Client Overview
Cloud-native fintech company built on AWS over 18 months, prioritising features over security. Used Terraform for IaC but security configs not consistently reviewed. Needed assessment before RBI compliance audit and investor due diligence.
Challenge
Fast development pace created security debt. Multiple AWS accounts with inconsistent configurations. Engineering team lacked dedicated cloud security expertise. Upcoming regulatory requirements demanded a thorough assessment.
Our Approach
Codesecure conducted a comprehensive AWS cloud security audit covering the following areas:
• IAM review — accounts, roles, policies, access keys, MFA, least privilege
• S3 bucket audit — public access, encryption, versioning, logging, lifecycle
• VPC review — subnets, security groups, NACLs, NAT gateways, private endpoints
• Data protection — KMS encryption, TLS, secrets management
• Logging — CloudTrail, GuardDuty, Config Rules, CloudWatch
• Compute — EC2 metadata protection, ECS/EKS container security, Lambda permissions
• CIS AWS Foundations Benchmark mapping
Results
23 findings were identified — 3 critical, 9 high, and 11 medium severity.
Critical findings included:
• IAM user with AdministratorAccess and no MFA
• S3 bucket with customer KYC documents publicly readable
• CloudTrail disabled in two regions
High-severity findings included:
• Overly permissive security groups
• Unencrypted RDS snapshots
• Missing VPC flow logs
All critical findings were remediated immediately, and a revalidation assessment confirmed that all 23 findings had been closed.
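The three critical findings above are all detectable from plain API data, so here is an added example of what an automated check for them looks like. This is illustrative code written for this page, not Codesecure's audit tooling and not from the client's environment. It assumes the inputs have the shape of the boto3 responses each function names in its docstring (iam.list_users, iam.list_attached_user_policies, iam.list_mfa_devices, s3.get_public_access_block, s3.get_bucket_policy, cloudtrail.describe_trails, cloudtrail.get_trail_status) and that the caller already fetched them; the sample data, the account ID, the region list and the choice to rate an incomplete public access block as "high" rather than "critical" are all constructed assumptions.

```python
"""Offline checks for three critical finding types from the audit above:
an IAM user with AdministratorAccess and no MFA, a publicly readable S3
bucket, and regions with no active CloudTrail. Inputs mirror boto3 response
shapes; all sample data below is constructed, not from any real account."""
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def check_iam_admins_without_mfa(users, attached_policies, mfa_devices):
    """users: iam.list_users()["Users"]
    attached_policies: {UserName: iam.list_attached_user_policies(UserName=u)["AttachedPolicies"]}
    mfa_devices: {UserName: iam.list_mfa_devices(UserName=u)["MFADevices"]}"""
    findings = []
    for user in users:
        name = user["UserName"]
        is_admin = any(p["PolicyArn"] == ADMIN_POLICY_ARN for p in attached_policies.get(name, []))
        if is_admin and not mfa_devices.get(name):  # empty list or absent key means no MFA
            findings.append(("critical", f"IAM user {name}: AdministratorAccess attached, no MFA device"))
    return findings


def _principal_is_everyone(principal):
    # Policy documents express "anyone" as Principal "*" or {"AWS": "*"} (string or list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def check_s3_public_access(buckets, pab_configs, bucket_policies):
    """buckets: s3.list_buckets()["Buckets"]
    pab_configs: {Name: s3.get_public_access_block(Bucket=b)["PublicAccessBlockConfiguration"]},
      None where the call raised NoSuchPublicAccessBlockConfiguration
    bucket_policies: {Name: s3.get_bucket_policy(Bucket=b)["Policy"]} (JSON string), None if no policy"""
    findings = []
    for bucket in buckets:
        name = bucket["Name"]
        cfg = pab_configs.get(name) or {}
        missing = [k for k in PAB_KEYS if not cfg.get(k, False)]
        policy = bucket_policies.get(name)
        statements = json.loads(policy).get("Statement", []) if policy else []
        if isinstance(statements, dict):  # a single statement may be written without a list
            statements = [statements]
        public_policy = any(
            s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal")) and "Condition" not in s
            for s in statements
        )
        # RestrictPublicBuckets=true neutralises an existing public policy for anonymous callers.
        if public_policy and not cfg.get("RestrictPublicBuckets", False):
            findings.append(("critical", f"S3 bucket {name}: policy allows Principal * and nothing blocks it"))
        elif missing:
            findings.append(("high", f"S3 bucket {name}: public access block incomplete ({', '.join(missing)})"))
    return findings


def check_cloudtrail_coverage(trails, trail_logging, regions_in_use):
    """trails: cloudtrail.describe_trails()["trailList"] (shadow trails are included by default)
    trail_logging: {TrailARN: cloudtrail.get_trail_status(Name=arn)["IsLogging"]}
    regions_in_use: regions where the account actually runs resources (an assumption supplied by the caller)"""
    active = [t for t in trails if trail_logging.get(t["TrailARN"], False)]  # a stopped trail covers nothing
    if any(t.get("IsMultiRegionTrail") for t in active):
        return []
    covered = {t["HomeRegion"] for t in active}
    return [("critical", f"CloudTrail: no logging trail covers region {r}")
            for r in sorted(set(regions_in_use) - covered)]


# Constructed sample inputs (hypothetical account 123456789012).
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}, {"UserName": "carol"}]
SAMPLE_ATTACHED = {
    "alice": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
    "bob": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}],
    "carol": [{"PolicyName": "ReadOnlyAccess", "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}],
}
SAMPLE_MFA = {"bob": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/bob"}]}
SAMPLE_BUCKETS = [{"Name": "kyc-documents"}, {"Name": "app-logs"}, {"Name": "static-assets"}]
SAMPLE_PAB = {
    "kyc-documents": None,
    "app-logs": dict.fromkeys(PAB_KEYS, True),
    "static-assets": {**dict.fromkeys(PAB_KEYS, True), "BlockPublicAcls": False},
}
SAMPLE_POLICIES = {
    "kyc-documents": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::kyc-documents/*"}]}),
    "app-logs": None,
    "static-assets": None,
}
MAIN_TRAIL_ARN = "arn:aws:cloudtrail:ap-south-1:123456789012:trail/main"
SAMPLE_TRAILS = [{"Name": "main", "TrailARN": MAIN_TRAIL_ARN, "HomeRegion": "ap-south-1", "IsMultiRegionTrail": False}]
SAMPLE_LOGGING = {MAIN_TRAIL_ARN: True}
SAMPLE_REGIONS = ["ap-south-1", "us-east-1", "eu-west-1"]


def run_audit():
    """All findings from the sample data, highest severity first."""
    findings = (check_iam_admins_without_mfa(SAMPLE_USERS, SAMPLE_ATTACHED, SAMPLE_MFA)
                + check_s3_public_access(SAMPLE_BUCKETS, SAMPLE_PAB, SAMPLE_POLICIES)
                + check_cloudtrail_coverage(SAMPLE_TRAILS, SAMPLE_LOGGING, SAMPLE_REGIONS))
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, detail in run_audit():
        print(f"[{severity.upper():8}] {detail}")
```

On the sample, alice is flagged (admin, no MFA) while bob is not (admin, but an MFA device is registered), kyc-documents is critical because its policy grants s3:GetObject to Principal * and no public access block exists, static-assets is only high because its block is merely incomplete, and a single-region trail in ap-south-1 leaves us-east-1 and eu-west-1 uncovered, which is exactly the "disabled in two regions" pattern. Note that the CloudTrail check treats a trail that exists but is not logging as absent; a describe-only check would miss that.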
Conclusion
For cloud-native fintech companies, a cloud security audit is essential before regulatory audits and investor reviews. The client established a strong security baseline and demonstrated compliance readiness. Contact Codesecure to discuss how we can help secure your cloud environment.