LeapScan · Confidential Audit Report
AWS Security Assessment — SaaS Startup
Account: 1234-XXXX-5678  |  Region: us-east-1 + eu-west-1  |  Scanned: March 2026  |  Engine: v3.1 / 131 checks
Security Score: 41 / 100
8 Critical  |  11 High  |  14 Medium  |  98 Passed

Executive Summary

This SaaS startup has a strong foundational AWS setup — EBS encryption is on, GuardDuty is active, and CloudTrail is logging globally. However, 3 years of rapid growth have created significant IAM sprawl. The most critical findings are 12 access keys older than 400 days (one belonging to a former contractor) and a Lambda function with a hardcoded STRIPE_SECRET_KEY visible in environment variables. These two findings alone represent an existential billing and data-breach risk. Remediation of the critical items is estimated at 4 engineering hours.

Critical Findings
CRITICAL
12 IAM Access Keys Older Than 400 Days — Including 1 Terminated Employee
Keys belonging to user contractor_dev_2021 were created 1,386 days ago and never rotated or deactivated. This account has S3 read access to the production data bucket.
aws iam delete-access-key --user-name contractor_dev_2021 --access-key-id AKIA...XYZ
aws iam update-access-key --user-name api_service --access-key-id AKIA...ABC --status Inactive
CRITICAL
Lambda Function payment-processor-prod Has Hardcoded Secret in Env Vars
The environment variable STRIPE_SECRET_KEY=sk_live_xxx... is visible in plaintext via the AWS Lambda console and CloudFormation exports. Anyone with read access to your AWS account can read your live Stripe key.
aws lambda update-function-configuration --function-name payment-processor-prod \
    --environment "Variables={STRIPE_SECRET_KEY_ARN=arn:aws:secretsmanager:us-east-1:...}"
CRITICAL
Root Account Has No MFA and Active Access Keys
The AWS root account does not have MFA enabled and has 2 programmatic access keys created in 2021 (CIS Benchmark 1.5). A compromised root account means complete, irreversible account takeover.
1. Log in as root → IAM → Security credentials → Delete both access keys
2. IAM → Activate MFA → Assign Virtual MFA device (Google Authenticator)
CRITICAL
S3 Bucket acme-user-uploads-prod Has Public ACL Enabled
The bucket ACL is set to public-read and the account-level S3 Block Public Access is disabled. Any file uploaded to this bucket is immediately publicly accessible via a direct URL.
aws s3control put-public-access-block --account-id 123456789012 \
    --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
High Severity Findings
HIGH
Security Group sg-0a1b2c3d Allows SSH from 0.0.0.0/0
Port 22 is open to the entire internet on 3 EC2 instances in the default VPC. These instances appear to be development jump boxes. CIS 5.2.
HIGH
4 IAM Users Have Direct AdministratorAccess Policy Attached
Users dev_alice, dev_bob, staging_deploy, and old_admin all have full AdministratorAccess. These should use roles with scoped permissions instead.
HIGH
2 Lambda Functions Running on Deprecated Python 3.8 Runtime (EOL Oct 2024)
AWS no longer patches Python 3.8. Known CVEs in the runtime remain unaddressed. Upgrade to Python 3.12 immediately.
Passing Controls (Sample)
PASS
GuardDuty Enabled in All Regions
Threat detection is active and monitoring VPC Flow Logs, CloudTrail events, and DNS activity.
PASS
CloudTrail Multi-Region Logging with KMS Encryption Enabled
All API activity is logged, encrypted, and integrity-validated. Log file delivery to S3 is functioning.
PASS
All EBS Volumes Encrypted at Rest
All 14 EBS volumes use AWS-managed KMS keys. No unencrypted volumes found.
PASS
RDS Instances Use Encrypted Storage and Multi-AZ Failover
PostgreSQL production instance has encryption-at-rest, automated backups, and a standby replica.