top of page

Cloud Secure Configuration Review

What is a cloud secure configuration review?

A cloud secure configuration review is a systematic assessment of how your cloud environment is set up. We work through your AWS, Azure or Google Cloud environment and measure it against established security baselines, identifying settings that deviate from secure configuration such as things that are exposed when they should not be, permissions that are broader than they need to be, and controls that are missing or partially implemented.

Cloud environments fail differently from traditional on-premise networks. The most common source of serious incidents is not a sophisticated exploit but rather a misconfiguration. An S3 bucket left publicly readable, an over-permissioned IAM role, a storage account with no access controls, a virtual machine with an administrative port open to the internet. These are mistakes that happen routinely during normal cloud operations, often introduced gradually as environments grow and change, and they are not always picked up by the people managing the environment day to day.

We wrote about this in more detail in our article on cloud misconfigurations if you want background before getting in touch.

What we review

Identity and access management (IAM) - IAM is the foundation of cloud security and the most frequently misconfigured area. We review whether roles and permissions follow the principle of least privilege, whether there are over-permissioned accounts or service principals, whether service accounts have more access than they need, and whether the blast radius of a single compromised account is appropriately limited.

Storage and data exposure - checking whether storage resources such as S3 buckets, Azure Blob containers or GCP Cloud Storage buckets are publicly accessible or accessible to more principals than intended, and whether sensitive data is stored in locations that could be reached with limited access.

Network configuration - reviewing security groups, firewall rules and network access control lists to identify services that are exposed to the internet unnecessarily, and whether network segmentation between environments is properly enforced.

Compute and workload security - assessing virtual machines, containers and serverless functions for exposed management interfaces, weak authentication, unpatched software and insecure default configurations.

Logging and monitoring - whether audit logging is enabled across services and whether the logs would capture the activity an attacker would generate. Many cloud environments have logging partially configured, leaving blind spots that can go unnoticed for months.

Secrets management - checking whether API keys, credentials and secrets are stored securely or whether they appear where they should not, such as environment variables, instance metadata endpoints or public code repositories.

How this differs from a penetration test

A configuration review and a penetration test are related but different things. A configuration review is a systematic audit of how your environment is set up. We assess settings, permissions and configurations against industry best practice and identify what deviates from secure configuration. The focus is real-world issues, what issues in the environment will actually have a negative impact.

A penetration test goes further by attempting to exploit identified weaknesses to demonstrate what an attacker could actually do with them such as escalating privileges, accessing data, moving between accounts. This gives you a picture of real-world impact rather than a list of configuration gaps.

For most NZ businesses, a configuration review is the right starting point, particularly if the environment has never been assessed before or has grown significantly. It gives you a comprehensive picture of where the environment stands and a prioritised list of what to fix. If you want to go further and understand what an attacker could actually achieve, we can scope penetration testing on top of that.

Who needs a cloud configuration review?

Businesses running workloads in the cloud. If your organisation hosts applications, databases or customer data in AWS, Azure or GCP, the configuration of that environment directly affects your exposure. Cloud environments that have grown organically tend to accumulate permissions and open configurations that made sense at the time but that nobody has revisited since.

Compliance requirements. ISO 27001 scope typically includes cloud infrastructure where it hosts or processes information assets covered by the management system. If your organisation is working toward certification or maintaining it, a configuration review of your cloud environment is a natural part of the process. PCI DSS similarly includes cloud environments in scope where they store, process or transmit cardholder data.

After significant cloud changes. A migration to the cloud, the addition of new services, a significant architecture change, or taking on a new development team are all reasonable triggers for a fresh assessment. Configuration drift, where settings gradually diverge from a secure baseline as the environment evolves, is one of the most common findings in cloud environments that were set up correctly but never reassessed.

Organisations that have never had their cloud environment reviewed. Many businesses set up cloud infrastructure themselves or with the help of a managed service provider and have never had an independent review of the security configuration. A review gives you an objective picture of where things stand.

What the process looks like

We start with a scoping call to understand your cloud environment, which providers you use, the rough scale of the environment, and what workloads it supports.

We are typically provided with read-only access to the environment, which lets us assess settings and configurations without any risk of disruption to running services. For most reviews this is a dedicated read-only role scoped to the services in scope we do not need more privileged access unless specific tests require it.

Reviews typically take two to four days depending on the size and complexity of the environment. Findings are reported with a severity rating, a plain-language explanation of the risk, and specific remediation steps that your cloud team or managed service provider can act on directly. We also provide an overall picture of the environment's configuration maturity, which is useful context for internal reporting or compliance documentation.

Retesting

We offer a follow-up review after remediation to confirm that identified issues have been resolved and that the fixes are correctly implemented. For compliance purposes this provides documented evidence that findings were addressed.

Based in Auckland, working across New Zealand

Cloud configuration reviews are conducted remotely and work equally well for businesses anywhere in New Zealand.

bottom of page