Cloud Security Posture Assessment for an EdTech SaaS Platform
An EdTech SaaS provider operating an AWS-hosted learning management system engaged us to conduct a comprehensive cloud security posture assessment. We discovered publicly accessible S3 buckets containing student assessment data, a production RDS database exposed to the internet, and six developer IAM users with unrestricted administrator access in production.
Confidential engagement. NDA available upon request.
CIS Benchmark Score: 81%
Risk Reduction: 76%
Exposed Data Resources: 0
Overprivileged Admins: 0
About the Client
Industry: EdTech
Company Size: 75 to 120 employees, growth stage
Background
An AWS-hosted SaaS platform providing a learning management system (LMS) to K-12 schools and higher education institutions. The platform stored student assessment results, educator content, and personally identifiable information for minor students, making data exposure risk a critical compliance and reputational concern.
Security Challenges Identified
Student Assessment Data Publicly Accessible via S3
An S3 bucket containing student assessment results and educator-uploaded content was publicly accessible via direct URL with no authentication required, violating FERPA obligations and exposing minors' educational records.
Production Database Accessible from the Public Internet
The production RDS instance was configured with public accessibility enabled, with security group rules permitting broad inbound access, creating direct database exposure to external threat actors.
Six Developer IAM Users with Unrestricted Admin Access
Six developer IAM users retained AdministratorAccess policies in the production environment with no MFA enforcement, representing a significant credential compromise risk.
Monitoring Blind Spots Across Secondary AWS Region
CloudTrail logging was disabled in a secondary AWS region, creating a complete monitoring blind spot for all API activity and making threat detection and incident response impossible in that region.
The Mission
Identify and remediate all cloud security misconfigurations across the AWS environment, eliminate all exposed student data resources, achieve measurable CIS AWS Foundations Benchmark compliance, and establish comprehensive logging and monitoring coverage.
How We Approached It
01. AWS Account Discovery & Inventory
Week 1
- Scout Suite multi-service cloud security scan
- Prowler compliance checks against CIS AWS Foundations Benchmark
- IAM policy and user access review
- S3 bucket public access and policy audit
02. CIS Benchmark Assessment
Week 1 to 2
- CIS-CAT Pro automated benchmark assessment
- Security group inbound rule audit across all VPCs
- CloudTrail and AWS Config coverage review
- AWS Trusted Advisor security recommendation review
03. Data Exposure & Access Control Testing
Week 2
- S3 bucket public accessibility testing from unauthenticated context
- RDS instance external connectivity verification
- AWS IAM Access Analyzer cross-account and public access findings
- Data classification and PII exposure mapping
04. Logging, Monitoring & Detection Review
Week 3
- CloudTrail region coverage gap identification
- AWS Config rule compliance assessment
- GuardDuty coverage and alert configuration review
- Log retention policy and integrity validation review
05. Reporting & Remediation Workshops
Week 3 to 4
- Executive and technical findings report with CIS benchmark scoring
- Remediation priority matrix by risk and remediation effort
- Engineering team remediation workshops
- Post-remediation configuration validation
Vulnerabilities Discovered
Critical: 2
High: 2
Medium: 3
Low: 0
Publicly Accessible S3 Bucket with Student Data
One S3 bucket containing student assessment results and educator-uploaded content was publicly accessible via direct URL without authentication.
RDS Database Publicly Accessible
Production database instance was configured with public accessibility enabled with security group rules permitting broad inbound access.
Overprivileged Developer IAM Access
Six developer IAM users retained AdministratorAccess policies in production, with no MFA enforcement.
CloudTrail Disabled in Secondary Region
API activity in a secondary AWS region was not being logged, creating a monitoring blind spot.
Security Groups with 0.0.0.0/0 Inbound Rules
Four security groups permitted unrestricted inbound access on ports beyond operational requirements.
S3 Versioning and MFA Delete Not Enabled
Production data buckets lacked versioning and MFA delete protection, increasing ransomware and accidental deletion risk.
No Encryption for Data in Transit on Internal Services
Several internal service communications were not enforcing TLS, permitting potential interception.
How We Fixed It
S3 Public Access Remediation
Enabled S3 Block Public Access at account level, corrected bucket policies, and implemented bucket access logging.
RDS Hardening
Disabled public accessibility, restricted security group access to application server ranges only, and enabled encryption at rest plus automated backups.
IAM Remediation
Replaced AdministratorAccess with least-privilege policies, enforced MFA for console users, and implemented access key rotation policy.
CloudTrail Completion
Enabled CloudTrail across all regions and accounts with log file integrity validation and centralized log storage.
Security Group Cleanup
Restricted security group rules to documented operational requirements and removed 0.0.0.0/0 inbound rules on non-public resources.
Encryption Enforcement
Enforced TLS 1.2 minimum across internal service communications and API endpoints.
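The finding classes listed under Vulnerabilities Discovered and the fixes above map naturally onto automated posture checks. The script below is an added example written for this page, not the assessors' tooling or the client's code. It runs offline over constructed snapshots shaped after the relevant AWS API responses (bucket names, instance identifiers, user names, the account id and the CIDRs are all made up): a "before" snapshot that mirrors the engagement's findings, and an "after" snapshot with the remediations applied, so the post-remediation validation step becomes a repeatable assertion rather than a console walk-through.

```python
"""Offline posture checks for the finding classes in this case study (added example, not the assessors' tooling)."""

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _grants_to_everyone(stmt):
    """Unconditional Allow to the wildcard principal (conditional grants need manual review)."""
    principal = stmt.get("Principal")
    principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
    principals = principal if isinstance(principal, list) else [principal]
    return stmt.get("Effect") == "Allow" and "Condition" not in stmt and "*" in principals


def check_s3(snapshot):
    """Anonymous-access policies no Block Public Access layer neutralises; buckets without versioning."""
    account_pab, findings = snapshot.get("account_public_access_block", {}), []
    for bucket in snapshot["s3_buckets"]:
        # BlockPublicPolicy rejects a public policy; RestrictPublicBuckets disarms one already attached.
        shielded = any(pab.get("BlockPublicPolicy") and pab.get("RestrictPublicBuckets")
                       for pab in (account_pab, bucket.get("PublicAccessBlock", {})))
        statements = (bucket.get("Policy") or {}).get("Statement", [])
        statements = statements if isinstance(statements, list) else [statements]
        if not shielded and any(_grants_to_everyone(s) for s in statements):
            findings.append(("s3-public-policy", bucket["Name"]))
        if not bucket.get("VersioningEnabled"):
            findings.append(("s3-no-versioning", bucket["Name"]))
    return findings


def check_rds(snapshot):
    return [("rds-public", db["DBInstanceIdentifier"])  # instance given a public endpoint by configuration
            for db in snapshot["rds_instances"] if db.get("PubliclyAccessible")]


def check_iam(snapshot):
    """Users carrying managed AdministratorAccess, and console users without an MFA device."""
    users = snapshot["iam_users"]
    return ([("iam-admin-user", u["UserName"]) for u in users if ADMIN_POLICY in u.get("AttachedPolicies", [])]
            + [("iam-no-mfa", u["UserName"]) for u in users if u.get("ConsoleAccess") and not u.get("MfaEnabled")])


def check_cloudtrail(snapshot):
    """Regions no trail records, and trails without log file integrity validation."""
    covered, findings = set(), []
    for trail in snapshot["trails"]:
        covered |= set(snapshot["regions"]) if trail.get("IsMultiRegionTrail") else {trail["HomeRegion"]}
        if not trail.get("LogFileValidationEnabled"):
            findings.append(("cloudtrail-no-validation", trail["Name"]))
    return findings + [("cloudtrail-region-gap", r) for r in snapshot["regions"] if r not in covered]


def check_security_groups(snapshot):
    """Inbound rules open to the whole internet over IPv4 or IPv6."""
    findings = []
    for sg in snapshot["security_groups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if cidrs & {"0.0.0.0/0", "::/0"}:
                findings.append(("sg-open-inbound", f"{sg['GroupId']}:{perm.get('FromPort', 'all')}"))
    return findings


def assess(snapshot):
    """Run every check; returns (check_id, resource) pairs, empty when the snapshot is clean."""
    checks = (check_s3, check_rds, check_iam, check_cloudtrail, check_security_groups)
    return [finding for check in checks for finding in check(snapshot)]


# Constructed data (all names, ids and CIDRs made up): BEFORE mirrors the engagement's finding
# classes; AFTER is BEFORE with the remediations from the section above applied.
REGIONS = ["us-east-1", "us-west-2"]
PUBLIC_READ = {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::lms-assessments-example/*"}
APP_ROLE_READ = dict(PUBLIC_READ, Principal={"AWS": "arn:aws:iam::111122223333:role/lms-app-example"})
DEV_POLICY = "arn:aws:iam::111122223333:policy/lms-developer-example"
HTTPS_FROM_VPC = {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}
BEFORE = {
    "regions": REGIONS, "account_public_access_block": {},
    "s3_buckets": [{"Name": "lms-assessments-example", "VersioningEnabled": False,
                    "Policy": {"Statement": [PUBLIC_READ]}}],
    "rds_instances": [{"DBInstanceIdentifier": "lms-prod-example", "PubliclyAccessible": True}],
    "iam_users": [{"UserName": f"dev{i}", "AttachedPolicies": [ADMIN_POLICY], "ConsoleAccess": True,
                   "MfaEnabled": False} for i in range(1, 7)],
    "trails": [{"Name": "prod-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": False}],
    "security_groups": [{"GroupId": "sg-example", "IpPermissions": [HTTPS_FROM_VPC,
                         {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
}
AFTER = {
    **BEFORE,
    "account_public_access_block": dict.fromkeys(
        ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"), True),
    "s3_buckets": [dict(b, VersioningEnabled=True, Policy={"Statement": [APP_ROLE_READ]}) for b in BEFORE["s3_buckets"]],
    "rds_instances": [dict(db, PubliclyAccessible=False) for db in BEFORE["rds_instances"]],
    "iam_users": [dict(u, MfaEnabled=True, AttachedPolicies=[DEV_POLICY]) for u in BEFORE["iam_users"]],
    "trails": [dict(t, IsMultiRegionTrail=True, LogFileValidationEnabled=True) for t in BEFORE["trails"]],
    "security_groups": [dict(sg, IpPermissions=[HTTPS_FROM_VPC]) for sg in BEFORE["security_groups"]],
}

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        print(label, *(f"{c}: {r}" for c, r in assess(snapshot)), sep="\n  ")
```

Against a live account the same functions take the parsed output of the corresponding describe and list calls in place of the constructed dictionaries. Two deliberate choices: a bucket policy with a wildcard principal is only reported when neither the account-level nor the bucket-level Block Public Access setting would neutralise it, which is exactly why the account-level switch was the first S3 fix above; and the CloudTrail check derives region coverage from the trails rather than trusting a per-trail flag, so a single-region trail in one region surfaces the other region as a gap.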
Measurable Outcomes
Following remediation, the client passed a security review conducted by a large school district procurement team, enabling contract execution worth approximately $180,000 annually.
CIS Benchmark Score: 81%
Overall Risk Reduction: 76%
Exposed Data Resources: 0
CloudTrail Coverage: 100%
Before and after remediation:
CIS AWS Benchmark Score: 34% before, 81% after
Publicly Exposed Data Resources: 2 before, 0 after
Critical Vulnerabilities: 2 before, 0 after
High Vulnerabilities: 2 before, 0 after
IAM Users with Admin Access (Production): 6 before, 0 after
CloudTrail Coverage: Partial before, 100% (all regions) after