As part of an expanding multi-cloud business I have a task to review and present the top 10 or 15 priority cloud misconfiguration risks to promote a focused security program. Has anyone else approached this topic and found any useful material?
This is my short synthesis when analyzing differences between MS AZ and AWS, hope that will help you. H.B
Risk 1: Account management (for admins) (critical accounts for subscriptions, billing): check that you're using MFA.
Risk 2: Compliance and governance: check access rights for every account (role-based access control), assign policies compatible with your organisation.
Risk 3: Identity management (for users): check that identity and security are preserved during the user experience, configure your MFA, access or not from anonymous IPs, machine learning activation and resource directory (Active Directory on Azure, for example).
Risk 4: Logging configuration: are your applications connected to an external monitoring application like MS SIEM? Which events must be logged?
Risk 5: Network configuration:
1- Proxy config if your application communicates with on-premise applications,
2- Gateway parameters: connection between your application and external VPN
3- Check firewall config (WAF)
4- Rules to automate actions like blocking a malicious user
Risk 6: Storage:
1- Another check of accounts and access.
2- Are you using replication caching?
Risk 7: Databases:
Check if you're using encryption to store your data on the cloud.
Risk 8: Check your calculation resources (number of VMs and vCPUs), configure thresholds and alerts.
Risk 9: Backup and disaster recovery: which on-premise critical data must be backed up in the cloud in the case of a disaster.
Risk 10: Check that you're following the recommendations of your security monitor.
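The risk list above is easiest to keep honest when each item becomes a repeatable check. The following is an added example, not code from the thread or from any provider's tooling: a small policy-as-code checker that runs the MFA, logging, storage, database-encryption and compute-alert items over a constructed inventory. The inventory layout (`accounts`, `logging`, `storage`, `databases`, `compute`) is an assumption made for the example, standing in for whatever normalized export you build from the provider APIs; the role names in `PRIVILEGED_ROLES` are likewise only illustrative.

```python
"""Policy-as-code checks for the risk list above (added example, constructed data).

The inventory shape is an assumption for this example; it is not any cloud
provider's real API output. Each check maps back to a numbered risk.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    risk: str       # which numbered risk the check maps to
    severity: str   # "critical" | "high" | "medium"
    resource: str
    message: str


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Illustrative privileged role names; adapt to the tenant's real role model.
PRIVILEGED_ROLES = {"Owner", "Global Administrator", "Billing Administrator"}

# Constructed sample inventory (not real tenant data).
SAMPLE_INVENTORY = {
    "accounts": [
        {"name": "alice", "roles": ["Owner"], "mfa": True},
        {"name": "billing-svc", "roles": ["Billing Administrator"], "mfa": False},
        {"name": "bob", "roles": ["Reader"], "mfa": False},
    ],
    "logging": {"activity_log_enabled": True, "siem_export": None},
    "storage": [
        {"name": "public-assets", "public_access": True, "encrypted": True},
        {"name": "backups", "public_access": False, "encrypted": False},
    ],
    "databases": [
        {"name": "orders-db", "encryption_at_rest": True},
        {"name": "legacy-db", "encryption_at_rest": False},
    ],
    "compute": {"vm_count": 42, "quota_alert_threshold": None},
}


def check_account_mfa(inv):
    """Risk 1 (admins) and Risk 3 (users): every account without MFA is reported,
    but a privileged role without MFA is critical, a plain user is medium."""
    findings = []
    for acct in inv["accounts"]:
        if acct["mfa"]:
            continue
        privileged = PRIVILEGED_ROLES.intersection(acct["roles"])
        if privileged:
            findings.append(Finding("Risk 1", "critical", acct["name"],
                                    f"privileged role(s) {sorted(privileged)} without MFA"))
        else:
            findings.append(Finding("Risk 3", "medium", acct["name"], "user account without MFA"))
    return findings


def check_logging(inv):
    """Risk 4: audit logging must be on and exported to an external SIEM."""
    findings = []
    log = inv["logging"]
    if not log.get("activity_log_enabled"):
        findings.append(Finding("Risk 4", "high", "tenant", "activity/audit logging disabled"))
    if not log.get("siem_export"):
        findings.append(Finding("Risk 4", "high", "tenant", "logs not exported to an external SIEM"))
    return findings


def check_storage(inv):
    """Risk 6: storage access and encryption."""
    findings = []
    for s in inv["storage"]:
        if s["public_access"]:
            findings.append(Finding("Risk 6", "high", s["name"], "storage allows anonymous/public access"))
        if not s["encrypted"]:
            findings.append(Finding("Risk 6", "medium", s["name"], "storage not encrypted at rest"))
    return findings


def check_databases(inv):
    """Risk 7: database encryption at rest."""
    return [Finding("Risk 7", "high", db["name"], "database not encrypted at rest")
            for db in inv["databases"] if not db["encryption_at_rest"]]


def check_compute_alerts(inv):
    """Risk 8: compute usage needs a threshold that raises an alert."""
    c = inv["compute"]
    if c.get("quota_alert_threshold") is None:
        return [Finding("Risk 8", "medium", "compute",
                        f"{c['vm_count']} VMs but no quota/cost alert threshold configured")]
    return []


CHECKS = [check_account_mfa, check_logging, check_storage, check_databases, check_compute_alerts]


def evaluate(inv):
    """Run every check and return findings ordered by severity, then risk and resource."""
    findings = [f for check in CHECKS for f in check(inv)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.risk, f.resource))


def summarize(findings):
    """Count findings per severity, for the one-slide summary."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.risk:7} {f.resource:15} {f.message}")
    print(summarize(results))
```

Each check is a plain function over the inventory, so adding a new risk means adding one function to `CHECKS`; the sorted output puts the admin-without-MFA finding first, which is the ordering a prioritized program wants.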
I would recommend a tenant analysis against the current Center for Internet Security Secure Configuration Benchmark, for example, for M365, Azure, GCP, AWS, etc. specific to what service(s) you may be using. I'd also suggest performing a combination of manual and automated review to reduce false positives. I find that CSP secure configuration reviews are generally lacking in most client environments, this despite sensitive data sets and applications already running in such deployments.
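The point about pairing automated benchmark scans with manual review is where most teams lose track of which findings are real. Below is an added example, not code from the thread or from any benchmark tooling, that merges a tool's FAIL results with a reviewer register: a verified false positive is dropped, an accepted risk is kept out of the open list only until its expiry date, and register entries that no longer match any finding are reported for cleanup. The control ids, resource names, the register fields (`verdict`, `reason`, `reviewer`, `expires`) and the dates are all constructed for the example.

```python
"""Triage automated benchmark results against a manual review register.

Added example with constructed data; the register layout is an assumption,
not a format any scanner or benchmark defines.
"""
from datetime import date

# Constructed scanner output: one row per (control, resource).
AUTOMATED_RESULTS = [
    {"control": "1.1.3", "resource": "tenant", "status": "FAIL"},       # e.g. MFA for privileged users
    {"control": "3.1.1", "resource": "stor-legacy", "status": "FAIL"},  # e.g. secure transfer required
    {"control": "3.1.1", "resource": "stor-public", "status": "FAIL"},
    {"control": "5.1.2", "resource": "tenant", "status": "FAIL"},       # e.g. log export configured
    {"control": "4.2.1", "resource": "sql-orders", "status": "PASS"},
]

# Constructed manual review register. Every entry names a reviewer, a reason
# and an expiry so that exceptions are re-examined rather than forgotten.
MANUAL_REVIEW = [
    {"control": "1.1.3", "resource": "tenant", "verdict": "false_positive",
     "reason": "tool cannot see the conditional-access policy that enforces MFA",
     "reviewer": "jdoe", "expires": date(2024, 12, 31)},
    {"control": "3.1.1", "resource": "stor-legacy", "verdict": "accepted_risk",
     "reason": "legacy client cannot use TLS; migration planned",
     "reviewer": "jdoe", "expires": date(2023, 1, 31)},
    {"control": "9.9.9", "resource": "ghost", "verdict": "false_positive",
     "reason": "resource decommissioned", "reviewer": "asmith", "expires": date(2025, 1, 1)},
]

VALID_VERDICTS = {"false_positive", "accepted_risk"}


def triage(results, reviews, today):
    """Combine tool output with reviewer verdicts.

    Returns a dict of buckets, each a sorted-insertion list of (control, resource):
      confirmed       - tool FAIL with no review: a real finding
      false_positive  - reviewer verified the control is actually met
      accepted_risk   - documented, time-boxed risk acceptance still in force
      expired_review  - review has lapsed; the finding is open again
      stale_review    - register entry matching no current FAIL (needs cleanup)
    """
    pending = {(r["control"], r["resource"]): r for r in reviews}
    buckets = {k: [] for k in
               ("confirmed", "false_positive", "accepted_risk", "expired_review", "stale_review")}
    for res in results:
        if res["status"] != "FAIL":
            continue
        key = (res["control"], res["resource"])
        review = pending.pop(key, None)
        if review is None:
            buckets["confirmed"].append(key)
        elif review["expires"] < today:
            buckets["expired_review"].append(key)
        elif review["verdict"] in VALID_VERDICTS:
            buckets[review["verdict"]].append(key)
        else:
            raise ValueError(f"unknown verdict {review['verdict']!r} for {key}")
    # Whatever is left in the register matched nothing the tool currently fails.
    buckets["stale_review"].extend(sorted(pending))
    return buckets


def open_findings(buckets):
    """Findings that still need action: confirmed plus lapsed exceptions."""
    return sorted(set(buckets["confirmed"]) | set(buckets["expired_review"]))


if __name__ == "__main__":
    b = triage(AUTOMATED_RESULTS, MANUAL_REVIEW, date(2024, 6, 1))
    for name, keys in b.items():
        print(f"{name:15} {keys}")
    print("open:", open_findings(b))
```

Running the triage on every scan, rather than once, is what keeps the false-positive rate down without silently hiding findings: the same register entry that suppresses a noisy control today becomes an open finding on its expiry date, and orphaned entries surface as `stale_review`.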
The cloud simplifies deployment of complex architecture and server configuration, but the simplicity of creating configuration files (Terraform --> YAML, ANSIBLE --> ML) conflicts with hardening of infrastructure and servers. The principal issues are:
1. leaving the standard configuration of application servers,
2. using standardized templates of servers subject to ballooning of memory and unoptimized disks
3. using the standard network translation scheme for private networks
4. relying on cloud security for external firewall, WAF, NAT, load balancing etc.
5. relying on cloud security for server hardening
6. focusing too much on application software, forgetting that clouds always have backdoors to access servers that are not reachable from outside the cloud.
7. lack of control on the IAM of the infrastructure, which enables particular features of our architecture.
There has to be strict control on where the cloud ends its control and where our paranoia on cloud security begins.
Regards
Antonio
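Points 1 and 2 in the post above (leaving the standard configuration, using standard templates) are detectable before deployment, because an infrastructure-as-code plan shows which hardening attributes were never set and therefore fall back to the provider default. The following is an added example, not the poster's code or Terraform's: it walks a constructed plan whose shape loosely mirrors `terraform show -json` output (`resource_changes[].change.after`, simplified here) and distinguishes attributes left at the default from attributes explicitly set to an unsafe value. The `BASELINE` of required attributes is a hypothetical hardening baseline written for this example; `metadata_options.http_tokens`, `root_block_device.encrypted` and `ebs_optimized` are real AWS provider attributes, but the expectations attached to them are the example's own.

```python
"""Flag IaC resources that leave provider defaults in place (added example).

PLAN is a constructed, simplified imitation of `terraform show -json` output.
BASELINE is a hypothetical hardening baseline: (attribute path, predicate, label).
"""

PLAN = {
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "ebs_optimized": True,
             "metadata_options": [{"http_tokens": "required"}],
             "root_block_device": [{"encrypted": True}]}}},
        # Template instance: nothing hardened explicitly, root volume set unencrypted.
        {"address": "aws_instance.legacy", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "root_block_device": [{"encrypted": False}]}}},
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        # Deletions carry no "after" state and are skipped.
        {"address": "aws_instance.gone", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
}

ADMIN_PORTS = {22, 3389}


def no_admin_ports_from_anywhere(rules):
    """True unless some ingress rule exposes an admin port to 0.0.0.0/0."""
    for r in rules:
        if "0.0.0.0/0" in r.get("cidr_blocks", []) and \
                any(r["from_port"] <= p <= r["to_port"] for p in ADMIN_PORTS):
            return False
    return True


BASELINE = {
    "aws_instance": [
        ("metadata_options.0.http_tokens", lambda v: v == "required", "IMDSv2 required"),
        ("root_block_device.0.encrypted", lambda v: v is True, "root volume encrypted"),
        ("ebs_optimized", lambda v: v is True, "EBS-optimized instance"),
    ],
    "aws_security_group": [
        ("ingress", no_admin_ports_from_anywhere, "no admin ports open to 0.0.0.0/0"),
    ],
}


def get_path(obj, path):
    """Resolve a dotted path through nested dicts and lists; None if absent."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list):
            idx = int(part)
            if idx >= len(cur):
                return None
            cur = cur[idx]
        elif isinstance(cur, dict):
            if part not in cur:
                return None
            cur = cur[part]
        else:
            return None
    return cur


def audit_plan(plan, baseline):
    """Return (address, attribute, kind, message) tuples.

    kind is "default" when the attribute is absent (provider default applies)
    and "weak" when it is explicitly set to a value the baseline rejects.
    """
    findings = []
    for rc in plan["resource_changes"]:
        change = rc["change"]
        after = change.get("after")
        if after is None or "delete" in change["actions"]:
            continue
        for path, ok, label in baseline.get(rc["type"], []):
            value = get_path(after, path)
            if value is None:
                findings.append((rc["address"], path, "default",
                                 f"{label}: not set, provider default applies"))
            elif not ok(value):
                findings.append((rc["address"], path, "weak",
                                 f"{label}: explicitly set to an unsafe value"))
    return findings


if __name__ == "__main__":
    for address, path, kind, msg in audit_plan(PLAN, BASELINE):
        print(f"{kind:8} {address:28} {path:32} {msg}")
```

Separating "default" from "weak" matters for the program the original question is about: a "weak" value is a deliberate choice someone can be asked about, while a "default" is usually the template nobody revisited, which is exactly the standard-configuration problem the post describes.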