US-037 · US-038 · US-039 · US-040 · US-112
L6 — Cloud Security Posture
AWS Account: 123456789012 · Read-only IAM role · Prowler + CloudFox
3 Critical · 5 High · 8 Medium · 71% CIS Score
Connect Cloud Account US-037
AWS · Azure US-112 · GCP
✓ AWS Account 123456789012 connected · Read-only IAM role active
Deploy via CloudFormation (1-click):

```bash
# Creates the SOCVault read-only cross-account role in the target account.
# CAPABILITY_NAMED_IAM is required because the template creates an IAM role
# with an explicit RoleName.
aws cloudformation deploy \
  --template-file socvault-readonly-role.yaml \
  --stack-name SOCVault-ReadOnly \
  --capabilities CAPABILITY_NAMED_IAM
```
External ID: sv-ext-a8f3b2c9 (enforced as an sts:ExternalId condition on the role's trust policy, so a third party that can reach the scanner cannot assume this role: confused-deputy protection) · Permissions: Describe*/Get*/List* only
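Before trusting a "read-only" cross-account role, check the two things the summary above promises: the trust policy only admits the scanner account and only with the External ID, and the permission policy contains nothing outside Describe*/Get*/List*. The script below is an added example, not SOCVault's template or tooling; the policy documents are constructed to look like what socvault-readonly-role.yaml would create, and the scanner account ID 111111111111 is an assumed placeholder.

```python
"""Check that a cross-account scanner role is really read-only and confused-deputy safe.

Added example; this is not SOCVault's template or tooling. The policy documents
are constructed to look like what socvault-readonly-role.yaml would create; the
scanner account ID 111111111111 is an assumed placeholder.
"""
import re

SCANNER_ACCOUNT = "111111111111"          # assumed SOCVault scanner account
EXPECTED_EXTERNAL_ID = "sv-ext-a8f3b2c9"  # External ID shown on the dashboard

# Only Describe*/Get*/List* actions count as read-only for this role.
READ_ONLY_ACTION = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z0-9]*\*?$")

# Constructed trust policy: the scanner account may assume the role only when it
# presents the External ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}

# Constructed weak variant: any AWS principal, no External ID condition.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

# Constructed permission policies: one that matches the dashboard's claim, one that does not.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:GetBucket*",
                   "s3:ListAllMyBuckets", "cloudtrail:DescribeTrails"],
        "Resource": "*",
    }],
}
WEAK_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:*", "iam:PutRolePolicy"], "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def trust_policy_problems(doc, scanner_account, external_id):
    """Return the problems found in AssumeRole grants; an empty list means every
    grant is scoped to the scanner account and conditioned on the External ID."""
    problems = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or f"arn:aws:iam::{scanner_account}:" not in p:
                problems.append(f"principal {p} is not the scanner account")
        condition = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if condition != external_id:
            problems.append("sts:ExternalId condition missing or does not match")
    return problems


def non_read_only_actions(doc):
    """Return every allowed action that is not Describe*/Get*/List*,
    i.e. anything that could create, modify or delete."""
    return [
        action
        for stmt in _as_list(doc.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        for action in _as_list(stmt.get("Action", []))
        if not READ_ONLY_ACTION.match(action)
    ]


if __name__ == "__main__":
    print("trust:", trust_policy_problems(TRUST_POLICY, SCANNER_ACCOUNT, EXPECTED_EXTERNAL_ID) or "ok")
    print("weak trust:", trust_policy_problems(WEAK_TRUST_POLICY, SCANNER_ACCOUNT, EXPECTED_EXTERNAL_ID))
    print("permissions:", non_read_only_actions(PERMISSION_POLICY) or "ok")
    print("weak permissions:", non_read_only_actions(WEAK_PERMISSION_POLICY))
```

Note that Get* is broader than a posture scan needs: s3:GetObject is a data-plane read, so a role that passes this check can still download bucket contents unless the permission policy or a resource policy denies object reads.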
IAM Privilege Escalation Paths — CloudFox US-038
⚠ 2 privilege escalation paths found; the first lets an attacker reach AdministratorAccess, the second full S3 access
| Path | From Role | To | Risk |
|---|---|---|---|
| `iam:CreatePolicyVersion`: can publish a new default version of an attached managed policy, granting AdministratorAccess | dev-ci-role | AdministratorAccess | CRITICAL |
| `lambda:UpdateFunctionCode`: code pushed into the function runs under an execution role that has `s3:*`, so all bucket data can be read and exfiltrated | lambda-processor-role | S3 Full Access | HIGH |
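The two rows above are instances of general patterns: a principal that can rewrite a policy it is bound by, and a principal that can push code into a Lambda whose execution role is broader than its own. The script below is an added example showing how such paths are derived from an IAM inventory; it is not CloudFox's code or output format. The inventory is constructed: the role names come from the table, while the deploy-role caller and the order-processor function are assumed so that the Lambda path has a principal holding lambda:UpdateFunctionCode and the execution role (lambda-processor-role) appears as the target.

```python
"""Find the two privilege escalation patterns in the table from an IAM inventory.

Added example; not CloudFox's code or output format. The inventory below is
constructed: role names come from the table, the deploy-role principal and the
order-processor function are assumed so that the Lambda path has a caller.
"""
from fnmatch import fnmatchcase

# Constructed inventory: effective Allow actions per role (attached and inline
# policies already flattened) and the execution role of each Lambda function.
ROLE_ACTIONS = {
    "dev-ci-role": ["codebuild:*", "iam:CreatePolicyVersion", "iam:GetPolicy", "s3:GetObject"],
    "lambda-processor-role": ["s3:*", "logs:CreateLogStream", "logs:PutLogEvents"],
    "deploy-role": ["lambda:UpdateFunctionCode", "lambda:GetFunction"],
    "readonly-role": ["ec2:Describe*", "s3:Get*"],
}
LAMBDA_FUNCTIONS = {"order-processor": "lambda-processor-role"}

# Actions that let a principal rewrite the policies it is itself bound by.
# CreatePolicyVersion with --set-as-default rewrites an attached managed policy in place.
POLICY_REWRITE_ACTIONS = (
    "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy",
)


def allows(actions, wanted):
    """True if any allowed action pattern (e.g. 's3:*', 'iam:*') covers the wanted action."""
    return any(fnmatchcase(wanted, pattern) for pattern in actions)


def find_privesc_paths(role_actions, lambda_functions):
    """Return escalation paths as dicts with the table's columns: path, from, to, risk."""
    paths = []
    for role, actions in role_actions.items():
        # Path 1: the role can change its own effective permissions to anything.
        for action in POLICY_REWRITE_ACTIONS:
            if allows(actions, action):
                paths.append({"path": action, "from": role, "to": "AdministratorAccess", "risk": "CRITICAL"})
                break
        # Path 2: pushing code into a function means running as that function's execution role.
        if allows(actions, "lambda:UpdateFunctionCode"):
            for function, exec_role in lambda_functions.items():
                wildcards = [a for a in role_actions.get(exec_role, []) if a == "*" or a.endswith(":*")]
                if not wildcards:
                    continue
                admin = "*" in wildcards
                paths.append({
                    "path": f"lambda:UpdateFunctionCode ({function})",
                    "from": role,
                    "to": "AdministratorAccess" if admin else f"{wildcards[0]} via {exec_role}",
                    "risk": "CRITICAL" if admin else "HIGH",
                })
    return paths


def to_markdown(paths):
    """Render paths in the same column layout as the dashboard table."""
    rows = ["| Path | From Role | To | Risk |", "|---|---|---|---|"]
    rows += [f"| {p['path']} | {p['from']} | {p['to']} | {p['risk']} |" for p in paths]
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_markdown(find_privesc_paths(ROLE_ACTIONS, LAMBDA_FUNCTIONS)))
```

This only evaluates Allow statements; explicit Deny statements, permissions boundaries and SCPs can block a path that this reports, so treat the output as candidates to confirm, which is also why a real tool does a fuller evaluation before printing a row.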
S3 Bucket Exposure & Encryption Status US-040
| Bucket Name | Public Access Block | Encryption | Versioning | Logging | Risk |
|---|---|---|---|---|---|
| acme-user-uploads | ❌ Disabled | ✓ AES-256 | ✓ On | ⚠ Off | CRITICAL |
| acme-backups | ✓ Enabled | ❌ None | ⚠ Off | ✓ On | HIGH |
| acme-static-assets | ✓ Enabled | ✓ AES-256 | ✓ On | ✓ On | PASS |
| acme-logs | ✓ Enabled | ⚠ SSE-S3 (AES-256, S3-managed key) | ✓ On | ✓ On | MEDIUM |
Note: SSE-S3 is the AES-256 default, the same setting the PASS row has. The MEDIUM on acme-logs is therefore about key management, not the cipher: a log bucket encrypted with the S3-managed key rather than a customer-managed KMS key (CIS expects KMS encryption for CloudTrail log buckets, for example).
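How the Risk column follows from the other four columns, and what to run to clear each finding, as an added example that is neither SOCVault's nor Prowler's code. The bucket configurations are constructed from the table; the access-log target bucket and the KMS key alias used in the remediation commands are assumed placeholders, and the MEDIUM on acme-logs is modelled as "log bucket without a customer-managed KMS key".

```python
"""Rate each bucket the way the exposure table does and emit the fix for each finding.

Added example; not SOCVault's or Prowler's code. The bucket configurations are
constructed from the table. The access-log target bucket and the KMS key alias
used in the remediation commands are assumed placeholders.
"""
import json
import shlex

LOG_TARGET_BUCKET = "acme-logs"   # assumed: where server access logs are delivered
LOG_KMS_KEY = "alias/acme-logs"   # assumed: customer-managed key for the log bucket

# Constructed from the table. encryption is the default SSE algorithm (None = no
# default encryption); holds_logs marks buckets where a customer-managed KMS key
# is expected rather than SSE-S3.
BUCKETS = {
    "acme-user-uploads":  {"public_access_block": False, "encryption": "AES256", "versioning": True,  "logging": False, "holds_logs": False},
    "acme-backups":       {"public_access_block": True,  "encryption": None,     "versioning": False, "logging": True,  "holds_logs": False},
    "acme-static-assets": {"public_access_block": True,  "encryption": "AES256", "versioning": True,  "logging": True,  "holds_logs": False},
    "acme-logs":          {"public_access_block": True,  "encryption": "AES256", "versioning": True,  "logging": True,  "holds_logs": True},
}

SEVERITY_RANK = {"PASS": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def _sse_command(bucket, algorithm, kms_key=None):
    """Build the put-bucket-encryption call for a default SSE rule."""
    rule = {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": algorithm}}
    if kms_key:
        rule["ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"] = kms_key
    cfg = shlex.quote(json.dumps({"Rules": [rule]}))
    return f"aws s3api put-bucket-encryption --bucket {bucket} --server-side-encryption-configuration {cfg}"


def findings(bucket, cfg):
    """Return (severity, issue, remediation command) for every failed check."""
    out = []
    if not cfg["public_access_block"]:
        out.append(("CRITICAL", "public access block disabled",
                    f"aws s3api put-public-access-block --bucket {bucket} --public-access-block-configuration "
                    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"))
    if cfg["encryption"] is None:
        out.append(("HIGH", "no default encryption", _sse_command(bucket, "AES256")))
    if not cfg["versioning"]:
        out.append(("HIGH", "versioning off",
                    f"aws s3api put-bucket-versioning --bucket {bucket} --versioning-configuration Status=Enabled"))
    if not cfg["logging"]:
        status = shlex.quote(json.dumps(
            {"LoggingEnabled": {"TargetBucket": LOG_TARGET_BUCKET, "TargetPrefix": f"{bucket}/"}}))
        out.append(("MEDIUM", "server access logging off",
                    f"aws s3api put-bucket-logging --bucket {bucket} --bucket-logging-status {status}"))
    if cfg["holds_logs"] and cfg["encryption"] != "aws:kms":
        out.append(("MEDIUM", "log bucket uses SSE-S3 rather than a customer-managed KMS key",
                    _sse_command(bucket, "aws:kms", LOG_KMS_KEY)))
    return out


def rate(bucket, cfg):
    """Overall risk is the most severe failed check; PASS when nothing failed."""
    return max((f[0] for f in findings(bucket, cfg)), key=SEVERITY_RANK.get, default="PASS")


def remediation(bucket, cfg):
    """The CLI commands that would clear every finding, in table-column order."""
    return [f[2] for f in findings(bucket, cfg)]


if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(f"{name}: {rate(name, cfg)}")
        for cmd in remediation(name, cfg):
            print("   ", cmd)
```

Enabling the public access block on acme-user-uploads will break any client that relied on public reads, so check the bucket policy and CloudFront origin configuration before running that command; the other fixes are non-disruptive.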
CIS AWS Foundations Benchmark — Prowler US-039
CIS Level 1
- ✓ MFA enabled on root account
- ✓ CloudTrail enabled in all regions
- ❌ Root account access keys exist
- ❌ S3 public access block not universal
- ✓ Password policy meets requirements
CIS Level 2
- ❌ VPC flow logs not enabled
- ❌ EBS volumes unencrypted (3)
- ✓ Config rules enabled
- ❌ Security Hub not enabled
- ✓ GuardDuty enabled
CIS Compliance Score
71% · 32/45 controls passing