☁️ Azure Cloud Security Audit Report #
Author: Piotr Klepuszewski
Title: Cybersecurity Auditor & Red Team Specialist
Company: Cyber Sentinel Solutions Ltd.
) Period of Audit: Q2 2025
Status: Final Assessment Report
📑 Executive Summary #
This report summarizes the results of a full-spectrum security and compliance audit conducted across the client’s Microsoft Azure environment. The objective was to assess the security configuration, identity and access controls, data protection posture, network segmentation, PaaS service exposure, and compliance with global standards.
The assessment identifies critical gaps in Identity and Access Management (IAM), Network Security, and Kubernetes (AKS) configurations that require immediate remediation to align with the CIS Azure Foundations Benchmark and ISO/IEC 27001 standards.
🛠️ Audit Scope & Methodology #
The audit spanned the entire Azure tenant, covering production and non-production subscriptions, Entra ID (Azure AD), and telemetry systems.
# Tactical Audit Stack [Azure Security]
platforms:
- environment: "Azure Tenant / Subscriptions"
workloads: "AKS, PaaS, IaaS, App Services"
- monitoring: "Microsoft Defender for Cloud, Sentinel, Azure Monitor"
- assessment_tools: "Azure Policy, ScoutSuite, Azure CLI, Kube-Bench"
- compliance_frameworks: "ISO/IEC 27001:2013, NIST SP 800-53 Rev.5, CIS v1.4"
🧬 Key Security Gaps Identified #
🔑 1. Identity and Access Management (IAM) #
| Finding | Severity | Recommendation |
|---|---|---|
| MFA Not Enforced | HIGH | Enforce Conditional Access MFA for all users (8 accounts identified). |
| Shared Admin Accounts | HIGH | Enforce separate admin-only accounts; stop using daily accounts for GA tasks. |
| Legacy Service Principals | HIGH | Migrate unmonitored principals with ‘Contributor’ access to Managed Identities. |
| No PIM Implementation | MEDIUM | Enable Privileged Identity Management (PIM) for Just-In-Time (JIT) access. |
| Orphaned App Ownership | MEDIUM | Assign clear owners to Azure AD apps and rotate secrets regularly. |
🌐 2. Network Security #
| Finding | Severity | Recommendation |
|---|---|---|
| Exposed SSH (Port 22) | HIGH | Restrict access to admin IPs only or utilize Azure Bastion. |
| Missing NSGs | HIGH | Apply deny-by-default Network Security Groups (NSGs) to all subnets. |
| Egress Control Gaps | MEDIUM | Implement Azure Firewall Policy with FQDN filtering. |
| DDoS Protection Disabled | MEDIUM | Enable DDoS Protection Standard for all public-facing VNet workloads. |
| Inconsistent Flow Logs | LOW | Ensure NSG Flow Logs are enabled and streaming to Log Analytics. |
💾 3. Data & Storage Security #
| Finding | Severity | Recommendation |
|---|---|---|
| Public Storage Access | HIGH | Disable public access on identified Storage Accounts; use Private Endpoints. |
| Infinite SAS Tokens | HIGH | Rotate and set expiry dates for all Shared Access Signatures (SAS). |
| Key Vault Purge Protection | HIGH | Enable Soft Delete and Purge Protection for all production vaults. |
| CMK Underutilization | MEDIUM | Expand Customer-Managed Keys (CMK) to all sensitive storage workloads. |
| SQL ATP Disabled | MEDIUM | Enable Microsoft Defender for SQL (Advanced Threat Protection). |
☸️ 4. Kubernetes (AKS) & Containers #
| Finding | Severity | Recommendation |
|---|---|---|
| RBAC Over-privilege | HIGH | Revoke ‘cluster-admin’ from DevOps group; use scoped/time-limited roles. |
| No Pod Security Policy | MEDIUM | Enforce Azure Policy for Kubernetes to restrict privileged containers. |
| Network Policy Missing | MEDIUM | Implement Kubernetes NetworkPolicy (Calico) for pod-to-pod isolation. |
| Exposed Metrics API | LOW | Harden Kubelet API and restrict anonymous access. |
🚨 Logging, Monitoring & Detection #
- [01] SIEM Forwarding: Not all diagnostic logs are currently streaming to Sentinel. Action: Centralize all security logs.
- [02] Detection Coverage: Sentinel is missing alert rules for internal lateral movement. Action: Implement MITRE ATT&CK rules.
- [03] Data Retention: Standardize on a 365-day retention policy across all subscriptions.
- [04] IR Readiness: Azure-specific incident response playbooks (Runbooks) are not yet defined.
🛡️ Strategic Recommendations #
- Zero Trust Architecture: Implement the principle of least privilege using PIM and Conditional Access.
- Infrastructure as Code (IaC): Use Azure Blueprints and Bicep to automate the deployment of hardened environments.
- Continuous Compliance: Leverage Azure Policy for real-time remediation of non-compliant resources.
- DR Testing: Perform quarterly recovery testing of backups and disaster recovery scenarios.
- Educational Guardrails: Develop a Cloud Security Handbook for DevOps teams based on CIS & NIST benchmarks.
⭐ Auditor’s Conclusion #
This audit confirms that while the Azure environment exhibits a strong foundation, there are Critical gaps requiring immediate action—specifically regarding over-privileged access and network exposure. Implementing the recommended fixes will drastically reduce the attack surface and satisfy formal certification requirements.
# AUDIT SIGN-OFF
Signed by:
[+] Piotr Klepuszewski | Red Team Auditor & Cloud Security Consultant
Entity: Cyber Sentinel Solutions Ltd.
Location: Bristol, United Kingdom