Cloud Security Checklist: Complete Network Security Guide

Security in the cloud is a shared responsibility. This comprehensive checklist covers network security controls across AWS, Azure, and GCP—from VPC isolation to encryption to compliance monitoring.

1. VPC/Virtual Network Architecture

Network Isolation

• ⚠️ Separate VPCs by environment: Production, staging, and development should be isolated in separate VPCs/VNets
• ⚠️ Use private subnets for workloads: Application servers, databases, and backend services should not have public IPs
• Public subnets only for ingress points: Load balancers, bastion hosts, NAT gateways
• Plan CIDR blocks carefully: Avoid overlaps with on-premise networks and other VPCs you might peer with
• Document IP allocations: Maintain a central IPAM (IP Address Management) record

Subnet Design

• Multi-AZ deployment: Create subnets in at least 2 Availability Zones for high availability
• Tiered architecture: Separate subnets for web tier, application tier, and data tier
• Dedicated subnets for managed services: RDS, ElastiCache, and other managed services may require dedicated subnets

Provider-Specific

2. Security Groups and Firewall Rules

Ingress Rules

• ⚠️ No 0.0.0.0/0 on sensitive ports: SSH (22), RDP (3389), databases (3306, 5432, 27017) should never be open to the internet
• ⚠️ Principle of least privilege: Only open ports that are actually needed
• Use security group references: Instead of IP ranges, reference other security groups (e.g., "allow traffic from web-tier-sg")
• Limit source ranges: When external access is needed, use the smallest CIDR possible (e.g., your office IP /32)
• Document every rule: Add descriptions explaining why each rule exists

Egress Rules

• Consider restricting egress: Default allow-all outbound may not be appropriate for high-security workloads
• Limit to known destinations: Allow outbound only to required services (APIs, package repositories)
• Use VPC endpoints for AWS services: Keeps traffic on Amazon's network, no outbound internet required

Network ACLs (AWS) / NSG Rules (Azure)

• Use as second layer: NACLs provide stateless screening at the subnet level
• ⚠️ Remember return traffic: NACLs are stateless—you must allow ephemeral port responses (1024-65535)
• Keep rules simple: Complex NACL rules are hard to maintain; prefer security groups for instance-level control

3. Access Control and IAM

Network Resource Access

• ⚠️ Limit VPC creation permissions: Only infrastructure teams should create/modify VPCs
• ⚠️ Control security group modifications: Require review/approval for security group changes
• Use IAM conditions: Restrict actions by VPC ID, region, or other conditions
• Enable MFA delete: For critical resources like route tables and internet gateways

Cross-Account Access

• Use resource sharing carefully: AWS RAM, Azure Shared Services—understand the implications
• VPC peering security: Peering connects networks bidirectionally; ensure route tables only expose necessary CIDRs
• Transit Gateway route domains: Use route tables to control which VPCs can communicate

4. Encryption

Data in Transit

• ⚠️ TLS everywhere: All external-facing endpoints should use TLS 1.2 or higher
• Internal encryption: Consider mTLS (mutual TLS) for service-to-service communication
• VPN for hybrid connectivity: IPSec or WireGuard for on-premise connections
• Private connectivity preferred: Use Direct Connect, ExpressRoute, or Cloud Interconnect instead of VPN when possible

Data at Rest

• ⚠️ Enable default encryption: EBS, S3, Azure Storage, GCS should encrypt by default
• Use customer-managed keys (CMK): For compliance-sensitive data, manage your own encryption keys
• Key rotation: Implement automatic key rotation policies

VPC Traffic Encryption

• AWS: Traffic between instances in the same VPC can be encrypted using Nitro (automatic for newer instance types)
• GCP: VM-to-VM traffic is automatically encrypted
• Azure: Consider Azure VNet encryption for sensitive workloads

5. Logging and Monitoring

Network Flow Logs

• ⚠️ Enable VPC Flow Logs: Capture metadata about traffic accepted/rejected by security groups
• Log to centralized storage: S3, CloudWatch Logs, Azure Log Analytics, GCP Cloud Logging
• Retain logs appropriately: Consider compliance requirements (PCI DSS: 1 year, HIPAA: 6 years)
• Analyze regularly: Use AWS Athena, Azure Traffic Analytics, or GCP BigQuery for analysis

DNS Logging

• Enable DNS query logging: Helps detect data exfiltration and C2 communication
• Monitor for anomalies: Unusual query patterns, high entropy domains (DGA detection)

Intrusion Detection

• AWS: GuardDuty (threat detection), Network Firewall (IDS/IPS)
• Azure: Defender for Cloud, Network Watcher
• GCP: Cloud IDS, Security Command Center
• Third-party: Palo Alto, Fortinet, Check Point cloud offerings

6. DDoS Protection

• AWS: Shield Standard (free, L3/L4), Shield Advanced (WAF, support, cost protection)
• Azure: DDoS Protection Basic (free), Standard (dedicated capacity)
• GCP: Cloud Armor (L7), network tier protection
• WAF in front of web apps: AWS WAF, Azure WAF, Cloud Armor for L7 filtering
• Rate limiting: Configure rate-based rules to block volumetric attacks
• Geographic restrictions: Block traffic from regions where you don't operate if appropriate

7. Secure Connectivity

Bastion Hosts / Jump Boxes

• ⚠️ Use managed services when possible: AWS Session Manager, Azure Bastion, GCP IAP—no exposed SSH ports
• If self-managed: Harden the bastion, enable MFA, log all sessions, auto-rotate credentials
• Limit bastion access: Restrict by source IP (e.g., corporate VPN range only)

VPN and Private Connectivity

• Use IKEv2: Prefer IKEv2 over IKEv1 for VPN connections
• Strong encryption: AES-256, SHA-256 or higher
• Redundant connections: Two VPN tunnels or multiple Direct Connect circuits
• Monitor BGP sessions: Alert on flapping or unexpected route changes

See our BGP best practices guide for detailed configuration.

8. Private Service Access

• ⚠️ Use VPC endpoints: Access AWS services (S3, DynamoDB, etc.) without internet gateway
• Private Link: AWS PrivateLink, Azure Private Link, GCP Private Service Connect for private access to services
• Service perimeter: GCP VPC Service Controls create a security boundary around services
• Endpoint policies: Restrict which resources can be accessed through endpoints

9. Secrets Management

• ⚠️ Never hardcode credentials: Use secrets managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager)
• Environment variables: If you must use them, ensure they're not logged or exposed
• Rotate regularly: Implement automatic rotation for database passwords, API keys
• Least privilege access: Applications should only access secrets they need

10. Compliance Considerations

Common Frameworks

• SOC 2: Security, Availability, Confidentiality controls
• PCI DSS: Network segmentation, encryption, access control for payment card data
• HIPAA: PHI protection, encryption, audit logs
• GDPR: Data residency, encryption, access controls

Automated Compliance

• AWS: Config Rules, Security Hub, Macie
• Azure: Policy, Security Center, Compliance Manager
• GCP: Security Command Center, Policy Analyzer
• Third-party: Prisma Cloud, Lacework, Orca Security

11. Regular Security Reviews

• Quarterly security group audit: Review all rules, remove unused entries
• Monthly public IP review: Identify and justify all public-facing resources
• Penetration testing: Annual or after major changes (notify cloud provider per policy)
• Incident response drills: Practice network isolation, forensics, recovery procedures

Quick Reference: Critical Controls

Key Takeaways

• Network security is foundational—get VPC architecture right first
• Defense in depth: multiple layers of controls (security groups, NACLs, WAF)
• Log everything, analyze regularly, alert on anomalies
• Prefer managed services (Session Manager, PrivateLink) over self-managed
• Automate compliance checking—manual reviews don't scale