Cloud Governance Checklist: 50 Controls for Audit-Ready Cloud Environments
Every control organized by governance pillar, mapped to compliance frameworks, and prioritized by impact. Print this page or bookmark it as your governance audit reference.
Identity and Access (10 Controls)
✓ Enforce MFA for all IAM users [Must-have]
Why: MFA blocks 99.9% of automated credential attacks
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: Native IAM
✓ Implement least privilege access policies [Must-have]
Why: Over-privileged accounts are the primary vector for lateral movement
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: CIEM, IAM Access Analyzer
✓ Disable root/admin account for daily operations [Must-have]
Why: Root accounts bypass all policies and cannot be scoped
Frameworks: SOC 2, ISO, PCI
Difficulty: Easy
Tooling: Native IAM
✓ Implement service account rotation (90-day max) [Must-have]
Why: Static service account keys are the most common credential exposure
Frameworks: SOC 2, ISO, PCI
Difficulty: Medium
Tooling: Secrets manager, CIEM
✓ Configure just-in-time access for production [Should-have]
Why: Standing access to production is unnecessary 95% of the time
Frameworks: SOC 2, ISO, HIPAA
Difficulty: Hard
Tooling: CIEM, PAM platforms
✓ Federate identity through SSO/SCIM [Should-have]
Why: Centralized identity reduces offboarding risk from hours to seconds
Frameworks: SOC 2, ISO, HIPAA
Difficulty: Medium
Tooling: Okta, Azure AD, Google Workspace
✓ Conduct quarterly access reviews [Must-have]
Why: Permission creep is inevitable without periodic review
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: CIEM, GRC platforms
✓ Block cross-account role assumption without MFA [Should-have]
Why: Cross-account access without MFA is a privilege escalation path
Frameworks: SOC 2, ISO
Difficulty: Easy
Tooling: SCPs, Azure Policy
✓ Monitor and alert on privilege escalation [Must-have]
Why: Privilege escalation is the first step in most attack chains
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: CSPM, SIEM
✓ Maintain an identity inventory with ownership [Should-have]
Why: You cannot secure identities you do not know about
Frameworks: SOC 2, ISO
Difficulty: Easy
Tooling: CIEM, asset inventory
Resource and Tagging (8 Controls)
✓ Enforce mandatory tags on all resources [Must-have]
Why: Untagged resources cannot be allocated, scoped, or governed
Frameworks: SOC 2, ISO
Difficulty: Medium
Tooling: Tag policies, Azure Policy, Org Policy
✓ Implement naming convention standards [Should-have]
Why: Consistent naming enables automated operations and reduces human error
Frameworks: SOC 2
Difficulty: Easy
Tooling: Policy-as-code
✓ Block resource creation without required tags [Must-have]
Why: Retroactive tagging has under 60% compliance; preventive enforcement is the only reliable path
Frameworks: SOC 2
Difficulty: Medium
Tooling: SCPs, Azure Policy deny
✓ Monitor tag compliance with weekly reports [Should-have]
Why: Tag drift is continuous; monitoring catches automation gaps
Frameworks: SOC 2
Difficulty: Easy
Tooling: AWS Config, Azure Policy compliance
✓ Detect and flag orphaned resources [Should-have]
Why: Orphaned resources waste money and expand attack surface
Frameworks: SOC 2
Difficulty: Medium
Tooling: CSPM, custom automation
✓ Maintain a cloud asset inventory [Must-have]
Why: Foundational for incident response, compliance scoping, and cost attribution
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: Cloud Asset Inventory, CSPM
✓ Implement environment tags (prod/staging/dev) [Must-have]
Why: Environment classification drives security policy and compliance scope
Frameworks: SOC 2, ISO, PCI
Difficulty: Easy
Tooling: Tag policies
✓ Assign cost center or team owner to every resource [Should-have]
Why: Cost attribution requires owner metadata on every resource
Frameworks: SOC 2
Difficulty: Medium
Tooling: Tag policies, FinOps platforms
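As an added example of the preventive enforcement behind "Block resource creation without required tags" and "Implement environment tags (prod/staging/dev)" (constructed for this page, not policy text from the original checklist), the following AWS Service Control Policy denies EC2 instance launches that omit an Environment tag or use a value outside prod/staging/dev. The tag key name, the allowed values, and the choice of ec2:RunInstances as the guarded action are assumptions; the same two-statement shape extends to other tag keys and create actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConstructedExampleDenyLaunchWithoutEnvironmentTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "ConstructedExampleDenyUnknownEnvironmentValue",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "false"
        },
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "prod",
            "staging",
            "dev"
          ]
        }
      }
    }
  ]
}
```

The first statement fires when the tag key is absent from the request and the second when it is present with an unlisted value; attach the policy at the organizational unit level, since SCPs never restrict the management account itself.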
Security Posture (12 Controls)
✓ Enable CSPM scanning across all accounts [Must-have]
Why: Misconfiguration is the leading cause of cloud breaches
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: Security Hub, Defender, SCC, Wiz, Orca
✓ Enforce encryption at rest for all storage [Must-have]
Why: Unencrypted data at rest is a compliance failure and breach risk
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: SCPs, Azure Policy, CSPM
✓ Enforce encryption in transit (TLS 1.2+) [Must-have]
Why: Unencrypted network traffic exposes data to interception
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: SCPs, Azure Policy
✓ Block public access to storage buckets/accounts [Must-have]
Why: Public storage is the most common source of large-scale data exposure
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: S3 Block Public Access, Azure storage firewall
✓ Enable VPC flow logs / NSG flow logs [Should-have]
Why: Network traffic visibility is essential for incident investigation
Frameworks: SOC 2, ISO, PCI
Difficulty: Easy
Tooling: Native networking
✓ Implement network segmentation [Should-have]
Why: Flat networks allow lateral movement from any compromised resource
Frameworks: ISO, PCI
Difficulty: Hard
Tooling: VPC, NSG, VPC Service Controls
✓ Run vulnerability scanning on all compute [Must-have]
Why: Known vulnerabilities are the easiest attack vector to exploit
Frameworks: SOC 2, ISO, PCI
Difficulty: Medium
Tooling: CSPM, Inspector, Defender
✓ Configure drift detection for infrastructure [Should-have]
Why: Manual changes to IaC-managed resources create security gaps
Frameworks: SOC 2, ISO
Difficulty: Medium
Tooling: Terraform state drift, CSPM
✓ Implement IaC scanning in CI/CD [Should-have]
Why: Catch misconfigurations before deployment, not after
Frameworks: SOC 2, ISO
Difficulty: Medium
Tooling: Checkov, Terrascan, tfsec
✓ Set SLAs for critical finding remediation [Must-have]
Why: Without SLAs, findings accumulate and lose urgency
Frameworks: SOC 2, ISO, PCI
Difficulty: Easy
Tooling: CSPM, ticketing integration
✓ Block deployment of non-compliant images [Should-have]
Why: Container images with known CVEs should never reach production
Frameworks: SOC 2, ISO
Difficulty: Hard
Tooling: Container scanning, admission controllers
✓ Enable threat detection (GuardDuty, Defender, SCC) [Must-have]
Why: Threat detection catches active exploitation that CSPM misses
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: GuardDuty, Defender, SCC
Cost Governance (8 Controls)
✓ Set budget alerts on all accounts [Must-have]
Why: Budget alerts catch cost anomalies and prevent bill shock
Frameworks: SOC 2
Difficulty: Easy
Tooling: AWS Budgets, Azure Cost Alerts
✓ Implement right-sizing recommendations [Should-have]
Why: Oversized instances are the single largest source of cloud waste
Frameworks: SOC 2
Difficulty: Medium
Tooling: Cost Explorer, Azure Advisor, Spot.io
✓ Manage reserved instances and savings plans [Should-have]
Why: On-demand pricing is 40-60% more expensive than committed
Frameworks: SOC 2
Difficulty: Medium
Tooling: RI management tools, FinOps platforms
✓ Detect and terminate idle resources [Should-have]
Why: Idle resources (dev instances on weekends, unused load balancers) waste 10-15% of spend
Frameworks: SOC 2
Difficulty: Medium
Tooling: Custom automation, Spot.io
✓ Implement showback/chargeback by team [Should-have]
Why: Teams that see their cloud costs make better resource decisions
Frameworks: SOC 2
Difficulty: Medium
Tooling: FinOps platforms, custom dashboards
✓ Configure cost anomaly detection [Must-have]
Why: Automated anomaly detection catches crypto mining and misconfigurations faster than humans
Frameworks: SOC 2
Difficulty: Easy
Tooling: AWS Cost Anomaly, Azure alerts
✓ Block expensive instance types without approval [Nice-to-have]
Why: Guardrails prevent accidental expensive deployments
Frameworks: SOC 2
Difficulty: Medium
Tooling: SCPs, Azure Policy
✓ Review and clean up unused commitments quarterly [Should-have]
Why: Unused reservations are pure waste
Frameworks: SOC 2
Difficulty: Easy
Tooling: RI utilization reports
Compliance and Audit (12 Controls)
✓ Enable audit logging across all accounts [Must-have]
Why: Audit logs are the foundation of every compliance framework
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: CloudTrail, Activity Log, Audit Log
✓ Centralize log storage with immutability [Must-have]
Why: Logs must be tamper-proof for audit evidence
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: S3 Object Lock, immutable storage
✓ Set log retention to meet compliance requirements [Must-have]
Why: SOC 2 requires 1 year, PCI requires 1 year, HIPAA requires 6 years
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: Native log lifecycle
✓ Deploy compliance automation platform [Should-have]
Why: Manual evidence collection costs $20k-$40k per audit cycle
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: Vanta, Drata, Tugboat Logic
✓ Map controls to compliance frameworks [Must-have]
Why: A unified control map reduces duplicate effort across frameworks
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: GRC platforms, compliance automation
✓ Implement continuous compliance monitoring [Should-have]
Why: Point-in-time audits miss drift between assessment periods
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: Compliance automation, CSPM
✓ Automate vendor questionnaire responses [Nice-to-have]
Why: Enterprise customers send 20-50 questionnaires per year
Frameworks: SOC 2
Difficulty: Medium
Tooling: Vanta, Drata, SafeBase
✓ Maintain policy documentation with version control [Must-have]
Why: Auditors review policy history to verify governance over time
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Easy
Tooling: Git, GRC platforms
✓ Track control exceptions with time-bound approvals [Should-have]
Why: Exceptions without expiry become permanent security gaps
Frameworks: SOC 2, ISO
Difficulty: Medium
Tooling: GRC platforms, ticketing
✓ Conduct annual risk assessment [Must-have]
Why: Risk assessment is required by every major compliance framework
Frameworks: SOC 2, ISO, HIPAA, PCI
Difficulty: Medium
Tooling: GRC platforms, consulting
✓ Implement data classification and handling policies [Should-have]
Why: Data classification drives encryption, access, and retention requirements
Frameworks: ISO, HIPAA, PCI
Difficulty: Medium
Tooling: DLP tools, CSPM data scanning
✓ Configure automated breach notification workflows [Should-have]
Why: HIPAA and GDPR have specific notification timelines (72 hours)
Frameworks: HIPAA, PCI
Difficulty: Hard
Tooling: Incident response platforms
Updated 11 April 2026