AWS security audit. Free in 20 minutes. Public pricing.

Free CloudFormation-based audit across IAM, Network, Data, Logging, FinOps, and Architecture in ~20 minutes. $499 detailed reports with CIS Benchmark mapping and FinOps dollar amounts in ~40 minutes. Manual Cloud Audit with senior-engineer depth from $4,999 — available across AWS, GCP, and Azure.

  • 6 Audit Categories
  • CIS AWS Foundations v1.5
  • Multi-Cloud Manual Reviews

Coverage

Six categories. Every AWS audit covers all of them.

Most AWS security assessments focus on IAM and network configuration. Ours covers six categories — including FinOps findings most security audits skip entirely. Each category aligns with CIS AWS Foundations Benchmark v1.5 and AWS Well-Architected Security Pillar.

IAM

Root account usage, MFA enforcement, password policy, IAM user privilege analysis, role trust relationships, access key rotation.

  • Root account usage + MFA
  • IAM password policy
  • User + role privilege analysis
  • Access key age + rotation
  • Cross-account trust relationships

Common finding: IAM user has console access without MFA enabled — Critical, fix via SCP enforcement.

Network

VPC architecture, security group rules, NACLs, public exposure of resources, VPC Flow Logs configuration, internet-facing ELBs and exposed ports.

  • Security group + NACL configuration
  • Publicly-exposed resources
  • VPC Flow Logs enablement
  • Internet-facing load balancers
  • Open ports + service exposure

Common finding: Security group allows ingress from 0.0.0.0/0 to all ports — Critical, network firewall bypass.

Data

Storage encryption (S3, EBS, RDS, DynamoDB), public S3 bucket exposure, public access block configuration, KMS key rotation, snapshot encryption.

  • S3 bucket public access + encryption
  • EBS / RDS / DynamoDB encryption at rest
  • KMS key rotation
  • Snapshot encryption + access policy
  • Public access block enforcement

Common finding: S3 bucket allows public access — Critical, direct path to data exfiltration.

Logging

CloudTrail configuration (multi-region, log file validation, integration with CloudWatch), Config recording rules, GuardDuty enablement, audit log retention.

  • CloudTrail multi-region + integrity validation
  • AWS Config recording rules
  • GuardDuty enablement + finding response
  • Audit log retention policy
  • CloudWatch alarm coverage

Common finding: CloudTrail not configured for multi-region coverage — High, blind spots in 17 regions.

FinOps

Cost-optimization findings most security audits skip entirely. Idle resources, unattached EBS volumes, unused Elastic IPs, snapshot retention waste, oversized instances, Reserved Instance and Savings Plan opportunities — all flagged with qualitative impact tiers (significant / measurable / incremental). Quantified dollar modeling is the Manual Cloud Audit tier.

  • Idle / underutilized resources
  • Unattached EBS volumes + Elastic IPs
  • Snapshot retention waste
  • Reserved Instance / Savings Plan opportunities
  • Oversized instance recommendations

Common finding: 32 unattached EBS volumes flagged at significant impact — ongoing storage cost with no compute value.

Architecture

AWS Well-Architected Security Pillar alignment, defense-in-depth review, secrets management practices, backup and disaster recovery posture, cross-AZ resilience for security-critical resources.

  • Well-Architected Security Pillar review
  • Secrets Manager + Parameter Store usage
  • Backup + DR posture
  • Cross-AZ resilience
  • Defense-in-depth gaps

Common finding: 5 EC2 instances concentrated in single AZ — single-zone outage availability risk.

Automated tiers (Free Scan, $499 Full Report) cover all 6 categories at machine speed. Manual Cloud Audit covers the full 8-category CloudCheck 360° methodology with senior-engineer review. Tier difference is depth and presentation, not category coverage.

Inside the report

A real AWS finding. Real CLI. Real verification.

Every paid finding includes what’s wrong, why it matters, the exact CLI commands to fix it, rollback steps in case the change disrupts a service, and verification commands to confirm the fix landed. Below: an actual finding from a recent AWS audit, lifted verbatim from a paid Cloud Audit Report.

Critical IAM-001

Root account credentials management policy is not enforced

arn:aws:iam::ACCOUNT-ID:root · us-east-1 · CIS 1.7 (root user)

What it means

Your AWS root user is unrestricted, meaning the most powerful identity in your account has no guardrails to prevent high-risk, irreversible actions. Anyone who gains access to root credentials can perform any operation without limitation.

Why it matters

A compromised root credential is the most severe security failure possible in AWS. Without a restrictive policy, an attacker can irrevocably damage your account, delete all data and infrastructure, and lock you out permanently.

How to fix

Apply a Service Control Policy (SCP) at the organization level that denies destructive actions when performed by the root identity. Save the following policy document as restrict-root-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["account:CloseAccount",
               "organizations:LeaveOrganization"],
    "Resource": "*",
    "Condition": {
      "StringLike": {
        "aws:PrincipalArn": "arn:aws:iam::*:root"
      }
    }
  }]
}

Create the SCP, then attach it to the organization root or OU it should govern (create-policy returns the policy ID; the placeholders match the rollback step below):

aws organizations create-policy \
    --name "RestrictRootUser" \
    --content file://restrict-root-policy.json \
    --type SERVICE_CONTROL_POLICY

aws organizations attach-policy \
    --policy-id <p-xxxxxxxx> --target-id <r-xxxx>

Rollback

If the policy causes operational issues, detach immediately:

aws organizations detach-policy \
    --policy-id <p-xxxxxxxx> --target-id <r-xxxx>

Verify

IAM Policy Simulator should return “denied” for restricted actions when simulated as root user.
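As an added example (not from the report or the vendor's tooling), the following Python check evaluates a request against the SCP above the way the Verify step expects the Policy Simulator to: it loads a copy of the policy document and reports whether a given principal ARN and action would be denied. The function names and the account IDs are my own constructions; note that SCPs never apply to principals in the organization's management account, so the check is meaningful for member accounts only.

```python
import json
import re

# Constructed copy of the SCP document from finding IAM-001 (Deny for the
# root principal of any account); inlined so the check runs offline.
RESTRICT_ROOT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["account:CloseAccount", "organizations:LeaveOrganization"],
    "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}
  }]
}""")


def _wild(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(scp, principal_arn, action, resource="*", management_account=False):
    """True if a Deny statement in `scp` matches the request.

    Models only what the finding's SCP uses: Effect=Deny, Action/Resource wildcards
    (actions compare case-insensitively, ARNs case-sensitively) and a StringLike
    condition on aws:PrincipalArn. SCPs never restrict principals in the
    organization's management account, so that case is always False.
    """
    if management_account:
        return False
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_wild(p, action, False) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        string_like = stmt.get("Condition", {}).get("StringLike", {})
        if all(key in context and any(_wild(p, context[key]) for p in _as_list(pat))
               for key, pat in string_like.items()):
            return True
    return False
```

To unit-test a real policy change before attach-policy, swap the inline document for the contents of your restrict-root-policy.json.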

27 issue families per audit.

Most audits surface 25-40 issue families across 150-400 raw scanner findings, consolidated and prioritized.

CIS AWS Foundations v1.5 mapping.

Each finding linked to specific CIS controls — drop directly into compliance evidence packages.

This-week / this-month action plan.

Findings sequenced by severity and remediation effort, not just dumped as a flat list.

Tiers

Four tiers. Same 6-category audit. Different depth.

Start free. Upgrade when you need full evidence, FinOps depth, or compliance documentation. Each tier includes everything in the tiers below it.

Free Scan

$0

All 6 categories · AWS · Automated · ~20 minutes

  • Letter grade based on aggregate severity
  • Severity counts across 6 categories
  • 8–12 representative findings
  • Top FinOps wins surfaced inline

Full Audit Report

$499

All 6 categories · AWS · Automated · ~40 minutes

  • All findings across 6 categories with evidence
  • CVSS 3.1 scoring per finding
  • Remediation guidance per finding
  • FinOps findings with $ amounts
  • CIS AWS Foundations Benchmark v1.5 mapping per finding

Or upgrade from a free scan results page.

Manual Cloud Audit

Starting at $4,999

All 8 CloudCheck 360° categories · AWS / GCP / Azure · Human-led · Scoping call required

  • Senior engineer review across all 8 CloudCheck 360° categories
  • FinOps with prioritized $ amounts and ROI
  • Custom remediation roadmap matched to your stack
  • 60-minute walkthrough call
  • Available for AWS, GCP, and Azure
  • Follow-up support during remediation

Custom scope per engagement; includes everything in Full Report plus full CloudCheck 360° methodology.

Implementation

Custom

Findings remediation · Scoping call required

  • Engineer time to fix prioritized findings
  • IAM cleanup, encryption rollouts, network segmentation
  • Logging + monitoring buildout
  • Retest after fixes are live

Most buyers start with the Free Audit and upgrade to the $499 Full Report for compliance documentation. Manual Cloud Audit is for buyers with multi-account environments, multi-cloud footprints, or compliance evidence packages that require senior-engineer review. Implementation is for buyers ready to remediate.

Methodology · Automated tier

How automated cloud audits work.

Our automated cloud audit pipeline is designed by senior credentialed engineers, executed automatically against your AWS environment via a read-only CloudFormation role, and analyzed with LLM-assisted synthesis. Same scan engine at the free and $499 tiers. The $499 unlocks per-finding remediation steps with CLI commands, AWS cost notes, and CIS Benchmark compliance mapping.

Senior-engineer-designed

Audit logic, finding criteria, severity scoring, and remediation patterns are designed by credentialed engineers (CCSP, GCP Professional Cloud Architect, AWS Solutions Architect). We update the pipeline as new CIS Benchmarks ship, AWS service capabilities expand, and incident patterns surface in the field.

Read-only automated execution

You deploy a CloudFormation template that creates a read-only audit role in your AWS account. We never get write access. The scan reads configuration metadata only — no traffic capture, no log ingestion, no agent installation. Findings are derived from API responses describing your environment’s configured state.

LLM-assisted analysis

Raw scanner output (typically 150-400 findings per AWS audit) is consolidated into 25-40 issue families, prioritized by severity and remediation effort, and rendered as actionable findings with executable CLI commands, rollback procedures, and verification steps. Analysis is automated; the underlying audit logic is engineer-designed.

Manual Cloud Audit follows a different methodology — CloudCheck 360°, 8 categories, senior-engineer review. Automated tiers cover the 6-category configuration audit; manual tiers add architecture review, IR readiness, and engagement-specific scoping. See CloudCheck 360° methodology →

Multi-cloud

AWS today. AWS, GCP, and Azure for manual depth.

Automated audits — Free Scan and $499 Full Report — currently support AWS only. GCP and Azure automated audits are on the roadmap. Manual Cloud Audit and Implementation engagements are available across all three clouds today.

AWS

Automated + manual. Free Scan, $499 Full Report, Manual Cloud Audit from $4,999, Implementation custom-scoped.

GCP

Manual only. Manual Cloud Audit from $4,999, Implementation custom-scoped. Same 8-category CloudCheck 360° methodology adapted for GCP services.

Azure

Manual only. Manual Cloud Audit from $4,999, Implementation custom-scoped. Same 8-category CloudCheck 360° methodology adapted for Azure services.

AWS, GCP, and Microsoft Azure are trademarks of their respective owners. We are not affiliated with, endorsed by, or sponsored by these companies.

Compliance

Findings that drop directly into your audit evidence package.

Both the Free Scan and the $499 Full Report ship with explicit CIS AWS Foundations Benchmark v1.5 mapping per finding. Manual Cloud Audit can scope additional framework cross-references when your evidence package needs them. The CIS mapping is the backbone; everything else is a Manual tier add-on.

CIS AWS Foundations v1.5 — primary control set.

Typical audit: 85 of 152 findings map directly to CIS v1.5 controls. Top failed controls in recent engagements:

  • 5.1 Network ACL ingress from 0.0.0.0/0 to admin ports
  • 1.10 MFA enabled for all IAM users with console password
  • 1.16 IAM policies allowing full *:* admin privileges
  • 2.1.5 S3 buckets configured with Block public access
  • 3.1 CloudTrail enabled in all regions
  • 3.5 AWS Config enabled in all regions
  • 3.8 Rotation enabled for customer-created symmetric CMKs

Framework cross-references — Manual Cloud Audit only.

When your engagement is scoped to include compliance evidence, Manual Cloud Audit adds explicit framework cross-references on top of the CIS mapping:

  • SOC 2 CC1, CC4, CC6, CC7
  • HIPAA § 164.312(a), (b), (c), (d), (e)
  • PCI DSS R3, R7, R8, R10, R11
  • ISO 27001 A.5, A.8 control families
  • NIST 800-53 AC, AU, IA, SC, SI families

Common questions

Quick answers.

An AWS security audit is a structured assessment of your AWS account configuration for security vulnerabilities, misconfigurations, compliance gaps, and cost-optimization opportunities. Cloud Upload’s audits cover six categories: IAM, Network, Data, Logging, FinOps, and Architecture — using CIS AWS Foundations Benchmark v1.5 and AWS Well-Architected Security Pillar methodology. Free automated audits give you a letter grade and top findings; paid audits add full findings with evidence, CVSS scoring, remediation guidance, and FinOps dollar amounts.

Cloud Upload’s AWS audit covers six categories: (1) IAM — root account usage, MFA, password policy, user/role privilege analysis, access key rotation; (2) Network — security groups, NACLs, public exposure, VPC Flow Logs, internet-facing resources; (3) Data — S3/EBS/RDS/DynamoDB encryption, KMS key rotation, public access blocks; (4) Logging — CloudTrail configuration, AWS Config rules, GuardDuty, log retention; (5) FinOps — idle resources, oversized instances, unattached EBS volumes, Reserved Instance opportunities; (6) Architecture — Well-Architected Security Pillar alignment, secrets management, backup posture. All findings include severity scoring, evidence, and remediation guidance.

Annually at minimum, plus after major architecture changes (new VPC, new product line, acquisition, or significant IAM restructure). Most SOC 2 Type II auditors expect annual evidence. High-velocity engineering teams often run audits quarterly to catch drift between formal annual audits. Cloud Upload’s Free Scan makes ongoing baseline monitoring practical without subscription commitment.

Cloud security audits are configuration-layer assessments — they review IAM, network, encryption, logging, and architecture settings against best-practice frameworks. Penetration testing is application-layer offensive testing — credentialed engineers actively probe your web app, API, mobile, or network for exploitable vulnerabilities. Most SaaS companies need both: audits for ongoing compliance and configuration hygiene; pen tests for evidence of secure application code. See our manual pen testing tier →

Cloud Upload’s AWS audits ship with CIS AWS Foundations Benchmark v1.5 mapping per finding. Both the Free Scan and the $499 Full Report use the same CIS mapping. Manual Cloud Audit can scope additional framework cross-references (AWS Well-Architected Security Pillar, NIST 800-53, and customer-specific compliance evidence packages) when requested as part of the engagement.

Yes — and increasingly, your enterprise customers require it. Customer security questionnaires regularly ask for evidence of cloud audits. Investor due diligence for Series B+ rounds typically includes security review. Cloud Upload’s Free Audit gives baseline visibility for $0; the $499 Full Report provides per-finding evidence and CIS mapping; Manual Cloud Audit at $4,999+ delivers senior-engineer review for buyers with complex environments or multi-customer security questionnaires.

Same scan, different depth of presentation. The Free Scan returns a letter grade, severity counts across all 6 categories, and 8–12 representative findings — enough to see the overall picture and surface top FinOps wins. The $499 Full Audit Report unlocks all findings with evidence (specific resource IDs, screenshots where applicable), CVSS 3.1 scoring per finding, remediation guidance per finding, FinOps findings with calculated dollar amounts, and CIS AWS Foundations Benchmark v1.5 mapping per finding.

AWS Inspector is a vulnerability scanner — automated assessment of EC2 instances, container images, and Lambda functions for known CVEs and configuration weaknesses. AWS GuardDuty is a threat detection service — continuous monitoring of CloudTrail, VPC Flow Logs, and DNS logs for anomalous behavior (e.g., compromised credentials, crypto-mining instances). Both are AWS-managed; both produce findings; they answer different questions. Inspector tells you what’s vulnerable; GuardDuty tells you when something’s actively going wrong. Cloud Upload’s audit reviews configuration of both — whether they’re enabled, whether findings are being acted on.

Yes — AWS Macie is a data loss prevention (DLP) service focused on S3. It uses machine learning to discover sensitive data (PII, credentials, financial data) in S3 buckets and alerts when it appears in unexpected locations. Cloud Upload’s Cloud Audit reviews Macie configuration as part of the Data category — whether it’s enabled, what coverage you have across accounts, whether findings are being routed to a response process.

AWS Inspector is the primary AWS-native automated security assessment service. It scans EC2 instances and container images for known vulnerabilities. Cloud Upload’s free Cloud Scan complements Inspector — it covers configuration audits across IAM, Network, Data, Logging, FinOps, and Architecture using CIS AWS Foundations Benchmark methodology. Most teams run both: Inspector for ongoing vulnerability scanning, Cloud Upload for periodic configuration audits and compliance evidence.
