A cloud security audit systematically compares an organisation's cloud posture against a standard (CIS Benchmark, NIST CSF, ISO 27001) to identify gaps. This article describes the audit process, evidence collection methods, and remediation tracking.
Sign in to mark this article as read and track your progress.
A cloud security audit has a different character from a traditional IT audit. Traditional audits examine documentation, interview staff, and sample configurations manually. Cloud audits can (and should) interrogate the cloud provider's API directly — every configuration is queryable, and the audit trail is in CloudTrail.
An audit may be:
Define:
Cloud audit evidence is collected from APIs, not interviews:
| Evidence Source | What It Proves | How to Collect |
|---|---|---|
| AWS IAM Credential Report | MFA status, access key age, password age for all IAM users | aws iam generate-credential-report |
| CloudTrail — last 90 days | Root account usage, IAM changes, S3 policy changes | Athena query on the CloudTrail S3 bucket |
| AWS Config Rules — compliance snapshot | Continuous compliance status at point-in-time | Config → Compliance Dashboard → Export |
| Security Hub — consolidated findings | Aggregated findings from GuardDuty, Macie, Inspector | Security Hub → Findings export (CSV/JSON) |
| VPC Flow Logs | Network-level evidence of traffic patterns | S3 query or Athena |
| S3 Bucket ACL export | Public access status of all buckets | aws s3api get-bucket-acl for each bucket |
A useful audit automation script collects all of the above and packages them into a ZIP archive with a hash manifest for evidence integrity.
Compare collected evidence against the chosen standard. The output is a gap table:
| Control | Standard Requirement | Current State | Status | Risk |
|---|---|---|---|---|
| CIS 1.5 | MFA on root account | MFA not enabled on root | FAIL | Critical |
| CIS 3.1 | CloudTrail in all regions | Trail exists for ap-south-1 only | FAIL | High |
| CIS 3.9 | VPC Flow Logs enabled | All production VPCs have flow logs | PASS | — |
| CIS 1.14 | Access keys rotated < 90 days | 3 of 7 users have keys > 90 days old | FAIL | Medium |
For each gap, the audit report must include:
AWS Config is a continuous compliance service that evaluates resources against defined rules (managed or custom):
| Rule | What It Checks |
|---|---|
root-account-mfa-enabled | MFA enabled on root account |
cloudtrail-enabled | CloudTrail active in all regions |
s3-bucket-public-read-prohibited | No S3 bucket allows public read |
vpc-flow-logs-enabled | Flow logs enabled on all VPCs |
iam-user-no-policies-check | No IAM users have directly attached policies |
encrypted-volumes | All EBS volumes are encrypted |
Config runs these rules continuously. Non-compliant resources appear in the Config dashboard in near-real-time. This transforms audit from a point-in-time event into a continuous process.
Under CERT-In 2022 Directions, organisations owning/operating ICT infrastructure are required to:
CERT-In maintains a list of empanelled IS auditing organisations on their website. For cloud environments, the auditor should specifically assess:
Audit evidence from cloud APIs is only valid if the auditor can demonstrate it has not been tampered with after collection. Best practices:
aws cloudtrail validate-logs)