Services Capabilities Industries Cloud Audit Free Scanner Case Studies Use Cases Book a Consultation
Home Use Cases CloudReach AWS
AWS Cloud Infrastructure Security Assessment

92/100 Risk Score.
25 AWS Misconfigurations. One Audit.

A full-spectrum AWS infrastructure security assessment of CloudReach SaaS — a B2B cloud-native platform running across a 5-account AWS organization. We found everything from public S3 buckets leaking customer data to a Terraform state file sitting in a public bucket. CIS AWS Foundations compliance: 8%. SOC2 coverage: 10%.

7 Critical Active exposure
7 High Urgent remediation
11 Medium Address promptly
92 Risk Score Out of 100

CloudReach SaaS operates a Terraform-managed, multi-account AWS organization serving 340 enterprise B2B customers. Their stack spans S3, RDS, Lambda, ECS, EKS, and VPCs across five AWS accounts. The engagement started with a read-only IAM role handoff — within 2 hours, we had identified customer data leaking from a publicly accessible S3 bucket with no bucket policy.

The most alarming discovery wasn't a single vulnerability — it was the complete absence of detection infrastructure. GuardDuty was not enabled in any AWS region. CloudTrail was missing from two of five accounts. There were no AWS Config rules, no budget alerts, and no VPC flow logs. CloudReach had been running $40,000/month in AWS spend with zero visibility into what was happening inside their own infrastructure.

Across three days of assessment, we mapped every misconfiguration, demonstrated active data exposure from the public S3 bucket, and documented the IAM privilege escalation path from a Lambda execution role to full administrative access via an overprivileged *:* policy. The Terraform state file stored in a public bucket alone would have given any attacker a complete map of the infrastructure.

Client CloudReach SaaS
Industry B2B SaaS / Cloud-native
Infrastructure 5-account AWS Organization
Monthly AWS Spend $40,000 — no budget alerts
Engagement Date April 2026
Duration 3 days assessment
Risk Score 92 / 100
AWS

Why AWS misconfigurations hit differently: Unlike application vulnerabilities, AWS misconfigurations are infrastructure-level. A public S3 bucket leaks data to the entire internet — no exploit required, just an HTTP request. An overprivileged IAM role lets an attacker who compromises any service immediately escalate to full account control. These aren't theoretical risks — they're the #1 cause of cloud data breaches. The AWS Shared Responsibility Model puts this squarely on CloudReach: AWS secures the infrastructure; the customer secures what they run on it.

Attack Surface

AWS Services with Findings

Every major AWS service in the CloudReach stack had at least one misconfiguration. This is what the infrastructure looked like from an attacker's perspective.

Amazon S3
Public bucket, no access logging, public Terraform state
3 findings
AWS IAM
Wildcard policies, cross-account trust without external ID, no password policy
3 findings
Amazon RDS
Public snapshots, publicly accessible instances, unencrypted storage
2 findings (+ EBS)
AWS Lambda
Hardcoded secrets in env vars, deprecated runtimes (Python 3.8, Node 16)
2 findings
Security Groups
0.0.0.0/0 on SSH (22) and RDP (3389) — open to the world
1 finding
CloudTrail / GuardDuty
No detective controls — 2 accounts with no CloudTrail, GuardDuty completely off
2 findings
EC2 / VPC
IMDSv1 on public instances (SSRF risk), no VPC flow logs
2 findings
AWS SES / CloudFront / ELB
Open relay, no WAF, outdated TLS 1.0/1.1
3 findings
AWS KMS / ECR / SSM
Key rotation off, no image scanning, plaintext secrets in Parameter Store
3 findings
Root Account / Billing
Root used daily with no MFA. $40k/month with no budget alerts
2 findings
All 25 Findings

Every Misconfiguration, Explained

7 Critical, 7 High, 11 Medium. Every finding maps to CIS AWS Foundations Benchmark controls, SOC2 trust criteria, and NIST 800-53 control families.

7 Critical
7 High
11 Medium
25 Total Findings
Critical C-01
Public S3 Bucket — Customer Data Exposed
The cloudreach-customer-exports bucket had no bucket policy and was set to public. Any unauthenticated HTTP request could LIST and GET every customer export file — contract PDFs, usage reports, and billing data for 340 enterprise accounts.
CIS AWS 2.1.1 SOC2 CC6.1 NIST 800-53 AC-3
Remediation

Enable Block Public Access at the account level (aws s3api put-public-access-block). Add an explicit bucket policy denying s3:GetObject to *. Use S3 Access Points with IAM conditions for application access.

Critical C-02
Overprivileged IAM Roles — Wildcard *:* Policy
Three Lambda execution roles and one ECS task role had inline policies granting "Effect":"Allow","Action":"*","Resource":"*". Compromise of any of these services — via a dependency vulnerability, SSRF, or RCE — would give an attacker full administrative access to the entire AWS account.
CIS AWS 1.16 SOC2 CC6.3 NIST 800-53 AC-6
Remediation

Apply least-privilege principles using IAM Access Analyzer to generate service-specific policies based on CloudTrail activity. Replace wildcard actions with exact service actions required. Enable IAM Access Analyzer organization-wide for continuous policy analysis.

Critical C-03
RDS Snapshots Unencrypted and Shared Publicly
Two manual RDS snapshots of the production database were shared with AWS account ID all, making them publicly restorable by any AWS customer. The snapshots contained unencrypted production data including customer PII and API credentials.
CIS AWS 2.3.1 SOC2 CC9.9 NIST 800-53 SC-28
Remediation

Delete public snapshots immediately. Enable encryption at rest using AWS KMS on all RDS instances (requires a snapshot → restore cycle for existing instances). Set snapshot visibility to private and restrict sharing to specific account IDs only.

Critical C-04
Security Groups Open to World on SSH and RDP
14 security groups had inbound rules allowing 0.0.0.0/0 on TCP port 22 (SSH) and 7 security groups allowed 0.0.0.0/0 on TCP port 3389 (RDP). These EC2 instances are exposed to global brute-force and credential-stuffing attacks 24/7.
CIS AWS 5.2 CIS AWS 5.3 SOC2 CC6.6
Remediation

Remove all 0.0.0.0/0 rules on port 22/3389. Use AWS Systems Manager Session Manager for SSH-less EC2 access. If SSH is required, restrict to corporate NAT IP ranges and rotate key pairs quarterly.

Critical C-05
Root Account Used Daily — No MFA
CloudTrail logs showed root account API calls being made 3–5 times per week for routine infrastructure changes. The root account had no MFA configured. Root account compromise is permanent — it cannot be revoked like an IAM user. A successful phishing attack on the root email address would give an attacker irrecoverable full control.
CIS AWS 1.4 CIS AWS 1.5 SOC2 CC6.1
Remediation

Enable hardware MFA on root immediately. Create dedicated IAM admin users for all routine tasks. Set a CloudTrail-based alarm for any root account activity. Lock root credentials in a hardware security key stored in a physical safe.

Critical C-06
Terraform State File in Public S3 Bucket
The Terraform state file (terraform.tfstate) was stored in the same public S3 bucket as customer exports. Terraform state contains a complete map of all infrastructure: resource IDs, database connection strings, IAM role ARNs, KMS key IDs, and plaintext output values — a full blueprint for targeted attacks.
CIS AWS 2.1.1 NIST 800-53 CM-7 CVE-Adjacent
Remediation

Move Terraform state to a private, encrypted S3 bucket with versioning and DynamoDB state locking. Enable server-side encryption (SSE-KMS). Never store Terraform state in a public bucket. Consider Terraform Cloud or AWS CodePipeline for managed state.

Critical C-07
RDS Instances Publicly Accessible
Four RDS PostgreSQL instances had publicly_accessible = true and were reachable from the internet on port 5432. While security groups restricted access, public accessibility combined with any security group misconfiguration creates direct database exposure. Production databases must never be internet-reachable.
CIS AWS 2.3.3 SOC2 CC6.6 NIST 800-53 SC-7
Remediation

Set publicly_accessible = false on all RDS instances. Place databases in private subnets with no internet gateway route. Use RDS Proxy for Lambda connections and a bastion host or SSM for administrative access.

High H-01
CloudTrail Disabled in 2 of 5 AWS Accounts
The cloudreach-dev and cloudreach-staging accounts had no CloudTrail configured. Any API activity — including IAM changes, resource creation, or data access — in these accounts is completely unauditable. Attackers routinely use non-production accounts as lateral movement pivot points precisely because logging is often absent.
CIS AWS 3.1 SOC2 CC7.2 NIST 800-53 AU-2
High H-02
Cross-Account Role Assumption Without External ID
The trust policy on the cloudreach-cicd-role allowed any principal in the partner organization to assume it without an external ID condition. This is a textbook "confused deputy" vulnerability — any compromised account in the trusted organization can assume production deployment roles.
CIS AWS 1.20 Confused Deputy NIST 800-53 AC-17
High H-03
Lambda Functions with Hardcoded Secrets in Environment Variables
11 Lambda functions stored credentials — database passwords, third-party API keys, and an internal service-to-service token — as plaintext environment variables. Lambda environment variables are visible in the AWS console to any IAM user with lambda:GetFunctionConfiguration access, and are captured in exception reporting and CloudWatch Logs.
CIS AWS 2.1.2 SOC2 CC6.7 NIST 800-53 IA-5
High H-04
GuardDuty Not Enabled in Any Region
AWS GuardDuty — the primary threat detection service for AWS accounts — was not enabled in any of the five accounts or any AWS region. GuardDuty is the first line of defense against cryptomining, data exfiltration, compromised credentials, and reconnaissance. Without it, active attacks in the environment generate no alerts whatsoever.
CIS AWS 3.9 SOC2 CC7.2 NIST 800-53 SI-4
High H-05
Elastic Load Balancer — Outdated TLS (1.0/1.1)
Three Application Load Balancers were configured with SSL policies that permitted TLS 1.0 and TLS 1.1 connections. Both protocols are deprecated and vulnerable to BEAST and POODLE attacks. Enterprise customers connecting over TLS 1.0 are transmitting data over a cipher suite with known practical exploits.
CIS AWS 2.1.3 SOC2 CC6.7 NIST 800-53 SC-8
High H-06
Public-Facing EC2 Instances Using IMDSv1 (SSRF Risk)
All EC2 instances were running IMDSv1 (Instance Metadata Service v1), which does not require session tokens. Any SSRF vulnerability in a web application running on these instances allows an attacker to query http://169.254.169.254/latest/meta-data/iam/security-credentials/ and extract temporary IAM credentials — the same technique used in the Capital One breach.
CIS AWS 5.6 SSRF / IMDS CVE-2019-Capital One
High H-07
SES Configured as Open Relay
The AWS SES configuration did not restrict the From address to verified domains. Any authenticated IAM user (or any compromised Lambda function with SES permissions) could send email appearing to originate from @cloudreach.io — enabling internal spear-phishing attacks against their own enterprise customers.
SOC2 CC6.8 NIST 800-53 SI-8 Phishing Risk
Medium M-01
No VPC Flow Logs Enabled
VPC flow logs were disabled across all VPCs in all five accounts. Flow logs are the primary tool for detecting network-level anomalies — lateral movement, port scanning, data exfiltration via unusual traffic patterns. Without them, there is no network visibility and no forensic record of traffic during a breach.
CIS AWS 3.9 SOC2 CC7.2 NIST 800-53 AU-12
Medium M-02
S3 Server Access Logging Disabled
Server access logging was disabled on all S3 buckets, including the production data bucket. Without access logs, there is no record of who accessed what files, when, or from which IP address. In the event of a data breach, forensic investigation of S3 data access is impossible.
CIS AWS 3.6 SOC2 CC7.2 NIST 800-53 AU-9
Medium M-03
EBS Volumes Unencrypted
23 of 31 EBS volumes were unencrypted. While EC2 IAM controls gate access while instances are running, unencrypted EBS snapshots can be shared and attached to any other EC2 instance. Physical access to AWS datacenter hardware (an insider threat vector) would expose raw disk data.
CIS AWS 2.2.1 SOC2 CC9.9 NIST 800-53 SC-28
Medium M-04
KMS Key Rotation Disabled
Automatic annual rotation was disabled on all 9 KMS customer-managed keys. Long-lived encryption keys increase the blast radius if a key material is ever compromised or exfiltrated. NIST recommends annual rotation for symmetric keys protecting sensitive data.
CIS AWS 3.8 SOC2 CC6.7 NIST 800-53 SC-12
Medium M-05
No AWS Config Rules for Drift Detection
AWS Config was not enabled in any account. There were no managed rules to detect configuration drift — public S3 buckets, overly permissive security groups, or unencrypted resources could be introduced by any team member and would go undetected indefinitely. The findings in this report could silently recur post-remediation.
CIS AWS 3.5 SOC2 CC7.1 NIST 800-53 CM-2
Medium M-06
No IAM Password Policy
No IAM password policy was configured for the AWS account. All 14 IAM users were allowed to set passwords of any length and complexity with no rotation requirement. Short, simple passwords on IAM console accounts are trivially brute-forced from public access key leaks or phishing attacks.
CIS AWS 1.8–1.11 SOC2 CC6.1 NIST 800-53 IA-5
Medium M-07
CloudFront Distribution Without WAF
The CloudReach customer portal CloudFront distribution had no AWS WAF attached. Without WAF, the application is fully exposed to automated OWASP Top 10 attacks — SQL injection, XSS, HTTP flood DDoS — with no L7 filtering between the internet and the origin servers.
AWS WAF Best Practice SOC2 CC6.6 NIST 800-53 SC-5
Medium M-08
Lambda Functions on Deprecated Runtimes
8 Lambda functions were running on Python 3.8 (EOL September 2024) and Node.js 16 (EOL March 2024). AWS has blocked creation of new functions on these runtimes. Deprecated runtimes no longer receive security patches — any new CVE in the Python 3.8 or Node 16 runtime will remain unpatched in production indefinitely.
AWS Lambda EOL SOC2 CC7.7 NIST 800-53 SI-2
Medium M-09
ECR Repositories — Image Scanning Disabled
All 11 Elastic Container Registry repositories had image scanning disabled. Container images used in production ECS and EKS workloads were never scanned for known CVEs. Images with critical vulnerabilities (Log4Shell, Spring4Shell equivalents in base images) can be deployed to production without any detection.
AWS ECR Best Practice SOC2 CC7.7 NIST 800-53 SI-3
Medium M-10
Secrets in SSM Parameter Store as Plaintext (Secrets Manager Not Used)
47 application secrets — including API keys, database connection strings, and third-party OAuth tokens — were stored in SSM Parameter Store as String type parameters (plaintext) rather than SecureString or AWS Secrets Manager. Any IAM user or role with ssm:GetParameter access can read these in plaintext.
CIS AWS 2.1.2 SOC2 CC6.7 NIST 800-53 IA-5
Medium M-11
No Budget Alerts — $40k/Month Unmonitored
CloudReach was spending approximately $40,000/month in AWS with zero cost anomaly detection or budget alerts configured. Cryptomining attacks (a common post-exploitation action) can add $10,000–$50,000 in EC2/GPU costs within 48 hours. Without budget alerts, a cryptomining attack would only be discovered on the monthly AWS bill.
AWS Billing Best Practice SOC2 CC9.1 Cryptomining Indicator
Compliance Benchmarks

Where CloudReach Stood

Three frameworks govern AWS infrastructure security. CloudReach's pre-assessment scores reflect an organization that has never run a formal cloud security review.

CIS
8%
CIS AWS Foundations Benchmark
The CIS AWS Foundations Benchmark is the gold standard for AWS account hardening — 58 controls across IAM, logging, monitoring, networking, and storage. CloudReach passed 5 of 58 controls. Every logging and monitoring control failed. Every IAM hardening control failed.
8% controls passing
Not compliant — requires full remediation program
SOC
10%
SOC 2 Type II
SOC 2 is required by virtually every enterprise B2B buyer in CloudReach's target market. The audit found gaps across the Security (CC6), Availability (A1), and Confidentiality (C1) trust service criteria. The absence of GuardDuty, CloudTrail gaps, and public data exposure are each individually disqualifying for SOC 2 certification.
~10% criteria met
Not certifiable in current state
NIST
11%
NIST 800-53
NIST 800-53 is the federal security control standard widely adopted by enterprises and government contractors. Findings mapped to Access Control (AC), Audit & Accountability (AU), System & Communications Protection (SC), and System Integrity (SI) control families. Nearly every control family had critical gaps.
~11% controls satisfied
Not aligned — significant gaps across 4 control families
Video Walkthrough

Watch the AWS Audit in Action

A screen-share walkthrough of the CloudReach findings — service by service, finding by finding. Coming soon to the Sentinel Stacks video channel.

AWS Cloud Security Audit · April 2026
25 AWS Misconfigurations — CloudReach SaaS
Multi-Account AWS Organization · Risk Score 92 · Sentinel Stacks
Video coming soon Walkthrough covers S3 public access demo, IAM privilege escalation path, and the Terraform state exposure — live in the AWS console
Coming Soon
More Use Cases

Other Audit Walkthroughs

Each use case covers a different industry, stack, and threat profile. All findings are realistic and reference-able for sales conversations.

DataVault CRM
Financial Services
OWASP Top 10 + cloud IAM audit of a financial services CRM. 21 findings: SQL injection, plaintext SSNs, plaintext credit cards, broken JWT auth, exposed .env file. Risk score 87.
Live — Read full audit
NeuralPath AI
AI / ML
ML model serving platform audit: 4.2TB training data on public S3, model weights unauthenticated, Pickle RCE, Kubernetes container escape to cluster-admin. 25 findings, risk score 89.
Live — Read full audit
MedFlow Analytics
Healthcare
HIPAA-focused cloud audit: unencrypted PHI at rest in S3, overly permissive IAM, missing audit logging. 19 findings, full NIST 800-53 alignment.
Case study in progress
GridEdge Energy
IoT
Smart-grid IoT audit: unprotected MQTT endpoints, missing device authentication, insecure firmware update pipelines. 18 findings, full AWS IoT Core hardening.
Case study in progress

Running AWS Infrastructure?

If your team uses S3, IAM, Lambda, RDS, or ECS — your environment may have findings like these. Run a free cloud audit or schedule a full AWS security assessment.

Run AWS Cloud Audit Book a Consultation