CRITICAL RISK — This account scored 14/100. Immediate remediation required before this environment handles any customer data.
LeapScan · Critical Breach Posture Report
AWS Security Assessment — Pre-Launch Startup (Redacted)
Account: 5555-XXXX-9999  |  Region: us-east-1  |  Scanned: March 2026  |  Engine: v3.1 / 131 checks
Security Score: 14 / 100  |  Critical Findings: 19  |  High Findings: 22

Critical Risk Executive Summary

This account is in a pre-breach state. The root account has been used 3 times in the past 14 days with no MFA. GuardDuty is disabled. CloudTrail is not logging. There is no monitoring of any kind. An attacker with the root password — which has never been changed from a likely weak initial value — has absolute, unlogged control. We strongly recommend halting all production data ingestion until the Critical findings are remediated. Estimated remediation time: 8–12 engineering hours.

Critical Findings — 19 Items
CRITICAL
Root Account Used 3 Times in Last 14 Days — No MFA
CloudTrail shows root console logins from 3 different IP addresses on March 14, 18, and 22. The root account has no MFA. If any of these IPs are not authorized, the account is already compromised. Root keys found: 2 active.
IMMEDIATE: Change root password → Enable Virtual MFA → Delete ALL root access keys
Then: IAM → Account Settings → Verify no active root sessions
CRITICAL
GuardDuty Is Completely Disabled — No Threat Detection
Amazon GuardDuty is not enabled in any region. This means all active threats — crypto-mining, data exfiltration, reconnaissance — are completely invisible. This is a CIS Benchmark 2.0 Level 1 failure.
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES
CRITICAL
CloudTrail Is Disabled — Zero Audit Log Exists
There is no CloudTrail trail active. This means no record exists of any API call, console login, or resource change since account creation. It is impossible to perform forensic investigation of a breach without this log.
aws cloudtrail create-trail --name leapscan-audit-trail --s3-bucket-name my-cloudtrail-logs --is-multi-region-trail
aws cloudtrail start-logging --name leapscan-audit-trail
CRITICAL
7 S3 Buckets Are Publicly Accessible — Including a Database Backup Bucket
A bucket named acme-db-backups-nightly has public read access enabled. It contains 180 MySQL dump files (.sql.gz) dating back 6 months. These dumps likely contain PII subject to GDPR/CCPA.
CRITICAL
All EC2 Security Groups Allow Inbound All Traffic (0.0.0.0/0 on Port 0-65535)
Every EC2 security group uses the rule Allow ALL from 0.0.0.0/0. This means every port on every instance is exposed to the public internet. Port scans and exploitation attempts are certainly underway.
What Is Correctly Configured
PASS
EBS Default Encryption Enabled at Region Level
New EBS volumes are encrypted by default using AWS-managed KMS keys.
PASS
RDS PostgreSQL Instance Uses Encrypted Storage
The production database uses AES-256 encryption at rest.