Cloud Auditing Best Practices - Shinesa Cambric - E-Book

Description

As more and more companies are moving to cloud and multi-cloud environments, being able to assess the compliance of these environments properly is becoming more important. But in this fast-moving domain, getting the most up-to-date information is a challenge—so where do you turn?
Cloud Auditing Best Practices has all the information you’ll need. With an explanation of the fundamental concepts and hands-on walk-throughs of the three big cloud players, this book will get you up to speed with cloud auditing before you know it.
After a quick introduction to cloud architecture and an understanding of the importance of performing cloud control assessments, you’ll quickly get to grips with navigating AWS, Azure, and GCP cloud environments. As you explore the vital role an IT auditor plays in any company’s network, you'll learn how to successfully build cloud IT auditing programs, including using standard tools such as Terraform, Azure Automation, AWS Policy Sentry, and many more.
You’ll also get plenty of tips and tricks for preparing an effective and advanced audit and understanding how to monitor and assess cloud environments using standard tools.
By the end of this book, you will be able to confidently apply and assess security controls for AWS, Azure, and GCP, allowing you to independently and effectively confirm compliance in the cloud.

The e-book can be read in Legimi apps or in any app that supports one of the following formats:

EPUB
MOBI

Page count: 229

Year of publication: 2023




Cloud Auditing Best Practices

Perform Security and IT Audits across AWS, Azure, and GCP by building effective cloud auditing plans

Shinesa Cambric

Michael Ratemo

BIRMINGHAM—MUMBAI

Cloud Auditing Best Practices

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Portfolio Manager: Mohd Riyan Khan

Publishing Product Manager: Prachi Sawant

Senior Editor: Divya Vijayan

Technical Editor: Rajat Sharma

Copy Editor: Safis Editing

Project Coordinator: Ashwin Kharwa

Proofreader: Safis Editing

Indexer: Hemangini Bari

Production Designer: Shyam Sundar Korumilli

Marketing Coordinator: Ankita Bhonsle

Senior Marketing Coordinator: Marylou De Mello

First published: January 2023

Production reference: 1151222

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-377-1

www.packt.com

To all the women in technology that continue to press forward and do hard things – you have unknowingly served as mentors, role models, and trailblazers. To Jasmine, Nia, Shawn, and Shani for constantly encouraging me to let my little light shine and being proud of me no matter what I do.

– Shinesa Cambric

To the ones who believed in my potential and planted the seed leading me to pursue the current path. To my mentees and mentors – you helped me discover my passion for educating others. To my family, professional peers, Jacky A., James S., Steve S., and others who pushed and encouraged me to write this book.

– Michael Ratemo

Contributors

About the authors

Shinesa Cambric (CCSP, CISSP, CISA, CISM, CDPSE) is a cloud security, compliance, and identity architect with expertise in the design and implementation of security architecture and controls. Her experience includes designing IAM and governance solutions, building insider threat programs, and providing subject matter expertise on the intersection of governance, risk, and compliance with IT and application security. She is a certification content advisor for CertNexus and CompTIA, her work has been included in global forums such as RSAC and DevOps.com, and she is a contributing author to the books 97 Things Every Information Security Professional Should Know and Shifting Security Left. Shinesa volunteers, provides subject matter expertise, and mentors with several organizations, including Cloud Security Alliance, fwd:cloudsec, Women in CyberSecurity (WiCyS), and Information Systems Security Association (ISSA), as a training lead with the Women’s Society of Cyberjutsu, and as a board member with the non-profit group Cloud Girls.

I am extremely blessed to have an opportunity to follow that voice that put a dream in my heart and then provided a pathway for me to act. In my eyes, this was nothing short of miraculous.

I want to give special thanks to Prachi Sawant at Packt for connecting with me, believing in my idea, and constant support. You are amazing!

Thank you to my co-author, Michael Ratemo, for taking this journey with me. I reached out and you didn’t hesitate to come on board and make history. I know the personal sacrifices this took and it means a lot.

Huge thanks to Evan Wolfe and Mani Keerthi for your feedback and even more so for your continued friendship and support. I wish everyone were so fortunate to have people like you in their corner.

Finally, a huge thank you to my family and friends for your continued love and support!

Michael Ratemo (CISSP, CISA, CISM, GCSA, CCSK, CIA) is a cybersecurity leader and Principal Consultant at Cyber Security Simplified. He speaks security in a language businesses can understand and has built a career creating effective security strategies that are customized to protect organizations. He is skilled in elevating the effectiveness of an organization’s security programs to help drive business value and mitigate risks across large and complex environments. In addition, Michael is the author of the LinkedIn Learning course Building and Auditing a Cyber Security Program. Michael holds a BS in Computer Science and Engineering from the University of Texas at Arlington, and an MBA from the University of North Texas.

I want to thank Shinesa Cambric, my amazing co-author, for sharing the vision to create this book. Having an idea and turning it into reality is not as easy as it sounds. Throughout our professional experiences, we noted a gap in how cloud audits were being performed, hence we sought to create a solution to fill this need. Even though the process of writing the book was demanding, it provided a very enriching experience.

In addition, I want to thank members of the Packt team, who provided unique insight into the content of the book. Special thanks to Prachi Sawant, Publishing Product Manager at Packt, for your encouragement and guidance every step of the way.

Finally, to everyone at the Cloud Security Alliance (CSA), and specifically, Rick Blue, Global Director, and training partners at Cloud Security Alliance. I am tremendously grateful for your support and incredible inspiration.

About the reviewers

Evan Wolfe (CISSP) is a cybersecurity professional with over 10 years of experience working in information technology, with a primary focus on cloud engineering and security. Evan has been an instructor for Dallas College, where he taught courses on AWS, developing applications in the cloud, and Kubernetes. He received his bachelor’s degree in Computer Information Technology from California State University, Northridge, and is currently pursuing his master’s degree in cybersecurity from the Georgia Institute of Technology. Currently, he is focused on leading cloud security initiatives through software engineering, data analytics, automation, and security testing.

Mani Keerthi Nagothu is a cybersecurity professional with global work experience. Her expertise is in cybersecurity strategy, incident response, risk management, security awareness, and training. She has been a speaker at various conferences, including (ISC)2 Security Congress, InfoSec World, Cloud Security Alliance, and many more. She is passionate about sharing knowledge with others and spends her time on cybersecurity research and keeping up with the latest trends in the industry.

Table of Contents

Preface

Part 1: The Basics of Cloud Architecture and Navigating – Understanding Enterprise Cloud Auditing Essentials

1

Cloud Architecture and Navigation

Understanding cloud auditing

Shared responsibility of IT cloud controls

Role of an IT auditor

Cloud architecture and service models

Cloud architecture

Cloud services

Navigating cloud provider environments

Navigating Amazon AWS EC2

Navigating the Microsoft Azure portal

Navigating GCP

Summary

2

Effective Techniques for Preparing to Audit Cloud Environments

Preparing to perform a cloud assessment

Effective techniques for aligning IT controls to cloud environments

Auditing frameworks and governance

Basic cloud auditing tools and frameworks

Native tools for auditing Amazon AWS

Native tools for auditing Microsoft’s Azure portal

Native tools for auditing Google Cloud Platform

Open-source tools

Native tools versus open-source tools

Leveraging policy and compliance automation

Summary

Part 2: Cloud Security and IT Controls

3

Identity and Access Management Controls

User authentication and authorization

Example IAM controls

Amazon AWS IAM

Microsoft Azure

GCP

Permissions, roles, and groups

Key privileged access, roles, and policies

Device management

Reviewing activity logs

AWS

Azure

GCP

Summary

4

Network, Infrastructure, and Security Controls

Security control centers

Amazon Virtual Private Cloud

Azure Virtual Network

Google Cloud Platform Virtual Private Cloud

Network controls

Amazon Virtual Private Cloud

Azure Virtual Network

Google Cloud Platform Virtual Private Cloud

Security policies

Amazon Virtual Private Cloud

Azure Virtual Network

Google Cloud Platform Virtual Private Cloud

Data security

Summary

5

Financial Resource and Change Management Controls

Example resource management controls

Center for Internet Security (CIS) benchmark controls

CSA Cloud Controls Matrix

Policies for resource management

Performing changes

Change management integration and workflows

Change history

Financial billing and cost controls

Financial resource ownership

Summary

Part 3: Executing an Effective Enterprise Cloud Audit Plan

6

Tips and Techniques for Advanced Auditing

Common pitfalls

Inability to forecast resource usage and costs

The impact of shadow IT

Avoiding automation

Misconfiguration

The inadvertent exposure of credentials

Overly permissive access

Tips, tricks, and techniques

AWS

Azure

GCP

Preparing for more advanced auditing

Other clouds

Oracle Cloud Infrastructure

IBM Cloud

Alibaba Cloud

Summary

7

Tools for Monitoring and Assessing

Basic cloud auditing tools within AWS

Amazon CloudWatch

Amazon Inspector

Azure

Azure Monitor

Azure Network Watcher

GCP

Google Cloud Monitoring

Network Intelligence Center

Summary

8

Walk-Through – Assessing IAM Controls

Preparing to assess cloud IAM controls

Assessing authentication and authorization

AWS IAM

Microsoft Azure

Assessing access assignment controls

Microsoft Azure

GCP

Assessing privileged access controls

AWS IAM

Microsoft Azure

Assessing device controls

AWS IAM

Microsoft Azure

Summary

9

Walk-Through – Assessing Policy Settings and Resource Controls

Preparing to assess network, infrastructure, and resource controls

Assessing network and firewall settings

Microsoft Azure

Assessing resource management policies

Microsoft Azure

GCP

Assessing data security policies

AWS

Microsoft Azure

Summary

10

Walk-Through – Assessing Change Management, Logging, and Monitoring Policies

Preparing to assess change management controls

Assessing audit and logging configurations

AWS

Microsoft Azure

GCP

Assessing change management and configuration policies

Azure Automation

Terraform

Policy Sentry

Assessing monitoring and alerting policies

AWS

Azure

GCP

Summary

Index

Other Books You May Enjoy

Preface

As many companies move to the cloud and shift business operations to hybrid, single cloud, or multi-cloud environments, it’s important that enterprise IT auditors be prepared with the tools and knowledge to effectively assess risk and controls, given that this is a business trend that is here to stay. Using assessment procedures and frameworks based on on-premise and legacy environments doesn't fully translate to cloud environments, leaving the enterprise with potential gaps in risk control coverage. This book will guide an auditor to understand where security controls can and do exist, procedures for accessing them for review, and best practices for testing their effectiveness. By the end of the book, you will be able to build an audit plan and assess security and compliance controls for the three major enterprise cloud environments (Amazon, Google, and Microsoft).

Who this book is for

This book is primarily intended for IT and security auditors who are responsible for building audit plans and testing the effectiveness of controls within an enterprise that may be moving, or has already moved, to adopting cloud services. This book provides insight for beginner to advanced IT and security auditors looking to learn more about what exists in the cloud so that they can ask questions and leverage tools that may lead to better test coverage. Other IT professionals whose job includes assessing compliance, such as DevSecOps teams, identity and access management analysts, cloud engineers, and cloud security architects, will also find plenty of useful information in this book. Before you get started, you’ll need a basic understanding of IT systems and cloud environments, and a solid grasp of IT general computing controls and cybersecurity basics. However, past experience configuring or performing a risk assessment on cloud environments is not required.

What this book covers

Chapter 1, Cloud Architecture and Navigation, provides a fundamental understanding of what a cloud environment is, how to navigate different cloud provider environments, and the roles and responsibilities between the cloud service provider and an auditor.

Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, covers the standard resources available for developing an audit plan, aligning controls to a cloud environment, and the tools for policy and compliance automation.

Chapter 3, Identity and Access Management Controls, walks through configuration and control options for a digital identity, including authentication and authorization and reviewing activity logs.

Chapter 4, Network, Infrastructure, and Security Controls, looks at policies and options for defining and controlling network and infrastructure access and navigating security control centers.

Chapter 5, Financial Resource and Change Management Controls, introduces features available within each of the cloud environments for resource management, including billing and cost controls, and tracking changes within the cloud environment.

Chapter 6, Tips and Techniques for Advanced Auditing, provides guidance on common pitfalls an IT auditor should look out for, tips and techniques to leverage, and ideas for preparing for more advanced audits, including a primer on other cloud environments such as Alibaba, IBM, and Oracle.

Chapter 7, Tools for Monitoring and Assessing, gives a deeper insight on tools and options that exist for auditors to monitor cloud platforms, within each of the three major cloud providers.

Chapter 8, Walk-Through – Assessing IAM Controls, covers simple assessments for hands-on experience assessing identity and access management controls within the three major cloud providers.

Chapter 9, Walk-Through – Assessing Policy Settings and Resource Controls, provides practice opportunities for assessing security and compliance settings, and reviewing resource management controls.

Chapter 10, Walk-Through – Assessing Change Management, Logging, and Monitoring Policies, offers an opportunity to practice assessing compliance for changes made within the cloud environment, as well as how to leverage cloud native tools for performing logging and monitoring in the cloud.

To get the most out of this book

To navigate through the hands-on practice chapters of the book, it’s best to have a “sandbox” environment with some administrative privileges or set up your own personal cloud environment for Amazon Web Services, Microsoft Azure, and Google Cloud Platform. If you choose to set up your own personal cloud environment, at the time of this writing, each of the three major cloud providers has options for a setup that is free for at least the first 30 days and then moves to a “pay-as-you-go” model. Please carefully review the terms and agreements to understand the financial implications of long-term usage.

Software/hardware covered in the book                           Operating system requirements

Any of the latest versions of Google Chrome or Microsoft Edge   Windows, macOS, or Linux (any)

Amazon Web Services                                             Windows, macOS, or Linux (any)

Microsoft Azure                                                 Windows, macOS, or Linux (any)

Google Cloud Platform                                           Windows, macOS, or Linux (any)

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/Kq3mr.

Conventions used

There are a number of text conventions used throughout this book.

Any command-line input or output is written as follows:

aws iam list-users

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “A cloud service provider (CSP) may want to provide a certification to its customers regarding its defined and operating controls through a System and Organization Controls 2 (SOC 2).”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Cloud Auditing Best Practices, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application. 

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

1. Scan the QR code or visit the link below

https://packt.link/free-ebook/9781803243771

2. Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1:
The Basics of Cloud Architecture and Navigating – Understanding Enterprise Cloud Auditing Essentials

This section will cover the essential knowledge of cloud structure and design, navigating within an enterprise cloud environment, the roles and responsibilities as they relate to security controls, and preparing to audit IaaS (Infrastructure as a Service) and PaaS (Platform as a Service) cloud service models as an enterprise IT auditor.

This part comprises the following chapters:

Chapter 1, Cloud Architecture and Navigation

Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments

1

Cloud Architecture and Navigation

As companies become increasingly digital and shift to the use of cloud platforms and services to meet demands for availability, flexibility, and scalability, the toolset of an IT auditor must expand to meet this shift. For many companies, critical operations are being performed either partially or entirely within cloud and even multi-cloud environments. As an auditor, it’s important to have the skills necessary to understand the risks of using cloud services and to assess the applicability and effectiveness of controls that protect company assets when cloud services are used.

In our first chapter, we will focus on providing an overview of responsibilities when assessing risks and controls, as well as navigation within cloud environments.

In this chapter, we’ll cover the following topics:

Understanding cloud auditing

Cloud architecture and service models

Navigating cloud provider environments

By the end of this chapter, you will have a good understanding of how cloud shared responsibility impacts you as an IT auditor, the different cloud architectures and deployments you may encounter, and the fundamental navigation skills you need to interact with the three major cloud computing platforms.

Understanding cloud auditing

As companies look for ways to lower costs, increase efficiency, and enable remote and distributed workforces, the expansion and adoption of cloud subscription-based services continue to grow. Along with that growth, there’s a need to make sure the IT controls for a company have been reviewed, adapted, and adequately applied and assessed to address the criticality of cloud services used as part of the IT ecosystem.

With cloud environments, several different types of auditing exist. A cloud service provider (CSP) may want to provide a certification to its customers regarding its defined and operating controls through a System and Organization Controls 2 (SOC 2). Other companies may want to certify that their environments meet International Organization for Standardization (ISO) or National Institute of Standards and Technology (NIST) standards or implement controls according to a given compliance framework, such as Payment Card Industry (PCI) compliance. In this book, we will focus on auditing a CSP customer environment from a general IT computing perspective.

Whether you are performing as an internal or external auditor within a cloud customer (enterprise) environment, it’s important for you to understand how an IT computing control that’s traditionally been applied against an on-premise environment may still be relevant. However, it will require adjustments to your testing procedures when validating them in a cloud environment. An example of this would be PCI Data Security Standard (PCI DSS) controls requiring organizations to establish and maintain a detailed enterprise asset inventory. The dynamic nature of cloud environments and the speed and scale at which new assets can be provisioned can make this a challenge. In this instance, not only should an enterprise IT auditor be aware of whether this inventory exists and covers all enterprise assets to ensure they have effective control coverage, but they should also be aware of the processes around billing and financial management within the cloud, how change management and resource allocation are performed, and which users have administrative rights to these functions. In some cases, you may need to consider how the control has to support the effective operations of a multi-cloud environment and the ability across cloud provider platforms to satisfy a particular control. The ability to categorize and quantify risks related to the use and integration of cloud services into an organization’s business processes is quickly becoming an essential skill for auditors.

Shared responsibility of IT cloud controls

When planning and executing an audit, it is critical to understand cloud shared responsibility (and in the case of Google Cloud Platform (GCP), “shared fate”) model agreements with CSPs whose services have been integrated into the customer environment in scope to be audited. The intent of the shared responsibility model agreements is to provide clear guidance on the security, controls, and obligations to compliance that the CSP is responsible for, and what the cloud consumer/customer will need to take responsibility for. Anytime you have a cloud-based component as part of your business operations, it is important that you understand the shared responsibility model with that CSP. In general, shared responsibility simply means there are actions, tools, processes, capabilities, and controls that the CSP is responsible for and others that the cloud customer will be responsible for, and some that require joint responsibility for full control coverage. An example of this would be in the case of NIST Cybersecurity Framework control RS.CO.1: Personnel know their role and order of operations when a response is needed. In a traditional on-premise environment where the company owns and manages all parts of the infrastructure, understanding who has responsibility for this control and testing compliance of the control would likely be very straightforward. In cloud environments, and especially in multi-cloud or hybrid environments, assessing this control becomes much more complex.

Role of an IT auditor

Shared responsibility agreements help with understanding what information or test evidence may need to be obtained directly from the CSP, which areas the CSP expects the customer to have controls for, and which areas carry a joint responsibility for defining and implementing security controls and protections. In particular, the last two areas should be a primary focus for an IT auditor to understand which risks the customer (enterprise) has elected to accept or address, through security or configuration controls, and build an audit plan that assesses the effectiveness of those controls. In most cases, it will be helpful (and potentially required) for the IT auditor to obtain an assurance report from the CSP, with SOC 2 Type 2 reports being a common report from the CSP that provides a “qualified opinion”, based on an independent audit, of the effectiveness of the operating controls for which the CSP has taken responsibility. The report can be used to identify deficiencies in testing and control coverage that need to be addressed for the customer (enterprise) environment. A SOC 2 Type 2 report is based on “trust service principles” defined by the American Institute of Certified Public Accountants (AICPA). These principles cover the categories of security, privacy, confidentiality, integrity, and availability for the CSP environment. An independent assessor determines if the CSP complies with one or more of the five trust principles and issues a report attesting to the operating effectiveness of the control over a given time period (generally 12 months). Based on the business practices of the organization undergoing a SOC 2 assessment, the content of the report may vary. Each organization can design its own control(s) to adhere to one or all of the trust service principles. 
As an enterprise IT auditor, you will be responsible for reviewing and understanding the “qualified opinion” on the SOC report, as well as closely reviewing the scope of which trust principles have been covered and the time period of testing. Additionally, organizations undergoing a SOC 2 compliance review may elect not to perform additional procedures to mitigate any residual risks for gaps identified in the SOC report or for trust principle areas for which they have elected to not have controls. You will need to review and support your organization in discerning if there is an effective level of coverage. You should also note that SOC 2 Type 2 reports may not be acceptable for some international companies. For example, some international companies in Europe prefer ISO 27001. Your auditing procedures and review of shared responsibility need to take into account the regions for which the cloud environment has been deployed, the business usage and types of applications that will be supported, and the data protections required across the regions. Consideration also needs to be taken regarding the timing of received assurance reports. Depending upon your organization’s audit cycle, there may be a gap in the timing coverage of the CSP’s standard assurance report made available to all of its customers, and the audit period and requirements of your organization for when control is to be tested. In this case, you will need to obtain a bridge report that provides an attestation of control effectiveness during the gap period.
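As an added example (not code from the book), the following Python carries out the two checks the paragraph above asks of the auditor: whether the CSP's attestations cover the trust service categories the audit relies on, and whether their testing periods cover the organization's own audit period, reporting any gap for which a bridge report or other evidence is still needed. All dates, attestation periods and category names are constructed sample values.

```python
"""Assurance-report coverage check (added example, not from the book).

Given the period an enterprise audit must cover, the trust service categories the
audit relies on, and the CSP attestations on hand (a SOC 2 Type 2 report and any
bridge letters), list, per category, every date range no attestation covers.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ONE_DAY = timedelta(days=1)


@dataclass(frozen=True)
class Attestation:
    kind: str            # e.g. "SOC 2 Type 2" or "bridge letter"
    start: date          # first day of the attested period (inclusive)
    end: date            # last day of the attested period (inclusive)
    criteria: frozenset  # trust service categories the report covers


def merge_periods(periods):
    """Merge overlapping or back-to-back inclusive date ranges into one sorted list."""
    merged = []
    for start, end in sorted(periods):
        if merged and start <= merged[-1][1] + ONE_DAY:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(audit_start, audit_end, attestations):
    """Return the sub-ranges of [audit_start, audit_end] that no attestation covers."""
    relevant = [(a.start, a.end) for a in attestations
                if a.end >= audit_start and a.start <= audit_end]
    gaps = []
    cursor = audit_start  # first day not yet known to be covered
    for start, end in merge_periods(relevant):
        if start > cursor:
            gaps.append((cursor, start - ONE_DAY))
        cursor = max(cursor, end + ONE_DAY)
        if cursor > audit_end:
            break
    if cursor <= audit_end:
        gaps.append((cursor, audit_end))
    return gaps


def coverage_report(audit_start, audit_end, required_criteria, attestations):
    """For each required trust service category, the date ranges still uncovered.

    An attestation only counts toward a category it explicitly has in scope, so a
    category the CSP never had assessed shows the whole audit period as a gap.
    """
    return {
        criterion: coverage_gaps(
            audit_start, audit_end,
            [a for a in attestations if criterion in a.criteria])
        for criterion in sorted(required_criteria)
    }


# Constructed sample: a calendar-year audit period, a SOC 2 Type 2 report whose
# 12-month window ends three months before year end, and a bridge letter that
# covers only two of those three months. Privacy was never in the CSP's scope.
AUDIT_START = date(2023, 1, 1)
AUDIT_END = date(2023, 12, 31)
REQUIRED = frozenset({"security", "availability", "privacy"})
ATTESTATIONS = [
    Attestation("SOC 2 Type 2", date(2022, 10, 1), date(2023, 9, 30),
                frozenset({"security", "availability", "confidentiality"})),
    Attestation("bridge letter", date(2023, 10, 1), date(2023, 11, 30),
                frozenset({"security", "availability", "confidentiality"})),
]


def sample_report():
    """Run the check over the constructed sample data."""
    return coverage_report(AUDIT_START, AUDIT_END, REQUIRED, ATTESTATIONS)


if __name__ == "__main__":
    for criterion, gaps in sample_report().items():
        status = "covered" if not gaps else ", ".join(f"{s} to {e}" for s, e in gaps)
        print(f"{criterion:15s} {status}")
```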

When operating within a multi-cloud environment, there are likely to be many similarities in the cloud shared responsibility model across cloud providers; however, each agreement should be reviewed independently and assessed as part of an end-to-end review of control coverage for every relevant process executing through the cloud environment. Additionally, the responsibilities between the CSP and cloud customer may differ depending upon the vendors, services, and deployment models used, requiring the auditor to be aware of the complete architecture of the customer’s cloud environment, the services being consumed, and how those services relate back to business and IT operations. Additional resources on shared responsibility with the three major CSPs can be found in the following list:

Shared Responsibility Model, Amazon Web Services (AWS) Elastic Compute Cloud (EC2): https://aws.amazon.com/compliance/shared-responsibility-model/

Shared Responsibility Model, Microsoft Azure: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

Shared Responsibility Model, GCP: https://cloud.google.com/blog/products/identity-security/google-cloud-security-foundations-guide

Cloud Security Alliance explains shared responsibility: https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/

Now that we have discussed the types of cloud auditing covered in this book and understand the shared responsibility between cloud providers and the cloud customer to implement IT controls, we have begun to build our foundation for applying best practices in cloud auditing. To further build your cloud foundation, we will now review cloud architecture and service models and the impact they have on cloud auditing.

Cloud architecture and service models

As an IT auditor, it is important to be aware of the cloud architectural and deployment design changes that have been made and that influence operations within the IT environment being audited. Knowing how cloud services have been enabled and integrated with business operations is key to validating the scope of compliance testing and potential exposure related to risk.