Cloud Infrastructure Security Checklist
A Baseline for Securing Your Cloud Environment
Many organizations are moving to cloud infrastructures for agility, scaling, efficiency, and cost. But the reality is that cloud infrastructure security isn’t inherently better. We often see the implementation of cloud environments with default configurations still in place, opening the door for security concerns. This checklist will help provide a better baseline for your cloud infrastructure security.
Cloud Checklist
Download this checklist to help set a floor of data safeguards for your organization.
Cloud Infrastructure Security Configuration through CIS Benchmarks
The Center for Internet Security (CIS) is a nationally recognized leader in cloud infrastructure security standards. Using their benchmarks as a guide, FRSecure reviews cloud configuration from a security lens. Typically, this is done through an assessment where we give each configuration a status and then prioritize remediation for incomplete configurations based on their risk rating.
This checklist is a simplified version—meant to distill the most universally important configurations into one handy guide so your organization can ensure those are in place.
How to Use this Checklist
This checklist will help you understand where your cloud infrastructure security is at today and prioritize improvement efforts. Ultimately, this will better safeguard data. Download the document to use, or check the boxes on this page and print it off!
Cloud Infrastructure Security Configuration Best Practice Checklist
Identity and Access Management (IAM)
Identity and Access Management (IAM) controls the level of access users have to resources in your environment.
- Use least privilege access for all users, roles, and services
- Enable Multi-Factor Authentication (MFA) for all accounts
- Regularly review and rotate credentials (API keys, passwords, etc.)
- Use role-based access control (RBAC) instead of individual permissions
- Monitor and audit IAM activity logs
Email and Collaboration Security
Reduce risk from common email-based threats, such as email spoofing, phishing, and fraud.
- Ensure Safe Links is enabled for email and cloud apps, where applicable
- Ensure Safe Attachments policy is enabled
- Ensure Safe Attachments for SharePoint, OneDrive, and Microsoft Teams are enabled
- Ensure that SPF records are published for all Exchange domains
- Ensure that DKIM is enabled for all Exchange Online domains
- Ensure DMARC records for all Exchange Online domains are published
- Ensure the Common Attachment Types filter is enabled
- Ensure ‘AuditBypassEnabled’ is not enabled on mailboxes
- Ensure developer access is removed before implementation into production
- Ensure all forms of mail forwarding are blocked and/or disabled
- Ensure that users are unable to install add-ins
- Ensure modern authentication for email applications is enabled
- Ensure MailTips are enabled for end users
- Ensure SMTP AUTH is disabled
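As an added example (not part of the FRSecure checklist), the SPF and DMARC items above can be checked for more than "a record exists": a published record can still be too permissive to help. The sketch below audits constructed TXT records; the domains, record values and function names are assumptions, and DKIM is left out because its lookup depends on the selector name.

```python
# Constructed TXT records keyed by DNS name, standing in for live lookups.
# Domains and values are placeholders, not data from the checklist.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.org": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example.org": ["v=DMARC1; p=none"],
    "example.net": ["some-site-verification=abc123"],
}

def check_spf(records):
    """Return findings for the TXT records at a domain's apex."""
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records published (permerror)"]
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    if alls[0] in ("all", "+all"):
        return ["SPF: '+all' authorizes every sender"]
    if alls[0] == "?all":
        return ["SPF: '?all' gives unlisted senders a neutral result"]
    return []  # '~all' (softfail) or '-all' (fail)

def check_dmarc(records):
    """Return findings for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    tags = {k.strip().lower(): v.strip().lower()
            for k, _, v in (part.partition("=") for part in dmarc[0].split(";"))
            if k.strip()}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if policy == "none":
        return ["DMARC: p=none requests no action on failing mail"]
    return []

def audit_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings for one domain; an empty list means both pass."""
    return (check_spf(txt.get(domain, []))
            + check_dmarc(txt.get("_dmarc." + domain, [])))
```

To run it against real domains, replace `SAMPLE_TXT` with the TXT answers from your own DNS lookups.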
Network Security
The technology, controls, processes, policies, and people that are implemented to protect your infrastructure.
- Use Virtual Private Clouds (VPCs) or equivalent to isolate resources
- Restrict inbound and outbound traffic using security groups and firewalls
- Use private endpoints for internal services
- Enable DDoS protection and Web Application Firewalls (WAF)
- Encrypt traffic using TLS/SSL
Data Protection
Policies, procedures, and best practices for ensuring good data hygiene.
- Encrypt data at rest and in transit
- Use managed key services (e.g., AWS KMS, Azure Key Vault)
- Classify and label sensitive data using tools such as Purview or similar
- Implement data loss prevention (DLP) policies
- Regularly back up data and test recovery procedures
- Rotate encryption keys regularly
Configuration Management
Track and control the setup and changes to hardware, software, and other components, ensuring systems remain consistent and perform.
- Use infrastructure as code (IaC) tools (e.g., Terraform, CloudFormation)
- Scan Infrastructure as Code (IaC) templates for misconfigurations
- Maintain version control and change management practices
- Use configuration management tools (e.g., Ansible, Puppet) for consistency
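As an added example (not part of the FRSecure checklist), this is what scanning an IaC template for misconfigurations can look like. It ties the item above to the earlier network and data protection items by flagging admin ports open to the internet, unencrypted storage and publicly accessible databases. The CloudFormation template is constructed, the resource and function names are assumptions, and only literal property values are handled (intrinsic functions such as `Ref` are not resolved).

```python
import json

# Constructed CloudFormation template (JSON form); resource names are placeholders.
TEMPLATE = json.loads("""
{"Resources": {
  "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "GroupDescription": "admin access",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
  "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
    "AvailabilityZone": "us-east-1a", "Size": 100}},
  "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
    "StorageEncrypted": true, "PubliclyAccessible": true}}
}}
""")

ADMIN_PORTS = {22, 3389}            # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}    # IPv4 and IPv6 "whole internet"

def exposed_admin_ports(rule):
    """Admin ports that one ingress rule opens to the whole internet."""
    cidr, proto = rule.get("CidrIp") or rule.get("CidrIpv6"), str(rule.get("IpProtocol"))
    if cidr not in ANYWHERE:
        return []
    if proto == "-1":                # -1 means all protocols and all ports
        return sorted(ADMIN_PORTS)
    if proto not in ("tcp", "6"):    # SSH and RDP are TCP services
        return []
    lo, hi = int(rule["FromPort"]), int(rule["ToPort"])
    return [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]

def scan(template):
    """Return one finding string per misconfiguration, in template order."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                for port in exposed_admin_ports(rule):
                    findings.append(f"{name}: port {port} open to the internet")
        elif rtype == "AWS::EC2::Volume" and props.get("Encrypted") is not True:
            findings.append(f"{name}: volume not encrypted at rest")
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                findings.append(f"{name}: database storage not encrypted")
            if props.get("PubliclyAccessible") is True:
                findings.append(f"{name}: database is publicly accessible")
    return findings
```

Running a check like this in the pipeline before deployment, and failing the build when `scan` returns findings, keeps a risky default from reaching production.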
Monitoring and Logging
Logging gives teams a snapshot of the events occurring in the environment, and monitoring those logs surfaces the potentially problematic ones.
- Enable cloud-native logging (e.g., CloudTrail, Azure Monitor, GCP Cloud Audit Logs)
- Enable logging for AI service usage and access
- Centralize logs for analysis and retention
- Set up alerts for suspicious activity or policy violations
- Use SIEM tools for threat detection and response
Vulnerability Management
Vulnerability management is a systematic process and proactive approach to identifying, assessing, prioritizing, and mitigating vulnerabilities in a system or network before they can be exploited.
- Regularly scan cloud resources and applications for vulnerabilities
- Apply security patches and updates promptly
- Use container security tools if using Docker/Kubernetes
- Conduct penetration testing and red team exercises
Compliance and Governance
Understand the obligations your organization is required to adhere to, and the accountability of individuals in the organization for ensuring those obligations are met.
- Align with relevant standards (e.g., CIS Benchmarks, NIST, ISO 27001)
- Use cloud provider compliance tools (e.g., AWS Config, Azure Policy)
- Maintain audit trails for all critical operations
Application Services
The measures, policies, and technologies used to protect cloud-based applications and the data they handle from various security threats.
- Ensure HTTPS only is configured
- Ensure web applications are using TLS 1.2 encryption or higher
- Ensure Basic Authentication is disabled