Cloud Security & CDN (expanded): 59 items
Cloud Security (AWS) → Storage Public Access
Question: Are object/blob buckets private with org-level blocks and justified exceptions?
Applicable Requirements:
- NIST 800-53: AC-3, SC-7
- CIS Benchmark: Cloud Storage
Applicability: Object/blob storage
Expected Result: Public access blocks; no public ACLs; access via signed URLs or IAM only.
Why It Matters: Misconfig drives many breaches.
Technical Breakdown:
- Enable account-level blocks; Config/Policy scans; alert on drift.
Deep Dive
- AWS CLI: `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`
Cloud Security (AWS) → Network Segmentation
Question: Are VPC/VNet/VCN segmented by env with default-deny SG/NSG?
Applicable Requirements:
- NIST 800-53: SC-7, AC-4
Applicability: All networks
Expected Result: Prod/non-prod separated; least-privilege rules; restricted egress; flow logs.
Why It Matters: Limits lateral movement.
Technical Breakdown:
- Per-tier SGs; analyze flow logs; remove unused rules.
Cloud Security (AWS) → IAM Guardrails
Question: Are org-level guardrails (SCP/Org Policy/Tenancy Quotas) preventing risky actions?
Applicable Requirements:
- NIST 800-53: CM-7, AC-1
Applicability: Org/tenant level
Expected Result: Deny public storage, root use, wildcard policies, key deletions.
Why It Matters: Stops drift and escalation paths.
Technical Breakdown:
- Blueprints/Landing Zones; unit-test guardrails.
Deep Dive
- NIST SP 800-63B (Digital Identity Guidelines)
- AWS IAM Identity Center (SSO)
- Azure Entra Conditional Access
- Google Cloud IAM best practices
- SCIM Protocol
Cloud Security (AWS) → Secret Management
Question: Are secrets stored in native secret managers with rotation and access logging?
Applicable Requirements:
- NIST 800-53: IA-5, SC-12
Applicability: Apps/Functions/VMs
Expected Result: Use Secrets Manager/Key Vault/Secret Manager/OCI Vault; rotate ≤90d.
Why It Matters: Protects against key theft.
Technical Breakdown:
- No secrets in AMIs/images; inject at deploy; audit access.
Cloud Security (AWS) → Logging & Metrics
Question: Are cloud audit logs enabled org-wide with centralized export and retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
Applicability: All accounts/projects
Expected Result: Enable/force retention; export to SIEM/lake; restricted access.
Why It Matters: Forensics and compliance require full logs.
Technical Breakdown:
- Route to immutable storage; alert on logging disabled.
Cloud Security (Azure) → Storage Public Access
Question: Are object/blob buckets private with org-level blocks and justified exceptions?
Applicable Requirements:
- NIST 800-53: AC-3, SC-7
- CIS Benchmark: Cloud Storage
Applicability: Object/blob storage
Expected Result: Public access blocks; no public ACLs; access via signed URLs or IAM only.
Why It Matters: Misconfig drives many breaches.
Technical Breakdown:
- Enable account-level blocks; Config/Policy scans; alert on drift.
Cloud Security (Azure) → Network Segmentation
Question: Are VPC/VNet/VCN segmented by env with default-deny SG/NSG?
Applicable Requirements:
- NIST 800-53: SC-7, AC-4
Applicability: All networks
Expected Result: Prod/non-prod separated; least-privilege rules; restricted egress; flow logs.
Why It Matters: Limits lateral movement.
Technical Breakdown:
- Per-tier SGs; analyze flow logs; remove unused rules.
Cloud Security (Azure) → IAM Guardrails
Question: Are org-level guardrails (SCP/Org Policy/Tenancy Quotas) preventing risky actions?
Applicable Requirements:
- NIST 800-53: CM-7, AC-1
Applicability: Org/tenant level
Expected Result: Deny public storage, root use, wildcard policies, key deletions.
Why It Matters: Stops drift and escalation paths.
Technical Breakdown:
- Blueprints/Landing Zones; unit-test guardrails.
Cloud Security (Azure) → Secret Management
Question: Are secrets stored in native secret managers with rotation and access logging?
Applicable Requirements:
- NIST 800-53: IA-5, SC-12
Applicability: Apps/Functions/VMs
Expected Result: Use Secrets Manager/Key Vault/Secret Manager/OCI Vault; rotate ≤90d.
Why It Matters: Protects against key theft.
Technical Breakdown:
- No secrets in AMIs/images; inject at deploy; audit access.
Cloud Security (Azure) → Logging & Metrics
Question: Are cloud audit logs enabled org-wide with centralized export and retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
Applicability: All accounts/projects
Expected Result: Enable/force retention; export to SIEM/lake; restricted access.
Why It Matters: Forensics and compliance require full logs.
Technical Breakdown:
- Route to immutable storage; alert on logging disabled.
Cloud Security (GCP) → Storage Public Access
Question: Are object/blob buckets private with org-level blocks and justified exceptions?
Applicable Requirements:
- NIST 800-53: AC-3, SC-7
- CIS Benchmark: Cloud Storage
Applicability: Object/blob storage
Expected Result: Public access blocks; no public ACLs; access via signed URLs or IAM only.
Why It Matters: Misconfig drives many breaches.
Technical Breakdown:
- Enable account-level blocks; Config/Policy scans; alert on drift.
Cloud Security (GCP) → Network Segmentation
Question: Are VPC/VNet/VCN segmented by env with default-deny SG/NSG?
Applicable Requirements:
- NIST 800-53: SC-7, AC-4
Applicability: All networks
Expected Result: Prod/non-prod separated; least-privilege rules; restricted egress; flow logs.
Why It Matters: Limits lateral movement.
Technical Breakdown:
- Per-tier SGs; analyze flow logs; remove unused rules.
Cloud Security (GCP) → IAM Guardrails
Question: Are org-level guardrails (SCP/Org Policy/Tenancy Quotas) preventing risky actions?
Applicable Requirements:
- NIST 800-53: CM-7, AC-1
Applicability: Org/tenant level
Expected Result: Deny public storage, root use, wildcard policies, key deletions.
Why It Matters: Stops drift and escalation paths.
Technical Breakdown:
- Blueprints/Landing Zones; unit-test guardrails.
Cloud Security (GCP) → Secret Management
Question: Are secrets stored in native secret managers with rotation and access logging?
Applicable Requirements:
- NIST 800-53: IA-5, SC-12
Applicability: Apps/Functions/VMs
Expected Result: Use Secrets Manager/Key Vault/Secret Manager/OCI Vault; rotate ≤90d.
Why It Matters: Protects against key theft.
Technical Breakdown:
- No secrets in AMIs/images; inject at deploy; audit access.
Cloud Security (GCP) → Logging & Metrics
Question: Are cloud audit logs enabled org-wide with centralized export and retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
Applicability: All accounts/projects
Expected Result: Enable/force retention; export to SIEM/lake; restricted access.
Why It Matters: Forensics and compliance require full logs.
Technical Breakdown:
- Route to immutable storage; alert on logging disabled.
Cloud Security (OCI) → Storage Public Access
Question: Are object/blob buckets private with org-level blocks and justified exceptions?
Applicable Requirements:
- NIST 800-53: AC-3, SC-7
- CIS Benchmark: Cloud Storage
Applicability: Object/blob storage
Expected Result: Public access blocks; no public ACLs; access via signed URLs or IAM only.
Why It Matters: Misconfig drives many breaches.
Technical Breakdown:
- Enable account-level blocks; Config/Policy scans; alert on drift.
Deep Dive
- OCI CLI: `oci os bucket update --namespace <ns> --bucket-name <name> --public-access-type NoPublicAccess`
Cloud Security (OCI) → Network Segmentation
Question: Are VPC/VNet/VCN segmented by env with default-deny SG/NSG?
Applicable Requirements:
- NIST 800-53: SC-7, AC-4
Applicability: All networks
Expected Result: Prod/non-prod separated; least-privilege rules; restricted egress; flow logs.
Why It Matters: Limits lateral movement.
Technical Breakdown:
- Per-tier SGs; analyze flow logs; remove unused rules.
Cloud Security (OCI) → IAM Guardrails
Question: Are org-level guardrails (SCP/Org Policy/Tenancy Quotas) preventing risky actions?
Applicable Requirements:
- NIST 800-53: CM-7, AC-1
Applicability: Org/tenant level
Expected Result: Deny public storage, root use, wildcard policies, key deletions.
Why It Matters: Stops drift and escalation paths.
Technical Breakdown:
- Blueprints/Landing Zones; unit-test guardrails.
Deep Dive
- NIST SP 800-63B (Digital Identity Guidelines)
- AWS IAM Identity Center (SSO)
- Azure Entra Conditional Access
- Google Cloud IAM best practices
- SCIM Protocol
Cloud Security (OCI) → Secret Management
Question: Are secrets stored in native secret managers with rotation and access logging?
Applicable Requirements:
- NIST 800-53: IA-5, SC-12
Applicability: Apps/Functions/VMs
Expected Result: Use Secrets Manager/Key Vault/Secret Manager/OCI Vault; rotate ≤90d.
Why It Matters: Protects against key theft.
Technical Breakdown:
- No secrets in AMIs/images; inject at deploy; audit access.
Cloud Security (OCI) → Logging & Metrics
Question: Are cloud audit logs enabled org-wide with centralized export and retention?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
Applicability: All accounts/projects
Expected Result: Enable/force retention; export to SIEM/lake; restricted access.
Why It Matters: Forensics and compliance require full logs.
Technical Breakdown:
- Route to immutable storage; alert on logging disabled.
CDN/Edge → Cloudflare WAF & Bot
Question: Is WAF in block mode with OWASP rules and bot mitigation on auth flows?
Applicable Requirements:
- NIST 800-53: SI-4, SI-10
- ISO 27001: A.12.6.1
- SOC 2: CC7.1
Applicability: Internet-facing apps
Expected Result: High/critical rules blocking; protect /login; JS challenges; logs to SIEM.
Why It Matters: Stops commodity attacks and credential stuffing.
Technical Breakdown:
- Tune false positives; API Shield/mTLS for API endpoints.
Deep Dive
- Cloudflare: Enable WAF Managed Rules and Bot Management; for APIs enable API Shield mTLS (Dashboard → Security → WAF / API Shield).
- Cloudflare WAF Managed Rules
- Cloudflare Bot Management
- Cloudflare mTLS / API Shield
- Akamai App & API Protector
- Fastly WAF (Signal Sciences)
CDN/Edge → TLS to Origin
Question: Is end-to-end TLS (edge↔origin) enforced with TLS 1.2+ and HSTS?
Applicable Requirements:
- NIST 800-53: SC-8, SC-23
Applicability: CDN/edge-proxied apps
Expected Result: No HTTP origin pulls; HSTS max-age ≥ 6 months; redirect 80→443.
Why It Matters: Prevents downgrade/MITM.
Technical Breakdown:
- Enable Always HTTPS; add HSTS at edge and origin.
Cloud Security (AWS) → Server-Side Encryption
Question: Is server-side encryption enforced with CMKs and bucket-level policies?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (AWS) → Client-Side Encryption
Question: Are clients encrypting sensitive objects before upload with envelope DEKs?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (AWS) → TLS Mutual Auth to Storage
Question: Are service agents using mTLS/private endpoints to reach storage?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (Azure) → Server-Side Encryption
Question: Is server-side encryption enforced with CMKs and bucket-level policies?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (Azure) → Client-Side Encryption
Question: Are clients encrypting sensitive objects before upload with envelope DEKs?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (Azure) → TLS Mutual Auth to Storage
Question: Are service agents using mTLS/private endpoints to reach storage?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (GCP) → Server-Side Encryption
Question: Is server-side encryption enforced with CMKs and bucket-level policies?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (GCP) → Client-Side Encryption
Question: Are clients encrypting sensitive objects before upload with envelope DEKs?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (GCP) → TLS Mutual Auth to Storage
Question: Are service agents using mTLS/private endpoints to reach storage?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (OCI) → Server-Side Encryption
Question: Is server-side encryption enforced with CMKs and bucket-level policies?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (OCI) → Client-Side Encryption
Question: Are clients encrypting sensitive objects before upload with envelope DEKs?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security (OCI) → TLS Mutual Auth to Storage
Question: Are service agents using mTLS/private endpoints to reach storage?
Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2
Applicability: Object/blob and file storage.
Expected Result: Encryption defaults on; CMKs monitored; TLS enforced; keys rotated.
Why It Matters: Protects data confidentiality and integrity.
Technical Breakdown:
- Baseline policies; audit key grants; monitor for unencrypted writes.
Cloud Security → Platform Controls: Compute AMI/Image Hardening
Question: Is the following control enforced: Compute AMI/Image Hardening?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: VM images/templates
Expected Result: CIS-hardened images; no default creds; agent baseline
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Serverless Least Privilege
Question: Is the following control enforced: Serverless Least Privilege?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Functions/Lambdas
Expected Result: Per-function IAM roles; no wildcard actions; short timeouts
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Database Encryption & TLS
Question: Is the following control enforced: Database Encryption & TLS?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Managed DBs
Expected Result: At-rest encryption; TLS required; auth via IAM tokens
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Parameter Store Hygiene
Question: Is the following control enforced: Parameter Store Hygiene?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Param/SSM/Config
Expected Result: No secrets in plain params; RBAC; versioning; rotation
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Message Queue Policies
Question: Is the following control enforced: Message Queue Policies?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: SQS/Service Bus/PubSub/OCI Queue
Expected Result: Private endpoints; authZ on send/receive; DLQs
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Event Bus Filtering
Question: Is the following control enforced: Event Bus Filtering?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: EventBridge/Event Grid/PubSub
Expected Result: Least-privilege subscriptions; filter by detail-type
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Backup Immutability
Question: Is the following control enforced: Backup Immutability?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Backups/snapshots
Expected Result: WORM/immutability; separate keys; restore drills
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Compute Patch Orchestration
Question: Is the following control enforced: Compute Patch Orchestration?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: VM scale sets/ASGs
Expected Result: Rolling patch windows; health checks; canarying
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: Private Endpoints
Question: Is the following control enforced: Private Endpoints?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: PaaS services
Expected Result: PrivateLink/Private Endpoint enforced; no public exposure
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Platform Controls: CSPM Coverage
Question: Is the following control enforced: CSPM Coverage?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Cloud posture tools
Expected Result: Org-wide scanning; block high-risk; ticket integration
Why It Matters: Hardens cloud compute/data plane and closes misconfig gaps.
Technical Breakdown:
- Baseline IaC; pre-commit checks; deny on critical drift.
Cloud Security → Advanced Platform Controls: VM Disk Encryption by Default
Question: Is the following control enforced: VM Disk Encryption by Default?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Compute/VMs
Expected Result: All disks encrypted with CMKs; no plaintext snapshots
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Snapshot Sharing Controls
Question: Is the following control enforced: Snapshot Sharing Controls?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Snapshots
Expected Result: Snapshots private; sharing audited/blocked
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: EIP/Public IP Governance
Question: Is the following control enforced: EIP/Public IP Governance?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Public IPs
Expected Result: Approved requests only; DDoS/WAF in front
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Security Group Minimization
Question: Is the following control enforced: Security Group Minimization?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: SG/NSG rules
Expected Result: No 0.0.0.0/0 on admin ports; least-privilege
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Bastion Host Decommission
Question: Is the following control enforced: Bastion Host Decommission?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Access model
Expected Result: Replace bastions with SSM/Session Manager/ZTNA
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Serverless Secrets
Question: Is the following control enforced: Serverless Secrets?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Functions
Expected Result: Secrets via KMS/KeyVault/Secrets Manager; no env plaintext
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Container Registry Access
Question: Is the following control enforced: Container Registry Access?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Registries
Expected Result: Private endpoints; signed images; RBAC
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: ACM/Cert Manager Hygiene
Question: Is the following control enforced: ACM/Cert Manager Hygiene?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Certificates
Expected Result: Auto-renew; track expiry; alert pre-expiry
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Cloud-Native DLP
Question: Is the following control enforced: Cloud-Native DLP?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Storage
Expected Result: Automatic PII detection; quarantine public objects
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: IaC Security
Question: Is the following control enforced: IaC Security?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Terraform/ARM/CloudFormation
Expected Result: Policy-as-code checks pre-merge; deny critical
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Dedicated Hosts/Nodes
Question: Is the following control enforced: Dedicated Hosts/Nodes?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Compliance regions
Expected Result: Use dedicated hosts for isolation where required
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: BYOIP Governance
Question: Is the following control enforced: BYOIP Governance?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Networking
Expected Result: BYOIP vetted and monitored for abuse
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: Peering/Transit Gateways
Question: Is the following control enforced: Peering/Transit Gateways?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Network topology
Expected Result: Least-privilege routing; no transitive trust
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Cloud Security → Advanced Platform Controls: S3/Blob Access Analyzer Findings
Question: Is the following control enforced: S3/Blob Access Analyzer Findings?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: Storage
Expected Result: Findings triaged and remediated quickly
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.
Deep Dive
- AWS CLI: `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`
- AWS S3: Default encryption (SSE-KMS)
- AWS S3: Block Public Access
- Azure Storage: Configure blob public access
- Azure Storage: Private Endpoints
- GCP Cloud Storage: Uniform bucket-level access
- GCP: Prevent public access
- OCI Object Storage: Pre-Authenticated Requests
- OCI: Encrypting data at rest
Cloud Security → Advanced Platform Controls: Cost Anomaly Security Signals
Question: Is the following control enforced: Cost Anomaly Security Signals?
Applicable Requirements:
- NIST 800-53: CM-6, SC-7, SC-28
- SOC 2: CC6.6, CC7.2
Applicability: FinOps
Expected Result: Investigate spikes as potential security signals
Why It Matters: Targets drift, exposure, and hidden weak spots in cloud estates.
Technical Breakdown:
- Pre-commit IaC checks; org-wide policy; continuous CSPM coverage.