Sample Assessment Report
Redacted for confidentiality
Service: Cloud Security
Engagement type: AWS, Azure & GCP Security Assessment (this sample covers AWS only)
Client: Confidential, an enterprise technology company
Scope: AWS multi-account environment (12 accounts), AWS Organizations with SCPs, EC2 fleet (340 instances), RDS, S3 (180 buckets), IAM configuration
Duration: 8 business days
Benchmark: CIS AWS Foundations Benchmark v2.0
Executive Summary
UnlockSec conducted a comprehensive security assessment of the client's 12-account AWS organisation. Critical findings include a publicly readable S3 bucket containing customer PII, an IAM privilege escalation path from a developer role to full administrator access, and 23 EC2 instances that still allow IMDSv1, whose instance-role credentials are reachable through SSRF vulnerabilities in the web applications they host.
Methodology
Sample Findings
Public S3 Bucket — Customer PII Exposed
Description
S3 bucket 'client-prod-exports-2024' has Block Public Access disabled and a bucket policy granting s3:GetObject to Principal '*', so every object is readable by unauthenticated requests from the internet. The bucket contains 47,000 customer records (names, email addresses and partial payment information) in CSV export format. Account-level Block Public Access would have rejected this policy at the time it was written.
Recommendation
Enable Block Public Access at the account level and on all buckets immediately, then remove the Principal '*' statement from the bucket policy (with RestrictPublicBuckets on, access under the public policy is limited to principals in the account even before the statement is deleted). Audit all bucket policies continuously with the AWS Config managed rule 's3-bucket-public-read-prohibited'. Enable S3 server-side encryption and server access logging. Use existing access logs or CloudTrail S3 data events, where they were enabled, to establish whether the objects were actually retrieved, then notify affected customers per applicable breach notification requirements.
IAM Privilege Escalation — Developer to Administrator
Description
The 'developer' IAM role is allowed iam:AttachRolePolicy with Resource '*', which includes the developer role itself. Anyone who assumes the role can attach the AdministratorAccess managed policy to it and become a full account administrator with a single API call. The CloudTrail alerting currently configured for AdministratorAccess attachment does not fire on this AttachRolePolicy call, so the escalation goes undetected. Where the role also holds iam:PutRolePolicy or iam:CreatePolicyVersion, the same result can be achieved with an inline policy or a new default version of an already attached policy, which an alert keyed on the AdministratorAccess ARN would never match.
Recommendation
Remove iam:AttachRolePolicy, iam:PutRolePolicy, and iam:CreatePolicyVersion from all developer roles, or scope any remaining IAM write permission to resources that exclude the caller's own role. Implement SCPs at the organisation level that deny these actions unless the caller is the IAM deployment role (aws:PrincipalArn condition), so the path cannot be reintroduced from within a member account. Use IAM Access Analyzer custom policy checks (check-access-not-granted) in the policy deployment pipeline to reject policies that grant these actions, and review its unused-access findings to shrink developer permissions further.
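The two policy findings above (the public bucket policy and the developer role's IAM write permission) can both be checked offline from the policy documents. The following is an added example written for this page, not UnlockSec's tooling or an AWS library: `public_statements` flags bucket-policy statements granted to everyone, and `privesc_grants` flags IAM statements that let the caller rewrite its own role's permissions. The policy documents, the account ID 123456789012, the role name 'developer' and the organisation ID are constructed placeholders; only the bucket name comes from the finding.

```python
# Added example (not UnlockSec's or AWS's code): offline checks for the two policy
# findings above. Policy documents, account ID, role name and org ID are constructed.
import fnmatch

# Actions that directly let a principal change its own (or another) principal's
# permissions. The first three are the ones named in the finding.
PRIVESC_ACTIONS = [
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
]


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def _is_everyone(principal):
    """Principal "*" and {"AWS": "*"} both mean anonymous / any AWS account."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_statements(bucket_policy):
    """Allow statements granted to everyone. A Condition block may narrow the grant
    (aws:PrincipalOrgID, aws:SourceVpce) or may not (aws:SecureTransport), so
    conditional statements are reported for review rather than dropped.
    Deny statements are not evaluated here."""
    findings = []
    for i, stmt in enumerate(_statements(bucket_policy)):
        if stmt.get("Effect") != "Allow" or not _is_everyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "statement-%d" % i),
            "actions": _as_list(stmt.get("Action")),
            "conditional": "Condition" in stmt,
        })
    return findings


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def privesc_grants(policy, own_role_arn):
    """Privilege-escalation actions that an Allow statement grants on own_role_arn
    (Resource "*" matches everything, which is the report's case). NotAction and
    NotResource statements are not handled and should be reviewed by hand."""
    granted = set()
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if not any(fnmatch.fnmatchcase(own_role_arn, r) for r in resources):
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in PRIVESC_ACTIONS if _action_matches(pattern, a))
    return sorted(granted)


# Constructed bucket policy mirroring the finding (bucket name from the report).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::client-prod-exports-2024/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::client-prod-exports-2024",
                      "arn:aws:s3:::client-prod-exports-2024/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}

# Constructed developer role policy (account ID and role name are placeholders).
DEVELOPER_ROLE_ARN = "arn:aws:iam::123456789012:role/developer"
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:ListRoles"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
# The same policy after remediation: the IAM write action is gone, and the
# remaining IAM permissions cannot touch the developer role itself.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:GetRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(public_statements(BUCKET_POLICY))
    print(privesc_grants(DEVELOPER_POLICY, DEVELOPER_ROLE_ARN))
    print(privesc_grants(HARDENED_POLICY, DEVELOPER_ROLE_ARN))
```

The resource check matters: a statement whose Resource is a role path that excludes the caller's own role is not an escalation path, which is why `HARDENED_POLICY` produces no findings while `DEVELOPER_POLICY` reports `iam:AttachRolePolicy`. Feed real policies in from `aws iam get-role-policy` / `get-policy-version` and `aws s3api get-bucket-policy` output.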
IMDSv1 Enabled — SSRF to Credential Theft Path
Description
23 EC2 instances have IMDSv1 enabled (HttpTokens set to optional). Several of these instances run web applications with unpatched SSRF vulnerabilities. An attacker exploiting an SSRF can request http://169.254.169.254/latest/meta-data/iam/security-credentials/ to learn the attached role name, then http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name> to receive the role's temporary AccessKeyId, SecretAccessKey and session Token, which remain valid off-host until they expire. IMDSv2 would block this path: a session token must first be obtained with a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header, which a typical GET-only SSRF cannot issue.
Recommendation
Require IMDSv2 on all EC2 instances by setting HttpTokens=required in the instance metadata options (aws ec2 modify-instance-metadata-options), in launch templates, and as the account-level default (aws ec2 modify-instance-metadata-defaults) so new instances inherit it. Keep the PUT response hop limit at 1 except on hosts running containers that need metadata access. Enforce the setting with the AWS Config managed rule 'ec2-imdsv2-check' and remediate through Systems Manager Automation, checking the EC2 MetadataNoToken CloudWatch metric first to find workloads still calling IMDSv1. Patch the identified SSRF vulnerabilities in the hosted web applications; IMDSv2 removes the credential-theft path but not the SSRF itself.
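The following is an added example for this finding, not UnlockSec's tooling or AWS code: it audits the MetadataOptions block of an `aws ec2 describe-instances` response and emits the per-instance remediation command. The response below is constructed and the instance IDs are placeholders; the hop-limit check goes slightly beyond the finding, since a token that can be forwarded past one hop is the next thing a reviewer should look at once IMDSv2 is required.

```python
# Added example (not UnlockSec's or AWS's code): audit instance metadata options
# from a DescribeInstances response. The response is constructed; IDs are placeholders.

# Constructed sample in the shape of `aws ec2 describe-instances` output.
DESCRIBE_INSTANCES = {
    "Reservations": [{"Instances": [
        # IMDSv1 still answered: SSRF to the metadata endpoint yields role creds.
        {"InstanceId": "i-0a1b2c3d4e5f60001", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        # IMDSv2 enforced, but hop limit 2 lets the token reach a container one hop away.
        {"InstanceId": "i-0a1b2c3d4e5f60002", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        # Metadata endpoint switched off entirely; nothing to steal.
        {"InstanceId": "i-0a1b2c3d4e5f60003", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        # Compliant.
        {"InstanceId": "i-0a1b2c3d4e5f60004", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    ]}]
}


def audit_imds(response, max_hop_limit=1):
    """Return {instance_id: [issue, ...]} for instances whose metadata service can
    still be abused. max_hop_limit=1 keeps the IMDSv2 token response on the host;
    raise it to 2 only for instances running containers in bridge networking mode."""
    findings = {}
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint at all, so IMDSv1 vs v2 is moot
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=%s)" % opts.get("HttpTokens"))
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > max_hop_limit:
                issues.append("hop limit %d exceeds %d" % (hops, max_hop_limit))
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_commands(findings, hop_limit=1):
    """AWS CLI calls that enforce IMDSv2 on each flagged instance. The change takes
    effect immediately without a reboot, so confirm nothing still depends on
    IMDSv1 first (the EC2 MetadataNoToken CloudWatch metric should be zero)."""
    return [
        "aws ec2 modify-instance-metadata-options --instance-id %s "
        "--http-endpoint enabled --http-tokens required "
        "--http-put-response-hop-limit %d" % (instance_id, hop_limit)
        for instance_id in sorted(findings)
    ]


if __name__ == "__main__":
    found = audit_imds(DESCRIBE_INSTANCES)
    for instance_id, issues in found.items():
        print(instance_id, "; ".join(issues))
    print("\n".join(remediation_commands(found)))
```

Run it against live output with `aws ec2 describe-instances --output json` in each region in scope; instances in the first category are the ones the finding counts.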
CloudTrail — Disabled in 3 Regions
Description
CloudTrail is configured as two single-region trails, in us-east-1 and eu-west-1, rather than one multi-region trail. Three other enabled regions (ap-southeast-1, ap-northeast-1, eu-central-1) deliver no CloudTrail logs at all. Activity an attacker stages in those regions, such as launching instances or Lambda functions, leaves no delivered log and cannot be reconstructed during an investigation; the 90-day Event history view in the console is not a substitute for a delivered and retained trail.
Recommendation
Replace the regional trails with one organisation-level, multi-region trail created from the management account, which also covers regions enabled in future and all member accounts. Enable log file integrity validation and server-side encryption on the log bucket, and protect the bucket from deletion and modification. Enable CloudTrail Insights to detect unusual API call rates.
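The following is an added example for this finding, not UnlockSec's tooling or AWS code: it computes region coverage from DescribeTrails and GetTrailStatus results. Because DescribeTrails called in one region returns only that region's trails plus shadow copies of multi-region trails, the caller is expected to have collected trails from every enabled region; results are de-duplicated on TrailARN. The trail data, account ID and bucket name below are constructed.

```python
# Added example (not UnlockSec's or AWS's code): CloudTrail region coverage from
# DescribeTrails / GetTrailStatus data. All data below is constructed.

ENABLED_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1",
                   "ap-northeast-1", "eu-central-1"]

# Two single-region trails, as in the finding (ARNs use a placeholder account).
TRAILS = [
    {"Name": "prod-us", "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/prod-us",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": True},
    {"Name": "prod-eu", "TrailARN": "arn:aws:cloudtrail:eu-west-1:123456789012:trail/prod-eu",
     "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IsOrganizationTrail": False, "LogFileValidationEnabled": False},
]
# GetTrailStatus keyed by TrailARN; a trail that exists but is stopped covers nothing.
STATUS = {TRAILS[0]["TrailARN"]: {"IsLogging": True},
          TRAILS[1]["TrailARN"]: {"IsLogging": True}}

# The recommended replacement, for comparison.
ORG_TRAIL = {
    "Name": "org-trail", "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/org-trail",
    "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
    "IsOrganizationTrail": True, "LogFileValidationEnabled": True}


def region_gaps(trails, status, regions):
    """Regions where no actively logging trail delivers management events.
    A multi-region trail covers every region, including ones enabled later."""
    covered = set()
    seen = set()
    for t in trails:
        if t["TrailARN"] in seen:  # the same multi-region trail shows up in each region
            continue
        seen.add(t["TrailARN"])
        if not status.get(t["TrailARN"], {}).get("IsLogging"):
            continue
        if t.get("IsMultiRegionTrail"):
            covered.update(regions)
        else:
            covered.add(t["HomeRegion"])
    return sorted(set(regions) - covered)


def trails_without_validation(trails):
    """Trails that produce no digest files, so tampering with delivered log files
    cannot be proven or disproven after the fact."""
    return sorted({t["Name"] for t in trails if not t.get("LogFileValidationEnabled")})


def create_org_trail_command(name, bucket):
    """CLI call for the recommended fix, run from the management account.
    create-trail does not start delivery: follow it with
    `aws cloudtrail start-logging --name <name>`."""
    return ("aws cloudtrail create-trail --name %s --s3-bucket-name %s "
            "--is-multi-region-trail --is-organization-trail "
            "--enable-log-file-validation" % (name, bucket))


if __name__ == "__main__":
    print("uncovered:", region_gaps(TRAILS, STATUS, ENABLED_REGIONS))
    print("no validation:", trails_without_validation(TRAILS))
    print(create_org_trail_command("org-trail", "client-cloudtrail-logs"))
```

Collect the inputs with `aws cloudtrail describe-trails` and `aws cloudtrail get-trail-status --name <arn>` per region, and `aws account list-regions --region-opt-status-contains ENABLED ENABLED_BY_DEFAULT` for the region list; the stopped-trail case is the one most often missed by a simple "does a trail exist" check.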
* Showing 4 of 55 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- AWS CIS Benchmark compliance report
- IAM privilege escalation path analysis
- S3 public exposure inventory
- CloudTrail and monitoring gap analysis
- Infrastructure-as-Code remediation templates (Terraform/CloudFormation)
Ready for a real assessment?
Get a tailored Cloud Security engagement led by certified operators with unlimited retests.