CloudCheck 360°. Our 8-category audit methodology.

The framework we use for manual engagements — Manual Cloud Audit and Implementation. 8 categories of scope, mapped to industry-standard frameworks (NIST, CIS, AWS Well-Architected, GCP Architecture Framework). Customer and Cloud Upload pick which categories apply during scoping.

8 categories · NIST 800-53r5 + CIS Controls v8.1 aligned · Manual engagement methodology

Scope

CloudCheck 360° is one of three methodologies we use.

Different products use different methodologies. CloudCheck 360° is our framework for manual engagements where customer and Cloud Upload scope the audit together. Automated tiers and Pen Tests follow different methodologies appropriate to their depth and delivery model.

  • Automated audit pipelines

    Free Scan + $499 Full Audit Report

    Methodology: CloudTest pipeline (AWS — IAM / Network / Data / Logging / FinOps / Architecture).

    Pre-defined automated AWS scans run in our pipeline. No scoping conversation. Same scan engine at both tiers; the $499 unlocks the full inventory + evidence + CVSS scoring.


  • Penetration testing methodology

    Pen Test (Essential $3,499 / Complete $5,499 / Custom)

    Methodology: OWASP Web Security Testing Guide (web), OWASP Mobile MASVS (mobile), OWASP API Security Top 10 (APIs), CIS Benchmarks (network).

    Manual testing by credentialed engineers. OWASP-aligned. Scope locked at checkout via 5-minute scoping form. 15-day SLA from scope-lock for Essential, 30-day for Complete.


  • CloudCheck 360° (this page)


    Manual Cloud Audit (from $4,999) + Implementation (Custom)

    Methodology: 8 categories detailed in the next section.

    Senior-engineer engagement. Customer and Cloud Upload scope which of the 8 categories apply, depth of each, and timeline. Custom remediation roadmap delivered.

Three methodologies, one team, consistent framework alignment. The CloudCheck 360° framework below describes manual engagement depth — when we engage at Tier 3 or Tier 4 in either stream.

Methodology depth

8 categories. Pick what applies to your engagement.

Each category in CloudCheck 360° includes what we assess, the tools and methods we use, and a typical finding we surface. During scoping, customer and Cloud Upload select which categories apply to the engagement based on the customer’s environment, compliance need, and budget. Most Manual Cloud Audit engagements include 4-6 categories; Implementation engagements typically focus on 2-4 categories with deep remediation work.

  • 01

    Identity & Access Management

    Identity boundaries, privilege scopes, federation trust, and the audit trail of who can do what.

    What we assess

    • Root account usage + MFA enforcement
    • IAM password policy + key rotation
    • User and role privilege analysis (least privilege deviation)
    • Cross-account trust relationships
    • Federation (SSO, OIDC, SAML) configurations

    Tools and methods

    • Read-only IAM enumeration via deployed CloudFormation role
    • Privilege analysis against CIS Benchmarks IAM controls
    • IAM Access Analyzer findings review
    • Manual review of cross-account trust policies

    Typical finding

    Wildcard subject claim in an OIDC trust policy allowing any GitHub Actions workflow from the org to assume the role. See our writeup Hardening GitHub Actions OIDC trust policies on AWS.

  • 02

    Network

    The boundary between your workloads and the internet, and the segmentation between workloads.

    What we assess

    • VPC architecture (subnets, route tables, peering, transit gateway)
    • Security groups + NACLs configuration
    • Public exposure of resources (S3, RDS, ELB, ECS tasks)
    • VPC Flow Logs enablement + log destination security
    • Internet-facing load balancers + open ports

    Tools and methods

    • Read-only VPC + EC2 metadata enumeration
    • Security group rule analysis against least-exposure baseline
    • Public-resource detection via Config rules + reachability analysis
    • VPC Flow Logs query for unexpected lateral traffic

    Typical finding

    Production database security group with 0.0.0.0/0 ingress on port 5432 inherited from a long-deprecated bastion pattern.

  • 03

    Data

    Storage encryption posture, public exposure, key management, and snapshot hygiene.

    What we assess

    • S3 / EBS / RDS / DynamoDB encryption at rest
    • KMS key rotation + key policy review
    • S3 bucket public access + block configuration
    • Snapshot encryption + cross-account share policies
    • Backup destination security

    Tools and methods

    • Read-only S3 + EBS + RDS + DynamoDB inventory
    • Encryption status verification per resource
    • KMS key rotation audit (last rotation timestamp)
    • S3 Block Public Access enforcement check

    Typical finding

    RDS snapshot replicated to a developer AWS account 18 months ago, never expired, currently shared with no encryption.

  • 04

    Logging & Detection

    CloudTrail configuration, audit log integrity, GuardDuty enablement, and the path from log to alert.

    What we assess

    • CloudTrail multi-region + log file integrity validation
    • AWS Config recording rules + rule coverage
    • GuardDuty enablement + finding response posture
    • Audit log retention + destination security
    • CloudWatch alarm coverage for security-critical events

    Tools and methods

    • CloudTrail trail enumeration + integrity validation
    • Config rule coverage analysis
    • GuardDuty findings review (last 90 days)
    • Alert routing trace from CloudWatch to operator

    Typical finding

    CloudTrail trail configured but log-file integrity validation disabled — auditor's first question is “how do you know the logs weren’t tampered with?”

  • 05

    FinOps

    The cost-optimization layer most security audits skip. Idle resources, oversized instances, Reserved Instance opportunities.

    What we assess

    • Idle / underutilized resources (EC2, RDS, ELB, NAT gateways)
    • Unattached EBS volumes + Elastic IPs + old snapshots
    • Reserved Instance + Savings Plan coverage gaps
    • Oversized instance recommendations (CPU/memory utilization analysis)
    • Data transfer cost anti-patterns

    Tools and methods

    • Cost Explorer + CloudWatch metrics analysis
    • Trusted Advisor checks (cost-optimization category)
    • Reserved Instance utilization + recommendation review
    • Per-account spend trend analysis (12-month look-back)

    Typical finding

    Three NAT gateways across availability zones for traffic that never crosses AZ boundaries. See our writeup Three cloud cost anti-patterns that survive every FinOps review.

  • 06

    Architecture & Resilience

    Defense-in-depth posture, secrets management, backup readiness, and cross-AZ resilience for security-critical resources.

    What we assess

    • AWS Well-Architected Security Pillar alignment
    • Secrets Manager + Parameter Store usage (vs hardcoded secrets)
    • Backup + DR posture (frequency, retention, restoration tested)
    • Cross-AZ + cross-region resilience for security-critical workloads
    • Defense-in-depth gaps (single points of failure)

    Tools and methods

    • Well-Architected review framework against Security Pillar
    • Secrets Manager + Parameter Store inventory
    • Backup vault + recovery point inventory
    • Manual review of single-AZ deployments for security-critical resources

    Typical finding

    KMS key for production database encryption located in a single region without multi-region replication; loss of region = loss of decryption capability.

  • 07

    Workload Security

    The hardening posture of the workloads themselves — EC2 instances, containers, serverless functions, and the metadata service that connects them.

    What we assess

    • IMDSv2 enforcement at account default level
    • EC2 instance hardening (SSM agent, OS patching, disabled services)
    • Container security (image signing, runtime configuration, network policy)
    • Lambda function permissions + environment variable security
    • Workload-level outbound traffic egress control

    Tools and methods

    • IMDS configuration audit account-wide
    • SSM Session Manager enablement + IAM policy review
    • ECR image scan results review
    • Lambda function role and environment audit

    Typical finding

    IMDSv2 not enforced as the account default; EC2 launches without explicit hop-limit defaults expose IMDSv1 — SSRF risk. See our writeup IMDSv2 is not a migration project.

  • 08

    Incident Response Readiness

    Detection-to-response path, runbook quality, and the question of whether the team can actually execute under pressure.

    What we assess

    • IR runbook existence + quality (specific to your stack)
    • Alert routing + on-call rotation
    • Forensics readiness (CloudTrail data lake, snapshot policies, isolation playbooks)
    • Communication plan (internal + external + regulators where applicable)
    • Tabletop exercise history + lessons-learned integration

    Tools and methods

    • Runbook review against NIST 800-61r3 incident handling guide
    • Alert routing trace with synthetic events
    • Forensics-readiness review (data lake, snapshot policy, isolation procedures)
    • Tabletop facilitation (Implementation tier engagement)

    Typical finding

    CloudTrail logs available but no runbook for “engineer’s IAM credentials posted on GitHub” — discovery to containment took 4 hours during a real incident; it should have been 15 minutes. See our writeup Reading CloudTrail like an incident responder.
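The category 01 typical finding (a wildcard `sub` condition in a GitHub Actions OIDC trust policy) can be checked mechanically from a role's trust policy document. The block below is an added example, not Cloud Upload's tooling: the trust policy, the account ID and the org/repo names are constructed, and the grading thresholds (HIGH for org-wide, MEDIUM for any-branch) are this example's own.

```python
GITHUB_OIDC = "token.actions.githubusercontent.com"

# Constructed trust policy (not from any real account) showing the weak pattern:
# the sub condition lets any workflow in any repository of the org assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"},
        },
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_sub(sub):
    """Grade one sub pattern; OK only when it pins one repository and one ref or environment."""
    parts = sub.split(":", 2)  # e.g. ["repo", "org/name", "ref:refs/heads/main"]
    if parts[0] != "repo":
        return ("HIGH", f"{sub}: does not pin the 'repo:' claim prefix")
    if len(parts) < 2 or "*" in parts[1]:
        return ("HIGH", f"{sub}: any repository in the org (or beyond) can assume the role")
    if len(parts) < 3 or "*" in parts[2]:
        return ("MEDIUM", f"{sub}: any branch, tag, PR or environment of {parts[1]} qualifies")
    return ("OK", f"{sub}: scoped to one repository and one ref/environment")

def audit_github_oidc_trust(policy):
    """Return (severity, detail) findings for each GitHub OIDC AssumeRoleWithWebIdentity statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not any(GITHUB_OIDC in p for p in federated):
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        if f"{GITHUB_OIDC}:aud" not in cond.get("StringEquals", {}):
            findings.append(("HIGH", "no aud condition: tokens minted for other audiences are accepted"))
        subs = [s for op in ("StringEquals", "StringLike")
                for s in _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC}:sub", []))]
        if not subs:
            findings.append(("HIGH", "no sub condition: any GitHub Actions workflow can assume the role"))
        findings.extend(classify_sub(s) for s in subs)
    return findings
```

Feed it the output of `iam get-role` (the `AssumeRolePolicyDocument`) for each role whose principal is the GitHub OIDC provider; a pinned pattern such as `repo:example-org/payments-api:ref:refs/heads/main` grades OK.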

Each category maps to NIST 800-53r5 control families and CIS Controls v8.1 implementation groups. Compliance framework mapping (SOC 2 / HIPAA / PCI DSS / ISO 27001) included in Manual Cloud Audit and Implementation deliverables.
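The category 03 typical finding (an old, unencrypted RDS snapshot still shared with another account) is the kind of thing a read-only inventory pass should surface automatically. The block below is an added example rather than the audit tooling itself; the snapshot records, account IDs and dates are constructed, and the 90-day share-age threshold is this example's assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not real account data) shaped like the fields a read-only collector would merge
# from rds:DescribeDBSnapshots (SnapshotCreateTime, Encrypted) and rds:DescribeDBSnapshotAttributes
# ("restore" holds the account IDs a snapshot is shared with; the value "all" means public).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"DBSnapshotIdentifier": "prod-db-2023-07", "SnapshotCreateTime": NOW - timedelta(days=548),
     "Encrypted": False, "restore": ["111122223333"]},   # shared to another account, unencrypted, ~18 months old
    {"DBSnapshotIdentifier": "prod-db-2025-01-14", "SnapshotCreateTime": NOW - timedelta(days=1),
     "Encrypted": True, "restore": []},
    {"DBSnapshotIdentifier": "test-db-2024-06", "SnapshotCreateTime": NOW - timedelta(days=228),
     "Encrypted": False, "restore": ["all"]},
]

def audit_snapshot_sharing(snapshots, now=NOW, max_share_age_days=90):
    """Return (severity, detail) findings; a single snapshot can raise more than one."""
    findings = []
    for snap in snapshots:
        name, shared = snap["DBSnapshotIdentifier"], snap.get("restore", [])
        age_days = (now - snap["SnapshotCreateTime"]).days
        if "all" in shared:
            findings.append(("CRITICAL", f"{name}: publicly restorable by any AWS account"))
        elif shared:
            sev = "HIGH" if not snap["Encrypted"] else "MEDIUM"
            findings.append((sev, f"{name}: shared with {len(shared)} external account(s), encrypted={snap['Encrypted']}"))
        if shared and age_days > max_share_age_days:
            findings.append(("MEDIUM", f"{name}: share is {age_days} days old with no expiry; confirm it is still needed"))
        if not snap["Encrypted"]:
            findings.append(("MEDIUM", f"{name}: not encrypted at rest"))
    return findings

def severity_counts(findings):
    """Roll findings up into a per-severity count for the report summary."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```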

Standards

Mapped to industry frameworks.

Every CloudCheck 360° engagement maps findings to industry-standard control frameworks. Reports include framework references in the deliverable; Manual Cloud Audit and Implementation engagements add explicit cross-framework reconciliation.

Security frameworks

  • NIST 800-53r5 — Federal security control catalog (control family per finding)
  • NIST CSF 2.0 — Cybersecurity Framework (function: identify / protect / detect / respond / recover)
  • NIST 800-61r3 — Computer security incident handling guide (IR readiness category)
  • CIS Controls v8.1 — Critical security controls (implementation group per finding)
  • CIS Benchmarks — Configuration hardening baselines (per resource type)

Cloud architecture frameworks

  • AWS Well-Architected Framework — Security Pillar — AWS architecture review
  • AWS Well-Architected Framework — Cost Optimization Pillar — FinOps category baseline
  • AWS Well-Architected Framework — Reliability Pillar — Architecture & Resilience baseline
  • GCP Architecture Framework — Security — GCP equivalent (GCP coverage Phase 2)
  • OWASP — Web/API/Mobile testing methodologies (referenced from /services/penetration-testing)

Compliance framework mapping (SOC 2 / HIPAA / PCI DSS / ISO 27001) is a separate layer added at Manual Cloud Audit and Implementation tiers. See our compliance guides for per-framework detail.

Process

Scoping → audit → roadmap → handoff.

Manual engagements (Manual Cloud Audit, Implementation) follow a 4-phase process. Customer time investment is concentrated in scoping and handoff; the audit phase is on us.

  • Step 01

    Scoping (60-90 minutes)

    60-minute scoping call to understand your environment, compliance pressure, and timeline. We propose which of the 8 categories apply, depth per category, and engagement timeline. You confirm scope; we lock the engagement. For Implementation engagements, we map findings from a prior audit (ours or another vendor’s) into a remediation backlog.

  • Step 02

    Audit (1-3 weeks for Manual Cloud Audit, scoped per engagement for Implementation)

    Senior engineer runs the agreed categories using the tools and methods documented above. Read-only access via a CloudFormation role we send for deployment. Weekly status syncs or async updates, per your preference. Urgent findings escalated immediately, not held for delivery.

  • Step 03

    Roadmap delivery (1 week)

    Findings consolidated into a signed PDF report (40-100+ pages depending on scope). Findings prioritized by severity + remediation effort + business impact. Custom remediation roadmap matched to your stack and engineering capacity. 60-minute walkthrough call to review the roadmap with your team.

  • Step 04

    Handoff or implementation

    Manual Cloud Audit ends with a 30-day support window for follow-up questions. Implementation engagements continue from here — engineering time to execute the roadmap, retest after fixes are live. Compliance evidence package handoff to your auditor on request.

Manual engagements are scoped per project. Public pricing starts at $4,999 (Manual Cloud Audit) — see our public pricing ladder for the full tier list.

Common questions

Quick answers.

CloudCheck 360° is Cloud Upload’s audit methodology for manual engagements (Manual Cloud Audit and Implementation). It covers 8 categories — IAM, Network, Data, Logging & Detection, FinOps, Architecture & Resilience, Workload Security, and Incident Response Readiness. During scoping, customer and Cloud Upload select which categories apply based on the customer’s environment, compliance need, and budget. CloudCheck 360° aligns with NIST 800-53r5, CIS Controls v8.1, AWS Well-Architected Framework, and (Phase 2) GCP Architecture Framework.

The 8 categories cover the surface area where security and reliability findings concentrate in cloud environments. IAM and Network are the two highest-frequency finding categories in our experience; Data and Logging & Detection are the two most frequently failed at compliance audits; FinOps is the layer most security audits skip; Architecture & Resilience, Workload Security, and Incident Response Readiness are the categories most cloud security tools don’t surface. Together they’re the complete manual-engagement scope.

No. Most Manual Cloud Audit engagements include 4-6 categories; Implementation engagements typically focus on 2-4 categories with deep remediation work. Customer and Cloud Upload select the subset during scoping based on environment, compliance need, and budget. Customers with active SOC 2 audits often prioritize Logging & Detection + IAM. Customers with cost pressure prioritize FinOps + Architecture. Customers post-incident prioritize Incident Response Readiness + Workload Security.

No. Automated tiers (Free Scan, $499 Full Audit Report) use our CloudTest automated pipeline — pre-defined AWS scans, no scoping conversation. The free pipeline returns severity counts, a category breakdown across 6 AWS domains, and 8-12 representative findings; the $499 unlocks the full inventory with evidence, CVSS scoring, and CIS AWS Foundations Benchmark v1.5 mapping per finding. Pen Test follows OWASP frameworks (Web Security Testing Guide, Mobile MASVS, API Security Top 10). CloudCheck 360° is specifically the manual engagement methodology — used for Manual Cloud Audit and Implementation tiers.

CloudCheck 360° findings map to NIST 800-53r5 control families and CIS Controls v8.1 implementation groups in every report. Manual Cloud Audit and Implementation tiers add explicit compliance framework cross-references (SOC 2 Trust Services Criteria, HIPAA Security Rule, PCI DSS requirements, ISO 27001:2022 Annex A controls). Auditors drop our reports directly into compliance evidence packages. See /compliance for per-framework guides on what auditors expect from each framework.
