Cloud Security Portfolio Project
AWS Security
Scanning
Find the misconfigurations that cause real-world data breaches. S3 buckets, IAM policies, security groups, CloudTrail logging โ all checked automatically against the CIS benchmark.
0
Scanners built
0
CIS Level 1 checks
0
Dangerous ports flagged
0
AWS account needed
Why this matters
Most cloud breaches are preventable
The biggest cloud data breaches in recent years were not caused by sophisticated exploits. They were caused by a public S3 bucket, an admin IAM user with no MFA, or a database exposed to the internet. This project finds all of those automatically.
Storage
S3 misconfiguration
A single public bucket can expose millions of customer records.
Identity
IAM overprivilege
AdministratorAccess on a CI pipeline is a full account takeover waiting to happen.
Network
Open security groups
SSH on 0.0.0.0/0 is scanned by attackers within minutes of deployment.
๐ชฃ
S3 Scanner
Checks every bucket for Block Public Access, encryption, versioning and access logging. Sorts findings by severity.
s3_scanner.py๐
IAM Analyser
Finds overprivileged users, missing MFA and access keys older than 90 days. Maps to least privilege best practice.
iam_analyser.py๐
Security Group Scanner
Flags dangerous ports open to 0.0.0.0/0 โ SSH, RDP, MySQL, Redis, MongoDB and more. Explains why each port is dangerous.
sg_scanner.py๐
CloudTrail Check
Verifies audit logging is active, multi-region and has log file validation. Without it, incidents cannot be investigated.
cloudtrail_check.py๐
CIS Compliance Score
Calculates your Level 1 score across 14 controls. Groups by category, shows what is failing and when to fix it.
compliance_score.py๐ฎ
Demo Mode
Runs realistic mock findings with no AWS credentials. Anyone can see the full scanner output immediately after cloning.
demo_mode.pyLive simulation
The scanner in action
This simulates the real scanner output. Click Execute to run a full demo scan โ S3, IAM, security groups and CloudTrail โ exactly as it looks in your terminal.
How it works
Connect once, scan everything
boto3 connects to AWS, runs all four checks, outputs coloured findings sorted by severity.
$ python aws/demo_mode.py
Click Execute to run the full pipeline...
๐ก
No AWS account needed
The demo mode ships with the project and produces realistic findings from mock data. To scan a real AWS account: install boto3, run
aws configure, then python aws/run_all.py.S3
What gets checked
Block Public Access, server-side encryption, versioning enabled, access logging active. One misconfiguration can expose everything.
4 checks per bucketIAM
What gets checked
Dangerous policies (AdministratorAccess, FullAccess variants), MFA status on console users, access key age against 90-day threshold.
3 checks per userSecurity Groups
What gets checked
Ten dangerous ports checked against 0.0.0.0/0 and ::/0 rules. SSH, RDP, MySQL, PostgreSQL, Redis, MongoDB, FTP, Telnet and more.
10 dangerous portsCloudTrail
What gets checked
Logging enabled, multi-region active, global service events captured, log file validation on. Without all four, investigation gaps exist.
4 configuration checksCIS AWS Foundations Benchmark
Level 1 compliance score
The CIS benchmark is what auditors use to assess AWS environments. Level 1 is the essential baseline โ every AWS account should pass all 14 controls. This tool calculates your score and tells you exactly what to fix and when.
8 of 14 controls passing
CIS AWS Foundations Benchmark
Why CIS matters
The auditor's standard
CIS Level 1 is referenced in every enterprise AWS security assessment. Passing it means your baseline is solid.
Two levels
Level 1 vs Level 2
Level 1 is the essential baseline. Level 2 adds advanced controls like GuardDuty, VPC flow logs and Config.
Threat Intelligence
IP reputation lookup
When an IP appears in your AWS logs or triggers a security group rule, knowing whether it is a known attacker changes everything about how you respond. Try the demo IPs below.
How it works
Context changes response
A 97% AbuseIPDB score turns a suspicious SSH attempt into a confirmed targeted attack. That changes priority.
Self-assessment
Cloud security readiness
These are the topics that come up in cloud security interviews at both startups and large organisations. Tick what you can explain confidently.
0 / 12 topics covered
- Explain the AWS Shared Responsibility ModelAWS secures the infrastructure. You secure everything you put on it. Most breaches happen on the customer side.
- Explain why a public S3 bucket is dangerousAnyone on the internet can list and download all objects. No authentication required. This has caused major breaches.
- Describe the principle of least privilege in IAMEvery user, role and service should have only the minimum permissions needed. Nothing more. AdministratorAccess is almost always wrong.
- Explain why SSH should never be open to 0.0.0.0/0Attackers scan for port 22 on every IP constantly. An exposed SSH port receives brute force attempts within minutes.
- Explain what CloudTrail does and why it mattersRecords every API call in your account. Without it, you cannot investigate who did what after an incident.
- Describe CIS AWS Foundations Benchmark Level 114 essential security controls covering IAM, logging, storage and networking. The baseline auditors use to assess AWS accounts.
- Explain why access keys should be rotated every 90 daysThe older a key gets, the more chances it has had to be leaked. 90-day rotation limits the damage window.
- Describe what a security group is and how it worksStateful firewall rules attached to AWS resources. Controls which traffic is allowed in and out. Misconfigured groups are a top finding in cloud security assessments.
- Explain what IAM roles are and when to use themTemporary credentials for services and applications. Safer than static access keys because they expire automatically and leave no long-lived secret to rotate.
- Describe how to investigate a cloud security incidentStart with CloudTrail to build a timeline of API calls. Check which credentials were used, from where, and what they accessed.
- Explain encryption at rest vs encryption in transitAt rest: data encrypted when stored on disk. In transit: data encrypted over the network (TLS). Both are required for sensitive data.
- Describe what MFA does and why it matters for rootMulti-factor authentication requires a second device. Root without MFA can be taken over with just a leaked password โ which is catastrophic in AWS.
Business impact
What does a cloud breach actually cost?
This is what enterprises care about. A public S3 bucket is not just a security problem โ it is a financial and legal one. Adjust the sliders to estimate the real cost of a misconfiguration in your organisation.
GDPR Maximum Fine
4% of global revenue
Or โฌ20M โ whichever is higher. For a โฌ100M company a single public S3 bucket could cost โฌ4M in fines alone.
Average Incident Response
โฌ200โโฌ800/hour
A cloud breach typically takes 2โ4 weeks to fully contain and remediate. At enterprise rates that is โฌ50kโโฌ300k in response costs alone.
IBM Cost of a Data Breach 2024
$4.88M average
IBM's annual report places the global average breach cost at $4.88M in 2024. Cloud misconfigurations are among the top three root causes.