GASP: AICF


INF-001 Cloud Security Configuration and Governance

Tier 2+

Description

Documented security requirements govern the acquisition, configuration, and exit of cloud services. Cloud workloads operate under an approved security baseline that covers identity, access, network, encryption, and logging settings. Configuration deviations from the baseline are detected and remediated.

Rationale

Cloud misconfigurations are among the leading causes of data breaches in SaaS environments. A governed baseline with continuous drift detection ensures the attack surface remains minimised and auditable.

Framework Mappings (6)

Control ID   Control name                                                          Mapping
I&S-01       Infrastructure and Virtualization Security Policy and Procedures      full
I&S-07       Migration to Cloud Environments                                       full
5.23         Information security for use of cloud services                        full
CM-2         Baseline Configuration                                                full
CM-6         Configuration Settings                                                full
CC6.1        Logical Access Security Software, Infrastructure, and Architectures   partial

Evidence (2)

Type: configuration (automated)

Cloud provider security baseline configuration export showing governance settings applied across all production accounts, covering identity, network, encryption, and logging.

Example: AWS Config Rules compliance report or GCP Security Command Center findings export for production accounts, filtered to CIS Benchmark Level 1/2 or equivalent organisational baseline

Test: Run cloud config compliance tool (AWS Config, GCP SCC, Azure Policy, or equivalent). Verify: (1) a documented security baseline exists and is version-controlled; (2) all production accounts/projects are in scope; (3) non-compliant resources are at or below the organisation's defined remediation threshold; (4) each non-compliant finding has an assigned owner and remediation due date.
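The four verification points above can be applied mechanically to a compliance export. The script below is an added example written for this page, not tooling from the AICF framework or from AWS, GCP or Azure; it reads a constructed export in a simplified schema of its own (the field names baseline, accounts_evaluated, resources, owner and due are assumptions), so a real AWS Config, GCP SCC or Azure Policy export would need a small adapter to this shape. It checks that the baseline is identified, versioned and approved, that every required production account was evaluated, that the non-compliance rate is at or below the organisation's threshold, and that every non-compliant resource carries an owner and a due date that has not already passed.

```python
"""Evidence check for a cloud security baseline compliance export.

Added example for the INF-001 evidence test. The export schema below is this
example's own simplified, constructed format, not a vendor export format.
"""
from __future__ import annotations

import json
from datetime import date

# Constructed: accounts the baseline must cover (assumption for the example).
PRODUCTION_ACCOUNTS = frozenset({"prod-payments", "prod-web", "prod-data"})

# Constructed: the date on which the evidence is being assessed.
AS_OF = date(2025, 1, 15)

# Constructed compliance export in the example's own schema.
SAMPLE_EXPORT = json.dumps({
    "baseline": {"name": "org-cloud-baseline", "version": "2.4.0",
                 "approved_by": "ciso", "source_repo": "git@example:sec/baseline"},
    "accounts_evaluated": ["prod-payments", "prod-web"],
    "resources": [
        {"id": "bucket/payments-logs", "account": "prod-payments", "control": "encryption", "compliant": True},
        {"id": "bucket/web-assets",    "account": "prod-web",      "control": "encryption", "compliant": True},
        {"id": "trail/org-trail",      "account": "prod-payments", "control": "logging",    "compliant": True},
        {"id": "role/ci-deploy",       "account": "prod-web",      "control": "identity",   "compliant": True},
        {"id": "vpc/main",             "account": "prod-payments", "control": "network",    "compliant": True},
        {"id": "kms/app-key",          "account": "prod-web",      "control": "encryption", "compliant": True},
        {"id": "sg/public-ssh",        "account": "prod-web",      "control": "network",    "compliant": False,
         "owner": "netops", "due": "2025-03-31"},
        {"id": "role/legacy-admin",    "account": "prod-web",      "control": "identity",   "compliant": False},
    ],
})


def baseline_is_governed(export: dict) -> bool:
    """Point (1): the baseline is named, versioned, approved and kept in a
    source repository (version control is inferred from the recorded repo)."""
    baseline = export.get("baseline", {})
    return all(baseline.get(k) for k in ("name", "version", "approved_by", "source_repo"))


def accounts_out_of_scope(export: dict, required: frozenset[str]) -> set[str]:
    """Point (2): required production accounts the evaluation did not cover."""
    return set(required) - set(export.get("accounts_evaluated", []))


def noncompliance_rate(export: dict) -> float:
    """Point (3): share of evaluated resources that violate the baseline."""
    resources = export.get("resources", [])
    if not resources:
        return 0.0
    bad = sum(1 for r in resources if not r.get("compliant", False))
    return bad / len(resources)


def untracked_findings(export: dict, today: date) -> list[str]:
    """Point (4): non-compliant resources lacking an owner or a valid due date.
    A due date already in the past is reported too, since it no longer tracks
    remediation."""
    untracked = []
    for r in export.get("resources", []):
        if r.get("compliant", False):
            continue
        try:
            due = date.fromisoformat(str(r.get("due", "")))
        except ValueError:
            due = None
        if not r.get("owner") or due is None or due < today:
            untracked.append(r["id"])
    return untracked


def evaluate(export_json: str, required: frozenset[str], threshold: float, today: date) -> dict:
    """Apply all four verification points and return pass/fail plus details."""
    export = json.loads(export_json)
    missing = accounts_out_of_scope(export, required)
    rate = noncompliance_rate(export)
    untracked = untracked_findings(export, today)
    return {
        "baseline_governed": baseline_is_governed(export),
        "all_accounts_in_scope": not missing,
        "missing_accounts": sorted(missing),
        "within_threshold": rate <= threshold,
        "noncompliance_rate": rate,
        "all_findings_tracked": not untracked,
        "untracked_findings": untracked,
    }


if __name__ == "__main__":
    # Constructed threshold of 5% non-compliant resources; set it to the
    # organisation's own defined remediation threshold.
    for key, value in evaluate(SAMPLE_EXPORT, PRODUCTION_ACCOUNTS, 0.05, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed sample the check fails three of the four points: the prod-data account was never evaluated, two of eight resources are non-compliant (25%, above a 5% threshold), and role/legacy-admin has no owner or due date. Each failure is reported with the offending accounts or resource IDs so the auditor can trace it back to the export.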

Type: policy (manual)

Cloud security governance policy or standard that defines acquisition, configuration, and exit requirements for cloud services, including baseline scope and exception handling.

Example: Cloud Security Policy or Cloud Governance Standard (version-controlled document, approved by CISO or equivalent, dated within the last 12 months)

Test: Request the Cloud Security Policy. Verify: (1) the document is approved by an accountable owner and reviewed within the last 12 months; (2) it specifies baseline requirements covering identity, network, encryption, and logging; (3) it includes a process for approving and tracking deviations.

Questions (2)

Answer type: boolean

Does your organisation maintain a documented security baseline governing the configuration of all production cloud services, covering identity, access, network, encryption, and logging settings?

The baseline should be version-controlled, formally approved, and reference a named standard such as CIS Benchmarks or your cloud provider's security foundations.

Answer type: select

How are configuration deviations from the cloud security baseline detected and remediated?

- Automated detection via CSPM tool (e.g. Wiz, Orca, AWS Security Hub, GCP SCC) with tracked remediation
- Policy-as-code / IaC drift detection (e.g. Terraform Cloud, AWS Config Rules) with tracked remediation
- Periodic manual audit (at least quarterly) with tracked findings
- Ad hoc: no structured deviation detection process

Automated CSPM or policy-as-code enforcement provides continuous detection; manual audits are acceptable only if run quarterly or more frequently with documented findings and owners.