Cloud Infrastructure Audit
Risk Score: 74 out of 100
Total Findings: 14 vulnerabilities
Critical: 4 (require urgent fix)
Resources: 31 scanned
Remediation coverage without blueprints: 0 of 14 findings have Terraform fixes ready to download
Critical & High (7 findings)
Public S3 Bucket Exposure
s3://app-uploads-prod · 3 buckets affected
S3 buckets with public-read or public-read-write ACLs expose your data to unauthenticated internet access.
Attackers actively scan for open buckets — this is one of the most exploited misconfigurations in AWS.
Block Public Access must be enabled at both account and bucket level.
Security Group: Unrestricted Inbound (0.0.0.0/0)
sg-0a1b2c3d · Ports 22, 3389, 5432 exposed
Security groups with 0.0.0.0/0 inbound on SSH (22), RDP (3389), or database ports (5432, 3306, 6379)
expose your instances and data to brute-force attacks from anywhere on the internet.
Replace with VPN-restricted CIDR rules and tiered SG model.
IAM Over-Privilege: Wildcard Actions
arn:aws:iam::*:role/AppRole · AdministratorAccess attached
IAM roles with Action: "*" or AdministratorAccess attached violate the principle of least privilege.
Compromised credentials give attackers complete control of your AWS account.
Use service-specific scoped policies and enable MFA enforcement.
MFA Not Enforced for IAM Users
3 of 5 IAM users have no MFA device
IAM users without MFA can be compromised via credential stuffing or phishing.
Any leaked password is an immediate account takeover. The IAM Least-Privilege Blueprint
includes a deny policy that blocks all API calls when MFA is not active.
Medium (5 findings)
RDS Instance: Encryption at Rest Disabled
db.t3.medium · postgres · us-east-1
Your RDS instance stores data on unencrypted EBS volumes. If the underlying storage is
physically compromised, your database is exposed. Enable KMS-based encryption via a snapshot
restore (encryption cannot be toggled on a running instance).
CloudTrail Not Enabled in All Regions
2 regions missing: ap-southeast-1, eu-west-1
Without CloudTrail, you have no audit log of API calls — including unauthorized access attempts
or privilege escalation. SOC 2, PCI-DSS, and HIPAA all require comprehensive audit logging.
The IAM blueprint enables multi-region CloudTrail with log file validation.
EBS Default Encryption Not Enabled
4 volumes unencrypted · us-east-1
New EBS volumes are created unencrypted by default. Enabling account-level default encryption
ensures all new volumes, snapshots, and AMI copies are automatically encrypted with KMS —
zero-friction compliance for new infrastructure.
Low / Informational (2 findings)
S3 Versioning Not Enabled
5 buckets without versioning
Without versioning, accidentally deleted or overwritten objects are unrecoverable.
Enable versioning with a lifecycle rule to expire old versions after 90 days —
included in the S3 Lockdown Blueprint.
Weak IAM Password Policy
Min length: 8 chars · No rotation · No symbol requirement
Your IAM password policy doesn't meet CIS Benchmark standards.
The IAM blueprint sets minimum 14-char passwords, requires uppercase/lowercase/numbers/symbols,
90-day rotation, and 24-password reuse prevention.