Skip to main content

Cloud Audit: Validation Report

Drop — Validation + Security + Cost Report

Date: 2026-02-19 Auditor: cloud-tester (CloudForge cloud-audit team) MC Task: #1443

Executive Summary

Drop's AWS infrastructure has 3 CRITICAL and 4 HIGH security findings requiring immediate remediation. Current spend is ~$50-75/mo, well-optimized for scale. The application is cloud-portable (7.5/10) and the recommended path is to stay on AWS with security hardening + Terraform IaC.

1. Security Posture Assessment

Current vs Improved

Area Current State After Remediation Risk Reduction
Secrets Plaintext in App Runner env vars AWS Secrets Manager CRITICAL → LOW
RDS Access Publicly accessible, SG open 0.0.0.0/0 Private, VPC-only access CRITICAL → LOW
Encryption RDS unencrypted at rest AES-256 encryption enabled CRITICAL → RESOLVED
Monitoring None (no CloudWatch) Basic alarms + Performance Insights HIGH → LOW
WAF None Cloudflare WAF (free tier) HIGH → LOW
CDN None (direct App Runner URL) Cloudflare CDN HIGH → LOW
SSL/TLS App Runner managed cert Cloudflare + App Runner MEDIUM → LOW
IAM Single user (john-deploy) Least-privilege roles MEDIUM → LOW

Security Findings Summary

# Severity Finding Remediation Effort
S1 CRITICAL RDS publicly accessible with SG allowing 0.0.0.0/0:5432 Set publicly_accessible=false, restrict SG to VPC CIDR 1 hour
S2 CRITICAL Database password in plaintext App Runner env var Migrate to Secrets Manager, update App Runner to read from SM 2 hours
S3 CRITICAL JWT_SECRET in plaintext App Runner env var Migrate to Secrets Manager 1 hour
S4 HIGH RDS storage not encrypted at rest Enable encryption (requires snapshot + restore for existing DB) 2-4 hours
S5 HIGH No monitoring or alerting configured Add CloudWatch alarms for CPU, memory, DB connections 1 hour
S6 HIGH No WAF protection Add Cloudflare WAF (free tier) 30 min
S7 HIGH No CDN (direct App Runner URL exposed) Add Cloudflare CDN 30 min
S8 MEDIUM Sentry DSN in plaintext (not secret, but cleanup) Move to Secrets Manager for consistency 30 min
S9 MEDIUM Docker image has build tools in runner (attack surface) Remove python3/make/g++ from runner stage 1 hour
S10 MEDIUM No structured logging (incident investigation gaps) Add pino/winston with JSON output 2 days
S11 LOW ECR image tag mutability (tag overwrite risk) Set image_tag_mutability = IMMUTABLE 5 min
S12 LOW No lifecycle policy for ECR images Add policy to clean old images 15 min

Compliance Checklist

Item Status Notes
GDPR data tables (consents, data_access_requests) PASS Schema includes consent tracking, DSAR, right to erasure
Audit logging PASS audit_log table with IP, user_agent, request_id
AML/KYC compliance PASS aml_alerts, str_reports, screening_results tables
Encryption at rest FAIL RDS storage unencrypted
Encryption in transit PARTIAL App Runner HTTPS, but RDS sslmode=no-verify
Secrets management FAIL Plaintext in env vars
Access control PARTIAL Single IAM user, no MFA enforcement
Backup & recovery PASS RDS 7-day automated backups
DeletionProtection PASS Enabled on RDS

2. Cost Comparison

Current AWS Spend

Resource Monthly Cost Notes
App Runner (1 vCPU, 2GB) $25-35 Always-on, no auto-stop
RDS db.t3.micro $15-18 Single-AZ, 20GB gp3
ECR $1-2 Image storage
VPC Connector $5 Flat fee
Data transfer $2-5 Low traffic
Total $48-65

Optimized AWS (after fixes)

Resource Monthly Cost Change
App Runner $25-35 No change
RDS (encrypted) $15-18 No cost increase
ECR $1-2 No change
Secrets Manager (3 secrets) $1.20 +$1.20
CloudWatch (basic alarms) $3-5 +$3-5
Cloudflare (free tier) $0 Free CDN/WAF/DNS
Total $52-70 +$4-7

Multi-Cloud Equivalent

Provider Monthly Annual vs Current
AWS (optimized) $52-70 $624-840 +$4-7/mo
Azure $100-130 $1,200-1,560 +$50-65/mo
GCP $35-60 $420-720 -$5-15/mo

Verdict: AWS is cost-effective. GCP saves ~$10/mo but migration effort not justified at current scale.

3. Risk Matrix

Risk Probability Impact Current Mitigation Recommended
Data breach via public RDS HIGH CRITICAL DeletionProtection only Restrict SG, disable public access
Secret exposure MEDIUM CRITICAL None (plaintext) Secrets Manager + rotation
Service downtime LOW HIGH App Runner auto-scaling Add health checks, CloudWatch alarms
Data loss LOW CRITICAL 7-day RDS backups Add cross-region backup copy
Cost overrun LOW MEDIUM None Add AWS Budgets alarm at $100
Vendor lock-in LOW MEDIUM Docker + PostgreSQL Terraform abstraction modules
DDoS attack MEDIUM HIGH None Cloudflare WAF + rate limiting
Compliance failure MEDIUM HIGH Tables exist, no encryption Enable encryption, structured logging

4. Implementation Roadmap

Phase 1: Security Fixes (Immediate — Day 1)

  • Create Secrets Manager secrets (DATABASE_URL, JWT_SECRET, SENTRY_DSN)
  • Update App Runner to read from Secrets Manager
  • Restrict RDS security group to VPC CIDR
  • Disable RDS public accessibility
  • Effort: 4-6 hours | Cost impact: +$1.20/mo

Phase 2: IaC Migration (Week 1)

  • Create S3 bucket for Terraform state
  • Import existing resources into Terraform state
  • Run terraform plan to verify no drift
  • Add terraform-ci.yml to GitHub Actions
  • Effort: 1-2 days | Cost impact: $0

Phase 3: Monitoring & Observability (Week 2)

  • Enable RDS Performance Insights
  • Add CloudWatch alarms (CPU > 80%, memory > 80%, DB connections > 80%)
  • Add structured logging (pino) to application
  • Configure Sentry properly (traces, breadcrumbs)
  • Effort: 2-3 days | Cost impact: +$3-5/mo

Phase 4: Edge Security (Week 2-3)

  • Set up Cloudflare (DNS, CDN, WAF)
  • Custom domain (getdrop.no) through Cloudflare
  • Enable Cloudflare WAF rules
  • Add rate limiting at edge
  • Effort: 1 day | Cost impact: $0 (free tier)

Phase 5: RDS Encryption (Week 3)

  • Create encrypted snapshot from current DB
  • Restore to new encrypted instance
  • Update Secrets Manager with new endpoint
  • Verify and swap
  • Effort: 2-4 hours (with downtime) | Cost impact: $0

Phase 6: Multi-Cloud Readiness (Month 2+)

  • Create Azure Terraform modules (optional)
  • Create GCP Terraform modules (optional)
  • Test migration to staging on alternative cloud
  • Effort: 3-5 days | Cost impact: Only if migrated

5. Recommendations Summary

Priority Action Status
P0 (NOW) Fix RDS public access + SG Terraform module created
P0 (NOW) Move secrets to Secrets Manager Terraform module created
P1 (Week 1) Enable RDS encryption Requires snapshot/restore
P1 (Week 1) Deploy Terraform IaC Modules ready
P2 (Week 2) Add monitoring (CloudWatch + Performance Insights) In Terraform
P2 (Week 2) Add Cloudflare CDN/WAF Manual setup
P3 (Month 1) Add structured logging Application code change
P3 (Month 1) Add graceful shutdown handler Application code change
P4 (Month 2+) Multi-cloud Terraform modules As needed

Overall Assessment: Drop's infrastructure is functional but needs immediate security hardening. The Terraform IaC created by this audit provides a complete, reproducible foundation. Total investment: ~1 week of engineering time, ~$5/mo additional cost, significant risk reduction.

No comments to display

Back to top