Security · 132 checks

Close the gaps before they become incidents.

Not every finding is about the bill. Some are about the breach. A public S3 bucket, a database open to the internet, root access keys lying around: the cost of one incident dwarfs any subscription.

In the same read-only pass that finds waste, Graymole surfaces exposure and misconfiguration across identity, storage, firewalls, keys, snapshots, and detective controls (on AWS, GCP, and Azure), so cost and risk are one workflow, not two tools.

Why it pays off

  • Public buckets, snapshots, and AMIs are data-leak risks Graymole flags immediately, on S3, Cloud Storage, and Azure Storage alike.
  • Security groups, GCP firewalls, and Azure NSGs open to 0.0.0.0/0 on SSH, RDP, or database ports are attack surface to close now.
  • Identity hygiene (root keys, missing MFA, stale access keys, long-lived service account keys) cuts your blast radius.
  • Detective gaps (GuardDuty off, no flow logs, single-region CloudTrail) mean blind spots; we name them.

1 click

One publicly exposed database or bucket can become a breach. Graymole catches it in the same scan that finds your savings, with no extra tool.

What we check

A representative sample of the 132 Security checks across AWS, GCP, and Azure, grouped by theme.

Public exposure

8 checks

Resources reachable from the open internet: the highest-risk findings, surfaced first.

Security group SSH open to the world

Port 22 reachable from 0.0.0.0/0.

GCP firewall rules open to 0.0.0.0/0

VPC firewall ingress from every IP on earth.

Azure NSG exposure

Network security groups letting the internet in.

Public GCP Cloud Storage buckets

Buckets readable by allUsers.

Security group database ports open to the world

Postgres/MySQL/Redis exposed publicly.

RDS publicly accessible

Managed databases reachable outside your VPC.

EBS / AMI / RDS snapshot is public

Backups shared with the entire world.

S3 Block Public Access disabled

Account/bucket public-access guardrails turned off.
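The security-group checks above reduce to one question: does any ingress rule reach a sensitive port from 0.0.0.0/0 or ::/0? The following is an added example of that detection logic, not Graymole's own code. It takes security groups in the shape the AWS EC2 DescribeSecurityGroups API returns (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the three groups at the bottom are constructed sample data, and the port list is an assumption covering the SSH, RDP, and database ports the page names. It also handles the cases that trip naive checks: a catch-all "-1" protocol rule, a wide port range that happens to include port 22, and IPv6-only exposure.

```python
"""Flag security-group ingress rules that expose sensitive ports to the internet.

Added example (not Graymole's code). Input mirrors the `IpPermissions` entries
that EC2 DescribeSecurityGroups returns; the groups below are constructed samples.
"""
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Ports the page calls out: SSH, RDP, and common database ports (assumed list).
SENSITIVE_PORTS = {
    22: "SSH",
    3389: "RDP",
    5432: "PostgreSQL",
    3306: "MySQL",
    6379: "Redis",
}


def _world_open(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def _ports_covered(perm: Dict) -> List[int]:
    """Sensitive ports covered by this rule's protocol and port range.

    IpProtocol "-1" means every protocol and port; otherwise FromPort/ToPort
    bound an inclusive range (a 0-65535 range still covers everything).
    """
    if perm.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return []
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)


def find_world_open_ports(groups: List[Dict]) -> List[Dict]:
    """One finding per (group, sensitive port) reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in groups:
        seen = set()  # a port hit by two rules of the same group is reported once
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue
            for port in _ports_covered(perm):
                if port in seen:
                    continue
                seen.add(port)
                findings.append({
                    "group_id": sg["GroupId"],
                    "port": port,
                    "service": SENSITIVE_PORTS[port],
                })
    return findings


# Constructed sample: three groups with different exposure patterns.
SAMPLE_GROUPS = [
    {   # SSH from one office range only: not flagged.
        "GroupId": "sg-bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {   # Postgres open to the world over IPv6 only; HTTPS open but not sensitive.
        "GroupId": "sg-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # Catch-all rule: every protocol and port from anywhere.
        "GroupId": "sg-wide-open",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in find_world_open_ports(SAMPLE_GROUPS):
        print(f"{f['group_id']}: {f['service']} (port {f['port']}) open to the world")
```

On a real account you would feed the function the SecurityGroups list from a read-only describe call; the check needs no write permission, which is the same posture the page describes for its scan.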

Identity & access

8 checks

IAM hygiene that shrinks your blast radius if a credential leaks.

IAM root account access keys

The one credential that should never be active.

IAM users without MFA

Console logins protected by a password alone.

IAM old access keys

Long-lived keys that were never rotated.

GCP user-managed service account keys

Downloaded SA keys that never expire (CIS).

GCP OS Login disabled

VM SSH access outside centralized IAM control (CIS).

GKE posture checks

CIS hardening gaps on Kubernetes clusters.

IAM role with wildcard principal

Roles any account could potentially assume.

IAM policy with Action=* Resource=*

Effectively admin, far beyond least privilege.
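The last two identity checks (wildcard principal, Action=* on Resource=*) are both questions about IAM policy JSON. The code below is an added example of how such checks read a policy document; it is not Graymole's code. The policies are constructed samples in the standard IAM document shape, and the example handles the shape variations that make naive string matching unreliable: Statement given as a single object or a list, Action and Resource as a string or a list, and Principal written either as "*" or as {"AWS": "*"}. A wildcard principal under a Condition block (for example an sts:ExternalId check) may still be restricted, so each trust finding records whether a Condition is present for review rather than silently dropping it.

```python
"""Spot two IAM anti-patterns: trust policies any principal can assume, and
permission policies granting Action "*" on Resource "*".

Added example, not Graymole's code. Policies below are constructed samples; a
trust (assume-role) policy sits on a role, a permission policy on a user,
group, or role.
"""
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: Dict) -> List[Dict]:
    return _as_list(policy.get("Statement"))


def _principal_is_wildcard(principal: Any) -> bool:
    """Principal "*" and Principal {"AWS": "*"} both mean any AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def wildcard_trust_statements(trust_policy: Dict) -> List[Dict]:
    """Allow statements whose Principal is a wildcard.

    A Condition block may narrow who can actually assume the role, so the
    finding records its presence instead of suppressing the statement.
    """
    out = []
    for st in _statements(trust_policy):
        if st.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(st.get("Principal")):
            out.append({"sid": st.get("Sid", ""), "conditioned": "Condition" in st})
    return out


def admin_statements(permission_policy: Dict) -> List[str]:
    """Sid (or positional label) of each Allow statement granting * on *."""
    out = []
    for i, st in enumerate(_statements(permission_policy)):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in actions and "*" in resources:
            out.append(st.get("Sid") or f"statement[{i}]")
    return out


# Constructed samples (account id and bucket name are placeholders).
TRUST_OPEN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneCanAssume", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Sid": "ExternalIdGated", "Effect": "Allow",
         "Principal": "*", "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}},
        {"Sid": "OneAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
    ],
}

PERMS_ADMIN = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
}

PERMS_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # A Deny on * / * is a guardrail, not admin, and must not be flagged.
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(wildcard_trust_statements(TRUST_OPEN))
    print(admin_statements(PERMS_ADMIN), admin_statements(PERMS_SCOPED))
```

Note that the Deny statement in PERMS_SCOPED uses the same wildcards as the admin policy; filtering on Effect first is what keeps a guardrail from being reported as a finding.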

Encryption & secrets

7 checks

Keys, secrets, and certificates that should be locked down and rotated.

S3 buckets without default encryption

Objects stored unencrypted at rest.

KMS keys without rotation

Encryption keys that never roll.

KMS key policy too wide

Key usage granted more broadly than needed.

KMS unused customer-managed keys

Paying for CMKs nothing references.

Secrets Manager rotation disabled

Static secrets that never change.

Secrets Manager unused secrets

Stale secrets lingering in the vault.

ACM certificates expiring / unused

Outages and clutter from cert mismanagement.

Application & API edge

5 checks

Front-door misconfigurations on the services users actually hit.

Lambda function URL with no auth

Public function endpoints with no authorizer.

API Gateway methods without auth

Unauthenticated routes on your APIs.

API Gateway stage without WAF

No web-application firewall in front of the API.

ALB HTTP listener without HTTPS redirect

Plaintext traffic not forced to TLS.

S3 bucket has ACLs enabled

Legacy ACLs that bypass bucket policies.

Detective controls

5 checks

Visibility gaps: if these are off, you're flying blind during an incident.

GuardDuty disabled in region

Threat detection switched off where you run.

No multi-region CloudTrail

Audit blind spots outside one region.

VPC flow logs disabled

No network-level record to investigate with.

Inspector v2 not enabled

Workload vulnerability scanning turned off.

ECR scanning disabled

Container images pushed without a vuln scan.

See your security savings

Connect a read-only role and run a free scan. Security findings come priced in real dollars with a fix for each.
