Cloud27 items

Cloud Security Assessment Checklist

A thorough security assessment checklist for cloud environments including AWS, Azure, and GCP. Covers identity and access management, storage security, network configuration, compute workloads, and serverless architecture review.

CIS BenchmarksCSA CCMNIST SP 800-144NIST SP 800-115

Progress: 0 of 27 items

Identify cloud service providers and account IDs in scopeinfo

Document all AWS accounts, Azure subscriptions, or GCP projects included in testing.

Review cloud provider penetration testing policies

Ensure compliance with AWS, Azure, or GCP acceptable use policies for security testing.

Obtain read-only IAM credentials for configuration review

Request SecurityAudit or Reader role credentials for automated assessment tooling.

Identify shared responsibility model boundaries

Clarify which security controls are the customer's responsibility versus the provider's.

Inventory cloud services in use (compute, storage, databases, serverless)

Map all active services to determine the full attack surface.

Audit IAM policies for overly permissive permissionscritical

Check for wildcard (*) actions, resources, and policies granting excessive access.

Commands

prowler aws --severity critical high

scoutsuite aws

aws iam list-policies --scope Local --query "Policies[*].[PolicyName,Arn]"

References

Review root/owner account usage and MFA enforcementcritical

Verify root account has MFA enabled and is not used for daily operations.

Commands

aws iam get-account-summary

aws iam generate-credential-report && aws iam get-credential-report --output text --query Content | base64 -d

Check for long-lived access keys and credential rotationhigh

Identify static API keys older than 90 days and service accounts without key rotation.

Commands

aws iam list-users --query "Users[*].UserName" | xargs -I {} aws iam list-access-keys --user-name {}

Assess cross-account trust relationships and role assumptionshigh

Review IAM trust policies and external ID requirements for cross-account roles.

Commands

aws iam list-roles --query "Roles[*].[RoleName,AssumeRolePolicyDocument]"

Test for privilege escalation paths through IAM misconfigurationscritical

Use tools like Pacu or PMapper to identify IAM escalation chains.

Commands

pacu

pmapper graph create && pmapper query "preset privesc *"

Evidence to capture

PMapper or Pacu output showing the escalation chain (starting principal → final privilege) plus AWS CLI proof of executing one of the escalated actions.

References

Review service-linked roles and managed policy attachmentshigh

Check for custom policies that grant unintended access through service roles.

Check for publicly accessible storage buckets/blobscritical

Scan S3 buckets, Azure Blob containers, and GCS buckets for public read/write access.

Commands

aws s3api list-buckets --query "Buckets[*].Name" --output text | xargs -I {} aws s3api get-bucket-acl --bucket {}

aws s3api get-public-access-block --bucket <bucket>

Evidence to capture

curl response from the unauthenticated public URL of a bucket object containing sensitive data, plus the bucket ACL showing public-read or public-write.

References

AWS S3 - Blocking public access

Verify encryption at rest for all storage serviceshigh

Confirm server-side encryption is enabled with appropriate key management (KMS vs. default).

Commands

aws s3api get-bucket-encryption --bucket <bucket>

aws rds describe-db-instances --query "DBInstances[*].[DBInstanceIdentifier,StorageEncrypted]"

Assess database security groups and public accessibilitycritical

Check for RDS, Azure SQL, or Cloud SQL instances exposed to the internet.

Commands

aws rds describe-db-instances --query "DBInstances[?PubliclyAccessible=='true'].[DBInstanceIdentifier,Endpoint.Address]"

Review storage bucket policies and ACLs for misconfigurationshigh

Identify overly permissive bucket policies that could allow unauthorized access.

Commands

aws s3api get-bucket-policy --bucket <bucket>

Check for sensitive data in storage logs and backupsmedium

Review CloudTrail logs, database snapshots, and backup vaults for exposure.

Review security group and firewall rules for overly permissive inbound accesscritical

Identify rules allowing 0.0.0.0/0 on sensitive ports (SSH, RDP, databases).

Commands

aws ec2 describe-security-groups --query "SecurityGroups[*].IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0']]"

Evidence to capture

security group export showing 0.0.0.0/0 on a sensitive port (e.g. 22, 3389, 3306) plus an Nmap scan from an external host confirming the port is reachable.

Assess VPC peering, transit gateway, and network connectivityhigh

Review network architecture for unintended connectivity between environments.

Check EC2/VM instance metadata service protections (IMDSv2)high

Verify that Instance Metadata Service v2 is enforced to prevent SSRF-based credential theft.

Commands

aws ec2 describe-instances --query "Reservations[*].Instances[?MetadataOptions.HttpTokens=='optional'].[InstanceId]"

References