Cloud Security Audit Services
Deep configuration reviews of AWS, Azure, and GCP environments — IAM, storage, network, and attack-path analysis.
What You Receive
- Cloud security posture report with prioritised findings
- Attack-path analysis identifying exploitable misconfiguration chains
- Infrastructure-as-Code review for Terraform, CloudFormation, Bicep
- Mapped to CIS Benchmarks, AWS Well-Architected, and Microsoft Cloud Adoption Framework
- 90-day free retest of remediated findings
Cloud security audits are configuration-driven assessments of your cloud environment against best practice baselines, attack-path analysis, and the specific threat model relevant to your business. Unlike a penetration test, which exercises specific attack paths, an audit aims to surface the complete inventory of misconfigurations and prioritise them by exploitability and business impact.
We have conducted over 120 cloud security audits across AWS, Azure, and GCP environments, ranging from single-account SME deployments to multi-account FTSE 250 and US enterprise estates. Our findings are documented in our analysis of the 7 AWS misconfigurations we find in every audit.
What We Audit
Identity and Access Management
IAM is the largest source of critical findings in cloud audits. We analyse:
- IAM policies for over-permissive Action and Resource wildcards
- Role assumption chains and cross-account trust relationships
- Service-linked roles and their effective privileges
- IAM Identity Center / Azure AD / Google Cloud Identity federation configurations
- Privileged account usage patterns and break-glass procedures
- Long-lived access keys, unused credentials, and stale roles
- Multi-factor authentication enforcement across all access paths
Network Security
- VPC, VNet, and VPC Service Controls configuration
- Security group, NSG, and firewall rule analysis for over-permissive ingress
- VPN and Direct Connect / ExpressRoute / Cloud Interconnect configurations
- Public-facing resources audit — load balancers, API gateways, exposed databases
- Network segmentation and microsegmentation patterns
- DDoS protection configuration
Data Protection
- S3 bucket / Blob storage / GCS bucket public access and encryption configuration
- Database encryption at rest and in transit (RDS, CosmosDB, Cloud SQL)
- KMS key configuration, key policies, and rotation
- Secrets Manager / Key Vault / Secret Manager usage patterns
- Backup configuration, retention, and recovery testing evidence
Logging and Monitoring
- CloudTrail / Activity Logs / Audit Logs configuration and coverage
- VPC Flow Logs and equivalent network telemetry
- SIEM integration and log retention
- GuardDuty / Defender for Cloud / Security Command Center configuration
- Custom detection rules and alerting
Infrastructure-as-Code Review
- Terraform module security review
- CloudFormation / ARM / Bicep template analysis
- Kubernetes manifest analysis using Trivy and kube-bench
- CI/CD pipeline security — secret management, OIDC federation, runner configuration
- Pre-commit and pre-deployment policy enforcement (Checkov, tfsec, OPA)
AWS, Azure, and GCP Specifics
AWS
AWS audits cover the entire account or organisation, including: IAM (users, roles, policies, Identity Center), S3, EC2 and Auto Scaling, Lambda, RDS, DynamoDB, ECS, EKS, EFS, ELB, API Gateway, CloudFront, Route 53, Cognito, KMS, Secrets Manager, Systems Manager, CloudTrail, CloudWatch, Config, Security Hub, GuardDuty, Macie. We follow the AWS Well-Architected Security Pillar and CIS AWS Foundations Benchmark.
Azure
Azure audits cover: Entra ID (formerly Azure AD), Conditional Access, PIM, Azure Subscriptions, Resource Groups, Storage Accounts, Virtual Networks, Network Security Groups, Azure Firewall, Application Gateway, Front Door, App Services, Functions, AKS, SQL Database, CosmosDB, Key Vault, Defender for Cloud, Sentinel, Activity Logs. We follow the Microsoft Cloud Adoption Framework security guidance.
Google Cloud Platform
GCP audits cover: Cloud IAM, Organization Policy, VPC and VPC Service Controls, Cloud Storage, Compute Engine, GKE, Cloud Run, Cloud Functions, Cloud SQL, Spanner, BigQuery, Cloud KMS, Secret Manager, Cloud Audit Logs, Security Command Center.
UK & USA Compliance Coverage
We map audit findings to compliance frameworks relevant to your jurisdiction:
UK & EU: UK GDPR, NIS2 (where applicable), ISO 27001, Cyber Essentials Plus, NCSC Cloud Security Principles
USA: SOC 2 Type II (CC6.1, CC6.6, CC7.1), HIPAA Security Rule, GLBA Safeguards Rule, PCI-DSS, FedRAMP Moderate baseline, NIST SP 800-53
What You Receive
- Executive summary — top 5–10 findings translated into business risk language
- Technical findings report — every misconfiguration documented with evidence, exploitability assessment, and remediation steps
- Attack-path analysis — combinations of findings that together enable a critical compromise
- Compliance mapping — findings mapped to the framework(s) in scope
- Remediation roadmap — prioritised by exploitability and effort
- Free retest within 90 days — we re-verify remediated findings at no charge
- IaC review (where in scope) — pull-request-style annotations on Terraform / CloudFormation / Bicep
Frequently Asked Questions
What clouds do you audit?
How does a cloud security audit differ from a penetration test?
Do you need write access to our cloud accounts?
What tools do you use?
Can you audit Infrastructure-as-Code before it's deployed?
How long does a cloud security audit take?
Do you support compliance evidence collection?
How is pricing structured?
Request a Cloud Security Posture Review
Tell us about your environment. We'll respond within one working day with a scoping call calendar invite and an initial price guide.