Cloud Security Configuration Baseline Check Checklist [FREE PDF]

Cloud environments introduce unique configuration risks that must be systematically evaluated against established security baselines to meet regulatory obligations under frameworks such as NIST SP 800-144, ISO 27001:2022 Annex A 8.23, and PCI DSS v4.0 Requirement 6.3. Misconfigured cloud resources remain the leading cause of data breaches in public cloud deployments, making baseline configuration checks an essential control. This checklist enables Security Engineers and IT Directors to perform s

  • Industry: Financial Services
  • Frequency: Monthly
  • Estimated Time: 45-60 minutes
  • Role: Security Engineer
  • Total Items: 37
  • Compliance: NIST SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing), ISO 27001:2022 Annex A 8.23 (Web Filtering) and A 8.24 (Use of Cryptography), SOC 2 Trust Services Criteria CC6.1 (Logical and Physical Access Controls), PCI DSS v4.0 Requirements 6.3, 7.2, and 10.2 (Cloud Security, Access Control, Audit Logs), NIST SP 800-53 Rev 5 AC-2, AU-2, SC-28 (Account Management, Audit Events, Data at Rest)

Identity & Access Management (IAM) Controls

Verify that IAM configurations follow least-privilege principles and meet compliance requirements.

  • Is multi-factor authentication (MFA) enforced for all IAM users and root/admin accounts?
  • Are all IAM policies following the principle of least privilege with no wildcard (*) permissions in production?
  • Have all inactive IAM user accounts (no activity in 90+ days) been disabled or removed?
  • Are service account keys and access keys rotated on a schedule not exceeding 90 days?
  • Is privileged access management (PAM) or just-in-time access implemented for administrative roles?
  • Are cross-account trust relationships and federated identity configurations reviewed and documented?
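The IAM questions above can be turned into an automated check. The following added example (not part of the checklist or any vendor tool) evaluates constructed user records and policy documents against the 90-day key-rotation and inactivity thresholds and flags Allow statements that use wildcard actions or resources; the record shapes, names and key IDs are assumptions for the demo, loosely modelled on AWS IAM policy JSON.

```python
from datetime import date, timedelta
KEY_MAX_AGE_DAYS = 90   # checklist: rotate access keys at least every 90 days
INACTIVE_DAYS = 90      # checklist: disable users with no activity for 90+ days

def wildcard_statements(policy):
    """Indices of Allow statements granting '*' or 'service:*' actions, or a '*' resource."""
    flagged = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":          # Deny statements with '*' are not a finding
            continue
        acts, res = st.get("Action", []), st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if any(a == "*" or a.endswith(":*") for a in acts) or "*" in res:
            flagged.append(i)
    return flagged

def user_findings(user, today):
    """Baseline findings for one user record (constructed shape, not a provider API)."""
    found = []
    if not user["mfa"]:
        found.append("no-mfa")
    last = user.get("last_activity")            # None means the user never signed in
    if last is None or (today - last).days >= INACTIVE_DAYS:
        found.append("inactive")
    for key in user.get("access_keys", []):
        if (today - key["created"]).days > KEY_MAX_AGE_DAYS:
            found.append(f"stale-key:{key['id']}")
    return found

def run_iam_baseline(users, policies, today):
    """Map each user and policy name to its findings; an empty list means compliant."""
    report = {u["name"]: user_findings(u, today) for u in users}
    for name, pol in policies.items():
        report[name] = [f"wildcard-statement:{i}" for i in wildcard_statements(pol)]
    return report

# Constructed sample data; dates are relative to TODAY so the demo is deterministic.
TODAY = date(2024, 6, 1)
USERS = [
    {"name": "alice", "mfa": True, "last_activity": TODAY - timedelta(days=3),
     "access_keys": [{"id": "key-alice-1", "created": TODAY - timedelta(days=40)}]},
    {"name": "bob", "mfa": False, "last_activity": TODAY - timedelta(days=120),
     "access_keys": [{"id": "key-bob-1", "created": TODAY - timedelta(days=200)}]},
]
POLICIES = {
    "ReadAppBucket": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"}]},
    "LegacyAdmin": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"},
                                  {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
}
```

Running `run_iam_baseline(USERS, POLICIES, TODAY)` reports alice and ReadAppBucket as compliant, bob for missing MFA, inactivity and a stale key, and LegacyAdmin for its `iam:*` statement.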

Network Security & Segmentation

Confirm that network controls, firewall rules, and segmentation policies are properly configured.

  • Are security groups and network ACLs configured to deny all inbound traffic by default with explicit allow rules only?
  • Are there any security groups or firewall rules permitting unrestricted inbound access (0.0.0.0/0) on sensitive ports (22, 3389, 1433, 3306)?
  • Are production workloads isolated in dedicated VPCs or virtual networks with no direct peering to development environments?
  • Is a Web Application Firewall (WAF) deployed in front of all public-facing web applications?
  • Are VPN or private connectivity options (e.g., AWS Direct Connect, Azure ExpressRoute) used for administrative access instead of public internet?
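To check the unrestricted-inbound item above mechanically, the following added example (not from the checklist) audits constructed security group ingress rules for the listed sensitive ports open to 0.0.0.0/0 or ::/0, including rules that expose them through a wide port range or an "all traffic" protocol; the rule shape is an assumption loosely modelled on AWS security group entries.

```python
# Added example: flag ingress rules exposing the checklist's sensitive ports to any source.
import ipaddress

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql"}

def is_anywhere(cidr):
    """True for 0.0.0.0/0 or ::/0 (any source); False for a scoped CIDR."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(rule):
    """Sensitive ports covered by one ingress rule that is open to any source."""
    if not any(is_anywhere(c) for c in rule.get("sources", [])):
        return []
    if rule.get("protocol") == "-1":           # 'all traffic' covers every port
        return sorted(SENSITIVE_PORTS)
    if rule.get("protocol") not in ("tcp", "udp"):
        return []
    lo, hi = rule["from_port"], rule["to_port"]  # ranges count, not just exact ports
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]

def audit_security_groups(groups):
    """Return {group_id: [(port, service, rule_index), ...]} for violating groups only."""
    findings = {}
    for g in groups:
        hits = []
        for i, rule in enumerate(g["ingress"]):
            hits += [(p, SENSITIVE_PORTS[p], i) for p in exposed_ports(rule)]
        if hits:
            findings[g["id"]] = hits
    return findings

# Constructed sample groups: one compliant, one with SSH open, one with wide ranges.
GROUPS = [
    {"id": "sg-web", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "sources": ["10.0.0.0/8"]}]},
    {"id": "sg-bastion", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "sources": ["0.0.0.0/0"]}]},
    {"id": "sg-db-legacy", "ingress": [
        {"protocol": "tcp", "from_port": 1024, "to_port": 65535, "sources": ["::/0"]},
        {"protocol": "-1", "from_port": 0, "to_port": 0, "sources": ["0.0.0.0/0"]}]},
]

if __name__ == "__main__":
    for sg, hits in audit_security_groups(GROUPS).items():
        print(sg, hits)
```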

Data Encryption & Key Management

Verify encryption at rest and in transit is properly configured for all data stores and services.

  • Is encryption at rest enabled for all cloud storage buckets, databases, and disk volumes?
  • Is encryption in transit (TLS 1.2 or higher) enforced for all API endpoints and data transfer services?
  • Are customer-managed encryption keys (CMEK) used for sensitive data stores rather than provider-managed keys?
  • Are encryption keys stored in a dedicated key management service (KMS) with access logging enabled?
  • Are publicly accessible storage buckets or blob containers blocked at the organization policy level?

Logging, Monitoring & Alerting

Confirm that comprehensive audit logging and real-time alerting are enabled across cloud services.

  • Is cloud-native audit logging (e.g., AWS CloudTrail, Azure Monitor, GCP Cloud Audit Logs) enabled across all accounts and regions?
  • Are audit logs stored in a separate, write-protected account or storage location inaccessible to the production environment?
  • Is log retention configured for a minimum of 12 months with at least 3 months immediately available for analysis?
  • Are real-time alerts configured for high-risk events such as root account login, IAM policy changes, and security group modifications?
  • Is a Security Information and Event Management (SIEM) solution ingesting cloud logs and generating actionable alerts?
  • Is cloud security posture management (CSPM) tooling deployed to continuously scan for misconfigurations?
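The real-time alert item above names three high-risk events. As an added example (not from the checklist or any SIEM product), the rules below classify constructed CloudTrail-style records into those three alert types; the field names (eventName, eventSource, userIdentity.type, responseElements) follow the CloudTrail record schema, while the event IDs and user names are made up for the demo.

```python
# Added example: minimal alert rules for root login, IAM policy changes and security group changes.
IAM_POLICY_EVENTS = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy", "AttachUserPolicy",
                     "AttachRolePolicy", "AttachGroupPolicy", "CreatePolicy", "CreatePolicyVersion",
                     "DeleteUserPolicy", "DeleteRolePolicy", "DetachRolePolicy", "DetachUserPolicy"}
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup"}

def classify(event):
    """Return an alert label for a high-risk event, or None if it is not one."""
    name = event.get("eventName", "")
    ident = event.get("userIdentity", {})
    if name == "ConsoleLogin" and ident.get("type") == "Root":
        if event.get("responseElements", {}).get("ConsoleLogin") == "Success":
            return "root-console-login"
        return "root-console-login-failed"     # failed root attempts are worth alerting on too
    if event.get("eventSource") == "iam.amazonaws.com" and name in IAM_POLICY_EVENTS:
        return "iam-policy-change"
    if event.get("eventSource") == "ec2.amazonaws.com" and name in SG_EVENTS:
        return "security-group-change"
    return None

def alerts(events):
    """List of (eventID, label) pairs for every record that matches a rule."""
    return [(e["eventID"], label) for e in events if (label := classify(e))]

# Constructed sample records; only the first three should raise alerts.
EVENTS = [
    {"eventID": "ev-1", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "ev-2", "eventName": "AttachUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"}},
    {"eventID": "ev-3", "eventName": "AuthorizeSecurityGroupIngress",
     "eventSource": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "ev-4", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "reporting"}},
    {"eventID": "ev-5", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

if __name__ == "__main__":
    for event_id, label in alerts(EVENTS):
        print(event_id, label)
```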

Vulnerability & Patch Management

Review patch management controls and vulnerability scanning practices for cloud-hosted resources.

  • Is automated vulnerability scanning running against cloud-hosted compute instances on at least a weekly basis?
  • Are critical and high vulnerabilities remediated within the organization's defined SLA (e.g., 30 days for critical)?
  • Are cloud-native managed services (e.g., RDS, Lambda) configured to apply minor version patches automatically?
  • Are container images scanned for vulnerabilities in the CI/CD pipeline before deployment to production?
  • Is a software bill of materials (SBOM) maintained for all cloud-deployed applications and services?

Data Privacy & Compliance Controls

Verify that cloud configuration supports data residency, classification, and privacy compliance requirements.

  • Are cloud resources restricted to approved geographic regions to meet data residency requirements?
  • Is sensitive data (PII, PAN, PHI) classified and tagged appropriately within the cloud environment?
  • Is Data Loss Prevention (DLP) tooling deployed to detect and prevent unauthorized exfiltration of sensitive data?
  • Are cloud provider shared responsibility boundaries documented and reviewed annually?
  • Has a cloud security baseline review been completed for all active cloud accounts and findings documented?

Incident Response & Business Continuity Readiness

Assess cloud-specific incident response and disaster recovery configurations.

  • Is an automated backup policy configured for all critical cloud databases and storage with tested restore procedures?
  • Are recovery time objectives (RTO) and recovery point objectives (RPO) defined and tested for cloud workloads?
  • Are cloud account credentials and access keys included in the organization's incident response runbooks?
  • Has a cloud-specific incident response tabletop exercise been conducted within the past 12 months?
  • Additional notes, exceptions, or compensating controls identified during this baseline review?

Why Use This Cloud Security Configuration Baseline Check Checklist [FREE PDF]?

This Cloud Security Configuration Baseline Check Checklist [FREE PDF] helps financial services teams maintain compliance and operational excellence. Designed for Security Engineer professionals, it covers 37 critical inspection points across 7 sections. Recommended frequency: monthly.

Ensures compliance with NIST SP 800-144 (Guidelines on Security and Privacy in Public Cloud Computing), ISO 27001:2022 Annex A 8.23 (Web Filtering) and A 8.24 (Use of Cryptography), SOC 2 Trust Services Criteria CC6.1 (Logical and Physical Access Controls), PCI DSS v4.0 Requirements 6.3, 7.2, and 10.2 (Cloud Security, Access Control, Audit Logs), NIST SP 800-53 Rev 5 AC-2, AU-2, SC-28 (Account Management, Audit Events, Data at Rest). Regulatory-aligned for audit readiness and inspection documentation.

Frequently Asked Questions

What does the Cloud Security Configuration Baseline Check Checklist [FREE PDF] cover?

This checklist covers 37 inspection items across 7 sections: Identity & Access Management (IAM) Controls, Network Security & Segmentation, Data Encryption & Key Management, Logging, Monitoring & Alerting, Vulnerability & Patch Management, Data Privacy & Compliance Controls, Incident Response & Business Continuity Readiness. It is designed for financial services operations and compliance.

How often should this checklist be completed?

This checklist should be completed monthly. Each completion takes approximately 45-60 minutes.

Who should use this Cloud Security Configuration Baseline Check Checklist [FREE PDF]?

This checklist is designed for Security Engineer professionals in the financial services industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.