Cloud Security Checklist

The document contains questions about a cloud service provider's (CSP's) compliance, security, and integration capabilities. It asks whether the CSP provides audit reports and certifications, secures physical assets and access, enables compliance-based resource configuration, and adheres to data location regulations. It also asks about the CSP's authentication, authorization, network security, data security, monitoring, incident response, and integration with corporate security tools.

Uploaded by

1977am

Compliance and Asset Management

Does the CSP provide access to its audit results, certifications and assessment reports (e.g. PCI DSS, ISO 27001)?
Does the CSP provide third-party audited reports on the physical security of assets?
Is there a capability to identify all cloud resources, both existing and deleted?
Is resource configuration auditable against compliance rules? Ex. not allowing provisioning of VMs in the USA.
Is there regulatory approval for the locality of data (including HA and DR) and services with respect to the location of the cloud provider and the location of its servers?

Authentication and Authorization

Is access to the management plane/console secured for both web and API?
Is root/owner access secured with MFA and dual authority?
Is there a built-in IAM capability, with support for RBAC, to manage cloud users, groups and roles?
Does the solution provide federated access using the corporate AD for authentication, utilizing a framework such as OAuth or SAML?
Is MFA enabled with federation for authentication?
Is a service entitlement matrix available, i.e. which group or user has access to which cloud service?
Is MFA enabled for all privileged users?

Network and Compute Security

Is network isolation provided using firewalls and network access controls?
Is all network traffic between cloud services encrypted?
Is the solution built using a dedicated WAN or VPN for hybrid connectivity?
Are DDoS and IPS protections built in?
Is WAF capability built in for web services?
Does the CSP allow conducting penetration testing?
Is the solution using custom, security-hardened images for provisioning VMs?
Is access to machine images secured using IAM?

Data Security

Does the solution provide monitoring of cloud usage and data migrations to the cloud, or support integrating a CASB solution?
Does it provide data access controls, i.e. FGAC (fine-grained access control)?
Is data at rest encrypted?
Does the solution have a key manager with support for customer-managed keys?
Is the key manager admin role separate from the storage admin role?
Does it have an HSM service?
Is data retention compliance adhered to?

Monitoring and Alerting

Is the solution built with log aggregation, monitoring and alerting for compliance rules, e.g. number of invalid access attempts?
Are API access logs, network logs, privileged user access logs and application logs shipped to and stored in an isolated and secured environment?
Are API access logs, network logs, privileged user access logs and application logs shipped to the corporate SIEM?
Does it provide the capability to detect configuration changes, e.g. moving resources to non-compliant regions or deleting resources?
Does it allow a custom logging solution where an in-cloud solution is not available? Ex. packet capture.
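As an added example that is not part of the checklist, the Python below shows how two of the checks asked about above (auditing resource configuration against a region rule, and detecting resources that were deleted or moved to a non-compliant region) can be evaluated over a constructed inventory; the resource fields, region names and the EU-only policy are assumptions.

```python
"""Added example, not from the checklist: audit a constructed cloud inventory
against compliance rules (allowed regions, encryption at rest) and detect
configuration drift (deleted or moved resources) between two snapshots."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    rid: str          # resource identifier (constructed)
    kind: str         # "vm", "bucket", ...
    region: str       # provisioning region
    encrypted: bool   # is data at rest encrypted?


# Assumption: an EU-only data-locality policy; region names are constructed.
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}


def evaluate(resources):
    """Return (resource id, rule, detail) for every rule violation."""
    findings = []
    for r in resources:
        if r.region not in ALLOWED_REGIONS:
            findings.append((r.rid, "non-compliant-region", r.region))
        if not r.encrypted:
            findings.append((r.rid, "unencrypted-at-rest", r.kind))
    return findings


def diff_inventory(previous, current):
    """Detect resources deleted or moved to another region between snapshots."""
    prev = {r.rid: r for r in previous}
    cur = {r.rid: r for r in current}
    events = [(rid, "deleted", prev[rid].region)
              for rid in sorted(prev.keys() - cur.keys())]
    for rid in sorted(prev.keys() & cur.keys()):
        if prev[rid].region != cur[rid].region:
            events.append((rid, "moved", f"{prev[rid].region}->{cur[rid].region}"))
    return events


# Constructed snapshots: at T1, vm-1 has been moved to the US and vm-2 deleted.
SNAPSHOT_T0 = [Resource("vm-1", "vm", "eu-west-1", True),
               Resource("vm-2", "vm", "eu-central-1", True),
               Resource("bkt-1", "bucket", "eu-west-1", False)]
SNAPSHOT_T1 = [Resource("vm-1", "vm", "us-east-1", True),
               Resource("bkt-1", "bucket", "eu-west-1", False)]

if __name__ == "__main__":
    for finding in evaluate(SNAPSHOT_T1) + diff_inventory(SNAPSHOT_T0, SNAPSHOT_T1):
        print("ALERT", *finding)
```

In practice the snapshots would come from the CSP's inventory API and the findings would be shipped to the corporate SIEM, as the monitoring items above ask for.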

Incident Response and Investigation

Are incident response systems tested with the CSP? Are escalations, roles and responsibilities verified?
Does it allow taking snapshots of VMs for investigation, i.e. can infected VMs be preserved for investigation prior to deletion?
Does it provide an event-driven security mechanism for non-compliant resources?

Integration with corporate security tools (if lacking in-built capability)

Is integration with CASB verified/feasible?
Is integration with the corporate DLP, WAF and IDP solutions verified/feasible?
Is integration with email security verified/feasible?
Does the solution allow vulnerability assessment (VA) and endpoint protection for cloud assets & apps?
