Home
/Checklists
/Cloud Security Assessment Checklist

Cloud27 items

Cloud Security Assessment Checklist

A thorough security assessment checklist for cloud environments including AWS, Azure, and GCP. Covers identity and access management, storage security, network configuration, compute workloads, and serverless architecture review.

CIS BenchmarksCSA CCMNIST SP 800-144NIST SP 800-115

Progress: 0 of 27 items

Identify cloud service providers and account IDs in scopeinfo

Document all AWS accounts, Azure subscriptions, or GCP projects included in testing.

Review cloud provider penetration testing policies

Ensure compliance with AWS, Azure, or GCP acceptable use policies for security testing.

Obtain read-only IAM credentials for configuration review

Request SecurityAudit or Reader role credentials for automated assessment tooling.

Identify shared responsibility model boundaries

Clarify which security controls are the customer's responsibility versus the provider's.

Inventory cloud services in use (compute, storage, databases, serverless)

Map all active services to determine the full attack surface.

Audit IAM policies for overly permissive permissionscritical

Check for wildcard (*) actions, resources, and policies granting excessive access.

Review root/owner account usage and MFA enforcementcritical

Verify root account has MFA enabled and is not used for daily operations.

Check for long-lived access keys and credential rotationhigh

Identify static API keys older than 90 days and service accounts without key rotation.

Assess cross-account trust relationships and role assumptionshigh

Review IAM trust policies and external ID requirements for cross-account roles.

Test for privilege escalation paths through IAM misconfigurationscritical

Use tools like Pacu or PMapper to identify IAM escalation chains.

Review service-linked roles and managed policy attachmentshigh

Check for custom policies that grant unintended access through service roles.

Check for publicly accessible storage buckets/blobscritical

Scan S3 buckets, Azure Blob containers, and GCS buckets for public read/write access.

Verify encryption at rest for all storage serviceshigh

Confirm server-side encryption is enabled with appropriate key management (KMS vs. default).

Assess database security groups and public accessibilitycritical

Check for RDS, Azure SQL, or Cloud SQL instances exposed to the internet.

Review storage bucket policies and ACLs for misconfigurationshigh

Identify overly permissive bucket policies that could allow unauthorized access.

Check for sensitive data in storage logs and backupsmedium

Review CloudTrail logs, database snapshots, and backup vaults for exposure.

Review security group and firewall rules for overly permissive inbound accesscritical

Identify rules allowing 0.0.0.0/0 on sensitive ports (SSH, RDP, databases).

Assess VPC peering, transit gateway, and network connectivityhigh

Review network architecture for unintended connectivity between environments.

Check EC2/VM instance metadata service protections (IMDSv2)high

Verify that Instance Metadata Service v2 is enforced to prevent SSRF-based credential theft.

Review serverless function configurations and permissionshigh

Check Lambda/Functions execution roles, environment variables, and timeout settings.

Test for container escape and Kubernetes misconfigurationscritical

Assess EKS/AKS/GKE clusters for privileged containers, RBAC issues, and exposed dashboards.

Verify logging and monitoring configurationsmedium

Confirm CloudTrail, VPC Flow Logs, and GuardDuty or equivalent are enabled and properly configured.

Map findings to CIS Benchmark controls

Reference specific CIS control IDs for each identified misconfiguration.

Provide Infrastructure-as-Code remediation snippets

Include Terraform, CloudFormation, or ARM template fixes for each finding.

Document cloud attack paths with privilege escalation chains

Visualize how initial access could lead to account-wide compromise.

Recommend cloud security posture management improvements

Suggest CSPM tooling, automated compliance scanning, and guardrail implementations.

Clean up any resources created during testing

Remove test IAM users, security groups, storage objects, and compute instances.

Related Vulnerabilities

Security Misconfiguration

medium

Broken Access Control

critical

Server-Side Request Forgery

high

Cryptographic Failures

high

Insecure Design

high

Industries Using This Checklist

Financial Services & Banking

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Vulnsy

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Contact

luke@vulnsy.com

Cloud Security Assessment Checklist

Pre-Engagement

IAM & Access Control Review

Storage & Data Security

Network & Compute Security

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy