Capability Brief
AWS Cloud Infrastructure Security Review
We review AWS environments from account-level controls down to individual resource configurations, examining IAM policies, container security, network segmentation, and the gaps between them.
What this is about
Misconfigurations create paths to compromise
AWS environments can span multiple accounts within an organization, each with its own IAM policies, network configurations, and service deployments. Misconfigurations at any level - from an overly permissive IAM role to an EKS pod with access to the Instance Metadata Service - can give attackers a path from initial access to full account compromise. Casaba reviews AWS infrastructure systematically, evaluating identity management, network controls, container orchestration, storage, logging, and secrets management against security best practices.
What we test
Nine focus areas
Account and Organization Security
Management and member account configurations, root account security (hardware MFA, credential usage), AWS Organizations structure.
IAM Policies and Access Controls
Least privilege enforcement, overly permissive roles and policies (wildcard resource access), deprecated roles, access key rotation, credential reports for unused accounts, users with multiple access keys.
Network Segmentation
VPC configurations, security group rules (ingress, egress, inter-group traffic), network ACLs, unused security groups, default security group hardening.
EKS and Container Security
Pod network policies and IMDS access restrictions, IMDSv1 vs. IMDSv2 enforcement on EC2 instances, Kubernetes API server public exposure, security group configuration around clusters, Kubernetes version currency, container image vulnerability scanning.
Storage and Encryption
S3 bucket policies and ACL configurations; encryption at rest for EC2 snapshots, EBS volumes, and SQS queues; KMS key rotation scheduling.
Logging and Monitoring
CloudTrail configuration and CloudWatch integration, VPC flow logs, S3 access logging, ELB and CloudFront logging, credential usage monitoring.
Encryption in Transit
TLS policies on load balancers and CloudFront distributions, clear-text HTTP detection across services and endpoints.
Secrets Management
Detection of secrets embedded in source code and infrastructure configuration files (API keys, tokens, credentials, connection strings), recommendations for centralized secrets management.
DNS and Domain Security
Route 53 domain transfer lock, domain hardening configurations.
How we approach it
Automated scanning plus manual analysis
Casaba uses a combination of automated scanning and manual analysis. Scout Suite is configured with appropriate IAM roles and run against target AWS accounts to identify misconfigurations across all services. Results are triaged manually to remove false positives, then verified in the AWS console.
For EKS environments, Casaba reviews cluster configurations, security groups, and network policies, with particular attention to IMDS access and API server exposure. Network policies are obtained and reviewed to confirm whether egress filtering blocks pod access to metadata endpoints. IAM policies are reviewed for adherence to least privilege, with credential reports pulled and analyzed for unused accounts, missing MFA, and key rotation gaps. Source code repositories are reviewed for embedded secrets using both manual review and automated scanning.
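As an added illustration of the IMDSv2 and credential-report checks described above (example code written for this brief, not Casaba's tooling or Scout Suite), the following Python audits the two API payloads offline: the dictionary shape returned by boto3's ec2.describe_instances() and the CSV returned by iam.get_credential_report(). The sample report and instance list are constructed, and the 90-day rotation and inactivity thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

def find_imdsv1_instances(describe_instances_response):
    """IDs of instances whose metadata endpoint is enabled but does not require IMDSv2 tokens."""
    flagged = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # HttpTokens == "required" is IMDSv2-only; a disabled endpoint has no IMDS exposure
            if opts.get("HttpEndpoint", "enabled") == "enabled" and opts.get("HttpTokens") != "required":
                flagged.append(inst["InstanceId"])
    return flagged

def _age_days(stamp, now):
    if stamp in ("N/A", "no_information", "not_supported", ""):  # report placeholders
        return None
    return (now - datetime.fromisoformat(stamp.replace("Z", "+00:00"))).days

def audit_credential_report(report_csv, now, max_key_age=90, unused_days=90):
    """Flag users without MFA, two active keys, keys older than max_key_age, and unused users."""
    findings = {"no_mfa": [], "two_keys": [], "stale_keys": [], "unused": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] != "false" and row["mfa_active"] == "false":
            findings["no_mfa"].append(user)  # root reports password_enabled=not_supported
        active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if len(active) == 2:
            findings["two_keys"].append(user)
        for n in active:
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings["stale_keys"].append(f"{user}/key{n}")
        uses = [row["password_last_used"]] + [row[f"access_key_{n}_last_used_date"] for n in active]
        if user != "<root_account>" and all((a := _age_days(u, now)) is None or a > unused_days for u in uses):
            findings["unused"].append(user)
    return findings

# Constructed sample data (no real accounts), trimmed to the report columns used above.
SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-05-01T10:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,true,2024-05-28T09:12:00+00:00,false,true,2023-11-02T00:00:00+00:00,2024-05-29T00:00:00+00:00,true,2024-04-01T00:00:00+00:00,N/A
carol,true,2023-12-01T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-0cccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}]}]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
```

Each flagged item maps to a finding pattern in the next section: no_mfa to the root and user MFA gaps, stale_keys and two_keys to key rotation, and the IMDSv1 list to "IMDSv2 Not Enforced".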
What we find
Typical finding patterns
Root Account MFA Gaps
Root accounts without hardware MFA enabled, particularly in member accounts within AWS Organizations.
Overly Broad IAM Policies
Policies with wildcard resource access and deprecated roles that violate least privilege, expanding the blast radius of any credential compromise.
EKS Pod IMDS Access
Pods with unrestricted access to the Instance Metadata Service, enabling IAM role credential theft from within containers.
IMDSv2 Not Enforced
EC2 instances not enforcing IMDSv2, leaving them vulnerable to SSRF-based credential theft.
Exposed Kubernetes API Servers
Kubernetes API servers exposed to public internet traffic with no network restrictions.
S3 Misconfiguration
Buckets with misconfigured ACLs or unintended public access settings that expose sensitive data.
Unencrypted Resources
EC2 snapshots, EBS volumes, and SQS queues without encryption at rest.
Incomplete Logging
Disabled or incomplete logging across CloudTrail, CloudWatch, VPC flow logs, and load balancers, creating blind spots.
Permissive Network Controls
Network ACLs permitting all traffic on all ports, along with overly permissive security groups and unused groups left in the environment.
Secrets in Source Code
API keys, tokens, credentials, and connection strings embedded in source code and infrastructure configuration files.
Missing Domain Transfer Lock
Route 53 domains without transfer lock enabled, leaving them vulnerable to unauthorized domain transfers.
Why it matters
One misconfiguration can chain into full account access
AWS environments can span hundreds of services and thousands of resources. Misconfigurations at the IAM, network, or container level can give attackers a path from a single compromised pod to full account access. An EKS cluster without IMDS restrictions lets an attacker inside a container steal credentials and pivot to other AWS resources. A root account without hardware MFA is one social engineering attack away from total account loss. Secrets left in a code repository survive long after the engineer who committed them has moved on. Regular infrastructure reviews identify these gaps and provide actionable remediation guidance before they become incidents.
Need your systems tested?
We review AWS environments for the misconfigurations that lead to breaches. Let's talk about yours.