The Cloud Misconfiguration Checklist

A practical cloud misconfiguration checklist mapped to ISO 27017 controls, helping SaaS teams fix audit findings and secure AWS and Azure environments.

Misconfiguration Checklist • ISO 27017 Intent • Auditor-Focused

ISO 27017 controls that catch the mistakes auditors see most in AWS, Azure, and SaaS environments
Cloud misconfigurations rarely look dramatic. They usually look like small defaults that quietly become audit findings, procurement friction, or real incidents. This is why auditors keep flagging the same issues over and over: exposed storage, overly broad admin roles, logging with no review evidence, temporary rules that never expire, weak secrets handling, and vendor access nobody can explain.

ISO 27017 is useful because it forces clarity around shared responsibility and cloud control expectations without turning cloud security into an endless tool discussion. This checklist is designed to help teams verify that cloud controls are not only configured, but also operating and provable.

How to use this checklist fast

For every checklist item, use the same three-part test. If the answer fails any part, treat it as not ready.

✅ Configured
The control exists in the cloud environment.
✅ Operating
It is applied consistently, not just turned on once.
✅ Provable
You can show evidence in about two minutes.
Simple rule: if it is not provable, count it as not ready.

1. Identity and admin access

This is usually the number one audit focus because weak cloud identity controls create the fastest path to major incidents.

MFA enforced for privileged roles
What auditors see most: MFA is enabled for some admins, not all.
What to check: Require MFA for cloud console admins, CI/CD admins, key vault admins, and identity admins. Control and monitor break-glass accounts.
Evidence: MFA enforcement export and admin role membership with review sign-off.

Least privilege for cloud roles
What auditors see most: Too many Global Admin or Owner accounts.
What to check: Use role-based access by function, approval for elevated access, and quarterly privileged access reviews.
Evidence: Role assignment export, access review record, and stale admin removal tickets.

No shared admin accounts
What auditors see most: Shared admin@company accounts or poorly governed root access.
What to check: Use named admin accounts, lock down root accounts, and document any unavoidable shared access through vault plus approval.
Evidence: Root account control summary and any shared-account exception with expiry.
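One way to turn the "MFA enforced for privileged roles" and "lock down root accounts" items into a repeatable, provable check is to run them against an export rather than clicking through the console. The script below is an added example, not Canadian Cyber's tooling or any vendor's: it reads a credential report in the column layout of the AWS IAM credential report (only the columns the check needs, with a constructed account id and made-up users), joins it to a constructed group membership map, and reports every privileged console principal without MFA plus any active root access key. The group names in PRIVILEGED_GROUPS are hypothetical and would be replaced with your own admin groups.

```python
import csv
import io

# Constructed sample in the column layout of the AWS IAM credential report
# (aws iam get-credential-report). The real report has more columns; only
# the ones this check reads are included. Account id and names are made up.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true
alice,arn:aws:iam::123456789012:user/alice,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true
carol,arn:aws:iam::123456789012:user/carol,true,false,false
"""

# Constructed group membership, as `aws iam list-groups-for-user` would report it.
GROUP_MEMBERSHIP = {
    "alice": ["Administrators"],
    "bob": ["Administrators", "Developers"],
    "ci-deploy": ["Deployers"],
    "carol": ["Developers"],
}

# Hypothetical names of the groups this organisation treats as privileged.
PRIVILEGED_GROUPS = {"Administrators", "IdentityAdmins", "KeyVaultAdmins"}


def parse_credential_report(text):
    """Turn the CSV report into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_privileged(user, membership, privileged_groups):
    """Root is always privileged; a named user is privileged via group membership."""
    return user == "<root_account>" or bool(set(membership.get(user, ())) & privileged_groups)


def audit_privileged_mfa(rows, membership, privileged_groups):
    """Return (user, issue) pairs for privileged principals that fail the MFA test.

    Only principals that can sign in to the console are checked for MFA;
    keys-only service users are a separate control.
    """
    findings = []
    for row in rows:
        user = row["user"]
        if not is_privileged(user, membership, privileged_groups):
            continue
        is_root = user == "<root_account>"
        console = is_root or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console-access-without-mfa"))
        if is_root and row["access_key_1_active"] == "true":
            # Root should have no long-lived access keys at all.
            findings.append((user, "root-access-key-active"))
    return findings


def mfa_coverage(rows, membership, privileged_groups):
    """Percentage of privileged console principals with MFA, for the evidence pack."""
    checked = covered = 0
    for row in rows:
        user = row["user"]
        console = user == "<root_account>" or row["password_enabled"] == "true"
        if is_privileged(user, membership, privileged_groups) and console:
            checked += 1
            covered += int(row["mfa_active"] == "true")
    return round(100 * covered / checked) if checked else 100


if __name__ == "__main__":
    rows = parse_credential_report(CREDENTIAL_REPORT)
    for user, issue in audit_privileged_mfa(rows, GROUP_MEMBERSHIP, PRIVILEGED_GROUPS):
        print(f"{issue}: {user}")
    print(f"privileged MFA coverage: {mfa_coverage(rows, GROUP_MEMBERSHIP, PRIVILEGED_GROUPS)}%")
```

The coverage percentage is the number worth keeping with the quarterly review sign-off: a report that says "MFA is on" is configured, a report that says "3 of 3 privileged console principals have MFA, root has no access keys, reviewed on this date by this person" is provable.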

2. Network exposure

This is where the classic open-port audit findings come from, especially when teams leave troubleshooting rules behind for months.

Security groups or NSGs are not internet-open by default
No 0.0.0.0/0 exposure on admin ports, databases, or management planes. Use allowlists, bastions, VPNs, or jump hosts where needed.
Temporary rules must expire
Every temporary rule should have a justification, owner, expiry date, and closure verification.
Segmentation between prod and non-prod
Use separate subscriptions, accounts, or resource groups plus restricted connectivity and distinct IAM roles.
Evidence examples:
sampled security group or NSG exports, quarterly review sign-offs, rule change tickets, environment separation proof, and exception records with expiry.
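The two network items above, no 0.0.0.0/0 exposure on admin or database ports and temporary rules that carry an owner and an expiry, can be checked from a security group export in the same pass. The following is an added example, not code from this page or from any cloud provider: it evaluates a constructed export in the shape of `aws ec2 describe-security-groups` output (group ids, names and the Temporary/Owner/Expiry tag convention are hypothetical) and reports internet-open rules on watched ports, temporary rules missing their governance tags, and temporary rules past their expiry date. The port lists are one reasonable reading of "admin ports, databases, or management planes", not an exhaustive list.

```python
from datetime import date

# Ports the checklist calls out: admin/management ports and common database ports.
ADMIN_PORTS = {22, 3389, 5985, 5986}
DB_PORTS = {1433, 3306, 5432, 6379, 27017}
WATCH_PORTS = ADMIN_PORTS | DB_PORTS
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}

# Constructed export in the shape of `aws ec2 describe-security-groups`.
# Group ids, names, and the Temporary/Owner/Expiry tags are hypothetical.
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-public", "Tags": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db-troubleshoot",
     "Tags": [{"Key": "Temporary", "Value": "true"}, {"Key": "Owner", "Value": "dba-team"},
              {"Key": "Expiry", "Value": "2024-02-15"}],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "temp debug"}],
                        "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "bastion", "Tags": [],
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ddd", "GroupName": "all-open-test",
     "Tags": [{"Key": "Temporary", "Value": "true"}],
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def public_sources(perm):
    """Return the any-source CIDRs (IPv4 and IPv6) a rule allows traffic from."""
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in PUBLIC_SOURCES]


def watched_ports_in(perm):
    """Which of the watched ports fall inside the rule's port range."""
    if perm.get("IpProtocol") == "-1":          # all protocols, all ports
        return sorted(WATCH_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in WATCH_PORTS if lo <= p <= hi)


def audit_security_groups(groups, today):
    """Return (group id, issue, detail) triples for the two checklist items."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            ports = watched_ports_in(perm)
            if ports and public_sources(perm):
                findings.append((gid, "internet-open", ports))
        tags = {t["Key"]: t["Value"] for t in g.get("Tags", [])}
        if tags.get("Temporary", "").lower() != "true":
            continue
        missing = [k for k in ("Owner", "Expiry") if k not in tags]
        if missing:
            findings.append((gid, "temporary-rule-missing-fields", missing))
        elif date.fromisoformat(tags["Expiry"]) < today:
            findings.append((gid, "temporary-rule-expired", tags["Expiry"]))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SECURITY_GROUPS, date.today()):
        print(*finding)
```

Note that the web group with 443 open to the world produces no finding and the bastion with port 22 restricted to one allowlisted range produces none either; the check is deliberately narrow so the output maps one-to-one onto the exception records and expiry dates the auditor will ask for.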

3. Storage misconfigurations

Public storage and overly shareable files are among the fastest ways to lose buyer trust. These findings are often simple but expensive.

Public object storage is intentionally controlled
What to verify: Enforce public access block where possible, tie storage to identities or roles, eliminate anonymous access to sensitive storage, and review settings periodically.
Evidence: Public access block settings, storage policy screenshots, and periodic review records.

File sharing links are governed
What to verify: Restrict anonymous sharing for confidential data, require specific-person links, and use expiry on external sharing.
Evidence: Sharing configuration export and quarterly external sharing review record.
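"Public access block where possible" and "intentionally controlled" are two different tests, and the evidence needs both: which buckets have the block fully enabled, and which buckets grant access to any principal without being an approved exception. The script below is an added example written for this checklist, not code from the page or from AWS: it evaluates a constructed account-level public access block, constructed per-bucket blocks, bucket policies and tags (bucket names, the VPC endpoint id and the PublicAccess=approved tag convention are hypothetical). It treats a policy statement as public when it allows Principal "*" with no Condition, which is why the data-lake bucket scoped to one VPC endpoint is not flagged.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed account-level setting, as `aws s3control get-public-access-block`
# would return it: here nothing is set, so bucket-level settings decide.
ACCOUNT_PAB = {f: False for f in PAB_FLAGS}

# Constructed per-bucket data: bucket-level public access block
# (get-public-access-block), bucket policy (get-bucket-policy) and tags.
# Bucket names, the vpce id and the PublicAccess=approved tag are hypothetical.
BUCKETS = [
    {"Name": "prod-customer-exports",
     "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "Policy": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                                          "Principal": "*", "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::prod-customer-exports/*"}]}),
     "Tags": []},
    {"Name": "public-website-assets",
     "PublicAccessBlock": {f: False for f in PAB_FLAGS},
     "Policy": json.dumps({"Statement": [{"Sid": "SiteRead", "Effect": "Allow",
                                          "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::public-website-assets/*"}]}),
     "Tags": [{"Key": "PublicAccess", "Value": "approved"}, {"Key": "Owner", "Value": "web-team"}]},
    {"Name": "internal-data-lake",
     "PublicAccessBlock": {f: True for f in PAB_FLAGS},
     # Principal "*" but scoped by a condition: only reachable through one VPC endpoint.
     "Policy": json.dumps({"Statement": [{"Sid": "VpceOnly", "Effect": "Allow",
                                          "Principal": "*", "Action": "s3:GetObject",
                                          "Resource": "arn:aws:s3:::internal-data-lake/*",
                                          "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]}),
     "Tags": []},
    {"Name": "app-logs", "PublicAccessBlock": {f: True for f in PAB_FLAGS}, "Policy": None, "Tags": []},
]


def is_public_statement(stmt):
    """An Allow to any principal with no Condition is treated as public."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def effective_pab(account_pab, bucket_pab):
    """Account and bucket settings combine; the more restrictive one wins per flag."""
    return {f: bool(account_pab.get(f)) or bool(bucket_pab.get(f)) for f in PAB_FLAGS}


def audit_buckets(account_pab, buckets):
    """Return (scope, issue, detail) triples for the public storage checklist item."""
    findings = []
    missing_account = [f for f in PAB_FLAGS if not account_pab.get(f)]
    if missing_account:
        findings.append(("account", "public-access-block-incomplete", missing_account))
    for b in buckets:
        tags = {t["Key"]: t["Value"] for t in b.get("Tags", [])}
        approved = tags.get("PublicAccess") == "approved"
        pab = effective_pab(account_pab, b.get("PublicAccessBlock", {}))
        statements = json.loads(b["Policy"])["Statement"] if b.get("Policy") else []
        public_sids = [s.get("Sid") for s in statements if is_public_statement(s)]
        if public_sids and not pab["RestrictPublicBuckets"]:
            issue = "public-policy-approved-exception" if approved else "public-policy-unapproved"
            findings.append((b["Name"], issue, public_sids))
        missing = [f for f in PAB_FLAGS if not pab[f]]
        if missing and not approved:
            findings.append((b["Name"], "public-access-block-incomplete", missing))
    return findings


if __name__ == "__main__":
    for scope, issue, detail in audit_buckets(ACCOUNT_PAB, BUCKETS):
        print(f"{scope}: {issue} {detail}")
```

The approved website bucket still shows up, just under a different label, because "intentionally public" is an exception the auditor will want to see recorded with an owner and a review date; what should never appear is an unapproved public policy on a bucket holding customer data.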

Fastest cloud audit win
If you fix admin MFA consistency, open port exposure, public storage controls, and log review evidence first, you usually remove a large percentage of the audit pain auditors surface in cloud assessments.

4. Logging and monitoring

Logs existing is not the same as the control operating. This is one of the most common evidence traps in cloud audits.

Cloud audit logs are enabled for all key accounts and regions.
Retention is defined and enforced beyond default settings.
Monthly log reviews are signed off, even if lightweight.
Alerts generate tickets with response and closure evidence.
Privileged events like new admins or MFA disablement are monitored.
Incident triage severity and escalation paths exist.
Evidence examples:
CloudTrail or Azure Activity Log settings, retention screenshots, monthly sign-off records, and 2 to 3 alert-to-ticket samples per quarter.
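Two things above are easy to claim and hard to prove: that the trail configuration really covers all regions with adequate retention, and that privileged events actually turn into tickets. The following added example (not the page's or AWS's code) does both against constructed data: a trail description in the shape of `aws cloudtrail describe-trails` plus a CloudWatch log group retention map, and a handful of CloudTrail records trimmed to the fields the triage reads. The account id, trail and user names, the 365-day minimum retention, and the severity assignments are all hypothetical choices for the example; the event names are real CloudTrail event names.

```python
# Constructed trail configuration in the shape of `aws cloudtrail describe-trails`,
# plus the matching CloudWatch log group retention from `describe-log-groups`.
# Names, account id and the 365-day minimum are hypothetical.
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True,
     "CloudWatchLogsLogGroupArn":
         "arn:aws:logs:ca-central-1:123456789012:log-group:cloudtrail-org:*"},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False,
     "CloudWatchLogsLogGroupArn": None},
]
LOG_GROUP_RETENTION_DAYS = {"cloudtrail-org": 90}
MIN_RETENTION_DAYS = 365

# Constructed CloudTrail records, trimmed to the fields the triage reads.
EVENTS = [
    {"eventTime": "2024-03-01T09:12:00Z", "eventName": "DeactivateMFADevice",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "alice", "serialNumber": "arn:aws:iam::123456789012:mfa/alice"}},
    {"eventTime": "2024-03-01T09:15:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "newhire", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T09:16:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "analyst", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T10:30:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-reports"}},
    {"eventTime": "2024-03-01T11:00:00Z", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
]

ADMIN_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}
ADMIN_GROUPS = {"Administrators"}


def audit_trails(trails, retention_days, minimum_days):
    """Configuration checks: multi-region coverage, integrity validation, retention."""
    findings = []
    if not any(t["IsMultiRegionTrail"] for t in trails):
        findings.append(("account", "no-multi-region-trail"))
    for t in trails:
        if not t["LogFileValidationEnabled"]:
            findings.append((t["Name"], "log-file-validation-disabled"))
        arn = t.get("CloudWatchLogsLogGroupArn")
        if not arn:
            findings.append((t["Name"], "no-cloudwatch-log-group"))
            continue
        group = arn.split(":log-group:")[1].split(":")[0]
        days = retention_days.get(group)
        if days is None or days < minimum_days:
            findings.append((t["Name"], f"retention-below-minimum:{days}"))
    return findings


def classify_event(ev):
    """Return (severity, summary) for privileged events, None for everything else."""
    name = ev["eventName"]
    params = ev.get("requestParameters") or {}
    identity = ev.get("userIdentity") or {}
    if name in ("DeactivateMFADevice", "DeleteVirtualMFADevice"):
        return "high", f"MFA removed for {params.get('userName')}"
    if name == "AttachUserPolicy" and params.get("policyArn") in ADMIN_POLICIES:
        return "high", f"admin policy attached to {params.get('userName')}"
    if name == "AddUserToGroup" and params.get("groupName") in ADMIN_GROUPS:
        return "high", f"{params.get('userName')} added to {params.get('groupName')}"
    if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        return "high", f"audit trail changed: {name} {params.get('name')}"
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        mfa = (ev.get("additionalEventData") or {}).get("MFAUsed")
        return ("high" if mfa != "Yes" else "medium"), f"root console login, MFAUsed={mfa}"
    if name in ("CreateUser", "CreateLoginProfile", "CreateAccessKey"):
        return "medium", f"{name} for {params.get('userName')}"
    return None


def triage(events):
    """Turn matching events into ticket-shaped records with an escalation flag."""
    tickets = []
    for ev in events:
        hit = classify_event(ev)
        if hit is None:
            continue
        severity, summary = hit
        identity = ev.get("userIdentity") or {}
        tickets.append({"time": ev["eventTime"], "event": ev["eventName"],
                        "actor": identity.get("userName", identity.get("type")),
                        "severity": severity, "summary": summary,
                        "escalate": severity == "high"})
    return tickets
```

The ticket records are the "alert-to-ticket samples" the evidence list asks for: each one names the event, the actor, the severity and whether it was escalated, which is exactly what the monthly sign-off should be able to point at.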

5. Encryption, keys, and secrets

These are quiet gaps that often sit unnoticed until an audit or incident forces attention.

Encryption at rest
What to verify: Enable encryption for databases, storage, and backups in scope. Document encryption requirements in standards.
Evidence: Service configuration proof and policy reference.

Key management discipline
What to verify: Store keys in KMS, Key Vault, or HSM where appropriate, limit key-admin roles, and define rotation plus break-glass procedures.
Evidence: Key vault role export, access review, and rotation records where implemented.

Secrets are not in code or pipelines
What to verify: Use a secrets manager, enable secret scanning, rotate high-risk tokens, and apply least privilege to CI/CD variables.
Evidence: Secret scanning settings and a remediation ticket example.
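"Enable secret scanning" is normally a platform feature, but the logic behind it is simple enough to run yourself over a repository export when you need a remediation ticket example for the evidence pack. The script below is an added illustration, not code from this page or from any scanning product: it scans two constructed files (a pipeline definition and a settings module, both made up) for an AWS access key id pattern and for secret-looking variables assigned a literal value, skips assignments that reference a secrets store or environment variable, and reports file, line, rule and a masked value so the finding can go into a ticket without copying the secret into it. The key id in the sample is the placeholder AWS uses in its own documentation.

```python
import re

# Constructed pipeline file and settings module with planted placeholder values.
# File names and contents are made up for the example; the key id is the
# AKIAIOSFODNN7EXAMPLE placeholder from AWS documentation, not a real credential.
SAMPLE_FILES = {
    ".github/workflows/deploy.yml": """\
name: deploy
env:
  AWS_REGION: ca-central-1
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
jobs:
  deploy:
    runs-on: ubuntu-latest
""",
    "app/settings.py": """\
DEBUG = False
API_TOKEN = "not-a-real-token"
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
""",
}

# Rule name and pattern; each pattern captures the sensitive value as `value`.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b(?P<value>AKIA[0-9A-Z]{16})\b")),
    ("hardcoded-secret-assignment",
     re.compile(r"(?i)\b\w*(secret|password|passwd|token|api_key)\w*\s*[:=]\s*[\"']?"
                r"(?P<value>[A-Za-z0-9/+_\-.]{8,})")),
]

# Assignments that point at a secrets store or the environment are the fix, not a finding.
REFERENCE = re.compile(r"os\.environ|\$\{|\bsecrets\.")


def mask(value):
    """Keep a short prefix so the finding is recognisable without exposing the value."""
    return value[:4] + "*" * (len(value) - 4)


def scan_files(files):
    """Return (path, line number, rule, masked value) for each hit; one hit per line."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if REFERENCE.search(line):
                continue
            for rule, pattern in PATTERNS:
                m = pattern.search(line)
                if m:
                    findings.append((path, lineno, rule, mask(m.group("value"))))
                    break
    return findings


if __name__ == "__main__":
    for path, lineno, rule, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno} {rule} {masked}")
```

Two of the three hits sit in CI/CD variables, which is the point of the checklist item: a secret that is "only in the pipeline" is still in code, and the remediation ticket should show it moved into the secrets manager and the exposed token rotated.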

6. Cloud change control

This is where auditors ask the painful question: who approved this change, and how do you know it stayed consistent afterwards?

Infrastructure changes are traceable
Prefer IaC where possible, require PR approvals, retain deployment logs, and document plus review emergency changes.
Config drift is detected or reviewed
Use drift tooling if possible, or at minimum perform monthly or quarterly configuration reviews with sign-offs and remediation tickets.
Evidence examples:
3 to 5 sampled changes per quarter showing ticket or PR, approvals, deployment log, validation proof, and any drift review records.

7. Vendor and third-party access

Shared responsibility becomes real here. Poorly governed vendor access is one of the most common audit and incident triggers in cloud environments.

Vendor access is time-bound and approved
What to verify: Approval required, expiry date required, permissions scoped, session logging used where feasible, and quarterly access review performed.
Evidence: Vendor approval records, review sign-offs, and sanitized session logs where available.

Subprocessors are documented and reviewed
What to verify: Critical vendors are tiered, annual reviews occur, renewal dates are tracked, and missing assurance becomes an exception with expiry.
Evidence: Vendor register export, review notes, and exception records.

8. Backup and recovery

Auditors do not just want to hear that backups exist. They want restore proof with validation.

Backup scope is defined
Maintain backup inventory by system, with frequency and retention documented clearly.
Restore tests are recorded
Test restores quarterly or semi-annually for critical systems, validate results, and track actions when failures occur.
Evidence examples:
backup inventory snapshot, job summaries, restore test record with validation proof, and corrective action record if a restore failed.

The auditor-ready evidence pack to build each quarter

If you want audits to move faster, build one quarterly cloud evidence pack containing the proof auditors ask for most often.

  • admin role export and access review sign-off
  • sample security group or NSG review including temporary rules and expiries
  • storage public access settings proof
  • logging retention settings and log review sign-offs
  • 3 to 5 cloud change samples with approvals
  • key vault role review and secrets scanning proof
  • vendor access approvals and vendor review decisions
  • backup inventory and restore test record

The 7 misconfigurations auditors flag most

No consistent MFA for admins
Overly broad admin roles
Internet-open admin or database ports
Public or overly shareable storage
Logs enabled but never reviewed
Secrets and keys unmanaged
Backups exist but restore proof is missing

Fix those first and you will usually remove a huge amount of audit pain.

If you want these controls operationalized and provable, not just configured once, the best next step is turning this checklist into a recurring cadence with evidence packs, approvals, and sampling so misconfigurations stop reappearing between audits.

Final thought

Cloud audit findings often come from small defaults that no one revisited, not from dramatic design failures. That is why the best cloud security programs are not one-time configuration projects. They are operating systems with review cadence, evidence, and ownership.

When the controls in this checklist are configured, operating, and provable, cloud audits become faster and much easier to manage.
