Services

Cloud Service Configuration Review

Our cloud service configuration review uncovers misconfigurations and strengthens your cloud security posture with confidence.

Cloud service configuration review for AWS, Azure, and GCP

Ensuring your cloud is built on a secure foundation

A cloud service configuration review is a systematic, inside-out examination of cloud settings. It assesses IAM controls, network security, and encryption against the CIS Benchmarks for cloud providers and the CSA Cloud Controls Matrix. It differs from a cloud penetration test. A configuration review examines control plane settings that determine whether exploitation is possible. It does not ask only whether exploitation is possible today. It also identifies latent control weaknesses that may not yet be visible from an external attacker perspective. Swarmnetics delivers this through Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentialled consultants since 2015.

When one cloud misconfiguration exposes live data

Because secure operations depend on secure configurations

In August 2025, cybersecurity firm UpGuard discovered a publicly accessible Amazon S3 bucket containing 273,000 bank transfer documents across at least 38 financial institutions. UpGuard reported that 3,000 new files were added daily after a single misconfiguration left the bucket open. A cloud service configuration review would have identified the publicly accessible bucket before live customer financial data reached it. Cloud infrastructure misconfigurations represent a potential risk that external testing cannot surface. Penetration tests probe the perimeter. They do not inspect the control plane settings that govern data protection and cloud security. They may also miss excessive IAM permissions, weak encryption defaults, inconsistent logging, or inherited access paths that are present in the environment before an attacker exploits them.

Read more

A cloud configuration review maps every finding to recognised security standards, so your team has evidence that security controls are working before an auditor asks for it.

Gartner Peer Insight Review

See your cloud environment from the control plane

Find misconfigurations that lead to exploitable exposure

Swarmnetics begins by establishing secure, read-only access to the in-scope cloud environment. Our consultants then establish secure, read-only access through a dedicated IAM role for AWS, Microsoft Azure or Google Cloud Platform (GCP) to extract cloud service configurations using cloud-native security tools. We also use open-source scanners such as Prowler, ScoutSuite, and CloudSploit to review cloud accounts, subscriptions, projects, and relevant shared services where applicable.

Our consultants then assess the extracted configurations against the CIS Benchmarks for the relevant cloud provider and the CSA Cloud Controls Matrix. This security assessment is designed to identify misconfigurations across cloud services before they create exploitable exposure. Automated tools are necessary but not sufficient. Manual review validates each finding, removes false positives, and confirms security settings and configuration intent through team interviews. This helps distinguish an intentional design choice from a genuine security gap and shows what an external penetration test would not normally confirm from the outside. Network security boundaries, web services, identity and access management IAM controls, and data protection controls all fall within scope. The review also considers whether key controls are applied consistently across the cloud environment, not just whether they exist in isolated services.

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium business, and across various industries.

Learn more
CREST Pentest

Inside the cloud attack surface

What gets checked

A comprehensive cloud service configuration review covers the following domains and the wider cloud security posture:

  • IAM policies, role assignments, and least-privilege boundaries
  • Multi-factor authentication enforcement on cloud service accounts
  • S3, Blob, and GCS storage access controls — a leading source of cloud data exposure
  • Network security group rules, VPC configurations, and firewall policies
  • Encryption at rest and in transit across storage and databases
  • Logging and monitoring configuration including CloudTrail, Azure Monitor, and GCP Audit Logs
  • Secrets management and exposed credentials in cloud-native services
  • Web service configurations and publicly exposed endpoints
  • Data protection controls across managed database services

FAQ

A cloud penetration test probes from outside and identifies vulnerabilities an attacker could exploit. A cloud service configuration review works inside-out. It examines IAM policies, network rules, storage access controls, and encryption settings that determine whether exploitation is possible at all. For audit purposes, its findings are directly traceable to specific hardening standards.

The cloud service configuration review covers identity and access management, network security controls, storage access settings, encryption at rest and in transit, logging and monitoring, secrets management, and web service configurations across AWS, Azure, and GCP. Every finding is mapped to the CIS Benchmarks for the relevant cloud provider and the CSA Cloud Controls Matrix.

The standard approach is grey-box: your team grants read-only access via a dedicated IAM role for AWS or an equivalent custom role for Azure and GCP. Swarmnetics extracts and analyses live configurations without modifying anything in your environment. We make no changes to production systems during the assessment.

Publicly accessible storage buckets allow direct data exfiltration without authentication. Overly permissive IAM roles enable privilege escalation to full administrative access. Disabled logging allows an attacker to persist undetected for weeks. These outcomes are documented in publicly reported incidents across all three major cloud providers.

A cloud service configuration review from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report maps every finding to CIS Benchmarks for cloud providers and the CSA Cloud Controls Matrix with a severity rating, a description of the configuration gap, and specific remediation guidance. An executive summary is included for non-technical stakeholders. After you have remediated the findings, we conduct a follow-up review to confirm adequate remediation.

A cloud service configuration review is relevant to any organisation that needs to validate that its cloud services and environments are configured securely. It is particularly relevant for organisations subject to regulatory, contractual, or industry security requirements, which requires demonstrable evidence of secure configuration and hardening. A cloud service configuration review is also recommended after significant infrastructure changes, migrations, or new system deployments. Swarmnetics has delivered cloud service configuration reviews across all sectors since 2015.

The duration of a cloud service configuration review depends on the number of cloud services and accounts in scope and their complexity. A typical cloud configuration review engagement takes three to five business days, followed by an initial report within five business days for your review.

A cloud service configuration review is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must implement and validate secure configurations for cloud environments. It provides documented evidence of compliance with hardening standards that regulators and auditors may request.

Every cloud service configuration review follows a three-phase process. In the planning phase, Swarmnetics agrees the scope and schedule with your team. In the assessment phase, our consultants extract the cloud service configurations extracted using cloud-native tools and open-source scanners and assess them against CIS Benchmarks for the relevant cloud provider and the CSA Cloud Controls Matrix, conducting interviews with relevant team members where needed to confirm configuration intent. In the reporting phase, we deliver a draft report for review and a final report with remediation guidance mapped to the applicable standard.

All Swarmnetics configuration reviews are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and acts as a trusted VAPT delivery partner to service and solution providers, supporting their customers across multiple sectors.

The security assessment report includes specific, actionable remediation guidance for every finding — not generic advice. For each vulnerability, we describe the fix, and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each issue has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.