The 2026 Cloud Security Audit Checklist
A field-tested walkthrough of the controls we check first on AWS, Azure, and GCP engagements — and the misconfigurations that catch teams off guard.
RAZR Advisory
Every quarter our team runs dozens of cloud security audits across AWS, Azure, and GCP. The same handful of gaps show up on almost every engagement — not because teams are careless, but because cloud defaults quietly drift as environments grow.
This is the checklist we use to open every audit. It won't replace a full assessment, but it will surface the misconfigurations most likely to hurt you before a formal review begins.
1. Identity is still the perimeter
Over 70% of the incidents we investigated in the last twelve months traced back to an over-permissioned identity — human or machine. Start every audit here.
- Enumerate all IAM principals with wildcard actions or resources.
- Flag roles that haven't been used in 90 days.
- Verify MFA is enforced for every human identity, including break-glass accounts.
- Confirm short-lived credentials are used everywhere programmatic access is granted.
2. Network posture and public exposure
Public buckets and open management ports remain the fastest way to end up in a breach headline. Automate this check — humans miss it.
- Scan for storage buckets and blob containers with public read/write.
- Audit security groups for
0.0.0.0/0ingress on SSH, RDP, and database ports. - Verify private endpoints are used for internal service-to-service traffic.
3. Logging, monitoring, and retention
You can't respond to what you can't see. We check three things on every engagement:
- CloudTrail / Activity Log / Cloud Audit Logs are enabled in every region and every account.
- Logs are shipped to a tamper-evident destination with at least 365 days of retention.
- There are working alerts — not just dashboards — for root logins, IAM policy changes, and disabled logging.
The best time to build detection is before you need it. The second best time is today. — RAZR IR playbook
4. Data protection
- Encryption at rest is enabled for every managed data store, with customer-managed keys where policy requires.
- TLS 1.2+ is enforced end-to-end; TLS 1.0/1.1 endpoints are disabled.
- Backups are encrypted, tested, and stored in a separate account or subscription.
Where to go next
If you want to see how your environment scores against this list, our 15-minute diagnostic maps directly to the categories above and produces a prioritized 30/60/90-day action plan.