Security Posture
IAM policies, network security, encryption, data protection, and CSPM findings benchmarked against CIS, NIST, and provider best practice. The baseline every other compliance framework inherits from.
Audit category · 03 of 08
01 Scope
What this audit covers
The Security Posture category is the preventive layer: how access, networks, and data are configured before anything goes wrong. It answers the question a compliance auditor, an investor, or a prospect's security questionnaire is really asking.
Identity & access
IAM users, roles, policies, service accounts. Privilege analysis, dormant-identity cleanup, MFA coverage, key rotation, externally assumable roles, federation / SSO configuration.
Network security
Security groups, NACLs, NSGs, firewall rules, Private Endpoints, VPC endpoints, ingress from the internet, internal segmentation, zero-trust readiness.
Data protection
Encryption-at-rest coverage, AWS KMS / Azure Key Vault / Google Cloud KMS key usage, encryption-in-transit, public-bucket exposure, cross-account data access, DLP readiness.
Workload hardening
OS baselines, container image provenance, package-vulnerability exposure, SSH / RDP surface, secret sprawl in instances and functions.
CSPM benchmarks
CIS AWS/Azure/GCP Foundations Benchmark v2, NIST SP 800-53, provider-native recommendations (Security Hub, Defender for Cloud, Security Command Center).
Third-party & integrations
Connected SaaS, OAuth grants, marketplace subscriptions, service-to-service trust boundaries.
02 Why it matters
Most cloud breaches are misconfiguration
Year after year, Verizon's DBIR and the major cloud providers' own incident analyses put the same story on the page: the majority of cloud-native incidents are configuration failures, not zero-days. An overpermissioned role, a forgotten public bucket, a security group that never had its temporary rule removed.
Security posture is where the cheapest, highest-leverage risk reduction sits. It is also where compliance frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS) derive most of their technical controls — fixing posture is simultaneously a security investment and a compliance investment.
03 Method
How we assess it
A three-layer assessment separates real risk from checkbox noise.
Layer A
Breadth — CSPM sweep
Prowler, ScoutSuite, Steampipe, and provider-native security tooling run against every account. CIS benchmark, NIST SP 800-53, and provider best-practice checks generate the raw finding set.
Layer B
Depth — IAM analysis
Policies, trust relationships, and resource-based permissions analyzed with IAM Access Analyzer (AWS), PIM / Entra ID reviews (Azure), and Policy Analyzer (GCP). Privilege-escalation paths modeled explicitly.
Layer C
Context — manual review
Raw CSPM findings are noisy, and many are false positives in context. We triage every medium-and-above finding by hand before delivery. The score reflects real risk, not raw scan output.
04 Deliverables
What you get
- Findings register — every issue classified by severity (critical / high / medium / low), exploitability, and CVSS-style scoring where applicable.
- CIS benchmark scorecard — per-control pass/fail against CIS AWS / Azure / GCP Foundations Benchmark v2. Auditor-ready.
- IAM privilege report — externally assumable roles, excessive privilege, privilege-escalation paths, unused permissions.
- Network exposure map — every path from the internet to a production resource, every cross-segment flow, every public endpoint.
- Encryption & data-protection inventory — what is encrypted, with what key, by whom.
- Remediation roadmap — prioritized by risk × effort. Sprint-sized work packages for your security / platform team.
- Executive summary — one page. Three changes with the largest posture lift, expected outcome, effort estimate.
05 Patterns
Common findings
The posture findings that show up most often:
Overprivileged IAM roles far beyond their actual usage.
Admin-equivalent policies attached where read-only would suffice. IAM Access Analyzer usage-based refinement surfaces this cleanly — the role uses 6 actions, the policy grants 600.
Security groups open to 0.0.0.0/0 on management ports.
SSH or RDP exposed to the internet, usually with a comment like “temporary — for Alice's laptop” from 2022. Replace with bastion, Session Manager, or identity-aware proxy.
Public object storage where private was intended.
S3 buckets, Azure Blob containers, or GCS buckets with ACLs or bucket policies that make them world-readable. Almost always accidental; block-public-access at the account level is the safe default.
Long-lived access keys where federation would work.
IAM users with access keys created years ago, never rotated, used from developer laptops. Replace with SSO + short-lived credentials via AWS IAM Identity Center, Azure AD, or Workload Identity.
Encryption “on” but using default provider keys.
Technically encrypted, but effectively no customer control over the key. Moving to customer-managed keys (CMK/CMEK) is usually low effort and unlocks both cross-account access patterns and compliance posture.
Dormant identities and abandoned service accounts.
Users who left, build systems that retired, OAuth apps nobody remembers granting. Each one is a credential on someone's old laptop, waiting.
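The patterns above are exactly the kind of checks a CSPM sweep (Layer A) turns into raw findings. As an added example that is not part of the original page, the Python script below applies four of them (management ports open to the internet, world-readable storage, provider-default encryption keys, long-lived access keys and dormant identities) to a constructed inventory and orders the result critical-first, the way a findings register is triaged. The inventory schema, field names and sample resources are assumptions made for this demo; they are not a real account and not the output format of any tool named on this page.

```python
"""Added example: a minimal posture checker for the common-finding patterns.
The inventory schema and sample values are assumptions for this demo."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network

MANAGEMENT_PORTS = {22, 3389}      # SSH, RDP
KEY_MAX_AGE_DAYS = 90              # assumed rotation policy
DORMANT_DAYS = 90                  # assumed inactivity threshold
TODAY = date(2024, 6, 1)           # fixed clock so the results are deterministic
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    severity: str      # critical / high / medium / low
    resource: str
    title: str
    remediation: str


def check_security_groups(groups):
    """Management ports reachable from any address (0.0.0.0/0 or ::/0)."""
    out = []
    for sg in groups:
        for rule in sg["ingress"]:
            ports = set(range(rule["from_port"], rule["to_port"] + 1)) & MANAGEMENT_PORTS
            # prefixlen 0 means "the whole internet" for both IPv4 and IPv6
            if ports and ip_network(rule["cidr"]).prefixlen == 0:
                out.append(Finding("high", sg["id"],
                    f"ports {sorted(ports)} open to {rule['cidr']}",
                    "replace with a bastion, Session Manager, or identity-aware proxy"))
    return out


def check_buckets(buckets):
    """World-readable storage not caught by block-public-access; default keys."""
    out = []
    for b in buckets:
        if (b["acl_public"] or b["policy_allows_anonymous"]) and not b["block_public_access"]:
            out.append(Finding("critical", b["name"], "object storage is world-readable",
                "enable block-public-access at the account level, then remove the grant"))
        if b["kms_key"] == "provider-default":
            out.append(Finding("low", b["name"], "encrypted with the provider default key",
                "re-encrypt with a customer-managed key (CMK/CMEK)"))
    return out


def check_identities(users):
    """Dormant identities and long-lived access keys on active ones."""
    out = []
    for u in users:
        last = u["last_activity"]
        if last is None or (TODAY - last).days > DORMANT_DAYS:
            out.append(Finding("medium", u["name"], "identity dormant for over 90 days",
                "disable, confirm with the owner, then delete"))
            continue  # the whole identity goes, no need to report its keys separately
        for key in u["access_keys"]:
            age = (TODAY - key["created"]).days
            if age > KEY_MAX_AGE_DAYS:
                out.append(Finding("medium", f"{u['name']}/{key['id']}",
                    f"long-lived access key ({age} days old)",
                    "move to SSO with short-lived credentials, then delete the key"))
    return out


def assess(inventory):
    """Run every check and order the register critical-first for triage."""
    findings = (check_security_groups(inventory["security_groups"])
                + check_buckets(inventory["buckets"])
                + check_identities(inventory["users"]))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource))


# Constructed sample inventory (hypothetical resources, not a real account)
SAMPLE_INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-mgmt", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
                                      {"cidr": "::/0", "from_port": 3389, "to_port": 3389}]},
        {"id": "sg-internal", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    ],
    "buckets": [
        {"name": "public-assets", "acl_public": True, "policy_allows_anonymous": False,
         "block_public_access": False, "kms_key": "cmk"},
        {"name": "backups", "acl_public": False, "policy_allows_anonymous": False,
         "block_public_access": True, "kms_key": "provider-default"},
    ],
    "users": [
        {"name": "alice", "last_activity": date(2024, 5, 30),
         "access_keys": [{"id": "AKIA-EXAMPLE-1", "created": date(2022, 1, 10)}]},
        {"name": "old-ci-bot", "last_activity": date(2023, 11, 1), "access_keys": []},
    ],
}

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"[{f.severity:8}] {f.resource}: {f.title} -> {f.remediation}")
```

Two design points carry over to real tooling: the internet-exposure test keys on prefix length rather than a string compare, so `::/0` is caught alongside `0.0.0.0/0`; and a dormant identity is reported once as an identity, not once per key, which keeps the register readable. The Layer C step (manual triage of medium-and-above) happens after this output, not inside it.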
06 FAQ
Questions we get asked
Is this the same as a penetration test?
No. Security Posture is a preventive-controls review — configuration, IAM, segmentation, encryption. VAPT is an active test of whether those controls hold up against a real attacker. Most clients do both: posture first, VAPT on the hardened environment.
Do you use only automated tools?
We use CSPM tooling for breadth and manual analysis for depth. Raw CSPM output is noisy; delivering unfiltered scan output is not an audit. Every medium-and-above finding is validated by an engineer before it reaches your register.
Can we use our existing Security Hub / Defender for Cloud / SCC?
Yes. We ingest findings from provider-native tooling and layer our analysis on top. Where you already have a CSPM deployed, our job is to make sense of its output and close the gaps it does not cover.
Is the CIS benchmark scorecard auditor-usable?
Yes. The scorecard is intended to be handed to a SOC 2 or ISO 27001 auditor as evidence of technical-control posture. It does not replace the attestation itself.
How often should this be done?
Full assessment annually. Continuous monitoring via CSPM tooling between. Posture drifts quickly in active environments; a once-every-three-years engagement is not enough.
Related
Benchmarked against CIS Benchmarks. See also VAPT, CI/CD & DevSecOps, and Compliance readiness.
Start with a free Cloud Health Check.
A scoped-down CloudCheck 360° of your current environment. Delivered in five business days, no commitment.