Which cloud platforms do you cover?

Azure, AWS, and GCP. We also cover hybrid and multi-cloud estates. On-premises infrastructure is assessed as part of a broader audit scope.

How long does a cloud audit take?

An introductory cloud audit scoped to a single subscription or account typically produces findings within hours. A full estate audit — multiple subscriptions, accounts, or projects — takes 2–5 days from access.

What access is required?

Read-only at the minimum required scope. We provide an access checklist tailored to the target platform (Azure Reader + specific additional roles; AWS ReadOnlyAccess; GCP Viewer equivalents). No write access required.

How is this different from a cloud security tool like Microsoft Defender or AWS Security Hub?

Automated security tooling flags configuration issues but cannot assess delivery competency, governance practice, or programme risk — the human and process layer. We assess the full picture: configuration, identity, code, and delivery practice, and we deliver a verdict a board can act on.

Can you find cost savings as well as security issues?

Yes. Ungoverned provisioning leaves a trail of idle and oversized resources. We surface these alongside security findings as part of the standard scope.

Audit · Cloud

Cloud audit — Azure, AWS, GCP.

AI-enhanced assessment of cloud estates against IAM, infrastructure configuration, network security, and compliance baselines. Read-only access. Evidence-based findings suitable for board and CISO use.

Book an intro call See audit methodology

Read-only access
Azure · AWS · GCP
Hours to days

What this audit covers

Six domains. The full cloud estate.

We don't sample. We resolve every role assignment, inspect every resource configuration, and assess the full estate against documented security baselines.

Identity & Access Management

Every role assignment resolved against the identity provider. Orphaned principals, over-privileged accounts, ClickOps bypasses, and stale federated credentials.

Network Security

Public exposure of endpoints and services, private endpoint adoption, network security group rules, and traffic inspection gaps.

Infrastructure Configuration

Configuration drift against security baselines, resource misconfigurations, unencrypted storage, and publicly accessible services.

Cost Posture

Idle resources, oversized workloads, unused licences, and billing anomalies that indicate ungoverned provisioning.

Compliance Posture

Alignment to CIS benchmarks, Microsoft Security Benchmark, AWS Foundational Security Best Practices, or GCP security baselines.

Governance Controls

Policy enforcement, RBAC design, subscription structure, and logging/alerting coverage across the estate.

Methodology

Five steps — same methodology as every Volorai audit.

Cloud audits follow the same five-step process as our broader programme audits: discovery call, formal scope and access, AI-assisted delivery, senior validation, and formal report.

See the full methodology

Common findings

What cloud audits typically surface.

These are the most frequent material findings from cloud audit engagements. Not every engagement produces all of them — and some produce findings not listed here.

Orphaned identities with active access

Deleted or disabled users retain live role assignments, automatically inherited by new resources — critical exposure with no remediation in sight.

Public-facing services contradicting security controls

Integration infrastructure, storage, or administrative interfaces accessible from the internet, contradicting stated security posture.

Configuration drift from stated baseline

Resources configured securely at provisioning and then silently drifted — encryption disabled, logging turned off, network rules added outside governance.

Cost overruns from ungoverned provisioning

Idle VMs, orphaned disks, unused licences, and shadow-IT resources provisioned outside the procurement process.

Pricing

Four tiers. Scoped to your estate.

Cloud audits are priced per the standard audit tier table. An introductory audit scoped to a single subscription or account is available at no or low cost.

See audit tiers

Frequently asked questions

Which cloud platforms do you cover?

Azure, AWS, and GCP. We also cover hybrid and multi-cloud estates. On-premises infrastructure is assessed as part of a broader audit scope.
How long does a cloud audit take?

An introductory cloud audit scoped to a single subscription or account typically produces findings within hours. A full estate audit — multiple subscriptions, accounts, or projects — takes 2–5 days from access.
What access is required?

Read-only at the minimum required scope. We provide an access checklist tailored to the target platform (Azure Reader + specific additional roles; AWS ReadOnlyAccess; GCP Viewer equivalents). No write access required.
How is this different from a cloud security tool like Microsoft Defender or AWS Security Hub?

Automated security tooling flags configuration issues but cannot assess delivery competency, governance practice, or programme risk — the human and process layer. We assess the full picture: configuration, identity, code, and delivery practice, and we deliver a verdict a board can act on.
Can you find cost savings as well as security issues?

Yes. Ungoverned provisioning leaves a trail of idle and oversized resources. We surface these alongside security findings as part of the standard scope.

Want to know what's actually in your cloud estate?

Hours from access to first findings. Bring an Azure, AWS, or GCP subscription — we'll tell you what your IAM, network, and configuration baseline really look like.

Book an intro call Back to Audit hub