Free Tool · 5-Minute Self-Assessment

Cloud Audit Readiness Checklist for Indian Organisations

Twenty practitioner-grade questions to test whether your AWS, Azure, or GCP environment is ready for an audit — or whether you will get a 200-page PDF you cannot act on. No email gate.

Questions: 20 · Time: 5 min · Output: Score band · Email gate: None

20 questions · 5 minutes · Score band on completion

The Checklist

Answer Honestly. No One Is Watching.

Five sections, twenty yes/no questions. Click Yes only if you can produce the configuration, the policy, or the log evidence today. Score reveals at the bottom when you complete all twenty.

01 · Cloud Inventory & Scope

You cannot audit what you have not enumerated. Build a single source of truth before scoping.

1. We have a complete inventory of every cloud account, subscription, and project across all providers (AWS, Azure, GCP) and environments (prod, staging, dev).
2. We have decided which audit dimensions are in scope: IAM, network, data, compute, container/Kubernetes, serverless, and SaaS posture.
3. We have mapped which workloads handle personal data, regulated data, or production payment flows — and tagged them as crown jewels.
4. We have documented data-residency requirements (DPDP §16, RBI cloud guidelines, MeitY localisation) and verified current placement against them.
02 · Identity & Access Foundation

Misconfigured IAM is the single largest source of cloud incidents. Audit readiness starts here.

5. Root or owner accounts have hardware MFA enforced and are not used for day-to-day operations.
6. Federated identity (SSO) is enforced for human access; static IAM users with long-lived access keys are eliminated or rotated quarterly.
7. We have provisioned a dedicated read-only audit role per cloud account, scoped to the audit dimensions only — not full SecurityAudit equivalents.
8. We have a documented IAM baseline (least privilege, role-based, no permissive wildcard *:* policies) with evidence of quarterly access review.
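Two of these items can be checked mechanically before an auditor ever asks. The script below is an added example, not part of the checklist or any vendor tooling: it runs offline over exported data shaped like an AWS IAM policy document and the columns of the IAM credential report, flagging Allow statements that grant wildcard actions on wildcard resources (item 8, including the easily missed NotAction form) and active access keys older than a quarter (item 6). Every policy, user and date below is constructed for the example.

```python
"""Added example: offline checks for Identity & Access items 6 and 8.
Inputs mirror AWS IAM policy JSON and the IAM credential report columns;
all sample rows are constructed, not taken from any real account."""
from datetime import datetime, timedelta, timezone

# Constructed sample policies in AWS IAM policy document syntax.
SAMPLE_POLICIES = {
    "AuditReadOnly": {  # the kind of scoped, read-only audit role item 7 asks for
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:Get*", "iam:List*", "cloudtrail:DescribeTrails",
                       "cloudtrail:GetTrailStatus", "ec2:DescribeSecurityGroups"],
            "Resource": "*",
        }],
    },
    "LegacyAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "DenyListGrant": {
        "Version": "2012-10-17",
        # NotAction on "*" grants every action except iam:* and is easy to miss in review
        "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
    },
}

# Constructed rows using the credential report's column names.
# "N/A" is what the report shows for a key that has never been rotated.
SAMPLE_CREDENTIAL_REPORT = [
    {"user": "ci-deployer", "access_key_1_active": "true",
     "access_key_1_last_rotated": "2025-01-10T08:00:00+00:00"},
    {"user": "alice", "access_key_1_active": "true",
     "access_key_1_last_rotated": "2025-11-01T08:00:00+00:00"},
    {"user": "bob", "access_key_1_active": "false",
     "access_key_1_last_rotated": "2024-06-01T08:00:00+00:00"},
    {"user": "svc-report", "access_key_1_active": "true",
     "access_key_1_last_rotated": "N/A"},
]

# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)


def _as_list(value):
    """IAM accepts a string or a list in Action/NotAction/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(policies):
    """Return (policy_name, statement_index, reason) for each Allow statement
    that is effectively unrestricted: '*' (or '*:*') on Resource '*', or a
    NotAction grant on Resource '*'."""
    findings = []
    for name, doc in policies.items():
        for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" not in _as_list(stmt.get("Resource")):
                continue  # scoped to specific ARNs; not a wildcard grant
            actions = _as_list(stmt.get("Action"))
            if any(a in ("*", "*:*") for a in actions):
                findings.append((name, idx, "Allow * on * (full admin)"))
            elif "NotAction" in stmt:
                findings.append((name, idx, "Allow NotAction on * (everything except the listed actions)"))
    return findings


def stale_access_keys(report, now, max_age_days=90):
    """Users whose active access key 1 is older than max_age_days or never rotated."""
    limit = timedelta(days=max_age_days)
    stale = []
    for row in report:
        if row.get("access_key_1_active") != "true":
            continue
        rotated = row.get("access_key_1_last_rotated", "N/A")
        if rotated == "N/A" or now - datetime.fromisoformat(rotated) > limit:
            stale.append(row["user"])
    return stale


if __name__ == "__main__":
    for finding in wildcard_findings(SAMPLE_POLICIES):
        print("policy finding:", *finding)
    print("keys past rotation window:", stale_access_keys(SAMPLE_CREDENTIAL_REPORT, REFERENCE_NOW))
```

Feed it the real exports (the policy documents behind each role and the generated credential report) and a non-empty result on either function is a "No" for the corresponding item; the quarterly window is a parameter so it can be tightened to match your own baseline.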
03 · Logging, Monitoring & Detection

No logs means no audit trail, no breach evidence, and no CERT-In compliance.

9. CloudTrail (AWS) / Activity Logs (Azure) / Audit Logs (GCP) are enabled in every account, every region, with log-file integrity validation and centralised aggregation.
10. Log retention meets the highest of the CERT-In 6-month requirement, sectoral regulator mandates (RBI 10 years), and DPDP evidentiary needs.
11. We have detection rules (GuardDuty, Defender for Cloud, Security Command Center, or equivalent) covering credential abuse, unusual API patterns, and resource creation in unexpected regions.
12. Alerts route to a triage channel with named on-call and a 1-hour acknowledgement SLA for high-severity events.
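Item 9 is a coverage question across every account, which is where single-account console checks fall short. The following is an added example written for this page, not the checklist author's tooling: given the account inventory from item 1 and the per-account trail exports, it reports each account that lacks at least one trail that is multi-region, has log-file validation on, is actually logging, and delivers to the central aggregation bucket. Field names follow the AWS describe-trails and get-trail-status responses; the account IDs, trail names and the central bucket name are constructed placeholders.

```python
"""Added example: checklist item 9 as a coverage check over exported
CloudTrail data.  Field names follow describe-trails / get-trail-status;
the accounts, trails and bucket name below are constructed placeholders."""

CENTRAL_LOG_BUCKET = "org-cloudtrail-central"  # assumed name of the aggregation bucket

# Constructed account inventory (the output of checklist item 1).
ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]

# Constructed trail exports: one dict per trail, tagged with the owning account.
TRAILS = [
    {"account": "111111111111", "Name": "org-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "S3BucketName": "org-cloudtrail-central",
     "IsLogging": True},
    {"account": "222222222222", "Name": "mumbai-only", "IsMultiRegionTrail": False,
     "HomeRegion": "ap-south-1", "LogFileValidationEnabled": True,
     "S3BucketName": "org-cloudtrail-central", "IsLogging": True},
    {"account": "333333333333", "Name": "local-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": False, "S3BucketName": "dev-scratch-logs",
     "IsLogging": False},
    # account 444444444444 has no trail at all
]

# (field, required value, reason reported when it does not match)
REQUIRED = (
    ("IsMultiRegionTrail", True, "not multi-region (other regions unlogged)"),
    ("LogFileValidationEnabled", True, "log-file integrity validation off"),
    ("IsLogging", True, "trail exists but is stopped"),
)


def trail_gaps(trail, central_bucket=CENTRAL_LOG_BUCKET):
    """Reasons this one trail fails the item-9 bar; an empty list means it passes."""
    gaps = [reason for key, want, reason in REQUIRED if trail.get(key) is not want]
    if trail.get("S3BucketName") != central_bucket:
        gaps.append("delivers to %s, not the central bucket" % trail.get("S3BucketName"))
    return gaps


def logging_coverage(accounts, trails, central_bucket=CENTRAL_LOG_BUCKET):
    """Map account -> list of gap reasons.  An account passes (empty list)
    when at least one of its trails has no gaps."""
    by_account = {a: [] for a in accounts}
    for t in trails:
        by_account.setdefault(t["account"], []).append(t)
    report = {}
    for account, owned in by_account.items():
        if not owned:
            report[account] = ["no CloudTrail trail configured"]
            continue
        per_trail = {t["Name"]: trail_gaps(t, central_bucket) for t in owned}
        if any(not gaps for gaps in per_trail.values()):
            report[account] = []
        else:
            report[account] = ["%s: %s" % (name, "; ".join(gaps))
                               for name, gaps in per_trail.items()]
    return report


def noncompliant_accounts(accounts, trails, central_bucket=CENTRAL_LOG_BUCKET):
    """Sorted account IDs that cannot answer Yes to item 9."""
    coverage = logging_coverage(accounts, trails, central_bucket)
    return sorted(account for account, gaps in coverage.items() if gaps)


if __name__ == "__main__":
    for account, gaps in logging_coverage(ACCOUNTS, TRAILS).items():
        print(account, "OK" if not gaps else gaps)
```

Accounts that appear in the trail export but not in the inventory are still reported, which is a useful side effect: it surfaces accounts the inventory from item 1 missed. The Azure and GCP equivalents differ in field names but not in shape (a per-subscription or per-project diagnostic setting that must exist, cover all regions, and export to the central sink).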
04 · Data, Network & Workload Hygiene

These are the categories where audits find immediate critical issues. Get ahead of them.

13. No object storage bucket (S3, Blob, GCS) is publicly readable or writable unless a documented business case exists, and we have programmatic guardrails preventing accidental public exposure.
14. All data is encrypted at rest (provider-managed or BYOK customer-managed keys) and in transit (TLS 1.2+ minimum, TLS 1.3 preferred).
15. Network architecture follows least-exposure: no security group permits 0.0.0.0/0 to admin ports, all management access traverses a bastion or zero-trust gateway, internal subnets are private by default.
16. Container and Kubernetes workloads have admission control (image scanning, signed-image policy, network policy) and we patch base images on a defined cadence.
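Items 13 and 15 are the two an audit report will lead with, and both are answerable from config exports alone. The script below is an added example for this page, not the checklist's or any CSPM vendor's code: it walks security-group rules shaped like the AWS describe-security-groups output and reports every admin port (SSH, RDP, WinRM) reachable from 0.0.0.0/0 or ::/0, including rules that open all protocols or a port range that happens to include an admin port, and it walks bucket Public Access Block settings and reports any bucket where a setting is off without a recorded exception. The PublicExceptionTicket field is a hypothetical stand-in for wherever your documented business cases live; group IDs, bucket names and the 203.0.113.0/24 office range are constructed sample values.

```python
"""Added example: checklist items 13 and 15 as offline checks over exported
config.  Shapes follow describe-security-groups and get-public-access-block;
every row is constructed and PublicExceptionTicket is a hypothetical field."""

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}
INTERNET = ("0.0.0.0/0", "::/0")
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed security groups (GroupIds are placeholders, not real IDs).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},   # office range only
    {"GroupId": "sg-legacy-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},          # public HTTPS: fine
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},        # RDP to the world
    {"GroupId": "sg-wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},  # all traffic
]

# Constructed buckets with their bucket-level Public Access Block settings.
SAMPLE_BUCKETS = [
    {"Name": "payments-archive", "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
    {"Name": "static-site-assets", "PublicExceptionTicket": "CHG-0042",   # hypothetical exception record
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    {"Name": "ml-training-dumps", "PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, False)},
    {"Name": "never-configured"},  # no bucket-level block returned: treated as unknown, which fails
]


def _rule_sources(perm):
    """All IPv4 and IPv6 source CIDRs on one rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def exposed_admin_ports(groups):
    """(GroupId, port, service) for every admin port reachable from the internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue  # UDP/ICMP rules do not expose these services
            if not any(src in INTERNET for src in _rule_sources(perm)):
                continue
            if perm["IpProtocol"] == "-1":        # all protocols, all ports
                hits = sorted(ADMIN_PORTS)
            else:                                  # a range that includes an admin port counts
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                hits = [p for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
            findings.extend((sg["GroupId"], p, ADMIN_PORTS[p]) for p in hits)
    return findings


def buckets_without_guardrail(buckets):
    """(Name, [settings that are off]) for buckets with an incomplete Public
    Access Block and no recorded exception."""
    findings = []
    for b in buckets:
        cfg = b.get("PublicAccessBlockConfiguration", {})
        off = [k for k in PAB_KEYS if cfg.get(k) is not True]
        if off and not b.get("PublicExceptionTicket"):
            findings.append((b["Name"], off))
    return findings


if __name__ == "__main__":
    for group_id, port, service in exposed_admin_ports(SAMPLE_SECURITY_GROUPS):
        print("open admin port:", group_id, port, service)
    for name, off in buckets_without_guardrail(SAMPLE_BUCKETS):
        print("bucket without guardrail:", name, off)
```

The bucket check deliberately treats a missing Public Access Block as a failure rather than a pass, because the evidence standard at the top of the page is "can you produce the configuration today"; an absent setting is exactly the case where you cannot. The port-range branch is what catches the common 0-65535 or 1024-65535 rules that pass a naive "is port 22 open" grep.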
05 · Audit Procurement & Remediation

A cloud audit you cannot procure cleanly or act on is a wasted line item.

17. We have IaC (Terraform, CloudFormation, Bicep, Pulumi) under version control covering at least 70% of production infrastructure — so findings can be remediated as PRs, not console clicks.
18. We have reviewed at least 2 sanitised sample reports from the prospective vendor and confirmed they include IaC remediation snippets, attack-path narratives, and IAM blast-radius analysis — not just CIS-benchmark CSV dumps.
19. We have verified consultant credentials are current and provider-specific (AWS Security Specialty, Azure AZ-500, GCP PCSE, CCSP, CKS for Kubernetes scope).
20. We have allocated dev and platform-engineering capacity for 4 to 8 weeks following report delivery, and we have a CSPM tool budgeted for continuous monitoring after the point-in-time audit.
What "Ready" Looks Like

Three Bands. Three Plays.

0–7 · Critical exposure

Procuring an audit now will produce a flood of low-context findings you cannot triage. Spend 4 to 8 weeks fixing IAM hygiene, enabling logging across all regions, and building a usable cloud asset inventory first.

8–14 · At risk

You can audit, but the report will surface known gaps you have not had bandwidth to close. Run a focused 30-day cleanup on public exposure, root account MFA, and IAM blast-radius before kick-off — your audit value triples.

15–20 · Audit-ready

Go to RFP. Demand IAM blast-radius analysis, IaC remediation snippets, and attack-path narratives in the SOW. Scope multi-account governance, container, and serverless dimensions explicitly — not as add-ons.

FAQ

Common Questions

How much does a cloud security audit cost in India?

For a single AWS or Azure account with a typical mid-market service mix in 2026, expect ₹2,00,000 to ₹5,00,000 from a competent specialist firm. Multi-account multi-cloud audits scale to ₹8,00,000 to ₹15,00,000. Below ₹1,00,000 you are getting a CSPM tool report rebadged as an audit. Above ₹20,00,000 you are paying Big-4 overhead.

How is a cloud audit different from a CSPM tool?

CSPM (Wiz, Orca, Lacework, Defender for Cloud, AWS Security Hub) gives you continuous misconfiguration detection. A cloud audit adds: business-context risk scoring, IAM blast-radius analysis, attack-path narratives, IaC remediation snippets, and compliance mapping (DPDP, RBI, ISO 27017, SOC 2). You need both — the tool for ongoing visibility, the audit annually for depth.

What credentials should the consultants hold?

For AWS work: AWS Security Specialty plus OSCP or CCSP. For Azure: AZ-500 plus CCSP. For GCP: Professional Cloud Security Engineer plus CCSP. For Kubernetes scope: CKS. Vendor-issued internal certifications and generic "certified cloud auditor" titles are not credible signals.

How often should we audit?

A point-in-time audit annually plus continuous CSPM monitoring is the baseline for non-regulated environments. RBI-regulated entities, Significant Data Fiduciaries under DPDP, and PCI-DSS environments should plan quarterly reviews of high-risk workloads. After any major architecture change, run a targeted re-audit before go-live.

What is the difference between this checklist and the buyer's guide?

This checklist diagnoses readiness in 5 minutes. The 50-page buyer's guide explains the why behind every line and walks through scoping multi-cloud and Kubernetes environments, day-rate benchmarks, vendor scorecards, IaC-driven remediation patterns, sample SOWs, and a CSPM tool comparison. Use the checklist to triage; use the guide to procure.

Ready to procure?

Skip the CSPM Re-Skin. Get a Real Cloud Audit.

A 30-minute consultation. Walk away with a scoped audit outline, fair INR price band for your environment, and three vendor evaluation criteria specific to your cloud footprint.

No sales pitch. Responds within 24 hours.