Cloud security

Your cloud secured. By default. Not as an option.

IAM audit, network hardening, secrets management, data encryption, suspicious event monitoring. AWS, GCP, Azure and Kubernetes, following the CIS Benchmarks and the AWS Well-Architected Framework.

  • AWS · GCP · Azure · Kubernetes
  • Least-privilege IAM · secrets · KMS
  • VPC · Security Groups · WAF
  • CIS Benchmarks · SOC 2 ready

The context

82% of cloud breaches come from misconfiguration.

In 2026, cloud attacks are almost never "sophisticated hacks". 82% come from configuration errors: an accidentally public S3 bucket, an IAM role with `*:*`, an access key committed to a public repo, a Security Group open on 0.0.0.0/0. The cloud exposes so much surface that a single flaw opens the whole house.

Yet the fundamentals are known: least-privilege IAM, managed secrets (never in clear text), private network by default, audit logs enabled, encryption at rest and in transit. But between "knowing" and "having actually checked screen by screen across 300 resources", there is a world of difference. Teams ship product, not hardening.

We do the audit for you: CIS Benchmarks, AWS Security Hub, ScoutSuite, Prowler, and kube-bench where Kubernetes is in scope. Actionable report sorted by criticality, with patches ready to apply (Terraform, IaC). We can also implement the hardening if you want.

150+

Controls audited

CIS AWS Foundations Benchmark (v1.5), plus the GCP and Azure benchmarks, covered

< 5d

Audit timeline

Medium-size AWS/GCP account audited in 5 business days

100%

Actionable report

Every finding with proof, severity, Terraform patch

0

Silent false positives

We verify every alert before including it in the report

What we audit

Six cloud hardening axes.

The audit covers the full surface: identities, network, data, app layer, observability, governance.

Identities

IAM & access

Achilles heel #1.

Audit of roles, policies, MFA, key rotation. Detection of excessive privileges (`*:*`, AdministratorAccess on non-admin roles). Least-privilege recommendations with generated policies. SSO, SCPs, AWS Organizations OUs, permissions boundaries.

Network

Network & isolation

VPC, Security Groups, WAF.

Audit of VPCs, subnets, route tables, Security Groups, NACLs, VPC Endpoints. Detection of SGs open to the Internet, overly broad peering, routes to external accounts. WAF rules review, Shield for DDoS, Network Firewall.
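A defender-side check for the two misconfigurations named in the IAM and network sections above (`*:*` policies and Security Groups open on 0.0.0.0/0). This is an added example, not the audit tooling described on this page; the policy document and ingress rules are constructed samples, and the set of ports allowed to face the Internet is an assumption.

```python
import json
from ipaddress import ip_network
PUBLIC_OK_PORTS = {80, 443}  # assumption: only the web ports are expected to face the Internet

# Constructed sample IAM policy document (hypothetical, not from any real account).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-assets/*"},
  {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
  {"Effect": "Deny", "Action": "*", "Resource": "*"}
]}
""")

# Constructed ingress rules, shaped like IpPermissions entries from ec2:DescribeSecurityGroups.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

def _as_list(v):  # IAM accepts a string or a list for Statement/Action/Resource
    return v if isinstance(v, list) else [v]

def find_wildcard_statements(policy):
    """Return (index, reason) for Allow statements granting '*' or 'service:*' on Resource '*'."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue  # Deny statements and resource-scoped grants are not excessive
        if "*" in actions:
            findings.append((i, "*:*"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "service wildcard " + ",".join(a for a in actions if a.endswith(":*"))))
    return findings

def find_open_ingress(rules):
    """Return (proto, from, to, cidr) for rules open to any address (prefix /0) beyond one web port."""
    findings = []
    for r in rules:
        cidrs = [x["CidrIp"] for x in r.get("IpRanges", [])] + [x["CidrIpv6"] for x in r.get("Ipv6Ranges", [])]
        lo, hi = r.get("FromPort", 0), r.get("ToPort", 65535)  # ports absent on protocol -1 = all ports
        for c in cidrs:
            if ip_network(c).prefixlen != 0:
                continue  # only a /0 prefix means "any address"
            if r.get("IpProtocol") == "-1" or not (lo == hi and lo in PUBLIC_OK_PORTS):
                findings.append((r.get("IpProtocol"), lo, hi, c))
    return findings
```

On the samples, the two Allow statements with a wildcard on all resources and the two rules reachable from any address (SSH, and the all-protocols IPv6 rule) are reported, while the scoped S3 grant, the Deny, the HTTPS rule and the private-range rule are not.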

Secrets

Secrets & KMS

No clear-text keys.

Audit Secrets Manager, Parameter Store, KMS keys. Detection of hardcoded secrets (git history scan, Lambda env vars). Automatic rotation, key policies, envelope encryption for sensitive data.

Data

Data & encryption

Encrypted at-rest and in-transit.

Audit of S3 buckets (public access, encryption), RDS (encryption, snapshots), EBS, DynamoDB. Detection of public buckets, unencrypted data, unencrypted backups. TLS 1.2+ mandatory in transit.

Observability

Logs & monitoring

See before it breaks.

Audit of CloudTrail, GuardDuty, Security Hub, Config, Inspector. Detective controls setup (IAM anomalies, root access, critical changes). Slack/PagerDuty alerting on security events. Multi-account log centralisation.

Compliance

Compliance & governance

SOC 2, ISO 27001 ready.

Mapping to SOC 2, ISO 27001, HIPAA controls as needed. Custom AWS Config rules, Service Control Policies, Organizations strategy. Immutable audit log. Automatic compliance reporting.

Our approach

Four steps, from scan to hardening.

We start by mapping your infrastructure, then identify findings, prioritise them and fix them.

01

Discovery (1 wk)

Complete inventory of AWS/GCP/Azure accounts, resources, human and machine access. Blast radius identification per environment (prod, staging, dev). No aggressive scanning: read-only API access via a dedicated audit role.

Complete mapping + account & role inventory

02

Automated scan (2-3 d)

Run ScoutSuite, Prowler, kube-bench (if K8s), aws-iam-actions-lookup. Cross-reference with CIS Benchmarks. Filter false positives. Classify by criticality (CVSS-like + business context).

Raw findings + scoring + filtered false positives

03

Manual analysis (3-5 d)

For critical and high findings: manual analysis of the policy, SG or bucket concerned. Real exposure validation. Exploitation proof of concept where relevant (non-destructive). Quantified recommendations.

Complete report: findings + proofs + criticality + impact

04

Patching & hardening (1-2 wks)

Implementation of fixes (if you choose): Terraform/CloudFormation so that fixes persist, refactored IAM policies, tightened SGs, encryption enabled. Re-scan after patching to validate. Operational docs delivered.

Hardened infra + IaC delivered + validation re-scan

Tools used

The tools we actually use.

Mix of mature open-source tools and cloud-native tooling.

Cloud scanners

ScoutSuite · Prowler · CloudSploit · Steampipe

ScoutSuite is multi-cloud (AWS/GCP/Azure); Prowler is very thorough on AWS (200+ checks). Steampipe to query cloud resources with SQL.

AWS-native

Security Hub · GuardDuty · Inspector · Macie · Config

Security Hub aggregates all findings (CIS, PCI). GuardDuty for anomalies. Inspector for CVEs. Macie for sensitive data in S3.

Kubernetes

kube-bench · kube-hunter · Falco · Trivy · OPA Gatekeeper

kube-bench applies CIS Kubernetes. Falco for runtime anomalies. Trivy scans images. OPA Gatekeeper enforces admission policies.

IaC scanning

Checkov · tfsec · Terrascan · CloudSploit

Checkov for Terraform, CloudFormation, K8s manifests, Helm. tfsec is fast and integrates into CI. Terrascan for compliance benchmarks.

Secrets scanning

gitleaks · TruffleHog · detect-secrets

gitleaks scans git history. TruffleHog does the same and adds entropy-based detection. detect-secrets for CI/CD, with a baseline.

IAM analysis

iam-floyd · Cloudsplaining · pmapper · aws-iam-actions-lookup

Cloudsplaining identifies excessive policies. pmapper models privilege escalation paths. iam-floyd generates clean policies.

Measurable guarantees

Four contractual commitments.

150+

Controls

CIS Benchmarks for AWS, GCP and Azure covered in full on every audit. No control skipped.

100%

IaC delivered

Every fix delivered in Terraform or CloudFormation, ready to apply. No throwaway shell scripts.

0

Data stored

No client data is extracted or stored on our side. Read-only audit via a dedicated role, deleted after the mission.

30 d

Re-scan included

30 days after patching delivery, free re-scan to validate that fixes hold under real conditions.

Pricing

Every project is unique. So is the quote.

Instead of abstract packages, we scope to your context: scope, complexity, deadlines, constraints. Write us three sentences about what you want to do, and we come back with a firm quote within 48 business hours.
