Section 1
Identity & Access Management
Implement least-privilege access across cloud providers
- Enable MFA for all IAM users, especially root/admin accounts
- Use IAM roles instead of long-lived access keys
- Implement just-in-time (JIT) access for privileged operations
- Regularly review and rotate credentials (90-day maximum)
- Use service accounts with minimal permissions for applications
- Implement cross-account access with external IDs for AWS
- Centralize identity with SSO (SAML/OIDC) where possible
Section 2
Encryption & Key Management
Protect data at rest and in transit
- Enable encryption at rest for all storage services (S3, EBS, GCS, Azure Storage)
- Use customer-managed keys (CMK) for sensitive workloads
- Enforce TLS 1.2+ for all data in transit
- Implement key rotation policies (annual at minimum)
- Use envelope encryption for application-level encryption
- Audit key usage and access in CloudTrail/Cloud Audit Logs
- Store keys in managed HSMs (AWS KMS, Azure Key Vault, Cloud KMS)
Section 3
Network Security
Secure network configurations and access controls
- Use VPCs/VNets with private subnets for backend services
- Implement security groups with explicit allow rules (deny by default)
- Enable VPC flow logs for network traffic monitoring
- Use private endpoints for managed services (S3, RDS, Azure SQL)
- Implement WAF for public-facing applications
- Restrict management ports (22, 3389) to VPN/bastion only
- Use network segmentation to isolate sensitive workloads
Section 4
Logging & Monitoring
Comprehensive visibility into cloud activities
- Enable CloudTrail (AWS), Cloud Audit Logs (GCP), Activity Log (Azure)
- Configure log retention for compliance requirements (1+ years)
- Forward logs to centralized SIEM for correlation
- Enable S3 access logging for object-level auditing
- Set up alerts for high-risk events (root login, policy changes)
- Monitor for IAM changes, especially new users and roles
- Use cloud-native threat detection (GuardDuty, Security Command Center)
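As an added example (not part of the original checklist), the alerting items above turned into a small detector: it scans CloudTrail records for root console logins, console logins without MFA, and IAM user/role/policy changes. The set of IAM event names and the sample log records are constructed for this example.

```python
import json

# Event names treated as "IAM changes" (new users/roles, policy edits).
# This set is an assumption for the example; extend it for your environment.
IAM_CHANGE_EVENTS = {
    "CreateUser", "CreateRole", "CreateAccessKey", "CreateLoginProfile",
    "PutUserPolicy", "PutRolePolicy", "AttachUserPolicy", "AttachRolePolicy",
    "UpdateAssumeRolePolicy", "DeleteUserPolicy", "DetachRolePolicy",
}

def classify_event(record):
    """Return alert tags for one CloudTrail record; an empty list means no alert."""
    tags = []
    identity = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        tags.append("ROOT_CONSOLE_LOGIN")
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        tags.append("CONSOLE_LOGIN_WITHOUT_MFA")
    if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
        tags.append("IAM_CHANGE")
    return tags

def find_high_risk(records):
    """Filter CloudTrail records down to (time, actor ARN, event name, tags) tuples."""
    hits = []
    for r in records:
        tags = classify_event(r)
        if tags:
            actor = r.get("userIdentity", {}).get("arn", "<unknown>")
            hits.append((r.get("eventTime"), actor, r.get("eventName"), tags))
    return hits

# Constructed sample in the CloudTrail log-file layout ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T03:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T03:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventTime": "2024-01-01T03:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventTime": "2024-01-01T03:25:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})

def load_records(log_text):
    """Parse one CloudTrail log file (JSON text) into its list of records."""
    return json.loads(log_text)["Records"]
```

Running `find_high_risk(load_records(SAMPLE_LOG))` on the sample yields two hits: the root login (also flagged as MFA-less) and the CreateUser call; the EC2 read and the MFA-protected user login produce no alert.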
Section 5
Storage Security
Secure cloud storage and prevent data exposure
- Block public access at the account/organization level
- Enable versioning and MFA delete for critical buckets
- Implement bucket policies with an explicit deny for unintended cross-account access
- Use object lock for immutable backups (ransomware protection)
- Enable access logging on all storage buckets
- Scan storage for sensitive data (PII, secrets) regularly
- Implement data lifecycle policies for cost and compliance
Section 6
Compliance Frameworks
Map security controls to regulatory requirements
- Enable CIS Benchmark scanning for continuous compliance
- Map controls to SOC 2, ISO 27001, PCI-DSS requirements
- Implement automated evidence collection for audits
- Use AWS Config, Azure Policy, or GCP Organization Policy
- Document remediation procedures for common findings
- Schedule regular compliance reviews (quarterly minimum)
- Maintain an up-to-date asset inventory across all accounts