Skip to main content

Cloud Network Security Review Checklist

A network security audit for cloud environments covering topology mapping, internet exposure, least-privilege access, segmentation, private endpoints, WAF/DDoS, and centralized flow logs.

Estimated Time
1 day
Type
security audit
Category
Cloud
Steps
12

When to Use This Checklist

Use this to audit the network security of a cloud environment on AWS, Azure, or GCP, whether after a migration, before a launch, or as periodic hygiene. Network design is one of the strongest levers on blast radius: good segmentation and tight access controls mean a single compromised workload does not become a full breach.

Run it whenever the network topology changes meaningfully, since new peering and exposure can quietly undo prior controls.

How to Use This Checklist

Start by mapping the actual topology and inventorying every internet-facing resource; you cannot secure exposure you have not enumerated. Justify each public endpoint or close it. Then tighten access: least-privilege security groups, environment segmentation, and private endpoints for managed services.

The quick, high-value checks are management-port exposure and open storage; these are common breach vectors. Enable flow logs so you have evidence during an incident. Prioritize remediation by exposure: internet-facing gaps first.

What Good Looks Like

A secure cloud network has a known topology, a justified and minimal set of internet-facing resources, and least-privilege security groups. Production is segmented from non-production, managed services are reached over private endpoints, and public applications sit behind a WAF and DDoS protection. No management ports are exposed to the internet, traffic is encrypted in transit, and flow logs are centralized. DNS is reviewed for dangling-record risk.

Common Pitfalls

The most common and most serious pitfall is SSH or RDP open to the world, often a default left in place. Overly broad security groups (0.0.0.0/0 on many ports) are nearly as bad. Flat networks with no prod/non-prod segmentation let a single foothold reach everything. Reaching managed services over public endpoints widens exposure unnecessarily. Disabled flow logs leave investigators blind, and dangling DNS records invite subdomain takeover.

Related Resources

Ground the review in zero-trust architecture and the principle of least privilege, with CIS Controls v8 for concrete benchmarks. Structured logging supports the flow-log analysis, and ISO 27001 controls map the findings to a recognized framework.