At a Glance
- Industry: Fintech
- Engagement type: AWS Cloud Security Audit
- Tech stack: AWS multi-account organization, EKS-based microservices, RDS PostgreSQL, S3 data lake, Lambda + API Gateway, Cognito identity, GuardDuty, CloudTrail
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Client Overview
Industry: Fintech
Product: Account aggregator and lending platform serving 350K retail customers
Tech stack: AWS multi-account organization, EKS-based microservices, RDS PostgreSQL, S3 data lake, Lambda + API Gateway, Cognito identity, GuardDuty, CloudTrail
The client is an RBI-regulated fintech operating an account aggregator and lending platform with 350K retail customers across 12 Indian states. Their AWS multi-account footprint had grown organically over 18 months without dedicated security review.
Challenge
Three factors drove the urgency of this engagement:
- RBI examination upcoming. The annual RBI cybersecurity examination required current cloud security audit evidence with documented remediation
- Rapid AWS sprawl. 12 AWS accounts across dev, staging, prod and analytics had been created without consistent baseline controls
- SOC 2 Type 2 audit deadline. A major enterprise partnership required SOC 2 evidence within 90 days
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- CIS AWS Foundations benchmark v2.0 audit across all 12 AWS accounts
- IAM analysis covering excessive permissions, unused credentials and root account hygiene
- S3 bucket exposure analysis including public access, encryption and lifecycle policies
- VPC and network security group review for overly permissive ingress
- EKS Kubernetes security audit including RBAC, pod security and secret management
- CloudTrail, GuardDuty and Security Hub coverage validation
- KMS key management and customer data encryption review
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.
Results
Critical Findings
- Production RDS database publicly accessible via 0.0.0.0/0 security group rule, exposing 350K customer KYC records
- Root account credentials in plaintext in a Confluence wiki accessible to 80+ employees
- Customer document S3 bucket publicly readable with versioning disabled, exposing current and historical Aadhaar and PAN documents
High & Medium Severity
- Long-lived IAM access keys older than 1 year
- No MFA on 4 admin users
- GuardDuty disabled in 2 regions
- EKS cluster running privileged pods
- No encryption at rest on 3 EBS volumes
- CloudTrail not enabled in 4 secondary regions
- Weak password policy on the Cognito user pool
Before vs. After
Before Engagement
- Production RDS publicly accessible
- Root credentials in shared Confluence
- KYC document bucket public
- No MFA on 4 admin users
- GuardDuty disabled in 2 regions
- No formal cloud audit in 12 months
After Remediation
- RDS in private subnet, security groups locked down
- Root credentials in AWS Secrets Manager with rotation
- All customer document buckets private with object lock
- MFA enforced on every IAM user
- GuardDuty + Security Hub enabled in all regions
- Quarterly CSPM scans + monthly executive review
"When Codesecure showed us a public-internet endpoint to our production database, my CTO went pale. We had no idea. The fix took an hour. The audit report unblocked our SOC 2 timeline and our RBI examination."
Anonymous, Co-founder, RBI-regulated Indian fintech
Key Lessons
What Other Teams Can Take Away
- Cloud misconfigurations are the #1 fintech breach cause. Public RDS, exposed S3, leaked IAM keys account for the majority of recent Indian fintech incidents.
- Multi-account sprawl needs governance. Use AWS Organizations, SCPs and centralized logging from day one; retrofit is expensive.
- Long-lived IAM keys are a liability. Move to SSO + temporary credentials. Rotate any remaining keys every 90 days minimum.
- CSPM is necessary but not sufficient. Combine continuous CSPM with periodic human audit; tools miss business-logic and architectural risks.
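Two of the checks a team can automate from the findings and lessons above, written as an added example rather than Codesecure's own tooling: public internet ingress to a database port (the RDS finding) and active IAM access keys past the 90-day rotation floor. The functions take plain dicts in the shape boto3's `ec2.describe_security_groups()["SecurityGroups"]` and `iam.list_access_keys()["AccessKeyMetadata"]` return, so they can be fed real API output; the sample data below is constructed.

```python
# Added example: security-group and IAM key-age checks over boto3-shaped dicts.
from datetime import datetime, timedelta, timezone

DB_PORTS = (5432, 3306)                 # PostgreSQL, MySQL
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
MAX_KEY_AGE_DAYS = 90                   # rotation floor stated in Key Lessons

def public_db_ingress(security_groups):
    """Return (group id, port) pairs where a DB port is reachable from the internet."""
    hits = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") == "-1":      # "all traffic": AWS omits the port fields
                lo, hi = 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            world_v4 = any(r.get("CidrIp") in PUBLIC_CIDRS for r in perm.get("IpRanges", []))
            world_v6 = any(r.get("CidrIpv6") in PUBLIC_CIDRS for r in perm.get("Ipv6Ranges", []))
            if not (world_v4 or world_v6):
                continue
            hits.extend((sg["GroupId"], p) for p in DB_PORTS if lo <= p <= hi)
    return hits

def stale_access_keys(key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return ids of Active keys created more than max_age_days before `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in key_metadata
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]

# Constructed sample data, not taken from the client's environment.
SAMPLE_SGS = [
    {"GroupId": "sg-rds-prod", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-rds-fixed", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-allow-all", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [  # key ids are placeholders
    {"AccessKeyId": "AKIA-OLD-PLACEHOLDER", "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"AccessKeyId": "AKIA-NEW-PLACEHOLDER", "Status": "Active", "CreateDate": NOW - timedelta(days=30)},
    {"AccessKeyId": "AKIA-OFF-PLACEHOLDER", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print("public DB ingress:", public_db_ingress(SAMPLE_SGS))
    print("stale keys:", stale_access_keys(SAMPLE_KEYS, NOW))
```

The "all traffic" rule is caught as well as the explicit port rule, which is the case a port-only grep misses.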
Conclusion
Cloud-native fintech has compressed the time between rapid growth and serious security exposure. AWS misconfigurations, IAM sprawl and missing baseline controls create breach paths that scanners alone cannot fully surface. Codesecure's cloud audit identified exactly the issues that would have surfaced in the next regulatory examination or, worse, a real breach.
For Indian fintech, healthtech and SaaS running on AWS, Azure or GCP, a cloud security audit is now a quarterly cadence aligned with RBI, ISO 27001 and SOC 2 expectations. Codesecure delivers CIS-benchmark-aligned audits with named consultants, fixed pricing and instant response.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.
