Cloud controls findings — Acme Corp
Output of a 48-hour Controls Review across IAM, logging, CI/CD, vulnerability, backup, and AI workload controls for a fictional Series B SaaS company.
Controls Review · 48 hours · AWS, GCP, GitHub, Vanta, Vertex AI · Enterprise security review
Executive summary
Acme Corp has the foundations of a working cloud and engineering setup, but a customer security review will surface concrete gaps in logging, IAM hygiene, deploy approvals, backup evidence, and AI cost control. None of the findings require a re-architecture. All can be implemented inside a 1–2 week Controls Sprint with merged PRs and an evidence folder ready to share with the enterprise buyer's procurement team.
The highest-impact moves are: enabling org-wide CloudTrail, retiring long-lived service-account keys via Workload Identity, and enforcing MFA + deploy approvals as policy. These three changes alone cover the majority of items a SOC 2 readiness assessment or customer questionnaire will flag.
Findings
F-01
CloudTrail not enabled in 2 of 3 production accounts
- Severity: High
- Area: Logging & monitoring
- Affected system: AWS / CloudTrail
- Owner: Platform / Security
- Estimate: 1-2 days
- Buyer / audit relevance: Auditors and enterprise buyers expect a complete audit trail across all production accounts. An account without a trail has no management-event history beyond the console's 90-day event history, which blocks SOC 2 CC7.2 evidence.
- Evidence requested: Org-level CloudTrail config export · per-account trail status screenshots.
- Fix path: Create one organization trail in the management account (multi-region, covering every member account including ones added later); ship logs to a dedicated security S3 bucket with S3 Object Lock in compliance mode and a bucket policy that lets only the CloudTrail service principal write; enable log-file validation; alert when log delivery stops.
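The evidence check behind this finding, as an added example (not code from the Controls Review deliverable or from Acme): it reads the JSON that the AWS CLI returns for trails, trail status and the log bucket's Object Lock configuration, and reports per account what is missing. The account IDs, trail names and bucket name are constructed sample data.

```python
"""Check CloudTrail coverage across production accounts from exported CLI JSON.

Inputs are the documents that `aws cloudtrail describe-trails
--include-shadow-trails` and `aws cloudtrail get-trail-status --name <arn>`
return in each account, plus `aws s3api get-object-lock-configuration` for the
log bucket. Account IDs, trail names and the bucket name below are constructed
sample data for this example, not Acme inventory.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AccountEvidence:
    account_id: str
    trails: List[dict]        # the "trailList" array from describe-trails
    status: Dict[str, dict]   # TrailARN -> get-trail-status output


def trail_gaps(acct: AccountEvidence) -> List[str]:
    """Return control gaps for one account; an empty list means compliant.

    The account passes only if some multi-region trail is the organization
    trail (account admins cannot switch that off), has log-file validation
    enabled, and is currently logging. An org trail shows up in member
    accounts as a shadow trail, which is why --include-shadow-trails matters.
    """
    candidates = [t for t in acct.trails if t.get("IsMultiRegionTrail")]
    if not candidates:
        return ["no multi-region trail configured"]
    gaps: List[str] = []
    for trail in candidates:
        problems = []
        if not trail.get("IsOrganizationTrail"):
            problems.append("account-local trail, not the org trail")
        if not trail.get("LogFileValidationEnabled"):
            problems.append("log-file validation disabled")
        if not acct.status.get(trail["TrailARN"], {}).get("IsLogging"):
            problems.append("trail exists but IsLogging is false")
        if not problems:
            return []                      # one fully compliant trail is enough
        gaps.extend(f"{trail['Name']}: {p}" for p in problems)
    return gaps


def bucket_gaps(lock_config: dict) -> List[str]:
    """Check that the log bucket is tamper-resistant (Object Lock, compliance mode)."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    gaps = []
    if cfg.get("ObjectLockEnabled") != "Enabled":
        gaps.append("object lock not enabled on log bucket")
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    if retention.get("Mode") != "COMPLIANCE":
        gaps.append("default retention is not COMPLIANCE mode")
    return gaps


def coverage_report(accounts: List[AccountEvidence], lock_config: dict) -> Dict[str, List[str]]:
    """Map each account ID, plus the log bucket, to its list of gaps."""
    report = {a.account_id: trail_gaps(a) for a in accounts}
    report["log-bucket"] = bucket_gaps(lock_config)
    return report


# Constructed sample: one org trail, one account with nothing, one stale local trail.
ORG_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail"
LOCAL_ARN = "arn:aws:cloudtrail:us-east-1:333333333333:trail/old-local-trail"
ORG_TRAIL = {"Name": "org-trail", "TrailARN": ORG_ARN, "IsMultiRegionTrail": True,
             "IsOrganizationTrail": True, "LogFileValidationEnabled": True,
             "S3BucketName": "acme-security-logs"}
LOCAL_TRAIL = {"Name": "old-local-trail", "TrailARN": LOCAL_ARN, "IsMultiRegionTrail": True,
               "IsOrganizationTrail": False, "LogFileValidationEnabled": False,
               "S3BucketName": "some-bucket"}
SAMPLE_ACCOUNTS = [
    AccountEvidence("111111111111", [ORG_TRAIL], {ORG_ARN: {"IsLogging": True}}),
    AccountEvidence("222222222222", [], {}),
    AccountEvidence("333333333333", [LOCAL_TRAIL], {LOCAL_ARN: {"IsLogging": False}}),
]
SAMPLE_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}}}}

if __name__ == "__main__":
    for name, gaps in coverage_report(SAMPLE_ACCOUNTS, SAMPLE_LOCK).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

Run once per production account after the org trail is created; the report output, kept alongside the raw CLI JSON, is the per-account evidence the finding asks for. GOVERNANCE retention is flagged because a principal with the bypass permission can still delete objects under it, which is exactly the tampering the log bucket is supposed to resist.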
F-02
Service-account keys not rotated in 11+ months
- Severity: High
- Area: Access controls
- Affected system: GCP / IAM
- Owner: Platform
- Estimate: 3-5 days
- Buyer / audit relevance: Stale long-lived keys are a top finding on customer questionnaires and on Vanta/Drata IAM checks; a user-managed JSON key never expires unless it is rotated or deleted, so an 11-month-old key is a credential of unknown whereabouts.
- Evidence requested: gcloud IAM keys inventory · documented rotation policy · IaC change history.
- Fix path: Migrate service-to-service auth to Workload Identity (GKE) or Workload Identity Federation (CI runners and other external workloads); disable the long-lived JSON keys first and delete them after a soak period, so a missed consumer fails visibly while rollback is still a one-line re-enable; then block new key creation with the iam.disableServiceAccountKeyCreation organization policy; document the rotation policy and a quarterly review.
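The key inventory check, as an added example (not Acme's tooling or part of the deliverable): it reads the JSON that `gcloud iam service-accounts keys list --format=json` returns, skips Google-managed and already-disabled keys, flags user-managed keys older than a threshold, and emits the disable command for the runbook. The 90-day threshold is an assumed policy value, and the service account, key IDs and dates are constructed.

```python
"""Flag stale user-managed GCP service-account keys from exported gcloud JSON.

Input is the JSON that `gcloud iam service-accounts keys list
--iam-account=<sa> --format=json` returns, one list per service account.
The service-account name, key IDs and dates below are constructed sample
data; the 90-day threshold is an assumption standing in for Acme's policy.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

MAX_KEY_AGE_DAYS = 90   # assumed policy value


@dataclass
class StaleKey:
    service_account: str
    key_id: str
    age_days: int

    def disable_command(self) -> str:
        # Disable before deleting: a missed consumer then fails loudly, and the
        # key can still be re-enabled during the soak period if that happens.
        return (f"gcloud iam service-accounts keys disable {self.key_id} "
                f"--iam-account={self.service_account}")


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(inventory: Dict[str, List[dict]], now: datetime,
               max_age_days: int = MAX_KEY_AGE_DAYS) -> List[StaleKey]:
    """Return enabled USER_MANAGED keys older than max_age_days, oldest first.

    SYSTEM_MANAGED keys are rotated by Google and are skipped; keys already
    marked disabled are skipped because they are no longer a usable credential.
    """
    found: List[StaleKey] = []
    for sa, keys in inventory.items():
        for key in keys:
            if key.get("keyType") != "USER_MANAGED" or key.get("disabled"):
                continue
            age = (now - _parse_ts(key["validAfterTime"])).days
            if age > max_age_days:
                found.append(StaleKey(sa, key["name"].rsplit("/", 1)[-1], age))
    return sorted(found, key=lambda k: -k.age_days)


# Constructed sample inventory for one service account.
SA = "deployer@acme-prod.iam.gserviceaccount.com"
_PREFIX = f"projects/acme-prod/serviceAccounts/{SA}/keys/"
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    SA: [
        {"name": _PREFIX + "aaaa1111", "keyType": "USER_MANAGED",
         "validAfterTime": "2023-06-15T00:00:00Z"},                    # stale
        {"name": _PREFIX + "bbbb2222", "keyType": "USER_MANAGED",
         "validAfterTime": "2024-05-01T00:00:00Z"},                    # 31 days old
        {"name": _PREFIX + "cccc3333", "keyType": "SYSTEM_MANAGED",
         "validAfterTime": "2023-01-01T00:00:00Z"},                    # Google-rotated
        {"name": _PREFIX + "dddd4444", "keyType": "USER_MANAGED",
         "validAfterTime": "2023-01-01T00:00:00Z", "disabled": True},  # already disabled
    ],
}

if __name__ == "__main__":
    for k in stale_keys(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{k.age_days}d  {k.service_account}  {k.key_id}\n  {k.disable_command()}")
```

The sorted output doubles as the migration order: the oldest keys are the ones most likely to have been copied into places nobody remembers, so they go first and get the longest soak before deletion. Once the list is empty, the org policy mentioned in the fix path keeps it empty.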
F-03
No required reviews on production deploy workflow
- Severity: Medium
- Area: CI/CD & change management
- Affected system: GitHub Actions
- Owner: Engineering Leads
- Estimate: 0.5-1 day
- Buyer / audit relevance: Customer questionnaires routinely ask for evidence of code-review and deployment-approval gates (SOC 2 CC8.1); a workflow that anyone with write access can trigger against production is a change-management gap, not just a hygiene item.
- Evidence requested: Branch-protection JSON export · CODEOWNERS file · GitHub environment protection screenshot.
- Fix path: Enable required PR reviews (with CODEOWNERS review) and required status checks on main, and apply the rule to administrators so it cannot be bypassed; create a production environment whose protection rule requires approval from a designated approvers team, and make the deploy job target that environment so GitHub enforces the gate rather than convention.
F-04
Container images deployed without scanning
- Severity: Medium
- Area: Vulnerability hygiene
- Affected system: Artifact Registry / CI
- Owner: Platform
- Estimate: 1 day
- Buyer / audit relevance: Vanta and Drata both flag missing image scanning. Enterprise buyers ask for evidence that no critical/high CVEs are deployed, which requires scan output per deploy, not a one-off scan.
- Evidence requested: CI pipeline log showing scan step · scanner output for last 30 deploys · policy doc.
- Fix path: Add Trivy (or Artifact Registry vulnerability scanning) to CI and fail the build when a critical CVE is found; keep the JSON report as a build artifact so the last-30-deploys evidence accumulates on its own; document an exception process in which every waiver has an owner, a reason and an expiry date, so a temporary allowance cannot quietly become permanent.
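A CI gate over a Trivy JSON report, as an added example (not Acme's pipeline or code from the deliverable): Trivy's own `--exit-code 1 --severity CRITICAL` flags can fail a build by themselves; what this adds is the exception process from the fix path, a waiver list where each entry carries an owner and an expiry and an expired waiver no longer applies. The report and the waiver entries are constructed sample data, and the CVE IDs are placeholders, not real advisories.

```python
"""Gate a CI build on a Trivy JSON report, with a time-boxed exception list.

Input is the document that `trivy image --format json -o report.json <image>`
writes (SchemaVersion 2: Results[].Vulnerabilities[]). The report, the
exception entries, the image name and the CVE IDs below are constructed for
this example; the IDs are placeholders, not real advisories.
"""
from datetime import date
from typing import Dict, List, Tuple

BLOCKING_SEVERITIES = {"CRITICAL"}   # policy from the fix path; HIGH is reported, not blocking


def blocking_vulns(report: dict, exceptions: Dict[str, dict],
                   today: date) -> Tuple[List[dict], List[str]]:
    """Return (vulnerabilities that block the build, exception IDs that applied).

    A waiver applies only while unexpired; an expired one is ignored, so a
    forgotten entry cannot silently keep a critical CVE in production.
    """
    blocking, applied = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in BLOCKING_SEVERITIES:
                continue
            cve = vuln["VulnerabilityID"]
            waiver = exceptions.get(cve)
            if waiver and date.fromisoformat(waiver["expires"]) >= today:
                applied.append(cve)
                continue
            blocking.append({"id": cve, "pkg": vuln.get("PkgName"),
                             "installed": vuln.get("InstalledVersion"),
                             "fixed": vuln.get("FixedVersion") or "no fix yet",
                             "target": result.get("Target")})
    return blocking, applied


def gate(report: dict, exceptions: Dict[str, dict], today: date) -> int:
    """Exit code for the CI step: 0 to pass, 1 to fail; prints the reasons either way."""
    blocking, applied = blocking_vulns(report, exceptions, today)
    for v in blocking:
        print(f"BLOCK  {v['id']} {v['pkg']} {v['installed']} -> {v['fixed']} ({v['target']})")
    for cve in applied:
        w = exceptions[cve]
        print(f"WAIVED {cve} owner={w['owner']} until={w['expires']}: {w['reason']}")
    return 1 if blocking else 0


# Constructed sample report: two criticals (one with a fix, one without) and one high.
SAMPLE_REPORT = {"SchemaVersion": 2, "ArtifactName": "acme/api:1.2.3", "Results": [
    {"Target": "acme/api:1.2.3 (alpine 3.18)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libssl3", "InstalledVersion": "3.1.0-r0",
         "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2099-0002", "PkgName": "busybox", "InstalledVersion": "1.36.0-r0",
         "FixedVersion": "", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-2099-0003", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
         "FixedVersion": "1.2.13-r1", "Severity": "HIGH"}]},
    {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": None}]}

# What the documented exception process records; constructed for the example.
SAMPLE_EXCEPTIONS = {
    "CVE-2099-0002": {"owner": "platform@acme.example",
                      "reason": "no upstream fix; affected applet not shipped in the image",
                      "expires": "2024-07-31"},
}

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT, SAMPLE_EXCEPTIONS, date.today()))
```

The waiver file is what the "policy doc" evidence item points to: who accepted the risk, why, and until when. Running the gate against the stored reports for past deploys also answers the buyer's question retroactively, since the same function says whether each deploy would have passed under today's policy.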
F-05
Database backups: no documented restore test
- Severity: Medium
- Area: Backups & recovery
- Affected system: Cloud SQL / RDS
- Owner: Platform / SRE
- Estimate: 1-2 days
- Buyer / audit relevance: Restore tests (not just backup configuration) are the evidence auditors and buyers actually want; a backup that has never been restored is an assumption, not a control.
- Evidence requested: Restore-test runbook · last restore-test report · monitoring of backup success.
- Fix path: Write a quarterly restore-test runbook that restores the latest backup into an isolated instance, verifies it (row counts for key tables, an application smoke test against the restored copy) and records the wall-clock time so the observed recovery time can be compared with the stated RTO; schedule the drill; file each report in the evidence folder; alert when a scheduled backup fails.
F-06
Admin console access lacks enforced MFA evidence
- Severity: High
- Area: Access controls
- Affected system: Identity provider (Okta / Google Workspace)
- Owner: IT / Security
- Estimate: 0.5-1 day
- Buyer / audit relevance: MFA evidence is the single most-requested item on customer security questionnaires; "MFA is turned on" without a policy export and a per-user enrollment report does not satisfy it.
- Evidence requested: IdP policy export · per-user MFA status report · enforcement screenshot.
- Fix path: Set an IdP policy that requires MFA for all admin roles, preferring phishing-resistant factors (FIDO2 security keys) for IdP and cloud-console administrators; revoke standing access for users who have not enrolled rather than waiting for them to do so; export the policy and the per-user status report quarterly.
F-07
AI feature has no token-spend guardrail
- Severity: Medium
- Area: AI workload controls
- Affected system: Vertex AI / OpenAI
- Owner: AI / Platform
- Estimate: 1-2 days
- Buyer / audit relevance: Procurement teams increasingly ask whether AI features can be rate-limited and have cost controls before granting enterprise access; without a per-tenant limit, one abusive or malfunctioning tenant can exhaust the budget shared by all of them.
- Evidence requested: Spend dashboard · per-tenant rate-limit policy · alert routing config.
- Fix path: Enforce per-tenant token quotas (a daily budget plus a per-minute burst limit) in the application request path, because billing budgets and provider dashboards lag by hours and cannot stop a run-away loop; route spend alerts to on-call; document the abuse-handling runbook (who may raise or suspend a tenant's quota and where the decision is recorded).
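The guardrail itself, as an added example (not Acme's service code or part of the deliverable): an admission check that runs before each model call, charges an estimated token count against a per-tenant daily budget and per-minute burst limit, corrects the charge with the provider's reported usage afterwards, and fires one alert per tenant per day when spend crosses a threshold. The quota values, tenant IDs and the alert sink are constructed; in production the sink would be the paging integration.

```python
"""Per-tenant token quota for an LLM feature, with spend alerts to on-call.

Added example of an application-layer guardrail placed in front of calls to
Vertex AI / OpenAI. Quota values, tenant IDs and the alert sink below are
constructed for this example and stand in for per-tenant policy and the real
paging integration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

DAY = 86_400


@dataclass
class Quota:
    tokens_per_day: int
    tokens_per_minute: int
    alert_at: float = 0.8   # page on-call when daily spend crosses this fraction


class TokenGuard:
    """Admission control for model calls: daily budget plus per-minute burst limit per tenant."""

    def __init__(self, quotas: Dict[str, Quota], alert: Callable[[str, str], None]):
        self.quotas = quotas
        self.alert = alert                  # injected so the routing is testable and swappable
        self.day_used: Dict[Tuple[str, int], int] = defaultdict(int)
        self.minute_used: Dict[Tuple[str, int], int] = defaultdict(int)
        self.alerted: Set[Tuple[str, int]] = set()   # one alert per tenant per day

    def reserve(self, tenant: str, estimated_tokens: int, now: float) -> Tuple[bool, str]:
        """Decide before the model call and charge the estimate up front."""
        quota = self.quotas.get(tenant)
        if quota is None:
            return False, "unknown tenant"   # fail closed: no quota record, no call
        day, minute = int(now // DAY), int(now // 60)
        if self.day_used[(tenant, day)] + estimated_tokens > quota.tokens_per_day:
            return False, "daily token quota exhausted"
        if self.minute_used[(tenant, minute)] + estimated_tokens > quota.tokens_per_minute:
            return False, "per-minute rate limit"
        self.day_used[(tenant, day)] += estimated_tokens
        self.minute_used[(tenant, minute)] += estimated_tokens
        self._maybe_alert(tenant, day, quota)
        return True, "ok"

    def settle(self, tenant: str, estimated_tokens: int, actual_tokens: int, now: float) -> None:
        """Replace the estimate with the usage the provider reports after the call."""
        day = int(now // DAY)
        self.day_used[(tenant, day)] += actual_tokens - estimated_tokens
        self._maybe_alert(tenant, day, self.quotas[tenant])

    def _maybe_alert(self, tenant: str, day: int, quota: Quota) -> None:
        used = self.day_used[(tenant, day)]
        if used >= quota.alert_at * quota.tokens_per_day and (tenant, day) not in self.alerted:
            self.alerted.add((tenant, day))
            self.alert(tenant, f"{used}/{quota.tokens_per_day} daily tokens used")


def simulate() -> Tuple[List[Tuple[bool, str]], List[Tuple[str, str]]]:
    """Drive one tenant through a burst; returns (decisions, alerts) for inspection."""
    alerts: List[Tuple[str, str]] = []
    guard = TokenGuard({"tenant-a": Quota(tokens_per_day=10_000, tokens_per_minute=3_000)},
                       alert=lambda tenant, msg: alerts.append((tenant, msg)))
    t0 = 1_700_000_000.0
    decisions: List[Tuple[bool, str]] = []

    def call(tenant: str, when: float) -> None:
        ok, why = guard.reserve(tenant, 2_500, when)
        decisions.append((ok, why))
        if ok:
            guard.settle(tenant, 2_500, 2_400, when)   # provider reported slightly less

    call("tenant-a", t0)           # allowed
    call("tenant-a", t0 + 10)      # same minute: over the burst limit
    for i in range(1, 5):          # one call per minute; the 80% alert fires, then the budget runs out
        call("tenant-a", t0 + i * 60)
    call("tenant-b", t0)           # tenant with no quota record
    return decisions, alerts


if __name__ == "__main__":
    for d in simulate()[0]:
        print(d)
```

Charging the estimate before the call is what makes the limit enforceable: the provider reports actual usage only after the response, so a guard that waits for it lets the whole burst through. The two-step reserve/settle also gives the spend dashboard a number that is never more than one in-flight request out of date.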
F-08
No documented offboarding evidence for terminated users
- Severity: Medium
- Area: Access controls
- Affected system: IdP / Cloud / Git
- Owner: HR / IT
- Estimate: 0.5-1 day
- Buyer / audit relevance: Auditors expect time-bound evidence that access was revoked across all systems for departed users: a termination date and a revocation timestamp per system, not just a ticked checklist.
- Evidence requested: Offboarding checklist · ticket history for last 5 offboardings · IdP audit export.
- Fix path: Document an offboarding runbook with checkpoints across IdP, cloud IAM, repositories and SaaS tools, each with a stated revocation SLA; trigger it from the HR termination event; store the completed, timestamped checklist in the evidence folder and reconcile it against access exports, so that systems not fronted by SSO (direct cloud IAM users, Git organization membership) are caught rather than assumed.
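The reconciliation step, as an added example (not Acme's process tooling or part of the deliverable): it joins the HR termination list with one access export per system and produces the per-user, per-system evidence row the auditor wants, flagging both slow revocations and accounts that are still present. Names, dates and system labels are constructed, and the 24-hour target is an assumed SLA value.

```python
"""Reconcile HR terminations against access exports to produce offboarding evidence.

Inputs are the HR termination list and one export per system recording
whether each identity still exists and, if not, when it was removed. All
names, dates and system labels below are constructed sample data; the
24-hour revocation target is an assumption standing in for the SLA the
runbook should state.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

SLA_HOURS = 24   # assumed policy value


@dataclass
class AccessRecord:
    removed_at: Optional[datetime]   # None: the account or binding is still present


@dataclass
class EvidenceRow:
    user: str
    system: str
    terminated_at: datetime
    removed_at: Optional[datetime]

    @property
    def hours_to_revoke(self) -> Optional[float]:
        if self.removed_at is None:
            return None
        return (self.removed_at - self.terminated_at).total_seconds() / 3600

    @property
    def status(self) -> str:
        hours = self.hours_to_revoke
        if hours is None:
            return "ACCESS STILL PRESENT"
        return "within SLA" if hours <= SLA_HOURS else "late"


def reconcile(terminations: Dict[str, datetime],
              exports: Dict[str, Dict[str, AccessRecord]]) -> List[EvidenceRow]:
    """One row per (terminated user, system where that user had an account)."""
    rows: List[EvidenceRow] = []
    for user, terminated_at in terminations.items():
        for system, accounts in exports.items():
            record = accounts.get(user)
            if record is None:
                continue   # never had access on this system; nothing to revoke
            rows.append(EvidenceRow(user, system, terminated_at, record.removed_at))
    return rows


def exceptions(rows: List[EvidenceRow]) -> List[EvidenceRow]:
    """The rows that need a ticket: late revocations and access still in place."""
    return [r for r in rows if r.status != "within SLA"]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


# Constructed sample: two leavers, three systems, one slow cloud revocation, one forgotten Git seat.
SAMPLE_TERMINATIONS = {
    "alice@acme.example": _ts("2024-05-01T17:00:00"),
    "bob@acme.example": _ts("2024-05-10T09:00:00"),
}
SAMPLE_EXPORTS = {
    "idp": {"alice@acme.example": AccessRecord(_ts("2024-05-01T18:30:00")),
            "bob@acme.example": AccessRecord(_ts("2024-05-10T09:45:00"))},
    "aws-iam": {"alice@acme.example": AccessRecord(_ts("2024-05-04T10:00:00"))},   # 65 hours later
    "github": {"bob@acme.example": AccessRecord(None)},                            # still an org member
}

if __name__ == "__main__":
    for row in reconcile(SAMPLE_TERMINATIONS, SAMPLE_EXPORTS):
        hours = row.hours_to_revoke
        print(f"{row.user:22} {row.system:8} {'-' if hours is None else f'{hours:.1f}h':>8}  {row.status}")
```

The full row set is the evidence folder entry for the audit period; the exception list is the work queue. Running it against the last five offboardings answers the "ticket history" request with data rather than recollection, and the github row shows why the IdP export alone is not enough evidence.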
F-09
Secret scanning not enabled on repositories
- Severity: Low
- Area: Vulnerability hygiene
- Affected system: GitHub
- Owner: Security
- Estimate: 0.5 day
- Buyer / audit relevance: Secret scanning is an easy check that customer questionnaires often ask about explicitly.
- Evidence requested: Repo settings screenshot · secret scanning alert dashboard · remediation history.
- Fix path: Enable GitHub Advanced Security secret scanning org-wide, with push protection so a new secret is blocked at push time instead of found afterwards; route alerts to a security channel; document a triage SLA that includes revoking and rotating any confirmed secret, since removing it from the repository history does not invalidate it.
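One check covering the GitHub settings from F-03 and F-09, as an added example (not Acme's tooling or part of the deliverable): it evaluates the JSON that `gh api` returns for the branch-protection rule, the production environment and the repository's security settings, and lists what is still open. The payloads are constructed, the team name and status-check context are hypothetical, and the one-approver minimum is an assumed policy value. If the protection endpoint returns 404, the branch has no rule at all and every branch gap applies.

```python
"""Evaluate GitHub branch-protection, environment and secret-scanning settings.

Inputs are the JSON bodies of three REST calls, which `gh api` returns
verbatim: /repos/{owner}/{repo}/branches/main/protection,
/repos/{owner}/{repo}/environments/production, and /repos/{owner}/{repo}
(for its security_and_analysis block). The payloads below are constructed
for this example; the team slug and status-check context are hypothetical
and the approver minimum is an assumed policy value.
"""
from typing import List

REQUIRED_APPROVALS = 1   # assumed policy minimum


def branch_gaps(protection: dict) -> List[str]:
    """Gaps in the protection rule for the deploy branch (F-03)."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < REQUIRED_APPROVALS:
        gaps.append("required approving reviews below policy")
    if not reviews.get("require_code_owner_reviews"):
        gaps.append("CODEOWNERS review not required")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        gaps.append("no required status checks")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("admins can bypass protection")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        gaps.append("force pushes allowed")
    return gaps


def environment_gaps(environment: dict) -> List[str]:
    """Gaps in the production environment's protection rules (F-03)."""
    rules = environment.get("protection_rules") or []
    gated = any(r.get("type") == "required_reviewers" and r.get("reviewers") for r in rules)
    return [] if gated else ["production environment has no required reviewers"]


def secret_scanning_gaps(repo: dict) -> List[str]:
    """Gaps in secret scanning and push protection (F-09)."""
    sec = repo.get("security_and_analysis") or {}
    gaps = []
    if (sec.get("secret_scanning") or {}).get("status") != "enabled":
        gaps.append("secret scanning disabled")
    if (sec.get("secret_scanning_push_protection") or {}).get("status") != "enabled":
        gaps.append("push protection disabled")
    return gaps


def repo_gaps(protection: dict, environment: dict, repo: dict) -> List[str]:
    """All open items for one repository; an empty list is the pass condition."""
    return branch_gaps(protection) + environment_gaps(environment) + secret_scanning_gaps(repo)


# Constructed payloads: the state found in the review, and the state after the fix.
WEAK_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": []},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"required_approving_review_count": 0,
                                      "require_code_owner_reviews": False},
    "allow_force_pushes": {"enabled": True},
}
FIXED_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": True,
                                      "dismiss_stale_reviews": True},
    "allow_force_pushes": {"enabled": False},
}
NO_GATE_ENV = {"name": "production", "protection_rules": []}
GATED_ENV = {"name": "production", "protection_rules": [
    {"type": "required_reviewers",
     "reviewers": [{"type": "Team", "reviewer": {"slug": "deploy-approvers"}}]}]}
UNSCANNED_REPO = {"security_and_analysis": {"secret_scanning": {"status": "disabled"}}}
SCANNED_REPO = {"security_and_analysis": {
    "secret_scanning": {"status": "enabled"},
    "secret_scanning_push_protection": {"status": "enabled"}}}

if __name__ == "__main__":
    print("before:", repo_gaps(WEAK_PROTECTION, NO_GATE_ENV, UNSCANNED_REPO))
    print("after: ", repo_gaps(FIXED_PROTECTION, GATED_ENV, SCANNED_REPO))
```

The three JSON documents are also the evidence items themselves: saving the raw API responses next to this script's output gives the buyer the branch-protection export and the environment-protection proof in machine-readable form, and re-running it across every repository in the organization turns a one-off screenshot into a recurring control.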
This is what gets delivered.
Book a 15-minute fit call to see whether a Controls Review can do the same for your cloud and security posture before your next enterprise review.
