Cloud Security

The 2026 Cloud Security Audit Checklist

A field-tested walkthrough of the controls we check first on AWS, Azure, and GCP engagements — and the misconfigurations that catch teams off guard.

RAZR Advisory

8 min read

Every quarter our team runs dozens of cloud security audits across AWS, Azure, and GCP. The same handful of gaps show up on almost every engagement — not because teams are careless, but because cloud defaults quietly drift as environments grow.

This is the checklist we use to open every audit. It won't replace a full assessment, but it will surface the misconfigurations most likely to hurt you before a formal review begins.

1. Identity is still the perimeter

Over 70% of the incidents we investigated in the last twelve months traced back to an over-permissioned identity — human or machine. Start every audit here.

  • Enumerate all IAM principals with wildcard actions or resources.
  • Flag roles that haven't been used in 90 days.
  • Verify MFA is enforced for every human identity, including break-glass accounts.
  • Confirm short-lived credentials are used everywhere programmatic access is granted.

2. Network posture and public exposure

Public buckets and open management ports remain the fastest way to end up in a breach headline. Automate this check — humans miss it.

  • Scan for storage buckets and blob containers with public read/write.
  • Audit security groups for 0.0.0.0/0 ingress on SSH, RDP, and database ports.
  • Verify private endpoints are used for internal service-to-service traffic.

3. Logging, monitoring, and retention

You can't respond to what you can't see. We check three things on every engagement:

  1. CloudTrail / Activity Log / Cloud Audit Logs are enabled in every region and every account.
  2. Logs are shipped to a tamper-evident destination with at least 365 days of retention.
  3. There are working alerts — not just dashboards — for root logins, IAM policy changes, and disabled logging.

The best time to build detection is before you need it. The second best time is today. — RAZR IR playbook

4. Data protection

  • Encryption at rest is enabled for every managed data store, with customer-managed keys where policy requires.
  • TLS 1.2+ is enforced end-to-end; TLS 1.0/1.1 endpoints are disabled.
  • Backups are encrypted, tested, and stored in a separate account or subscription.

Where to go next

If you want to see how your environment scores against this list, our 15-minute diagnostic maps directly to the categories above and produces a prioritized 30/60/90-day action plan.

Share this post

Get new posts in your inbox

Field notes on cloud security, compliance, and incident response. One email when we publish. No spam.

Ready to see how your stack scores?

Take the 15-minute diagnostic and get a prioritized 30/60/90-day action plan.

Related posts

More reading based on this post's category and tags.