Compute & Workloads
From EC2 instances to Lambda functions and containers, we check that every workload is hardened, patched, and backed up — and flag the ones that aren't.
EC2 Hardening & Endpoint Protection
We review EC2 instance configurations against security best practice — including IMDSv2 enforcement, EBS encryption, public IP exposure, and instance profile permissions. We check whether instances are running endpoint protection agents and whether those agents are healthy and reporting.
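As an added example, not the assessment provider's own tooling, here are the IMDSv2, EBS encryption and public IP checks above expressed as a small audit over `describe_instances` and `describe_volumes` output. The sample data is constructed; the live helper assumes boto3 is installed with read-only EC2 credentials.

```python
from typing import Dict, List

# Constructed sample, shaped like boto3 ec2.describe_instances()["Reservations"]
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0a1b2c3d4e5f60001", "PublicIpAddress": "203.0.113.10",
         "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
         "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0001"}}]},
        {"InstanceId": "i-0a1b2c3d4e5f60002",
         "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"},
         "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0002"}}]},
    ]}
]
# Constructed, shaped like ec2.describe_volumes()["Volumes"], keyed by VolumeId
SAMPLE_VOLUMES = {"vol-0001": {"Encrypted": False}, "vol-0002": {"Encrypted": True}}


def audit_instance(inst: dict, volumes: Dict[str, dict]) -> List[str]:
    """Return finding codes for one instance description (empty list = clean)."""
    findings = []
    meta = inst.get("MetadataOptions", {})
    # IMDSv2 is enforced only when the token header is mandatory; "optional"
    # still answers IMDSv1 requests, which SSRF-style credential theft relies on.
    if meta.get("HttpEndpoint", "enabled") == "enabled" and meta.get("HttpTokens") != "required":
        findings.append("IMDSV2_NOT_ENFORCED")
    # A public IPv4 address means the instance is directly reachable from the internet.
    if inst.get("PublicIpAddress"):
        findings.append("PUBLIC_IP")
    # Encryption state lives on the volume, not the instance, so join on VolumeId.
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping.get("Ebs", {}).get("VolumeId")
        if vol_id and not volumes.get(vol_id, {}).get("Encrypted", False):
            findings.append(f"UNENCRYPTED_VOLUME:{vol_id}")
    return findings


def audit_reservations(reservations, volumes) -> Dict[str, List[str]]:
    """Map each instance ID to its findings; clean instances are omitted."""
    report = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            found = audit_instance(inst, volumes)
            if found:
                report[inst["InstanceId"]] = found
    return report


def audit_live_account(region: str) -> Dict[str, List[str]]:
    """Fetch real data with boto3 (assumed installed and credentialed) and audit it."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    reservations, volumes = [], {}
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.update({v["VolumeId"]: v for v in page["Volumes"]})
    return audit_reservations(reservations, volumes)
```

Running `audit_reservations(SAMPLE_RESERVATIONS, SAMPLE_VOLUMES)` reports the first instance for all three issues and nothing for the second.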
Patch Management
We assess OS and application patch compliance across your EC2 fleet using AWS Systems Manager Patch Manager. This includes identifying instances with outstanding critical or security patches, instances not enrolled in any patch baseline, and any failed patching operations. Unpatched systems remain one of the most common entry points for attackers.
Container & ECS/EKS Security
For containerised workloads, we review ECR image scanning configuration, ECS task role permissions, EKS cluster security settings, and pod security policies. We identify containers running as root, images with known vulnerabilities, and overly permissive task or pod roles that could be exploited.
Lambda & Serverless Configuration
We review Lambda function configurations including execution role permissions, VPC placement, environment variable usage for secrets, and runtime versions. We identify functions with overly broad IAM roles, deprecated runtimes, and configurations that don't follow the principle of least privilege.
Backup & Disaster Recovery
We review AWS Backup vault configuration, backup plan coverage, and retention policies. We identify production resources that are not backed up, check that backup jobs are completing successfully, and assess whether your recovery point objectives (RPO) and recovery time objectives (RTO) are supported by the current configuration.