A comprehensive, actionable security checklist for cloud environments. Based on CIS Benchmarks and real-world hardening experience.
Use these checklists to audit your cloud infrastructure, prepare for compliance assessments, or establish security baselines for new deployments.
| Platform | Description | Controls |
|---|---|---|
| Azure | Identity, Networking, Storage, Compute, Database, Logging, Key Vault | 46 |
| AWS | IAM, S3, EC2, RDS, CloudTrail, VPC, KMS | 45 |
| GCP | IAM, Compute, Storage, Networking, Logging, BigQuery | 34 |
| Microsoft 365 | Entra ID, Exchange Online, SharePoint, Teams, Compliance | 32 |
| Kubernetes | Pod Security, RBAC, Network, Image Security, Secrets | 28 |
| Infrastructure as Code | Terraform, Bicep/ARM, CloudFormation, CI/CD Gates | 30 |
Total: 215 security controls across 6 platforms
Most cloud breaches stem from misconfigurations, not sophisticated exploits. Overly permissive IAM roles, public storage buckets, disabled logging, missing encryption - these are the real attack surface.
This project exists because:
- CIS Benchmarks are 300+ pages - Teams need a practical, scannable format
- Checklists beat documents - A checkbox you can tick drives action; a PDF gathers dust
- Multi-cloud is reality - Most organizations run more than one cloud; security controls shouldn't live in silos
- Open source means community-reviewed - More eyes on security guidance means better guidance
Each control includes severity ratings, actionable descriptions, and references to CIS Benchmarks and vendor documentation.
- Pick your platform from the table above
- Work through controls by category (start with Critical/High severity)
- Check off completed items as you harden your environment
- Revisit quarterly - cloud services change, new controls get added
You can fork this repo to track your organization's progress, or use the checklists as a reference during audits.
| Level | Meaning |
|---|---|
| Critical | Immediate risk of breach or data exposure. Fix first. |
| High | Significant security gap. Address within days. |
| Medium | Defense-in-depth control. Plan for near-term. |
| Low | Best practice. Implement as resources allow. |
This checklist is a static starting point — a solid foundation for manual audits and security reviews. But cloud environments change constantly, and static checklists can't keep up with infrastructure drift, new deployments, or evolving compliance requirements.
SecValley's CSPM platform takes these controls much further:
- 800+ automated security controls across Azure, AWS, GCP, and Microsoft 365
- Continuous scanning — not a one-time check, but real-time misconfiguration detection
- Drift detection — get alerted the moment a secure configuration changes
- Compliance mapping — automatic mapping to SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST, and CIS frameworks
- Guided remediation — step-by-step fix instructions with CLI commands and IaC snippets
- Multi-tenant dashboard — manage security posture across multiple subscriptions and accounts from a single pane
If your team is manually working through checklists, you're already behind. See what continuous cloud security looks like.
Contributions are welcome. See CONTRIBUTING.md for guidelines on adding new controls, suggesting changes, or reporting issues.
This project is licensed under the MIT License.
Maintained by SecValley - Cloud Security Consulting & CSPM Solutions
If this checklist helps you, consider giving it a star to help others find it.