
Cloud Security Baseline 2026: What Every Account Should Have

The minimum security controls every AWS account, Azure subscription, GCP project, and OCI tenancy should enable on day one.

Jeff Monfield, February 12, 2026, 13 min read

Why a Security Baseline Matters

Every cloud account, subscription, project, or tenancy starts in an insecure default state. Logging is often disabled, security monitoring is not configured, root accounts have no MFA, network access is unrestricted, and encryption is not enforced. The security baseline is the minimum set of controls that every cloud environment should have enabled from day one, before any workloads are deployed. These controls do not make your environment fully secure — that requires workload-specific security measures — but they establish the foundation that prevents the most common and most damaging security failures.

This article defines a practical security baseline for 2026 across AWS, Azure, GCP, and OCI. Each control is categorized by priority (critical, high, medium), effort (minutes, hours, days), and ongoing cost. The critical controls should be implemented on day one. The high-priority controls should be implemented within the first week. The medium-priority controls should be completed within the first month. Skip none of them — each control addresses a specific, demonstrated attack vector.

Identity and Access (Critical)

Secure your root and administrative accounts first. On AWS, enable MFA on the root account using a hardware security key, delete any root access keys, use IAM Identity Center (or, failing that, a dedicated admin IAM user) for daily operations, and never use the root account for routine tasks. Set up an EventBridge rule that alerts on any root activity, console sign-in or API call alike. On Azure, protect the Global Administrator account with MFA and Conditional Access policies, and create dedicated admin accounts for daily use. On GCP, protect the Organization Admin account with 2-Step Verification and use a dedicated admin project for organization-level management. On OCI, protect the tenancy administrator with MFA and create dedicated admin users in an Administrators group.

Implement single sign-on (SSO) for human access to cloud consoles and CLIs. On AWS, use IAM Identity Center (formerly AWS SSO) connected to your identity provider (Microsoft Entra ID, Okta, Google Workspace). On Azure, use Microsoft Entra ID with Conditional Access. On GCP, use Cloud Identity or Google Workspace with BeyondCorp. On OCI, configure Identity Domains with your corporate identity provider. SSO provides centralized authentication, automatic provisioning and deprovisioning, and consistent MFA enforcement across all cloud environments.

Enforce MFA for all human users, no exceptions. Users who access the cloud console, CLI, or API without MFA are one phished password away from a breach. Configure your identity provider to require MFA for all cloud resource access. On AWS, use an SCP that denies actions when aws:MultiFactorAuthPresent is not true, with two caveats: the key is absent from requests made with long-term access keys, so the condition must be written with BoolIfExists rather than Bool, and it reflects only MFA performed against AWS itself, not MFA at an external identity provider, so scope the statement to IAM users (aws:PrincipalType "User") and leave MFA for SSO sessions to IAM Identity Center or your IdP. On Azure, create Conditional Access policies requiring MFA. On GCP, enforce 2-Step Verification at the organization level. On OCI, configure sign-on policies requiring MFA.


Logging and Monitoring (Critical)

Enable comprehensive audit logging on day one. You cannot investigate security incidents, detect unauthorized access, or demonstrate compliance without logs. Once an attacker gains access and disables logging, you lose visibility into everything they do afterward.

On AWS, enable CloudTrail in all regions with management events logging. Configure CloudTrail to deliver logs to a centralized S3 bucket in a dedicated logging account that is accessible only to security personnel. Enable CloudTrail log file validation to detect tampering. Enable VPC Flow Logs for all VPCs to capture network traffic metadata. Enable AWS Config to record all resource configuration changes.

On Azure, enable Azure Activity Log collection into a Log Analytics workspace. Enable Microsoft Defender for Cloud on all subscriptions. Configure Diagnostic Settings on all resources to send logs to the Log Analytics workspace. Enable Network Watcher and NSG flow logs for network visibility.

On GCP, Admin Activity audit logs are enabled by default, but Data Access audit logs are off by default for every service except BigQuery and must be enabled explicitly. Enable Data Access audit logs for all services, especially IAM, Cloud Storage, and Compute Engine. Configure log sinks to export logs to a dedicated logging project with restricted access. Enable VPC Flow Logs on all subnets.

On OCI, enable the Audit service, which records all API calls to OCI services. Configure the Audit service to retain logs for the maximum retention period or export logs to Object Storage for long-term retention. Enable VCN Flow Logs for network visibility. Enable Cloud Guard to detect and respond to security threats.

Protect your logs

Store audit logs in a separate account or project with restricted access. An attacker who compromises a workload account should not be able to delete or modify the audit logs that record their activity. On AWS, use a dedicated logging account in your organization. On Azure, use a dedicated subscription. On GCP, use a dedicated project with restricted IAM bindings.
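The two alerts called for above, any root activity (from Identity and Access) and any attempt to weaken logging, as a detection pass over CloudTrail records. This is an added example, not code from the article: the records are constructed in the CloudTrail JSON format with made-up account, ARN and IP values, and the set of tamper event names is this example's own starting list, not an exhaustive one.

```python
"""Classify CloudTrail records for two day-one alerts: any root activity, and any
call that weakens audit logging or threat detection.

Added example, not code from the article. Records below are constructed in the
CloudTrail record format; account IDs, ARNs and IP addresses are made up.
"""

ROOT_ALERT = "root-activity"
TAMPER_ALERT = "logging-tamper"

# Event names that reduce visibility, keyed by eventSource (this example's starting
# list). A failed call (errorCode set, e.g. AccessDenied from an SCP) is still
# reported: someone tried.
TAMPER_EVENTS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteDeliveryChannel"},
}


def classify(record):
    """Return a list of (alert_type, detail) for one CloudTrail record."""
    alerts = []
    ident = record.get("userIdentity", {})
    name = record.get("eventName", "")
    if ident.get("type") == "Root":
        mfa = record.get("additionalEventData", {}).get("MFAUsed", "n/a")
        alerts.append((ROOT_ALERT, f"{name} from {record.get('sourceIPAddress')} MFAUsed={mfa}"))
    if name in TAMPER_EVENTS.get(record.get("eventSource"), ()):
        outcome = record.get("errorCode", "Success")
        who = ident.get("arn", ident.get("type"))
        alerts.append((TAMPER_ALERT, f"{name} by {who} outcome={outcome}"))
    return alerts


def scan(records):
    """Flatten alerts over a batch of records, keeping the event time for triage."""
    return [(r["eventTime"], kind, detail) for r in records for kind, detail in classify(r)]


def eventbridge_root_pattern():
    """The equivalent EventBridge event pattern for the root-activity alert."""
    return {
        "detail-type": ["AWS Console Sign In via CloudTrail", "AWS API Call via CloudTrail"],
        "detail": {"userIdentity": {"type": ["Root"]}},
    }


# Constructed sample records: a root console login, a benign API call, a denied
# attempt to stop logging, and an ordinary IAM user action.
SAMPLE_RECORDS = [
    {"eventTime": "2026-02-12T08:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2026-02-12T08:05:42Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.12.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-worker/i-0abc"}},
    {"eventTime": "2026-02-12T08:09:03Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-worker/i-0abc"},
     "errorCode": "AccessDenied",
     "errorMessage": "explicit deny in a service control policy"},
    {"eventTime": "2026-02-12T08:15:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    for when, kind, detail in scan(SAMPLE_RECORDS):
        print(f"{when} [{kind}] {detail}")
```

Run it as a Lambda on CloudTrail delivery or as a batch over exported logs; the dictionary from eventbridge_root_pattern() is what goes into the EventBridge rule for the real-time version of the root alert. Note that the denied StopLogging still produces an alert: an attacker probing your guardrails is worth a page.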

Threat Detection (Critical)

Enable managed threat detection services that analyze your logs and network traffic for suspicious activity. These services use machine learning and threat intelligence to detect common attack patterns: cryptocurrency mining, data exfiltration, compromised credentials, unusual API calls, and known malicious IP addresses.

On AWS, enable GuardDuty in all regions and all accounts; in an Organization, designate a delegated administrator account and turn on auto-enable so new accounts are covered as they are created. GuardDuty analyzes CloudTrail management events, VPC Flow Logs, and DNS query logs to detect threats. At approximately $4 per million CloudTrail events and $1 per GB of VPC Flow Logs analyzed, GuardDuty is inexpensive relative to the protection it provides. Enable GuardDuty S3 Protection and EKS Protection for additional coverage. Findings flow into Security Hub automatically when both are enabled; route them through EventBridge to SNS or your SIEM for alerting.

On Azure, enable Microsoft Defender for Cloud with the enhanced security features (Defender for Servers, Defender for Storage, Defender for SQL, Defender for Containers, Defender for Key Vault). Enable Microsoft Sentinel for SIEM capabilities if your organization needs centralized security event management. Configure alerts to send to email and Teams channels for immediate investigation.

On GCP, enable Security Command Center (SCC) in Premium tier. SCC detects misconfigurations (Security Health Analytics), vulnerabilities (Web Security Scanner), and threats (Event Threat Detection). Configure SCC findings notifications through Pub/Sub to your alerting infrastructure. Enable Container Threat Detection for GKE workloads.

On OCI, enable Cloud Guard with the Oracle-managed detector and responder recipes. Cloud Guard monitors your tenancy for security misconfigurations and threats. Configure notifications for high-severity findings. Enable Vulnerability Scanning for compute instances. Enable Data Safe for database security monitoring.


Network Security (High Priority)

Configure network security to enforce the principle of least privilege at the network level. Default-deny network access and explicitly allow only the traffic required for your workloads.

On AWS, ensure the default security group in every VPC has no rules at all (as created, it allows all inbound traffic from itself and all outbound traffic; remove both). Remove the default VPC in all regions to prevent accidental resource deployment with public IP addresses. Use security groups with specific source IP ranges and ports rather than 0.0.0.0/0. Deploy resources in private subnets; use NAT Gateways for outbound internet access and VPC endpoints for AWS service access, so traffic to S3, KMS, or STS never leaves the AWS network. Enable VPC Flow Logs for all VPCs.
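The AWS checks in the paragraph above, written as a small audit over the output of describe-security-groups. This is an added example, not code from the article; the groups are constructed, and the list of sensitive ports, the two accepted public ports, and the severities are this example's assumptions.

```python
"""Audit AWS security groups for the baseline: default groups must be empty, and
nothing but web ports may be reachable from the whole internet.

Added example, not code from the article. Input is shaped like
`aws ec2 describe-security-groups --output json`; the groups below are constructed.
"""

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {80, 443}            # the only ports this baseline accepts from anywhere (assumption)
SENSITIVE = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
             6379: "redis", 27017: "mongodb"}


def _port_range(perm):
    # IpProtocol "-1" means all traffic; protocols without ports get the full range
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _world_sources(perm):
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)


def audit_security_groups(groups):
    """Return (group_id, severity, message) findings in the order encountered."""
    findings = []
    for sg in groups:
        gid, vpc = sg["GroupId"], sg.get("VpcId", "unknown-vpc")
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        if sg["GroupName"] == "default" and (ingress or egress):
            findings.append((gid, "HIGH", f"default security group of {vpc} still has rules; remove them all"))
        for perm in ingress:
            world = _world_sources(perm)
            if not world:
                continue                  # scoped sources are out of scope for this check
            lo, hi = _port_range(perm)
            if (lo, hi) == (0, 65535):
                findings.append((gid, "CRITICAL", f"all ports open to {world}"))
                continue
            exposed = [f"{p}/{n}" for p, n in SENSITIVE.items() if lo <= p <= hi]
            if exposed:
                findings.append((gid, "CRITICAL", f"{', '.join(exposed)} open to {world}"))
            elif not (lo == hi and lo in PUBLIC_OK):
                findings.append((gid, "MEDIUM", f"ports {lo}-{hi} open to {world}; confirm this is a public service"))
    return findings


# Constructed sample: an untouched default group, a correct ALB group, a properly
# scoped bastion, a legacy group with SSH and an app port open to the world, and
# an all-traffic group.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0default", "GroupName": "default", "VpcId": "vpc-0a1b",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0web", "GroupName": "web-alb", "VpcId": "vpc-0a1b",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0bastion", "GroupName": "bastion", "VpcId": "vpc-0a1b",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0legacy", "GroupName": "legacy-app", "VpcId": "vpc-0a1b",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0open", "GroupName": "wide-open", "VpcId": "vpc-0a1b",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]

if __name__ == "__main__":
    for gid, severity, message in audit_security_groups(SAMPLE_GROUPS):
        print(f"{severity:8} {gid}: {message}")
```

The self-referencing rule on the default group produces no world-exposure finding (its source is another group, not a CIDR) but still trips the "default group must be empty" check, which is the CIS control that catches it. Feed the real describe-security-groups output through the same function from a scheduled job, or use it as the logic behind a custom Security Hub or Config rule.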

On Azure, create Network Security Groups (NSGs) with explicit deny rules for all inbound traffic from the internet except on required ports. Use Azure Private Endpoints for accessing PaaS services (Storage, SQL, Key Vault) rather than public endpoints. Enable Azure Firewall or third-party NVAs for centralized outbound traffic inspection. Use Azure Bastion for secure administrative access to VMs rather than public RDP/SSH.

On GCP, delete the default network in each project, or at least its pre-populated default-allow-ssh, default-allow-rdp, and default-allow-icmp rules, which admit the whole internet, and set the compute.skipDefaultNetworkCreation organization policy so new projects do not get one. Use custom-mode VPCs with explicit allow rules for required traffic and rely on the implied deny-all-ingress rule for everything else. Enable Private Google Access on all subnets to allow instances without external IPs to access Google APIs. Use Identity-Aware Proxy (IAP) for secure access to web applications and VMs. Enable Cloud NAT for outbound internet access from private instances.

On OCI, configure Security Lists or Network Security Groups with explicit ingress and egress rules. Use Service Gateways for access to OCI services without traversing the internet. Use Bastion Service for secure administrative access. Enable Network Firewall for advanced threat inspection on critical network paths.

Encryption (High Priority)

Enable encryption at rest and in transit for all data. In 2026, there is no legitimate reason to store unencrypted data in the cloud or transmit data over unencrypted connections.

On AWS, enable default EBS encryption in all regions so that every new EBS volume is automatically encrypted. S3 has applied SSE-S3 to every new object by default since January 2023; configure SSE-KMS with a customer-managed key on buckets where you need key-level access control and an audit trail of decrypts. Require TLS for all RDS connections: set rds.force_ssl to 1 for PostgreSQL and SQL Server instances and require_secure_transport to ON for MySQL and MariaDB. Enable encryption on ElastiCache clusters, Redshift clusters, and all other data stores. Use AWS KMS for key management and consider customer-managed keys (CMKs) for sensitive workloads where you need to control key rotation and access policies.

On Azure, encryption at rest is enabled by default for most services using Microsoft-managed keys. For higher security requirements, use customer-managed keys stored in Azure Key Vault. Enforce HTTPS-only access on Storage Accounts. Require TLS 1.2 minimum on all services. Confirm transparent data encryption (TDE) is on for every Azure SQL database; it is enabled by default for new databases but can be switched off.

On GCP, encryption at rest is enabled by default for all services using Google-managed keys. For additional control, use customer-managed encryption keys (CMEK) stored in Cloud KMS. Enforce HTTPS on Cloud Storage buckets and turn on public access prevention (constraints/storage.publicAccessPrevention at the organization level). Require TLS for Cloud SQL connections. Enable Confidential VMs for workloads processing highly sensitive data.

On OCI, enable encryption using OCI Vault for master encryption keys. Configure block volume encryption, object storage encryption, and database encryption with vault-managed keys. Enforce TLS on all load balancers and API endpoints.

Account and Resource Organization (High Priority)

Organize your cloud resources into a logical hierarchy that supports security isolation, cost attribution, and governance. Do not run all workloads in a single account, subscription, project, or tenancy.

On AWS, use AWS Organizations with separate accounts for production, staging, development, logging, security, and shared services. Apply Service Control Policies (SCPs) at the organizational unit (OU) level to enforce guardrails. Use AWS Control Tower for automated account provisioning and landing zone setup if you are starting fresh.
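An added example, not the article's and not an AWS-published policy, of two SCPs a baseline OU would carry: the MFA requirement from Identity and Access and a guardrail that stops anyone but a security role from weakening CloudTrail, GuardDuty and Security Hub. It comes with a small model of IAM condition semantics so the reader can see how each statement evaluates for an IAM user with access keys, a user with console MFA, a workload role, and the security role, and why the naive Bool form of the MFA statement is silently ineffective. The SecurityAudit role name and the account ID are assumptions; the operator semantics (a missing key makes plain operators false and the ...IfExists forms true) follow the IAM policy evaluation rules.

```python
"""Two day-one SCPs and a model of how they evaluate against different principals.

Added example, not code from the article. Role and account names are made up; the
condition-key semantics follow IAM's documented rules for missing keys.
"""
import fnmatch

SECURITY_ROLE = "arn:aws:iam::*:role/SecurityAudit"   # assumed name of the security role

BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # MFA for IAM users only. Role sessions (SSO, workloads) are excluded via
            # aws:PrincipalType: the MFA key does not reflect IdP MFA and a blanket
            # deny would lock out every service role.
            "Sid": "DenyIamUsersWithoutMfa",
            "Effect": "Deny",
            # self-service MFA enrolment stays allowed so a new user can fix the problem
            "NotAction": ["iam:ChangePassword", "iam:CreateVirtualMFADevice",
                          "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices",
                          "iam:ResyncMFADevice", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:PrincipalType": "User"},
                # BoolIfExists: long-term access keys carry no MFA key in the request
                # context, and plain Bool would let them straight through
                "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"},
            },
        },
        {
            # Nobody but the security role may weaken audit logging or detection.
            "Sid": "ProtectAuditLogging",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                       "guardduty:DeleteDetector", "guardduty:UpdateDetector",
                       "securityhub:DisableSecurityHub"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": SECURITY_ROLE}},
        },
    ],
}

# The common mistake: the same intent written with Bool instead of BoolIfExists.
NAIVE_MFA_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyWithoutMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _any_match(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(operator, key, expected, ctx):
    if_exists = operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if if_exists else operator
    if key not in ctx:               # missing key: only the IfExists forms are satisfied
        return if_exists
    actual = str(ctx[key])
    if base == "Bool":
        return actual.lower() == str(expected).lower()
    if base == "StringEquals":
        return actual == expected
    if base == "StringNotEquals":
        return actual != expected
    if base == "ArnLike":
        return fnmatch.fnmatchcase(actual, expected)
    if base == "ArnNotLike":
        return not fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"operator {operator} not modelled")


def scp_denies(scp, action, ctx):
    """Return the Sid of the first Deny statement that applies to the request, else None.
    Only the deny side is modelled; whether an Allow exists elsewhere is out of scope."""
    for st in scp["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if "Action" in st and not _any_match(st["Action"], action):
            continue
        if "NotAction" in st and _any_match(st["NotAction"], action):
            continue
        conds = st.get("Condition", {})
        if all(_condition_met(op, k, v, ctx) for op, kv in conds.items() for k, v in kv.items()):
            return st["Sid"]
    return None


# Constructed request contexts for the principal kinds a real account contains.
IAM_USER_ACCESS_KEY = {"aws:PrincipalType": "User",          # long-term key: no MFA key at all
                       "aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice"}
IAM_USER_CONSOLE_MFA = {**IAM_USER_ACCESS_KEY, "aws:MultiFactorAuthPresent": "true"}
WORKLOAD_ROLE = {"aws:PrincipalType": "AssumedRole",          # role assumed without MFA
                 "aws:PrincipalArn": "arn:aws:iam::123456789012:role/app-worker",
                 "aws:MultiFactorAuthPresent": "false"}
SECURITY_ROLE_SESSION = {**WORKLOAD_ROLE,
                         "aws:PrincipalArn": "arn:aws:iam::123456789012:role/SecurityAudit"}

if __name__ == "__main__":
    cases = [("access key", IAM_USER_ACCESS_KEY), ("console+MFA", IAM_USER_CONSOLE_MFA),
             ("workload role", WORKLOAD_ROLE), ("security role", SECURITY_ROLE_SESSION)]
    for label, ctx in cases:
        print(f"{label:14} s3:ListAllMyBuckets -> {scp_denies(BASELINE_SCP, 's3:ListAllMyBuckets', ctx)}"
              f" | cloudtrail:StopLogging -> {scp_denies(BASELINE_SCP, 'cloudtrail:StopLogging', ctx)}")
    print("naive Bool form, access key ->", scp_denies(NAIVE_MFA_SCP, "s3:ListAllMyBuckets", IAM_USER_ACCESS_KEY))
```

Two things to keep in mind when you take this to a real organization. SCPs never apply to the management account, so its root user is protected only by the MFA and root-activity alerting from earlier sections; keep that account empty of workloads. And dry-run any MFA statement against the service roles in the OU before enforcing it: the Bool form does nothing for access keys, while an unscoped BoolIfExists form denies every role session, service-linked roles included.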

On Azure, use Management Groups to organize subscriptions into a hierarchy. Apply Azure Policy at the management group level for consistent governance. Separate production, non-production, and platform subscriptions. Use the Azure landing zone accelerators for standardized subscription provisioning; Azure Blueprints is being retired in favour of Template Specs and Deployment Stacks, so do not build new automation on it.

On GCP, use an Organization node with folders for environments (production, staging, development) and functional areas (networking, security, applications). Apply Organization Policies at the folder level. Use the Cloud Foundation Toolkit for standardized project provisioning.

On OCI, use compartments to isolate resources by environment, application, and function. Apply IAM policies at the compartment level. Use nested compartments for hierarchical organization. Create a security compartment for logging, vault, and security tools that is accessible only to the security team.


Backup and Recovery (Medium Priority)

Configure automated backups for all critical data stores. Backups protect against accidental deletion, data corruption, ransomware, and application bugs that corrupt data. Without backups, a single DELETE statement without a WHERE clause can destroy your business.

On AWS, enable automated backups on RDS with a retention period of at least 7 days (35 days for production). Use AWS Backup to centralize backup management across EBS, RDS, DynamoDB, EFS, and S3. Configure cross-region backup copies for disaster recovery. Protect backup vaults with AWS Backup Vault Lock; in compliance mode the lock cannot be removed by anyone, the root user included, once its cooling-off period has passed, which is exactly the property you want against ransomware operators holding admin credentials.

On Azure, enable Azure Backup for VMs, SQL databases, and blob storage. Configure geo-redundant storage for backup vaults. Use soft delete and immutable backup policies to protect against ransomware and accidental deletion. On GCP, enable automated backups on Cloud SQL. Use backup plans for Compute Engine instances. Enable versioning on Cloud Storage buckets. On OCI, enable automated backups on databases. Configure cross-region backup copies. Use retention rules on Object Storage buckets to prevent deletion.

Compliance and Posture Management (Medium Priority)

Enable cloud security posture management (CSPM) tools to continuously evaluate your environment against security best practices and compliance frameworks. These tools identify misconfigurations before they become security incidents.

On AWS, enable Security Hub with the AWS Foundational Security Best Practices standard and the CIS AWS Foundations Benchmark. Security Hub aggregates findings from GuardDuty, Inspector, Macie, Config, and other security services into a single dashboard. Address critical and high findings within 48 hours. On Azure, enable Microsoft Defender for Cloud with the Microsoft cloud security benchmark (the successor to the Azure Security Benchmark). Review Secure Score regularly and prioritize recommendations by severity. On GCP, enable Security Command Center with Security Health Analytics. Review findings and address critical misconfigurations promptly. On OCI, enable Cloud Guard with the CIS Benchmark detector recipe. Monitor and remediate problems identified by Cloud Guard responders.

Day one checklist

On the day you create a new cloud account: enable MFA on root/admin, configure audit logging to a protected destination, enable threat detection (GuardDuty/Defender/SCC/Cloud Guard), enforce encryption by default, remove the default VPC or lock it down, and set up billing alerts (a sudden spend spike is often the first sign of cryptomining on stolen credentials). These six actions take less than two hours and prevent the majority of common security incidents.


Written by Jeff Monfield

Cloud architect and founder of CloudToolStack. Building free tools and writing practical guides to help engineers navigate AWS, Azure, GCP, and OCI.

Disclaimer: This article is for informational purposes. Cloud services and pricing change frequently; always verify with official provider documentation. AWS, Azure, GCP, and OCI are trademarks of their respective owners.