Virtualization Environment — Compliance & Audit Checklist

Iris Li

Get access control + centralized, tamper-proof logging + regular recovery drills right, and you’ll satisfy most compliance & audit needs.

Core Controls (must-haves)

Identity & Access Management (IAM)

Enforce least privilege: users/accounts get only the permissions they need.
Centralize auth: LDAP/AD or SSO (SAML/OIDC) + mandatory MFA for admin access.
Separate roles: split operational, auditing, and emergency accounts; enforce separation of duties for critical ops (approval / two-person rule).

Audit Logging & Central Collection

Forward logs from hypervisors, management APIs, backup systems, storage, and critical guests to a centralized logging/SIEM.
Encrypt logs in transit and at rest (TLS, HTTPS).
Ensure consistent timestamps (NTP) across all systems.

Immutable Storage / Backup Preservation

Enable immutability for critical audit logs and backups (object lock / immutable snapshots / WORM).
Keep offsite copies of backups and ensure encryption for both transit and at rest.
Record backup metadata (who/when/why) to preserve chain-of-custody.

Change Control & Configuration Management

All changes to hypervisors/management plane must use change requests with reason, implementer, and rollback plan.
Version and checksum/sign templates and base images.

Monitoring, Alerting & Incident Response

Define alerts for key events (failed logins, privilege escalations, backup failures, storage errors, deletion of snapshots).
Integrate alerts to ticketing/incident workflows and maintain an IR playbook: detect → isolate → recover → postmortem.

Audit Log Recommendations (what to collect & retention)

Events to collect: admin login/logout, API calls, backup jobs, snapshot/create/delete, storage changes, network/security-group changes, VM clone/delete, permission changes.

Retention guidance (example):

Hot (quick access): last 90 days.
Cold (archive, retrievable): 90–365 days.
Long-term (compliance/legal): >365 days as required.
(Adjust to legal/regulatory needs.)

Pre-audit Quick Checklist

Are admin accounts centralized and protected with MFA?
Are logs forwarded centrally and encrypted?
Are key logs set to immutable/archive retention?
Are backups offsite, encrypted, and periodically tested for restore?
Are change requests and rollback plans recorded and archived?
Is NTP/time synchronization enforced and protected?
Are SIEM alerts integrated into ticketing/incident workflows?