Pro audit program · v1.0.0

Cloud Security Maturity

Find gaps in your cloud security posture.

  • Cloud Security Maturity target area
  • framework
  • 20 controls in this program
  • Cyentrix (Trusted Author)

About this program

A 20-question check across the controls that actually matter for AWS / Azure / GCP / SaaS environments. After each answer, expand the “Auditor’s view” for how to test the control, what evidence to collect, and the ideal response.

Controls (20)

  1. Are root / global-admin accounts protected with hardware MFA and reserved for break-glass only?

    Medium

    How to test + evidence

    Risk: Root is the most-attacked credential. Hardware MFA + sealed credentials make it both unusable by attackers and auditable.

    Testing procedure: Inspect root account configuration. Verify hardware MFA registered, no API keys, alerting on every use, and sealed-vault storage of credentials.

    Evidence to collect:
      • Root MFA status (hardware token registered)
      • Last-used timestamp + alert log
      • Credential storage location (sealed vault)
      • Break-glass procedure document

  2. Are all human identities federated through SSO (no local IAM users)?

    Medium

    How to test + evidence

    Risk: Federated identity centralises lifecycle (joiner/mover/leaver) and MFA. Local IAM users drift and outlive the people they were created for.

    Testing procedure: List all IAM users in each cloud account. Verify only break-glass + service accounts exist; humans federate through SSO.

    Evidence to collect:
      • IAM user inventory per account
      • SSO config (IAM Identity Center / Entra ID / Workload Identity)
      • Justification for any local IAM user
      • Quarterly access review of remaining local users

  3. Do you enforce least privilege for cloud roles (no wildcard / *:* policies)?

    Medium

    How to test + evidence

    Risk: Wildcard IAM policies are the most common cloud finding. Automated analysis flags drift fast; JIT elevation eliminates standing over-privilege.

    Testing procedure: Run IAM Access Analyzer / Azure Privileged Identity Management report. Flag any wildcard (*:*) policies and any unused permissions.

    Evidence to collect:
      • IAM Access Analyzer findings
      • Sample policies showing scoped permissions
      • JIT elevation tooling configuration + logs
      • Last review of role policies + reviewer
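One way to automate the wildcard check in this testing procedure, as an added example rather than anything from the audit program: a small Python scanner over constructed IAM policy documents that flags Allow statements using `*`, a `service:*` action, or `NotAction` (allow-all-except), and reports the classic `*:*` case separately. The sample policies are constructed for illustration.

```python
import json

# Constructed sample IAM policy documents (not taken from any real account).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::app-assets/*"}],
})
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},          # full admin
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},      # service wildcard
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},   # everything except IAM
        {"Effect": "Deny", "Action": "*", "Resource": "*"},           # deny-all: restricts, fine
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy_json: str) -> list[dict]:
    """Return one finding per over-broad Allow statement in a policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards narrows access; it does not over-grant
        all_resources = "*" in _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            # NotAction grants every action except those listed: a wildcard in disguise.
            findings.append({"statement": idx, "reason": "NotAction (allow-all-except)",
                             "all_resources": all_resources})
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append({"statement": idx, "reason": "Action *",
                                 "all_resources": all_resources})
            elif action.endswith(":*"):
                findings.append({"statement": idx, "reason": f"service wildcard {action}",
                                 "all_resources": all_resources})
    return findings


def is_admin_policy(policy_json: str) -> bool:
    """True for the classic *:* finding: Action '*' allowed on Resource '*'."""
    return any(f["reason"] == "Action *" and f["all_resources"]
               for f in find_wildcards(policy_json))
```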

  4. How do you manage long-lived access keys / service account credentials?

    Medium

    How to test + evidence

    Risk: Leaked long-lived keys are the #2 cloud breach root cause. IAM roles + short-lived tokens make leakage inert.

    Testing procedure: Inspect long-lived credentials inventory. Check rotation cadence and storage. Run secret scanning across code repos for leaked credentials.

    Evidence to collect:
      • Credential inventory with last-rotation date
      • Vault / KMS access logs
      • Secret scanning report on repos
      • IAM role usage replacing keys
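The inspections in controls 1, 2 and 4 can all be driven from one credential inventory. As an added example (not part of the audit program), this Python script reads a constructed CSV in the column layout of an AWS IAM credential report (trimmed to the columns used) and raises findings for root holding an access key or lacking MFA, for users with a local console password, and for active keys older than an assumed 90-day rotation cadence.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (real reports carry more columns; only those used below are included).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,true,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2025-09-01T00:00:00+00:00,false,N/A
legacy-batch,arn:aws:iam::111122223333:user/legacy-batch,false,false,true,2024-02-01T00:00:00+00:00,true,2023-11-15T00:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation cadence; adjust to the organisation's policy
NOW = datetime(2025, 10, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def audit_credential_report(report_csv: str, now: datetime = NOW) -> list[str]:
    """Return findings for controls 1, 2 and 4 from a credential report CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Control 1: root must have MFA and must never hold API keys.
            if row["mfa_active"] != "true":
                findings.append("root: MFA not active")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root: active access key present")
            continue
        if row["password_enabled"] == "true":
            # Control 2: a console password means a human signs in locally, not via SSO.
            findings.append(f"{user}: local console login (should federate via SSO)")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys carry "N/A" dates; nothing to age-check
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > MAX_KEY_AGE_DAYS:
                # Control 4: long-lived key past the rotation cadence.
                findings.append(f"{user}: access key {n} is {age} days old (> {MAX_KEY_AGE_DAYS})")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```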

  5. Do you run continuous cloud posture management (CSPM) — Wiz, Lacework, Defender for Cloud, native Security Hub, etc.?

    Medium

    How to test + evidence

    Risk: Cloud configurations drift hourly. Without CSPM you can't see misconfigurations as they happen — and findings sit unactioned without auto-remediation.

    Testing procedure: Inspect CSPM tooling output. Verify coverage of all accounts/subscriptions. Sample 10 high-severity findings + remediation timestamps.

    Evidence to collect:
      • CSPM dashboard with secure score
      • Coverage map (accounts / subscriptions / projects)
      • Auto-remediation policy + recent actions
      • Findings register with severity + status

  6. Is cloud infrastructure managed via IaC (Terraform, CloudFormation, Bicep, Pulumi)?

    Medium

    How to test + evidence

    Risk: IaC + PR review enforces controls in tooling rather than trust. Click-ops produces undocumented changes that drift over months.

    Testing procedure: Sample 10 production cloud resources. For each, verify it can be reconciled to an IaC definition. Check drift detection tooling output.

    Evidence to collect:
      • IaC repository + state files
      • Drift detection tool output
      • PR review process for IaC changes
      • Runbook for emergency click-ops + retroactive IaC

  7. Do you measure against a recognised baseline (CIS Benchmarks, AWS Foundational Security, Azure Security Benchmark)?

    Medium

    How to test + evidence

    Risk: Baselines give a measurable target. Auditors increasingly expect CIS-aligned configurations; gaps without justification are findings.

    Testing procedure: Inspect CSPM report against CIS / vendor baseline. Verify compliance percentage and that exceptions have business justification.

    Evidence to collect:
      • CSPM report against baseline
      • Compliance percentage trend
      • Exception register with justification + review
      • Remediation plan for non-compliance

  8. Is workload network access restricted (private endpoints, no public S3/Storage by default, no 0.0.0.0/0 SSH/RDP)?

    Medium

    How to test + evidence

    Risk: Internet-exposed services are the most common initial access vector. Default-deny with documented exceptions is the only scalable model.

    Testing procedure: Run a CSPM check for "0.0.0.0/0 on port 22/3389/3306/etc.". Verify block-public-access on storage. Sample exceptions for justification.

    Evidence to collect:
      • CSPM findings for open ports
      • Block-public-access account-level settings
      • Exception register with expiry dates
      • Network architecture using private endpoints
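The "0.0.0.0/0 on port 22/3389/3306" check from this testing procedure, written out as an added example (not the audit program's own tooling): a Python function over constructed records in the shape of EC2 `describe-security-groups` `IpPermissions` that flags any admin port reachable from an any-address CIDR, including rules whose port range merely contains the port, the all-protocols (`-1`) case, and IPv6 `::/0`.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}  # ports named in the control

# Constructed sample in the shape of EC2 describe-security-groups output (trimmed).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0002", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0003", "GroupName": "open-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,      # range covers 3306 and 3389
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",                                          # all ports, but internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def _is_any_address(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def open_admin_ports(groups: list[dict]) -> list[tuple[str, int, str, str]]:
    """Return (group id, port, service, cidr) for admin ports open to any address."""
    hits = []
    for group in groups:
        for rule in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_any_address(c)]
            if not world:
                continue
            # Protocol -1 means every port; otherwise honour the rule's port range.
            all_ports = rule.get("IpProtocol") == "-1"
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            for port, name in ADMIN_PORTS.items():
                if all_ports or lo <= port <= hi:
                    hits.extend((group["GroupId"], port, name, c) for c in world)
    return hits


if __name__ == "__main__":
    for group_id, port, name, cidr in open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {name} ({port}/tcp) open to {cidr}")
```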

  9. Is data at rest encrypted with customer-managed keys where possible?

    Medium

    How to test + evidence

    Risk: A CMK gives you the cryptographic boundary. Data under provider-managed keys is still encrypted, but you can't demonstrate control of the key or revoke access by disabling it.

    Testing procedure: Sample storage / database / volume resources. Verify encryption enabled with CMK + rotation. Check KMS access logs.

    Evidence to collect:
      • Encryption status report per service
      • KMS key inventory + rotation schedule
      • Sample KMS access logs
      • CMK policy enforcement (e.g. SCP)

  10. How are secrets (API keys, DB passwords) stored and accessed?

    Medium

    How to test + evidence

    Risk: Secrets in code or env files leak. Centralised secret management with auditing makes the loss containable and observable.

    Testing procedure: Inspect secret manager usage. Run secret scanning across repos for leaked credentials.

    Evidence to collect:
      • Secret manager inventory
      • Access audit log
      • Secret scanning report (GitHub / GitLab native or Trufflehog)
      • Rotation policy + recent rotations

  11. Do you know where your sensitive data lives across cloud services (DSPM / data discovery)?

    Medium

    How to test + evidence

    Risk: Cloud data sprawls into unintended places. DSPM finds sensitive data in unexpected buckets, dev environments, and shadow accounts.

    Testing procedure: Inspect DSPM tooling output (Wiz, Cyera, Varonis) or manual data inventory. Verify classification labels are applied + reviewed.

    Evidence to collect:
      • DSPM scan report
      • Sensitive data inventory
      • Classification policy + applied labels
      • Records of processing for GDPR, if applicable

  12. Are cloud workload backups isolated from the production account/credentials?

    Medium

    How to test + evidence

    Risk: A compromised production account can delete in-account backups. Cross-account replication plus immutability defeats this.

    Testing procedure: Inspect backup architecture. Verify cross-account / cross-tenant separation, immutability, and last successful restore test.

    Evidence to collect:
      • Backup architecture diagram
      • Cross-account replication policy
      • Object lock / immutability config
      • Restore test report

  13. Are control-plane logs (CloudTrail, Activity Log, Audit Log) enabled, centralised, and monitored?

    Medium

    How to test + evidence

    Risk: Control-plane logs are forensic gold during a cloud incident. Without centralisation, an attacker who deletes them is invisible.

    Testing procedure: Inspect CloudTrail / Activity Log status across all accounts. Verify centralised log destination + tuned detection content.

    Evidence to collect:
      • CloudTrail / Activity Log status per account
      • Central log archive (separate account)
      • SIEM detection rules for cloud events
      • Sample alerts triaged in the period

  14. Are workload-level logs (VPC flow, container, app) sent to your SIEM?

    Medium

    How to test + evidence

    Risk: Control-plane logs alone miss runtime threats. VPC flow + container logs catch lateral movement and exfiltration.

    Testing procedure: Sample workloads. Verify VPC flow logs + container logs are forwarded with sufficient retention.

    Evidence to collect:
      • VPC flow log configuration
      • Container log forwarding (FluentBit / similar)
      • Detection rules for cloud-specific TTPs

  15. Do you have runtime cloud workload protection (CWPP / agent or eBPF) detecting active threats?

    Medium

    How to test + evidence

    Risk: Runtime threats (cryptojacking, lateral movement, container escapes) are invisible without CWPP. Coverage gaps are where attackers hide.

    Testing procedure: Inspect CWPP coverage report (Wiz Runtime, Sysdig, Falco, Aqua, etc.). Verify production workloads have agent + alerting.

    Evidence to collect:
      • CWPP coverage report
      • Sample runtime alerts triaged
      • Auto-response policy for high severity

  16. When a critical cloud alert fires (e.g. credential exposure), how is it triaged?

    Medium

    How to test + evidence

    Risk: A great alert that nobody acts on is worse than no alert. 24/7 with runbooks closes the loop.

    Testing procedure: Inspect alert routing + on-call rota. Sample 5 high-severity alerts in the period and verify investigation timestamps.

    Evidence to collect:
      • Alert routing policy
      • On-call schedule
      • Sample triage records with timestamps
      • Mean-time-to-acknowledge metric

  17. Is security testing integrated into CI/CD (SAST, dependency scanning, IaC scanning, secret scanning)?

    Medium

    How to test + evidence

    Risk: Shifting left catches issues at $0.10 instead of $10,000. Advisory-only scanning gets ignored.

    Testing procedure: Inspect CI/CD pipeline definition. Verify SAST + SCA + IaC scan + secret scan are required for merge with blocking on critical findings.

    Evidence to collect:
      • Pipeline config showing security gates
      • Sample PRs with findings + resolution
      • Tool reports for SAST + SCA + IaC scanning
      • Block-on-critical policy enforcement

  18. Are container images scanned, signed, and pulled from a controlled registry?

    Medium

    How to test + evidence

    Risk: Unsigned images from public registries are supply-chain risk. Signing + scanning + admission control gives end-to-end provenance.

    Testing procedure: Inspect registry config + cluster admission control. Verify only signed images can be pulled and scanning is required.

    Evidence to collect:
      • Registry scan policy
      • Image signing config (cosign / Notary)
      • Cluster admission policy (Kyverno / OPA Gatekeeper)
      • Sample blocked-image events

  19. Are workloads ephemeral and frequently rebuilt (vs long-lived snowflakes)?

    Medium

    How to test + evidence

    Risk: Immutable infrastructure means attackers can't establish persistence — every rebuild wipes them. Snowflakes accumulate state and exposure.

    Testing procedure: Sample workloads. Verify image age (uptime) and deployment cadence. Long-lived servers without recent rebuilds are flagged.

    Evidence to collect:
      • Workload uptime distribution
      • Deployment cadence per service
      • Patch / config drift evidence on long-lived hosts

  20. Are cloud configuration changes peer-reviewed and traceable to a ticket?

    Medium

    How to test + evidence

    Risk: Reviewed PR-driven changes give an audit trail and a second pair of eyes. Console changes hide and bypass the control.

    Testing procedure: Sample 10 cloud changes. Verify each has IaC PR + reviewer + ticket reference. Click-ops changes should be flagged for retroactive IaC.

    Evidence to collect:
      • Sample PRs with reviewer + ticket reference
      • CloudTrail audit showing change source (IaC vs console)
      • Process for emergency click-ops + retroactive IaC
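The CloudTrail evidence asked for here (change source, IaC vs console) and the alerting on every root use from control 1 come from the same log stream. As an added example (not the audit program's own detection content), this Python triage runs over constructed CloudTrail-style records; classifying the source from `userAgent` is an assumed heuristic, and read-only calls are excluded so only mutating console actions count as click-ops.

```python
# Constructed CloudTrail-style records, trimmed to the fields used below.
SAMPLE_EVENTS = [
    {"eventName": "CreateBucket", "readOnly": False,
     "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.9.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-42"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "readOnly": False,
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "DescribeInstances", "readOnly": True,
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "CreateAccessKey", "readOnly": False,
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]

# Assumed user-agent markers; extend to match the IaC tooling actually in use.
IAC_AGENTS = ("Terraform", "CloudFormation", "Pulumi")
CONSOLE_AGENTS = ("console.amazonaws.com", "signin.amazonaws.com", "AWS Internal")


def change_source(event: dict) -> str:
    """Classify a record by what produced it: 'iac', 'console' or 'other' (CLI/SDK)."""
    ua = event.get("userAgent", "")
    if any(tag in ua for tag in IAC_AGENTS):
        return "iac"
    if any(tag in ua for tag in CONSOLE_AGENTS):
        return "console"
    return "other"


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Return alerts keyed by control: every root use (1) and click-ops writes (20)."""
    alerts = {"root_usage": [], "console_writes": []}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "Root":
            alerts["root_usage"].append(ev["eventName"])
        # Read-only calls are not changes; only mutating console calls bypass the PR flow.
        if not ev.get("readOnly", False) and change_source(ev) == "console":
            alerts["console_writes"].append(f'{ident.get("arn")}: {ev["eventName"]}')
    return alerts


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EVENTS).items():
        print(kind, items)
```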