🛡

AWS Security Audit

The most comprehensive AWS security and cost audit available. 18 services. Over 200 checks. Full report in under two minutes.

18 Services Audited
200+ Security Checks
2 min Average Runtime
$0 Cost to Audit
S3 · EC2 · IAM · RDS · CloudTrail · GuardDuty · Lambda · VPC · KMS · CloudWatch · DynamoDB · ECR · SNS · SQS · Secrets Manager · ELB · OpenSearch · AWS Config
🔌

Connect Your AWS Account

Enter your credentials and we handle the rest

Create a temporary read-only IAM user with the PipelineAtlasReadOnly policy, and delete the key after the audit completes.

Your full report will be emailed here as an attachment the moment the audit finishes.

Select the primary region your resources are deployed in.


Services to Audit · 18 Total
🔒

Your credentials are never stored. They are used only to make read-only API calls and are cleared from memory immediately after the connection is established. All traffic is encrypted via HTTPS. The audit policy has zero write permissions and cannot modify or delete any resources.

18 Services Audited

Every check is read-only. We look, never touch. Zero changes made to your account.

🪣

Amazon S3

  • Public access block gaps
  • Encryption at rest status
  • Server access logging
  • Versioning and MFA Delete
⚙️

EC2 and Networking

  • Security groups open to the internet
  • IMDSv1 metadata service exposure
  • Unattached EBS volumes with cost
  • Stopped instances with EBS charges
👤

IAM and Identity

  • Root account MFA and access keys
  • User MFA enforcement gaps
  • Old and unused access keys
  • Admin policy over-permissioning
🗄️

RDS Databases

  • Publicly accessible instances
  • Storage encryption status
  • Backup retention and deletion protection
  • Multi-AZ and snapshot costs
📋

CloudTrail

  • Logging enabled across all regions
  • Log file validation
  • CloudWatch Logs integration
  • Insights for anomaly detection
🛡

GuardDuty

  • Threat detection enabled
  • Unresolved active threats
  • S3 protection status
📐

AWS Config

  • Configuration recording active
  • All resource types covered
  • Compliance rules and violations
  • Delivery channel configured
🔑

KMS Encryption Keys

  • Automatic key rotation enabled
  • Overly permissive key policies
  • Keys pending deletion
λ

Lambda Functions

  • Deprecated and end-of-life runtimes
  • Secrets stored in environment variables
  • Admin IAM roles attached
  • Public function URLs without auth
🌐

VPC and Networking

  • VPC Flow Logs not enabled
  • Default VPC in use for production
  • Subnets auto-assigning public IPs
  • Overly permissive NACLs
📊

CloudWatch

  • Log groups with no retention policy
  • Missing root account usage alarms
  • No alarm for unauthorized API calls
  • Missing CloudTrail change alarms
🔔

SNS Topics

  • Topics with public access policies
  • Unencrypted topics at rest
  • Subscriptions pending confirmation
📬

SQS Queues

  • Queues with public access
  • Unencrypted message queues
  • No dead-letter queue configured
  • Very short message retention
🤫

Secrets Manager

  • Secrets without automatic rotation
  • Overdue rotation schedules
  • Potentially unused secrets
⚖️

Load Balancers

  • HTTP not redirecting to HTTPS
  • Outdated TLS security policies
  • Access logging disabled
  • Deletion protection off

DynamoDB

  • Point-in-time recovery not enabled
  • Encryption with customer-managed keys
  • Deletion protection disabled
  • Fixed provisioned capacity waste
📦

ECR Container Images

  • Image scanning on push disabled
  • Mutable image tags
  • No lifecycle policy, accumulating cost
  • Critical and high CVEs in images
🔍

OpenSearch

  • Domains not deployed in a VPC
  • Encryption at rest disabled
  • Node-to-node encryption off
  • HTTPS not enforced