Cloud configuration audit against the rulebooks your auditor already cites.
A two-week read-only review of your AWS, GCP, Azure, and (where in scope) Kubernetes environments against CIS Benchmarks. IAM misconfigurations, public buckets, exposed metadata endpoints, security-group sprawl, KMS key hygiene, logging coverage. Findings handed over as a remediation map your platform team can execute against in the same sprint.
Four phases over twelve working days.
Read-only by construction — we never make changes inside your account. The IaC for the access role is yours from day one and can be revoked the moment the engagement ends.
- §01 Read-only access provisioning (Days 1-2)
  We deploy a read-only role into your AWS / GCP / Azure environment with the minimal permissions our review tooling requires. Scope is documented; no write actions, no provisioning changes. We hand back the IaC for the role at engagement end so you can revoke or keep it on your terms.
- §02 Automated baseline (Days 2-4)
  Prowler, ScoutSuite, kube-bench / kube-hunter where applicable. CIS Benchmarks pass over your accounts. The output is the floor for the manual review — we don't ship the raw tool dump as a deliverable.
- §03 Manual review & deduplication (Days 4-9)
  Each automated finding triaged: real risk in your context, false positive, or known-and-accepted. Manual examination of items the tooling cannot reason about: business-logic IAM grants, cross-service trust patterns, secret-handling architecture.
- §04 Walkthrough & remediation map (Days 9-12)
  Findings ranked by exploitability in your specific deployment and by remediation cost. Walkthrough with the engineering team. Where remediation is mechanical we open the IaC pull request; where it requires architectural change we discuss it on a call.
Six layers of a typical cloud estate.
Coverage map below; the delivered report contains the specific resource ARNs / IDs, current state, recommended state, and remediation cost estimate per finding.
- Over-privileged users / roles / service accounts
- Wildcard policies and unbounded resource grants
- Cross-account trust relationships review
- MFA enforcement gaps
- Inactive credentials and stale access keys
- Public buckets, ACL misconfiguration
- Bucket policy reachable from internet
- Encryption-at-rest gaps (S3 / EBS / RDS / GCS)
- Snapshot exposure
- Public datasets and BigQuery tables
- Security groups with 0.0.0.0/0 ingress
- Public RDS / databases
- VPC peering & transit gateway sprawl
- NACL audit
- Internet-facing load-balancer hygiene
- IMDSv1 still enabled (SSRF risk)
- EC2 / GCE instance role least-privilege
- Public AMIs / snapshots
- Container image registry exposure (ECR / Artifact Registry)
- Lambda / Cloud Run inbound auth
- CloudTrail / Cloud Audit Logs coverage
- GuardDuty / Security Command Center signal review
- KMS key rotation, key policy hygiene
- Secrets Manager / Parameter Store usage vs hard-coded creds
- VPC Flow Logs enablement
- Cluster RBAC & default service-account permissions
- Privileged pod / hostPath usage
- Network policies (or absence of them)
- Image pull from untrusted registries
- etcd encryption and admission-controller posture
What this review does not include.
Available as separate engagements when the surfaced findings warrant deeper work.
- Application-layer pentest. See web-pentest service.
- SOC / detection engineering. We audit log-coverage gaps but do not author detections.
- FedRAMP / SOC 2 attestation. Our deliverable supports your auditor; we are not the auditor.
- Active exploitation in the cloud account. Read-only by construction; exploitation against discovered weaknesses is scoped as a follow-on with explicit authorisation.
Cloud heavy, security team light?
Send us your cloud provider, region count, account count, and whether Kubernetes is in scope. We reply within two working days with a fixed-fee estimate.