# Role Deep Dive: Cloud Auditor / Compliance Specialist

---

## Role Overview

Cloud Auditors assess Azure environments against regulatory standards, organizational policies, and best practices. They ensure compliance, identify gaps, and provide remediation guidance. They bridge the gap between regulatory requirements and technical implementation.

**Alternative Titles:** Cloud Compliance Analyst, IT Auditor, GRC Specialist (Governance, Risk, Compliance), Cloud Auditor, Compliance Engineer

**Typical Salary Range:** $85,000 – $145,000 (US)

---

## Core Responsibilities

### 1. Compliance Assessment & Auditing (30% of role)
- Assess Azure environments against regulatory frameworks
- Conduct internal audits of Azure configurations
- Review RBAC assignments, policies, and security controls
- Generate compliance reports for leadership and external auditors
- Track remediation of non-compliant findings

**Granular Tasks:**
- Use Microsoft Defender for Cloud Regulatory Compliance dashboard: select frameworks (ISO 27001, SOC 2, PCI DSS 4.0, HIPAA, NIST 800-53, CIS Benchmarks, GDPR, Azure CIS 1.4.0)
- Review each control: passed / failed / not applicable. For failed controls: identify the affected resources, assess the risk, assign a remediation owner
- Export compliance report (PDF/CSV) for auditors
- Map Azure controls to framework requirements (control mapping document)
- Track findings in a register: Finding ID, Severity, Resource, Control, Status, Owner, Due Date, Evidence
- Re-assess after remediation to verify closure

### 2. Policy & Governance Review (25% of role)
- Review Azure Policy compliance
- Audit RBAC assignments (over-privileged accounts)
- Review tagging and resource organization
- Assess management group structure
- Review subscription governance

**Granular Tasks:**
- Azure Policy compliance report: % compliant per policy, list non-compliant resources
- RBAC audit: list all Owner/Contributor assignments, verify justification, flag unused assignments, verify PIM usage
- Review permanent admin role assignments (should be PIM-eligible only)
- Tag audit: resources missing required tags (Environment, Owner, CostCenter, DataClassification)
- Management group audit: verify policy inheritance, verify no policies accidentally applied at wrong scope
- Subscription audit: orphaned resources, unattached disks, idle public IPs, unused VNets
- Cross-subscription consistency: same policies applied across all subscriptions in management group
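The RBAC audit and finding register described above, as an added example that is not part of the original page: it reads a constructed export shaped like `az role assignment list` output, flags active Owner/Contributor/User Access Administrator assignments, and emits rows in the register layout used in this role guide. Field names, the severity and due-date rules, and the sample principals are assumptions.

```python
"""RBAC audit: flag privileged active assignments in an exported
role-assignment list and emit finding-register rows."""
import json
from datetime import date, timedelta
# Constructed sample shaped like `az role assignment list --all` output
# (field names assumed; check them against your own export).
SAMPLE_EXPORT = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-0001"},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/sub-0001/resourceGroups/rg-app"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/subscriptions/sub-0001"},
])
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
DUE_DAYS = {"High": 14, "Medium": 30, "Low": 90}   # assumed remediation SLAs per severity

def scope_level(scope: str) -> str:
    """Classify the scope: managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    depth = len(scope.strip("/").split("/"))
    return {2: "subscription", 4: "resourceGroup"}.get(depth, "resource")

def severity_for(role: str, level: str) -> str:
    """Owner anywhere or any privileged role at management-group scope is High; subscription-wide is Medium."""
    if role == "Owner" or level == "managementGroup":
        return "High"
    return "Medium" if level == "subscription" else "Low"

def audit_rbac(export_json: str, audit_day: str) -> list[dict]:
    """Return one register row per active privileged assignment. Each row is a candidate
    finding: confirm against the PIM report whether it is permanent or a PIM activation."""
    day = date.fromisoformat(audit_day)
    findings = []
    for n, a in enumerate(json.loads(export_json), start=1):
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        if role not in PRIVILEGED_ROLES:
            continue
        sev = severity_for(role, level)
        findings.append({
            "Finding ID": f"RBAC-{day:%Y%m}-{n:03d}",
            "Severity": sev,
            "Resource": a["scope"],
            "Control": "Privileged access management (ISO 27001 A.9.2.3)",
            "Status": "Open", "Owner": "unassigned",
            "Due Date": (day + timedelta(days=DUE_DAYS[sev])).isoformat(),
            "Evidence": f"{a['principalType']} {a['principalName']} holds {role} at {level} scope",
        })
    return findings
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; the rows can be written straight to the finding register as CSV.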

### 3. Data Governance & Privacy (20% of role)
- Review data classification implementation
- Assess data residency and sovereignty compliance
- Audit data encryption (at rest and in transit)
- Review data retention and deletion policies
- Ensure GDPR data subject rights compliance
- Audit data access and sharing

**Granular Tasks:**
- Data classification audit: verify all storage accounts/databases have data classification tags
- Data residency: Azure Policy "allowed locations" enforced, verify no resources in non-compliant regions
- Encryption audit: verify AES-256 at rest, TLS 1.2+ in transit, CMK for sensitive data
- Retention audit: verify backup retention matches policy, verify log retention (7 years for compliance)
- GDPR: verify data processing agreements, privacy impact assessments, right-to-erasure capability, data breach notification process
- Data access audit: review who has access to sensitive data, verify least privilege, review sharing controls
- Microsoft Purview: review data catalog, classification scan results, sensitivity labels
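The tag audit from the governance section and the residency and encryption-in-transit checks above, combined in one added example (not code from the original page): it evaluates a constructed export shaped like `az storage account list` output and reports per-account failures plus the % compliant figure a scorecard needs. The field names, the EU-only allowed-locations set and the sample accounts are assumptions.

```python
"""Audit exported storage accounts for data residency, transport encryption and required tags."""
import json

ALLOWED_LOCATIONS = {"westeurope", "northeurope"}          # assumption: EU-only residency policy
REQUIRED_TAGS = {"Environment", "Owner", "CostCenter", "DataClassification"}
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}

# Constructed sample shaped like `az storage account list` output (field names assumed).
SAMPLE_EXPORT = json.dumps([
    {"name": "stpayeu01", "location": "westeurope", "minimumTlsVersion": "TLS1_2",
     "enableHttpsTrafficOnly": True,
     "tags": {"Environment": "prod", "Owner": "payments", "CostCenter": "CC100", "DataClassification": "Confidential"}},
    {"name": "stlegacyus", "location": "eastus", "minimumTlsVersion": "TLS1_0",
     "enableHttpsTrafficOnly": False, "tags": {"Environment": "prod"}},
])

def audit_storage_account(acct: dict) -> list[str]:
    """Return one control-failure string per check the account fails (empty list = compliant)."""
    failures = []
    if acct["location"] not in ALLOWED_LOCATIONS:
        failures.append(f"residency: located in {acct['location']}")
    if TLS_RANK.get(acct.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_RANK["TLS1_2"]:
        failures.append(f"encryption-in-transit: minimum TLS is {acct.get('minimumTlsVersion', 'TLS1_0')}")
    if not acct.get("enableHttpsTrafficOnly", False):
        failures.append("encryption-in-transit: HTTPS not enforced")
    missing = sorted(REQUIRED_TAGS - set(acct.get("tags") or {}))
    if missing:
        failures.append("tagging: missing " + ", ".join(missing))
    return failures

def audit_export(export_json: str) -> dict[str, list[str]]:
    """Map each non-compliant account name to its failures; compliant accounts are omitted."""
    result = {}
    for acct in json.loads(export_json):
        failures = audit_storage_account(acct)
        if failures:
            result[acct["name"]] = failures
    return result

def compliance_percent(export_json: str) -> float:
    """Share of accounts with no failures: the per-policy % compliant figure for the scorecard."""
    accts = json.loads(export_json)
    compliant = sum(1 for a in accts if not audit_storage_account(a))
    return round(100.0 * compliant / len(accts), 1) if accts else 100.0
```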

### 4. Audit Evidence & Documentation (15% of role)
- Collect and organize audit evidence
- Maintain evidence repository
- Create audit workpapers
- Support external audit requests
- Document control implementations

**Granular Tasks:**
- Evidence collection per control:
  - Screenshots of Azure Policy compliance
  - Export of RBAC assignments
  - Defender for Cloud compliance reports
  - Diagnostic settings configuration (proof of logging)
  - Key Vault access policies / RBAC assignments
  - Network configuration (NSG rules, Private Endpoints)
  - Conditional Access policy configurations
  - PIM configuration and assignment reports
- Organize evidence by framework control (ISO 27001 A.9.2.1 → evidence: RBAC report, PIM config)
- Maintain evidence repository (SharePoint/Teams) with version control
- Quarterly evidence refresh (re-collect to show ongoing compliance)

### 5. Continuous Monitoring & Improvement (10% of role)
- Set up compliance dashboards
- Automate compliance checks
- Track compliance trends over time
- Recommend improvements to controls

**Granular Tasks:**
- Azure Monitor alerts for compliance drift (new non-compliant resources)
- Sentinel analytics rules for suspicious compliance-related activity (e.g. a new permanent Owner assignment created outside PIM)
- Monthly compliance scorecard per subscription
- Quarterly trend report: compliance score over time, top failing controls, remediation velocity
- Recommend new policies based on audit findings

---

## Regulatory Frameworks & Azure Mapping

### ISO 27001 (Information Security Management)
| Control Area | Azure Implementation |
|---|---|
| Access Control (A.9) | Entra ID, RBAC, PIM, Conditional Access, MFA |
| Cryptography (A.10) | Key Vault, TDE, Always Encrypted, TLS enforcement, CMK |
| Operations Security (A.12) | Azure Monitor, Log Analytics, Defender for Cloud, Sentinel |
| Communications Security (A.13) | NSGs, Azure Firewall, Private Endpoints, ExpressRoute, WAF |
| System Maintenance (A.11) | Update Management, AKS upgrades, patch management |

### PCI DSS 4.0 (Payment Card Industry Data Security Standard)
| Requirement | Azure Implementation |
|---|---|
| Network segmentation | VNet, NSG, Azure Firewall, Private Endpoints |
| Encryption of cardholder data | TDE, Always Encrypted, TLS 1.2+, Key Vault CMK |
| Access control on need-to-know | RBAC, PIM, Conditional Access, Row-Level Security |
| Track and monitor access | Azure Monitor, Log Analytics, Sentinel, SQL Auditing |
| Regular security testing | Defender for Cloud, vulnerability assessment, penetration testing |

### HIPAA (Health Insurance Portability and Accountability Act)
| Rule | Azure Implementation |
|---|---|
| Access controls | Entra ID, RBAC, PIM, Conditional Access, MFA |
| Audit controls | Azure Monitor, Log Analytics, SQL Auditing, Activity Log |
| Integrity controls | Immutable Storage, versioning, backup, checksums |
| Transmission security | TLS 1.2+, ExpressRoute, VPN, Private Endpoints |
| Encryption | AES-256 at rest, TLS in transit, CMK, Always Encrypted |

### GDPR (General Data Protection Regulation)
| Article | Azure Implementation |
|---|---|
| Data minimization | Store only necessary data, retention policies, auto-delete |
| Right to erasure | Implement data deletion workflows, verify deletion |
| Data portability | Export capabilities, standard formats |
| Breach notification | Sentinel alerts, incident response process, 72-hour notification |
| Data Processing Agreement | Microsoft DPA, sub-processor list |
| Cross-border transfer | Data residency via allowed-locations policy, EU regions only |

---

## Certification Path

| Certification | Level | Focus |
|---|---|---|
| **SC-900** | Foundational | Security, Compliance, and Identity fundamentals |
| **AZ-500** | Associate | Azure Security Engineer |
| **SC-300** | Associate | Identity & Access Administrator |
| **CISA** | Professional | Certified Information Systems Auditor (ISACA) |
| **CISM** | Professional | Certified Information Security Manager (ISACA) |
| **ISO 27001 Lead Auditor** | Professional | ISO 27001 auditing certification |

---

## Interview Focus Areas

1. **How do you assess Azure compliance against ISO 27001?**
   → Defender for Cloud regulatory compliance dashboard, select ISO 27001 benchmark, review each control, identify non-compliant resources, track remediation. Map Azure controls to ISO clauses.

2. **How do you audit RBAC assignments?**
   → Export all role assignments, identify Owner/Contributor, verify PIM usage, flag permanent assignments, review least privilege, quarterly access reviews.

3. **How do you ensure data residency compliance?**
   → Azure Policy "allowed locations" enforced at management group level. Verify no resources in non-compliant regions. Monitor with compliance dashboard.

4. **What evidence do you collect for an audit?**
   → Policy compliance reports, RBAC exports, Defender for Cloud reports, diagnostic settings proof, network configs, Conditional Access configs, PIM reports, Key Vault audit logs.

5. **How do you handle a compliance finding?**
   → Document finding (severity, resource, control, risk), assign remediation owner, set due date, track in register, verify remediation, close with evidence.
