Luiz - Fotolia


What should be on your cloud audit checklist?

Although strenuous, audits are a critical part of a cloud compliance strategy. Learn about the different types of cloud audits to better prepare for your next review.

As your company expands its cloud usage, it will need to collate and report information about its infrastructure and processes.

Whether your customers expect compliance with formal security policies or potential investors need a thorough inspection of an entire application, cloud audits cannot be avoided. However, you can relieve some of the stress related to this typically painful process if you efficiently gather information about your company's technical stack.

Explore this cloud audit checklist to gain a better understanding of the types of information you'll need for audits that pertain to security, application integrity and privacy. Use the checklist as an outline for what you can expect from each type of audit. Then, review the sets of sample questions that you may be asked during a compliance audit so you're better prepared for the audit process.


Security is a top priority for all organizations. In a world where data breaches number in the thousands, it should come as no surprise that security compliance can be the difference between growth and failure. You need to know what to expect from a security audit because, in some circumstances, the viability of the company can depend it.

Access management

As you pull together your cloud audit checklist, you need to understand who can access your cloud services and how much access each person has. While a physical audit may be concerned with who can enter a building and what rooms their keycard allows them into, a cloud audit is concerned with what services and data a user can access.

Because the cloud isn't a physical location, it's important to log the actions that users take at all times, which can help with incident response in the future.

Questions to consider

  • How many individuals have access to production data?
  • How is account access provisioned and deprovisioned?
  • Where are user audit logs stored?
  • What role-based access controls are in place?

Metrics and alerting

You also have to consider the data you collect and the alarms you have in place to identify security incidents before or as they happen. These types of metrics include the number of failed user authorizations over a fixed amount of time or the amount of traffic an API is processing compared to the same time the week before.

And, beyond the context of user auditing, the success of your application depends on how well you understand how the individual infrastructure components interact and how you define alarms to notify your team when those parameters are outside of their expected bounds.

Questions to consider

  • What application and infrastructure metrics do you gather?
  • What is your log retention strategy?
  • What alerts do you have in place?

Protection and intrusion

For this type of audit, you need to know how you currently protect your infrastructure and how you test and improve upon that protection. While firewalls, patching policies and vulnerability scanners are all great tools to have, you don't really know how effective these tools are unless you are continually testing your security.

Formal penetration tests (pen test) and bug bounty programs are both great ways to test the validity of your security infrastructure. These types of tests are also often inquired about in most security audits. If you've performed a formal penetration test, expect to be asked to provide the researcher's report.

Questions to consider

  • When was your last pen test?
  • Do you participate in a bug bounty program?
  • How large was your most recent bug bounty payout?


Although security is often a major component of cloud audits, it isn't the only one that can crop up. For example, investors and customers will want to know about the integrity of your application and the infrastructure you have built. This information can also provide added context to security audits. To fully grasp an application's integrity, customers might want to know how stable it is, how accurate the data processing is or how well the application performs under pressure and with large amounts of data.


How you build your application matters. Customers might not care about how code reviews are performed or whether you have a comprehensive test suite, but other stakeholders surely will. If you can clearly articulate the best practices your team follows while developing, testing and deploying applications, you can get ahead of some of the more challenging questions that may pop up in an audit.

Questions to consider

  • What percent of written code is covered by automated tests?
  • Do you enforce a particular coding standard?
  • Are code reviews performed? By whom?
  • What version control system branching strategy do you use?


In addition to questions about your processes and practices, you'll also encounter questions about your application's architectural design and hosting strategy. If you don't have a high-level architecture diagram, now is a good time to put one together.

When determining how resilient your application is, it is beneficial for users to understand how your apps deal with things like scale and unexpected load. You should also be able to answer questions about the technologies you use and why. There are a wide variety of tools and technologies out there, and while "we made the best choice at the time" may be a valid answer, a more articulate one can be helpful.

Questions to consider

  • Can you provide an architecture diagram?
  • What technologies does your application rely on?
  • How do you deal with unexpected scale?


While a working application built with a reliable process provides an excellent foundation of integrity, the reliability of that application is just as important in your cloud audit checklist. Every organization should have a disaster recovery (DR) plan in place in the event of a critical application failure. If that plan involves multiregion or even multi-cloud support, you -- and your auditors -- will have peace of mind if you can convey what that plan is and how you intend to ensure your service is reliable.

Questions to consider

  • What is your DR plan?
  • What region(s) is your infrastructure provisioned in?
  • What is your uptime service-level agreement?
  • Do you have any infrastructure redundancies in place?


Auditors will inevitably ask how you maintain your customers' privacy. Whether you are concerned with compliance with the EU's GDPR or protections against the potentially harsh consequences of a data breach, you need to understand how, why and where you store private data.

Data retention

Understand the customer data you collect and how long you keep it. While identifying the overall scope of the data is important, the focus here is personally identifiable information, such as emails, names, addresses, etc. Due to regulations like GDPR, it's important to understand what you collect and where you store it because you might be asked to remove it in the future.

Questions to consider

  • How long do you retain the data for inactive users?
  • What personally identifiable user information do you store?
  • Do you have a data removal process in place?


Some data might not be personally identifiable, but it is still sensitive information. Passwords, API keys and other private information would be devastating if they were to be released publicly. Know what information you encrypt, as well as how, so you can properly answer questions in this category.

Questions to consider

  • What sensitive user data is encrypted at rest?
  • What encryption algorithm do you use?
  • What password hashing algorithm do you use?

Dig Deeper on Cloud infrastructure design and management

Data Center