AWS, Azure, and GCP Cloud Security Controls Checklist

A reusable provider-by-provider checklist for reviewing AWS, Azure, and Google Cloud security controls before launches, audits, and changes.

Cloud teams rarely struggle because they lack security features. They struggle because controls are scattered across services, ownership is unclear, and each provider uses slightly different terms, defaults, and workflows. This checklist is designed to be a practical reference for AWS, Azure, and Google Cloud teams that need a reusable way to review cloud security controls before launches, audits, and architecture changes. It focuses on shared responsibility, provider-by-provider checkpoints, and the controls most likely to affect cloud compliance, audit readiness, and day-to-day security operations.

Overview

If you manage workloads across one or more cloud providers, a useful cloud security controls checklist should do three things: identify the baseline controls you expect in every environment, show where the provider-specific implementation differs, and make it easier to collect evidence for cybersecurity compliance work.

This article is not a list of every feature offered by AWS, Azure, or Google Cloud. Instead, it is a working checklist organized around the controls that matter most for cloud hardening, audit preparation, and operational consistency. You can use it whether you are building a first cloud environment, tightening an existing one, or comparing multi cloud security controls across platforms.

A practical way to use this checklist is to review each control area and answer four questions:

What is the minimum standard we require in every cloud account, subscription, or project?
Which team owns the control: platform, security, engineering, or a shared function?
How is the control implemented differently in AWS, Azure, and Google Cloud?
What evidence would we keep for a security audit checklist, customer questionnaire, SOC 2 review, or internal control testing?

Before getting into provider-specific checks, keep the shared responsibility model cloud principle in view. The provider secures the underlying cloud infrastructure, but your team is still responsible for how identities are configured, how data is stored, which network paths are exposed, how logs are retained, and whether workloads follow your policy baseline. If your team needs a deeper breakdown, see Cloud Shared Responsibility Model Explained by Service Type.

Use the checklist below as a baseline, then map it to your framework obligations. For example, a team aligning to NIST CSF controls may emphasize detection and recovery coverage, while a SaaS company preparing for an audit may care more about repeatable evidence, access reviews, and configuration enforcement. Related guidance is covered in NIST CSF 2.0 Implementation Guide for Cloud Environments, SOC 2 Compliance Checklist for Cloud and SaaS Teams, and ISO 27001 Controls Checklist for Startups and Mid-Market Cloud Companies.

Checklist by scenario

This section gives you a reusable cloud security controls checklist by control area, with notes for AWS, Azure, and Google Cloud. The goal is not to force identical tooling across clouds, but to make sure equivalent outcomes are in place.

1. Identity and privileged access baseline

Start here. Weak identity controls create downstream problems in logging, networking, data protection, and incident response.

AWS: Review IAM users, roles, federation, root account protection, MFA enforcement, and use of service control policies where applicable.
Azure: Review Microsoft Entra ID tenant settings, role assignments, privileged role management, conditional access, and break-glass access design.
Google Cloud: Review Cloud Identity or Google Workspace integration, IAM role bindings, organization policies, service account usage, and MFA coverage.

Checklist:

Require MFA for all privileged administrators.
Limit standing administrative access and prefer role-based assignments.
Separate human administrator accounts from workload identities and automation accounts.
Disable or tightly control long-lived access keys.
Review service accounts, managed identities, and workload roles for over-permissioning.
Define a periodic access review process and keep evidence of approvals and removals.
Document emergency access procedures and test them.

2. Account, subscription, and project structure

Many control failures start with poor top-level organization. A clear hierarchy makes policy inheritance, billing accountability, and audit scoping easier.

AWS: Review organization structure, account segmentation, organizational units, and central policy enforcement.
Azure: Review management groups, subscriptions, resource groups, and inherited policy assignments.
Google Cloud: Review organization, folders, projects, and organization policy constraints.

Checklist:

Separate production, staging, development, and sandbox environments.
Separate regulated or sensitive workloads from lower-risk environments where practical.
Apply baseline policies at the highest level that still fits operational needs.
Document naming, tagging, and ownership standards for all resources.
Require clear business ownership for each account, subscription, or project.

3. Logging, monitoring, and audit trails

You cannot defend or audit what you cannot see. Logging needs both breadth and retention discipline.

AWS: Review management event logging, service-specific logging, centralization, and alerting paths.
Azure: Review activity logs, diagnostic settings, platform logs, and workspace-based collection.
Google Cloud: Review audit logs, log routing, retention decisions, and monitoring alert policies.

Checklist:

Enable administrative and control-plane logging across all environments.
Collect network, identity, and key service logs required for investigations.
Route logs to a centralized location with restricted write access.
Define retention periods aligned to legal, privacy, and audit needs.
Alert on privilege changes, disabled logging, unusual authentication events, and internet exposure changes.
Test whether alerts reach the right team and result in tracked action.

4. Network security and exposure management

The core question is simple: what is reachable, by whom, and under what controls?

AWS: Review VPC design, security groups, network ACLs, load balancer exposure, and private connectivity patterns.
Azure: Review virtual networks, network security groups, routing, firewall usage, and private endpoints.
Google Cloud: Review VPC networks, firewall rules, ingress and egress restrictions, and private service connectivity.

Checklist:

Default to private access for internal services and administrative interfaces.
Review every internet-facing endpoint and confirm business justification.
Restrict management access by source, identity, and time where possible.
Segment workloads by trust level and business function.
Inspect egress paths for uncontrolled outbound traffic.
Document approved remote access patterns and decommission legacy paths.

5. Data protection and encryption controls

Encryption is necessary, but governance around keys, backups, and exposure is what makes the control effective.

AWS: Review encryption settings for object storage, block volumes, databases, secrets, and key management services.
Azure: Review encryption at rest defaults, key vault usage, managed keys versus customer-managed keys, and backup protection.
Google Cloud: Review storage and database encryption settings, secret handling, and key management options.

Checklist:

Encrypt sensitive data at rest and in transit.
Define when customer-managed keys are required versus provider-managed defaults.
Restrict key administration and keep key usage logs.
Review public bucket or object exposure risks.
Validate backup encryption, restore procedures, and retention settings.
Map data classes to storage locations and cloud services.

Where personal data is involved, align cloud control reviews with privacy operations. Teams handling regulated data may also need to pair this with a GDPR compliance checklist or data inventory work, such as GDPR Compliance Checklist for Cloud and SaaS Teams.

6. Workload hardening and configuration management

Cloud security is often lost in the gap between good platform controls and inconsistent workload settings.

AWS: Review compute, container, and serverless configurations against your baseline.
Azure: Review VM, container, app platform, and managed service security settings.
Google Cloud: Review instance templates, container platforms, serverless services, and managed runtimes.

Checklist:

Use hardened images or approved base configurations.
Patch operating systems, runtimes, and dependencies on a defined schedule.
Block unnecessary ports, packages, and services.
Scan infrastructure as code and deployment templates before release.
Apply configuration policies consistently across environments.
Track drift from approved baselines and require remediation or exception approval.

7. Vulnerability management and posture review

This is where many teams discover that “we enabled the tool” is not the same as “we run the process.”

AWS: Review posture findings, vulnerability visibility, and remediation ownership.
Azure: Review secure configuration recommendations, exposure findings, and workflow integration.
Google Cloud: Review security posture findings, vulnerability signals, and ticketing handoff.

Checklist:

Define severity-based remediation timelines.
Differentiate exploitable exposure from informational findings.
Assign each finding category to an accountable owner.
Track exceptions formally and require periodic review.
Include containers, images, code pipelines, and managed services in scope where applicable.

8. Backup, resilience, and incident response readiness

Security controls should still work when a region is unavailable, an account is compromised, or a ransomware event affects operations.

AWS: Review backup orchestration, snapshot protections, cross-account resilience, and response access paths.
Azure: Review recovery service configuration, vault protections, and segregation of backup administration.
Google Cloud: Review backup design, recovery options, and isolation of recovery resources.

Checklist:

Protect backups from routine administrative tampering.
Test restoration, not just backup job completion.
Keep incident response runbooks cloud-specific where workflows differ.
Ensure responders can access logs, snapshots, and network controls during an incident.
Document decision paths for containment, credential rotation, and legal escalation.

If you need to tie these controls to formal documentation, pair this section with your incident response policy template and evidence process.

9. Compliance evidence and control mapping

For many teams, this is the difference between a cloud hardening checklist and a cloud compliance controls program.

Checklist:

Map each technical control to your internal policy statements.
Keep screenshots, exports, configuration files, approvals, and review records in a controlled evidence repository.
Record who reviewed each control and when.
Separate one-time setup evidence from recurring operational evidence.
Identify controls inherited from the provider versus controls operated by your team.

This becomes especially useful when answering customer security questionnaire answers, preparing a compliance gap analysis, or collecting audit evidence examples for SOC 2, ISO 27001, HIPAA, or PCI-related reviews. For cloud-hosted healthcare and payment systems, see HIPAA Compliance Checklist for Cloud-Based Healthcare Apps and PCI DSS 4.0 Requirements Checklist for Cloud-Hosted Payment Systems.

What to double-check

Once the baseline checklist is complete, spend time on the areas most likely to look compliant on paper while failing in practice.

Default settings versus enforced settings: A service may support secure defaults, but that does not mean every deployment uses them.
Central policy inheritance: Verify that policies attached at organization or tenant level actually cover all active accounts, subscriptions, and projects.
Shadow resources: Look for test accounts, abandoned subscriptions, temporary projects, and unmanaged storage locations.
Machine identities: Service accounts, application roles, and automation credentials often accumulate more privilege than human users.
Logging blind spots: Confirm that log collection includes the services your teams actually use, not just the easiest ones to onboard.
Exceptions: Make sure risk acceptances have owners, expiration dates, and compensating controls.
Evidence quality: Screenshots without dates, approvals without scope, and exports without context are weak evidence during audits.

If you operate in multiple clouds, also double-check for false equivalence. A control with the same general purpose may behave differently across providers. For example, identity inheritance, policy precedence, logging granularity, and service-level exposure settings often differ in ways that affect risk and evidence collection.

Common mistakes

Most cloud security issues do not come from a total absence of controls. They come from partial rollout, weak ownership, or assumptions that one provider's pattern translates directly to another.

Treating multi-cloud as one giant environment: Standardize outcomes, not every implementation detail.
Over-focusing on perimeter controls: Identity, configuration drift, and data exposure create just as much risk as open ports.
Ignoring service sprawl: Teams often review compute and storage carefully but miss managed services, serverless components, analytics tools, and temporary deployments.
Collecting evidence only when an audit starts: Evidence is easier to maintain when it is built into recurring reviews.
Assuming provider tooling equals completed governance: Native tools help, but they still require policy decisions, ownership, and remediation workflow.
Leaving privacy and security disconnected: If data location, retention, DSAR response, or processor responsibilities matter, your cloud control checklist should reflect that.
Failing to test operational controls: Backup restores, incident access, alert routing, and access recertification should be practiced, not merely documented.

When to revisit

The most useful checklist is one your team returns to on a schedule, not one created once and forgotten. Revisit this cloud security controls checklist at the following points:

Before quarterly or seasonal planning cycles, especially when new services or regions may be adopted.
When your workflows or tools change, including CI/CD, identity providers, logging pipelines, or posture management tools.
Before a security audit, customer due diligence review, or framework readiness assessment.
After acquisitions, re-organizations, or major engineering team changes.
After a security incident, near miss, or material policy exception.
When launching a regulated workload or entering a new compliance scope.

A practical review cadence for most teams is to maintain a short monthly review for exceptions and high-risk findings, a quarterly control validation for identity, logging, exposure, and backups, and a deeper annual refresh of architecture assumptions, evidence mapping, and shared responsibility boundaries.

To make this actionable, end each review with five outputs:

An updated list of required controls by provider.
A current owner for each control family.
A remediation list with deadlines and business justification.
An evidence folder or control register updated with review dates.
A decision on whether any policy, training, or automation changes are needed.

That approach turns a cloud hardening checklist into a durable operating practice. It also gives your team something more valuable than a static document: a repeatable process for cloud compliance, internal control testing, and platform security improvement as AWS, Azure, and Google Cloud continue to evolve.