> prowler aws --severity critical high --compliance cis_2.0_
You migrated to the cloud for agility and scale. Attackers migrated to the cloud because you left the defaults on. Misconfiguration is now the number one cause of cloud breaches — and the fix is almost always a settings change, not a rewrite.
AWS, Azure, and GCP invest billions in securing their platforms. But security of the cloud is their responsibility — security in the cloud is yours. That shared responsibility model is where almost every breach begins, because most organisations assume the provider has it covered. They haven't. The defaults are permissive by design, and the documentation is measured in hundreds of thousands of pages. Nobody reads all of it. Attackers don't need to.
Publicly exposed S3 buckets, overly permissive IAM policies, security groups that allow 0.0.0.0/0 on port 22, unencrypted storage, disabled logging — these aren't exotic attack vectors. They're checkboxes that someone forgot to tick (or untick). And they account for more cloud breaches than every zero-day combined.
Our cloud configuration review systematically audits your environment against industry benchmarks, identifies every misconfiguration, and gives you a prioritised remediation plan. Not a 400-page PDF of scanner output — a clear, actionable report that your engineering team can work through in order of risk.
Every major cloud provider operates a shared responsibility model. They secure the hypervisor, the physical data centres, and the global network. You secure everything you deploy on top of it — the IAM policies, the network rules, the storage permissions, the encryption settings. When a breach occurs because of a misconfigured security group, the cloud provider's SLA is perfectly intact. Your data, however, is not.
We assess your cloud environment across six critical domains. Each one is a category where a single misconfiguration can expose your entire estate.
Our reviews are anchored to the CIS (Centre for Internet Security) Benchmarks — the industry-recognised gold standard for cloud configuration. We combine automated tooling with manual expert analysis, because some misconfigurations require context that no scanner can provide.
Whether you're all-in on a single provider or running a multi-cloud estate, we have you covered. Our review scope adapts to each platform's native services and terminology.
| Domain | AWS | Azure | GCP |
|---|---|---|---|
| Identity & Access | IAM, STS, Organizations, SSO | Entra ID, RBAC, Managed Identities | Cloud IAM, Workload Identity, Organization Policies |
| Networking | VPC, Security Groups, NACLs, Transit Gateway | VNet, NSGs, Azure Firewall, Private Link | VPC, Firewall Rules, Cloud Armor, Private Google Access |
| Storage | S3, EBS, EFS, Glacier | Blob Storage, Managed Disks, Azure Files | Cloud Storage, Persistent Disks, Filestore |
| Logging | CloudTrail, CloudWatch, VPC Flow Logs | Azure Monitor, Activity Log, NSG Flow Logs | Cloud Logging, Cloud Audit Logs, VPC Flow Logs |
| Compute | EC2, ECS, EKS, Lambda | VMs, AKS, Container Instances, Functions | Compute Engine, GKE, Cloud Run, Cloud Functions |
| Secrets | KMS, Secrets Manager, Parameter Store | Key Vault, Managed HSM | Cloud KMS, Secret Manager |
Cloud environments change constantly — new services get spun up, IAM roles get cloned with excessive permissions, a developer opens a port "temporarily" and forgets to close it. A configuration review tells you where you stand today. Continuous monitoring tells you when things change tomorrow.
For ongoing cloud security monitoring, see our SOCinaBox managed SOC service — 24/7 threat detection, cloud-native log analysis, and real-time alerting on configuration drift and suspicious API calls across your entire cloud estate.
You can pass every CIS Benchmark check on Monday and be exposed by Friday. Combine periodic cloud configuration reviews with continuous monitoring from SOCinaBox. The review sets the baseline. The SOC alerts you the moment anyone deviates from it. Together, they close the gap between audit and reality.
Every engagement starts with a free, no-obligation scoping call. We'll assess your cloud estate, define the review scope, and give you a clear quote — no surprises, no jargon. The only misconfiguration you should worry about is the one you never checked.