Cloud Auditing Best Practices

Cloud Auditing Best Practices

by Shinesa Cambric, Michael Ratemo
Released January 2023
Publisher(s): Packt Publishing
ISBN: 9781803243771

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Ensure compliance across the top cloud players by diving into AWS, Azure, and GCP cloud auditing to minimize security risks

Key Features

  • Leverage best practices and emerging technologies to effectively audit a cloud environment
  • Get better at auditing and unlock career opportunities in cloud audits and compliance
  • Explore multiple assessments of various features in a cloud environment to see how it's done

Book Description

As more and more companies are moving to cloud and multi-cloud environments, being able to assess the compliance of these environments properly is becoming more important. But in this fast-moving domain, getting the most up-to-date information is a challenge—so where do you turn?

Cloud Auditing Best Practices has all the information you'll need. With an explanation of the fundamental concepts and hands-on walk-throughs of the three big cloud players, this book will get you up to speed with cloud auditing before you know it.

After a quick introduction to cloud architecture and an understanding of the importance of performing cloud control assessments, you'll quickly get to grips with navigating AWS, Azure, and GCP cloud environments. As you explore the vital role an IT auditor plays in any company's network, you'll learn how to successfully build cloud IT auditing programs, including using standard tools such as Terraform, Azure Automation, AWS Policy Sentry, and many more.

You'll also get plenty of tips and tricks for preparing an effective and advanced audit and understanding how to monitor and assess cloud environments using standard tools.

By the end of this book, you will be able to confidently apply and assess security controls for AWS, Azure, and GCP, allowing you to independently and effectively confirm compliance in the cloud.

What you will learn

  • Understand the cloud shared responsibility and role of an IT auditor
  • Explore change management and integrate it with DevSecOps processes
  • Understand the value of performing cloud control assessments
  • Learn tips and tricks to perform an advanced and effective auditing program
  • Enhance visibility by monitoring and assessing cloud environments
  • Examine IAM, network, infrastructure, and logging controls
  • Use policy and compliance automation with tools such as Terraform

Who this book is for

This book is for IT auditors looking to learn more about assessing cloud environments for compliance, as well as those looking for practical tips on how to audit them and what security controls are available to map to IT general computing controls. Other IT professionals whose job includes assessing compliance, such as DevSecOps teams, identity, and access management analysts, cloud engineers, and cloud security architects, will also find plenty of useful information in this book. Before you get started, you'll need a basic understanding of IT systems and a solid grasp of cybersecurity basics.

Table of contents

  1. Cloud Auditing Best Practices
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
    8. Download a free PDF copy of this book
  6. Part 1:
The Basics of Cloud Architecture and Navigating – Understanding Enterprise Cloud Auditing Essentials
  7. Chapter 1: Cloud Architecture and Navigation
    1. Understanding cloud auditing
      1. Shared responsibility of IT cloud controls
      2. Role of an IT auditor
    2. Cloud architecture and service models
      1. Cloud architecture
      2. Cloud services
    3. Navigating cloud provider environments
      1. Navigating Amazon AWS EC2
      2. Navigating the Microsoft Azure portal
      3. Navigating GCP
    4. Summary
  8. Chapter 2: Effective Techniques for Preparing to Audit Cloud Environments
    1. Preparing to perform a cloud assessment
    2. Effective techniques for aligning IT controls to cloud environments
      1. Auditing frameworks and governance
    3. Basic cloud auditing tools and frameworks
      1. Native tools for auditing Amazon AWS
      2. Native tools for auditing Microsoft’s Azure portal
      3. Native tools for auditing Google Cloud Platform
      4. Open-source tools
      5. Native tools versus open-source tools
    4. Leveraging policy and compliance automation
    5. Summary
  9. Part 2:Cloud Security and IT Controls
  10. Chapter 3: Identity and Access Management Controls
    1. User authentication and authorization
      1. Example IAM controls
      2. Amazon AWS IAM
      3. Microsoft Azure
      4. GCP
    2. Permissions, roles, and groups
      1. Key privileged access, roles, and policies
    3. Device management
    4. Reviewing activity logs
      1. AWS
      2. Azure
      3. GCP
    5. Summary
  11. Chapter 4: Network, Infrastructure, and Security Controls
    1. Security control centers
      1. Amazon Virtual Private Cloud
      2. Azure Virtual Network
      3. Google Cloud Platform Virtual Private Cloud
    2. Network controls
      1. Amazon Virtual Private Cloud
      2. Azure Virtual Network
      3. Google Cloud Platform Virtual Private Cloud
    3. Security policies
      1. Amazon Virtual Private Cloud
      2. Azure Virtual Network
      3. Google Cloud Platform Virtual Private Cloud
    4. Data security
    5. Summary
  12. Chapter 5: Financial Resource and Change Management Controls
    1. Example resource management controls
      1. Center for Internet Security (CIS) benchmark controls
      2. CSA Cloud Controls Matrix
    2. Policies for resource management
    3. Performing changes
    4. Change management integration and workflows
    5. Change history
    6. Financial billing and cost controls
    7. Financial resource ownership
    8. Summary
  13. Part 3:Executing an Effective Enterprise Cloud Audit Plan
  14. Chapter 6: Tips and Techniques for Advanced Auditing
    1. Common pitfalls
      1. Inability to forecast resource usage and costs
      2. The impact of shadow IT
      3. Avoiding automation
      4. Misconfiguration
      5. The inadvertent exposure of credentials
      6. Overly permissive access
    2. Tips, tricks, and techniques
      1. AWS
      2. Azure
      3. GCP
    3. Preparing for more advanced auditing
    4. Other clouds
      1. Oracle Cloud Infrastructure
      2. IBM Cloud
      3. Alibaba Cloud
    5. Summary
  15. Chapter 7: Tools for Monitoring and Assessing
    1. Basic cloud auditing tools within AWS
      1. Amazon CloudWatch
      2. Amazon Inspector
    2. Azure
      1. Azure Monitor
      2. Azure Network Watcher
    3. GCP
      1. Google Cloud Monitoring
      2. Network Intelligence Center
    4. Summary
  16. Chapter 8: Walk-Through – Assessing IAM Controls
    1. Preparing to assess cloud IAM controls
    2. Assessing authentication and authorization
      1. AWS IAM
      2. Microsoft Azure
    3. Assessing access assignment controls
      1. Microsoft Azure
      2. GCP
    4. Assessing privileged access controls
      1. AWS IAM
      2. Microsoft Azure
    5. Assessing device controls
      1. AWS IAM
      2. Microsoft Azure
    6. Summary
  17. Chapter 9: Walk-Through – Assessing Policy Settings and Resource Controls
    1. Preparing to assess network, infrastructure, and resource controls
    2. Assessing network and firewall settings
      1. Microsoft Azure
    3. Assessing resource management policies
      1. Microsoft Azure
      2. GCP
    4. Assessing data security policies
      1. AWS
      2. Microsoft Azure
    5. Summary
  18. Chapter 10: Walk-Through – Assessing Change Management, Logging, and Monitoring Policies
    1. Preparing to assess change management controls
    2. Assessing audit and logging configurations
      1. AWS
      2. Microsoft Azure
      3. GCP
    3. Assessing change management and configuration policies
      1. Azure Automation
      2. Terraform
      3. Policy Sentry
    4. Assessing monitoring and alerting policies
      1. AWS
      2. Azure
      3. GCP
    5. Summary
  19. Index
    1. Why subscribe?
  20. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Cloud Auditing Best Practices
  • Author(s): Shinesa Cambric, Michael Ratemo
  • Release date: January 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781803243771