Slack 90 days after departure.

    Disable any account inactive for 60+ days. Cross-reference against HR's terminations list to catch accounts the offboarding workflow missed. Document each disable in the ticketing system for the audit trail.

Data Protection and Encryption

    Run AWS Config, Azure Policy, or GCP Security Command Center to confirm S3 buckets, EBS volumes, RDS instances, Azure Storage accounts, and Cloud Storage buckets are encrypted with customer-managed keys (CMK) where required. Default service-managed keys are acceptable for non-regulated workloads; PHI, PCI cardholder data, and CUI require CMK with rotation.

    Scan public load balancers and API gateways with SSL Labs or testssl.sh. TLS 1.0/1.1 must be disabled; weak ciphers (RC4, 3DES, CBC modes) removed. Confirm certificates are managed via ACM / Key Vault with auto-renewal — expired certs erode security culture when users are trained to bypass warnings.

    Eighteen months of green backup-success reports mean nothing if a restore fails. Pick one production database and one file share, restore them into a sandbox account, and validate row counts and file integrity. Confirm the immutable copy (S3 Object Lock, Azure immutable blob) survives a simulated ransomware scenario.

    If the test restore fails, open a P1 ticket capturing root cause, scope of affected workloads, interim mitigation, and a target fix date. Loop in the backup vendor's TAM and the workload owner. The restore must be re-tested before this checklist run can close.

    Review Microsoft Purview / Google DLP / AWS Macie rules covering PII, PHI, and PCI patterns. Test with a synthetic credit-card number in a OneDrive doc — if the alert doesn't fire, the policy isn't deployed where you think it is.

Network and Perimeter Security

    Run AWS Config rule restricted-ssh, Azure Network Watcher, or Prisma Cloud query for any security group / NSG allowing 22, 3389, 1433, 3306, or 5432 from the public internet. Document business justification for each finding or close the rule.
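
An added example (not from this checklist) of the same check done directly over `aws ec2 describe-security-groups` output, so port ranges and "all traffic" rules that a simple port-equals-22 filter misses are caught too; the groups below are constructed samples:

```python
import json

# Ports the checklist calls out, with the service each one usually carries.
RISKY_PORTS = {22: "SSH", 3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_SGS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0a1", "GroupName": "bastion", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0b2", "GroupName": "legacy-db", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 4000, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-0c3", "GroupName": "wide-open", "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-0d4", "GroupName": "web", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}""")

def _public_sources(perm):
    """Internet-wide IPv4/IPv6 source ranges on one rule (empty if none)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANY_CIDRS]

def _ports_hit(perm):
    """Risky ports a rule reaches: all of them for 'all traffic', those inside the range for TCP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return set(RISKY_PORTS)
    if proto not in ("tcp", "6"):          # the listed services are TCP
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in RISKY_PORTS if lo <= p <= hi}

def exposed_rules(describe_output):
    """[(GroupId, GroupName, port, service, cidr)] for every rule that lets a risky port
    in from 0.0.0.0/0 or ::/0, including port ranges and 'all traffic' rules."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for cidr in _public_sources(perm):
                for port in sorted(_ports_hit(perm)):
                    findings.append((sg["GroupId"], sg["GroupName"], port, RISKY_PORTS[port], cidr))
    return findings

if __name__ == "__main__":
    for gid, name, port, svc, cidr in exposed_rules(SAMPLE_SGS):
        print(f"{gid} ({name}): {svc}/{port} open from {cidr}")
```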

    Confirm production, non-production, and shared-services VPCs are isolated by Transit Gateway / Virtual WAN policy, not flat-peered. PCI workloads must sit in a dedicated VPC with explicit egress controls.

    Apply pending firmware to FortiGate, Palo Alto, Meraki, and any cloud-deployed NVAs. Cloud-managed services (App Gateway, ALB, Cloud Armor) usually auto-patch but verify the maintenance schedule. Coordinate any reboot through the change advisory board.

    Pull AWS WAF / Azure Front Door / Cloudflare WAF metrics for the last quarter. Tune rules generating high false-positive volume; confirm OWASP Top 10 managed rule sets are in block mode (not count) for production.

    GuardDuty, Defender for Cloud, and Chronicle findings should route to Sentinel / Splunk / QRadar with severity-based triage. Review last quarter's noisiest detection and either tune or suppress with documented rationale.

Logging, Monitoring, and Incident Response

    Confirm CloudTrail (all regions, management + data events for sensitive S3 buckets), Azure Activity Log + diagnostic settings, and GCP Cloud Audit Logs are flowing to the SIEM with at least 12 months retention. Gaps in audit logs are the first thing a forensics investigator asks about and the most common SOC 2 finding.
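
Added example, not from the checklist author: a check that a logging, multi-region trail captures read and write management events and that each named sensitive bucket has read+write S3 data events. It assumes classic EventSelectors (not AdvancedEventSelectors) and the fields of describe-trails, get-trail-status and get-event-selectors merged per trail; the trail and bucket names are constructed.

```python
import json

# Constructed sample: one entry per trail, merging describe-trails (IsMultiRegionTrail),
# get-trail-status (IsLogging) and get-event-selectors (EventSelectors) fields.
SAMPLE_TRAILS = json.loads("""[
 {"Name": "org-trail", "IsMultiRegionTrail": true, "IsLogging": true,
  "EventSelectors": [{"ReadWriteType": "All", "IncludeManagementEvents": true,
   "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::phi-exports/"]}]}]},
 {"Name": "legacy-us-east-1", "IsMultiRegionTrail": false, "IsLogging": false,
  "EventSelectors": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": true,
   "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}]}]}
]""")
SENSITIVE_BUCKETS = ["phi-exports", "card-data-archive"]  # constructed names

def _active(trail):
    # A trail that exists but is not logging (IsLogging false) covers nothing.
    return bool(trail.get("IsLogging"))

def management_coverage(trails):
    """True when some logging, multi-region trail records read and write management events."""
    return any(_active(t) and t.get("IsMultiRegionTrail")
               and any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All"
                       for s in t.get("EventSelectors", []))
               for t in trails)

def _selector_covers_bucket(sel, bucket):
    """True if this selector logs read+write object events for `bucket`.
    'arn:aws:s3:::' / 'arn:aws:s3' selects every bucket; 'arn:aws:s3:::name/' one bucket."""
    if sel.get("ReadWriteType") != "All":
        return False
    for res in sel.get("DataResources", []):
        if res.get("Type") != "AWS::S3::Object":
            continue
        for v in res.get("Values", []):
            if v in ("arn:aws:s3:::", "arn:aws:s3") or v.startswith(f"arn:aws:s3:::{bucket}/"):
                return True
    return False

def uncovered_buckets(trails, buckets):
    """Sensitive buckets for which no logging trail captures read and write data events."""
    return [b for b in buckets
            if not any(_active(t) and any(_selector_covers_bucket(s, b)
                                          for s in t.get("EventSelectors", []))
                       for t in trails)]

if __name__ == "__main__":
    print("management events covered:", management_coverage(SAMPLE_TRAILS))
    print("buckets missing read+write data events:", uncovered_buckets(SAMPLE_TRAILS, SENSITIVE_BUCKETS))
```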

    Pick a realistic scenario — exposed access key on GitHub, compromised admin via session-token theft, ransomware in a backup account. Walk the IR team through detection, containment, eradication, and customer notification. Capture lessons learned in the IR plan.

    Each gap identified in the tabletop gets a ticket in Jira / ServiceNow with a named owner, target date, and link to the tabletop after-action report. Critical gaps require CISO sign-off on the remediation plan before this checklist closes.

    Validate PagerDuty / Opsgenie schedules for the security on-call. Page a test alert end-to-end. Confirm the legal and PR escalation contacts are current — most IR plans go stale when org charts change.

Compliance and Governance Review

    Update the control mapping for SOC 2, HIPAA, PCI DSS, or CMMC as applicable. AWS Audit Manager, Azure Compliance Manager, and Vanta / Drata can pre-populate evidence. Note any control marked 'not applicable' with the scoping rationale.

    Pull current findings from Wiz, Prisma Cloud, Defender for Cloud, or Security Command Center. Triage criticals to a 7-day SLA, highs to 30 days. Track exception requests with documented compensating controls.

    Pull license reports from M365 admin center, AWS Cost Explorer, and SaaS management (Torii, Zylo). Flag unlicensed VMs and unused per-user licenses. Vendor true-ups (Microsoft, Oracle, VMware) become six-figure surprises when this slips.

    The IT director or CISO reviews the completed checklist, outstanding remediation tickets, and CSPM trend. Sign-off goes to the audit folder for SOC 2 / ISO evidence.