Cyberoptic Security

Cloud Secure Configuration Review

A systematic assessment of how your AWS, Azure or Google Cloud environment is set up, measured against security baselines.

What is a cloud secure configuration review?

A cloud secure configuration review is a systematic assessment of how your cloud environment is set up. It evaluates your AWS, Azure or Google Cloud environment against security baselines and identifies settings that are out of line, including resources that are exposed when they should not be, permissions that are too broad, and controls that are incomplete.

Most cloud incidents do not start with a sophisticated exploit. They start with a misconfiguration, such as a publicly readable S3 bucket, an over-permissioned IAM role, a storage account that allows anonymous access, or an admin port (SSH, RDP, WinRM) open to the internet. These issues accumulate gradually during normal operations and often go unnoticed by the people managing the environment day to day.

What we review

  • Identity and access management (IAM): whether roles follow least privilege, where accounts or service principals are over-permissioned, what service accounts can reach, and how contained the blast radius is if one is compromised.
  • Storage and data exposure: whether storage like S3 buckets, Azure Blob containers or GCP Cloud Storage is appropriately restricted, and where sensitive data sits.
  • Network configuration: security groups, firewall rules and network ACLs, looking for unnecessary internet exposure and confirming segmentation is enforced.
  • Compute and workload security: virtual machines, containers and serverless functions, checking for exposed management interfaces, weak authentication, unpatched software and insecure defaults.
  • Logging and monitoring: whether audit logging is enabled across services and captures the activity an attacker would generate (sign-ins, API calls, data access), identifying partial configurations that create blind spots.
  • Secrets management: whether API keys, credentials and secrets are held in a managed secrets store rather than hard-coded in source, committed to repositories, or left in plaintext in environment variables and instance user data (which is readable through the metadata service).
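The three most common findings in the list above (an over-permissioned IAM policy, a publicly readable bucket, an admin port open to the internet) can each be spotted by inspecting the resource's configuration rather than by exploiting it. The following is an added example, not Cyberoptic's own tooling, showing what those checks look like in code. It assumes AWS as the provider, and the IAM policy, bucket policy and security group are constructed sample data in the shape of the AWS API output, not from any real account.

```python
"""Offline checks for three misconfigurations a configuration review looks for.
Added example, not Cyberoptic's tooling. All JSON below is constructed sample data
in the shape of AWS IAM / S3 / EC2 API output; the ARNs and group ID are placeholders."""
import json

# Constructed IAM policy: the "allow everything" pattern that over-permissioned roles end up with.
OVERBROAD_IAM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Constructed least-privilege counterpart, for comparison.
SCOPED_IAM_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}]}
""")

# Constructed bucket policy granting anonymous read of every object.
PUBLIC_BUCKET_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-reports/*"}]}
""")

# Constructed security group in the shape of `ec2 describe-security-groups` output.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM (HTTP/HTTPS)
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Allow statements whose Action is a wildcard ("*" or "service:*") AND whose Resource is "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in _as_list(stmt.get("Resource"))
        if wild_action and wild_resource:
            findings.append(stmt)
    return findings


def is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_read_statements(bucket_policy):
    """Unconditional Allow statements letting an anonymous principal read objects or list the bucket.
    Statements with a Condition (e.g. aws:SourceIp) are skipped here to avoid false positives;
    a full review would still inspect them by hand."""
    read_actions = {"s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*", "*"}
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        if "Condition" not in stmt and read_actions & set(_as_list(stmt.get("Action"))):
            findings.append(stmt)
    return findings


def exposed_admin_ports(security_group):
    """Admin ports reachable from 0.0.0.0/0 or ::/0 through any inbound rule."""
    exposed = set()
    for rule in security_group.get("IpPermissions", []):
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if not cidrs & ANYWHERE:
            continue
        if rule.get("IpProtocol") == "-1":  # "all traffic": no port range is present
            exposed |= ADMIN_PORTS
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        exposed |= {p for p in ADMIN_PORTS if lo <= p <= hi}
    return sorted(exposed)


if __name__ == "__main__":
    print("over-broad IAM statements:", len(overbroad_statements(OVERBROAD_IAM_POLICY)))
    print("public-read bucket statements:", len(public_read_statements(PUBLIC_BUCKET_POLICY)))
    print("admin ports open to the internet:", exposed_admin_ports(SECURITY_GROUP))
```

In a real engagement the same functions run over `get-role-policy`, `get-bucket-policy` and `describe-security-groups` output pulled with the read-only role; the point is that each finding is a property of the configuration, visible without sending a single packet at the workload.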

How this differs from a penetration test

A configuration review is a systematic audit of how your environment is set up, assessing settings against best-practice benchmarks. A penetration test goes further, attempting to exploit weaknesses and demonstrate what an attacker could actually do, including privilege escalation and lateral movement.

For most New Zealand businesses, a configuration review is the right starting point, especially for an environment that has never been assessed or has grown significantly. You can add penetration testing afterwards for a deeper understanding of impact.

Who needs a cloud configuration review?

  • Businesses running cloud workloads: if you host applications, databases or customer data with a cloud provider, your configuration choices directly affect your exposure.
  • Compliance requirements: ISO 27001 typically includes cloud infrastructure in scope, and PCI DSS covers cloud environments that store, process or transmit cardholder data.
  • After significant cloud changes: migrations, new services, architecture changes or a new development team are all good reasons to reassess. Configuration drift is one of the most common findings.
  • Never-reviewed environments: many organisations stand up cloud infrastructure themselves or through a provider without an independent security assessment.

What the process looks like

The engagement begins with a scoping discussion covering the provider, the scale of the environment, and the workloads it supports.

You typically grant read-only access, so the review itself carries no disruption risk. Most reviews use a dedicated read-only role scoped to the relevant services; elevated privileges are not needed unless specific testing requires them.
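What "a dedicated read-only role" looks like in practice, as an added example rather than Cyberoptic's onboarding code: on AWS the customer creates a role that only the assessor's account can assume, requires an agreed external ID so a third party cannot trick the assessor into using the role against the wrong account (the confused-deputy problem), and attaches only AWS managed read-only policies. The account ID and external ID below are placeholders; the two managed policy ARNs are real AWS policies.

```python
"""Cross-account, read-only review role for an AWS configuration review.
Added example, not Cyberoptic's own code. The account ID and external ID are placeholders."""

# AWS managed policies that together give broad read access and no write actions.
READ_ONLY_MANAGED_POLICIES = [
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
]


def _as_list(value):
    """IAM accepts a string or a list for Action/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(assessor_account_id, external_id):
    """Trust policy: only the assessor's account may assume the role, and only when it
    presents the agreed sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{assessor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(trust_policy):
    """Reasons a trust policy is looser than a review role needs. Empty list means acceptable."""
    problems = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws_principals:
            problems.append("principal is '*': any AWS account could assume the role")
        extra = [a for a in _as_list(stmt.get("Action")) if a != "sts:AssumeRole"]
        if extra:
            problems.append(f"trust policy grants actions beyond sts:AssumeRole: {extra}")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition")
    return problems


def unexpected_policies(attached_policy_arns):
    """Attached policies that are not on the read-only allowlist (e.g. AdministratorAccess)."""
    return [arn for arn in attached_policy_arns if arn not in READ_ONLY_MANAGED_POLICIES]


if __name__ == "__main__":
    import json
    # Placeholder assessor account and a per-engagement external ID (generate one per customer).
    policy = build_trust_policy("111111111111", "cyberoptic-review-2024-q3-example")
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy))
```

Both sides can run the same check: the customer before handing over the role, the reviewer on receipt, so that a trust policy with `"Principal": "*"` or an attached `AdministratorAccess` policy is caught before the engagement starts rather than noted as a finding in it.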

Reviews generally take two to four days depending on size and complexity. Findings include severity ratings, plain-language risk explanations, and specific remediation steps your cloud team or provider can action. The report also gives an overall view of configuration maturity, useful for internal reporting and compliance.

Retesting

A follow-up review after remediation confirms the issues are resolved and the fixes were implemented correctly, and provides documented evidence for compliance.