Cloud no longer gets a regulatory pass in India. The RBI Cyber Security Framework, the SEBI CSCRF and the DPDP Act all now ask cloud-specific questions, and an auditor who knows cloud will ask them directly. The findings that surface are rarely exotic — they are the same handful of misconfigurations every quarter, sitting in plain sight because the team assumed 'the cloud provider handles security'. This is the list we see fail audits most often, and exactly what closes each one.
The pattern matters: every item below is configuration you own, not a provider weakness. The shared-responsibility model puts identity, data, network exposure and workload configuration squarely on your side of the line. Auditors know this, which is why these are the first things they check.
1. Public object storage holding regulated data
The classic finding: an S3 bucket, Azure Blob container or GCS bucket readable by anyone on the internet, holding logs, backups, KYC documents or transaction exports. It usually started as a 'temporary' sharing fix and was never locked down. In an RBI or SEBI audit this is a near-automatic high-severity finding because it combines an exposure control failure with a data-classification failure.
- Close it: enforce account-level public-access blocks, audit every bucket for anonymous and over-broad access, and classify what each store actually holds.
- Prove it: a posture-management report showing zero public stores plus a data-classification register the auditor can sample.
2. IAM sprawl and standing privilege
Wildcard policies, unused admin roles, human users with permanent high privilege, and root/owner accounts without MFA. Identity is the cloud perimeter, so this is where auditors spend their time — and where the real breach risk lives. SEBI CSCRF and RBI both expect least-privilege access governance with evidence, not assertion.
- Close it: eliminate wildcard and unused admin policies, move standing privilege to just-in-time access, enforce MFA on all privileged and root accounts, and run a blast-radius review of who can escalate to admin.
- Prove it: an entitlement report showing right-sized roles, an MFA-coverage attestation, and a documented access-review cadence.
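One way to start the audit for findings 1 and 2 together, as an added example that is not Macksofy's tooling: an offline reviewer for AWS-style JSON policy documents that flags anonymous principals (the public-storage pattern) and wildcard Action/Resource grants on Allow statements (the IAM-sprawl pattern). The sample policies, bucket name and account id below are constructed.

```python
import json

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def review_policy(name, document):
    """Return (policy name, finding, statement id) tuples for risky Allow statements.
    NotAction/NotResource and condition keys are not evaluated here; treat a clean
    result as a first pass, not proof of closure."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(document).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{idx}")
        if _is_anonymous(stmt.get("Principal")):
            findings.append((name, "public-principal", sid))
        # "*" or a service-wide "svc:*" counts as a wildcard action
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((name, "wildcard-action", sid))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((name, "wildcard-resource", sid))
    return findings

# Constructed samples: a 'temporary' public bucket policy and a legacy admin policy.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TempShare", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::kyc-exports/*"}]})
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["logs:Get*"],
     "Resource": "arn:aws:logs:ap-south-1:111122223333:log-group:*"}]})

if __name__ == "__main__":
    for finding in review_policy("kyc-exports", BUCKET_POLICY) + \
            review_policy("LegacyAdmin", ADMIN_POLICY):
        print(finding)
```

Run it over every bucket policy and customer-managed IAM policy exported from the estate; the tuples it returns are the raw material for the posture report and entitlement report the auditor will ask for.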
3. Disabled or unmonitored logging
CloudTrail, Azure Activity logs or GCP Audit Logs switched off, sampled, retained for too short a period, or flowing to a SIEM nobody reads. This fails on two counts: you cannot detect a compromise, and you cannot reconstruct one for the CERT-In six-hour incident report. RBI and SEBI both expect monitoring with retention; CERT-In expects logs available on a tight timeline.
- Close it: enable full audit logging across every account, centralise it, set retention to meet the longest applicable mandate, and route it into a monitored SOC.
- Prove it: a logging-coverage map, the retention configuration, and SOC monitoring evidence (alerts, triage, escalation).
4. Data-residency and region gaps
Production data, backups or DR replicas sitting in a cloud region outside India when RBI localisation or DPDP transfer rules apply. This is the newest and fastest-growing finding because estates were architected for latency and cost, not residency. Under DPDP the region your data lives in — including where snapshots and replicas land — is a compliance decision.
- Close it: map data classes to regions, confirm production, backup and DR all sit in compliant locations, and document any cross-border transfer against its legal basis.
- Prove it: a data-flow and region map tied to the DPDP and RBI requirements, reviewed and signed off.
5. Weak encryption and key management
Unencrypted volumes, snapshots and databases, or encryption where the cloud account itself holds keys it can freely read. Auditors look for encryption-at-rest with customer-managed keys and a key-rotation policy, especially for regulated data.
The five findings and what proves closure

| Finding | Fails which expectation | Evidence that closes it |
|---|---|---|
| Public storage | Exposure + data classification | Posture report: zero public stores + classification register |
| IAM sprawl | Least-privilege access governance | Entitlement report + MFA attestation + review cadence |
| Weak logging | Monitoring, retention, incident readiness | Logging-coverage map + SOC monitoring evidence |
| Region/residency | Data localisation (RBI/DPDP) | Data-flow + region map, transfer legal basis |
| Encryption/keys | Data protection at rest | Encryption config + customer-managed key rotation |
How Macksofy helps
Macksofy is a CERT-In empanelled auditor that runs cloud security assessments mapped directly to the frameworks that bind you — RBI Cyber Security Framework, SEBI CSCRF, DPDP and CERT-In empanelled audit. We find these misconfigurations through posture and IAM blast-radius review plus cloud penetration testing, hand you a prioritised closure plan, and stand up a managed SOC so logging and monitoring stop being audit findings. For the full method, read our cloud security guide for Indian enterprises; BFSI teams can also see our banking & financial services practice.
