Cloud Audit: Validation Report

Drop — Validation + Security + Cost Report 
 Date: 2026-02-19
 Auditor: cloud-tester (CloudForge cloud-audit team)
 MC Task: #1443 
 
 Executive Summary 
 Drop's AWS infrastructure has 3 CRITICAL and 4 HIGH security findings requiring immediate remediation. Current spend is ~$50-75/mo, well-optimized for scale. The application is cloud-portable (7.5/10) and the recommended path is to stay on AWS with security hardening + Terraform IaC. 
 
 1. Security Posture Assessment 
 Current vs Improved 
 
 
 
 Area 
 Current State 
 After Remediation 
 Risk Reduction 
 
 
 
 
 Secrets 
 Plaintext in App Runner env vars 
 AWS Secrets Manager 
 CRITICAL → LOW 
 
 
 RDS Access 
 Publicly accessible, SG open 0.0.0.0/0 
 Private, VPC-only access 
 CRITICAL → LOW 
 
 
 Encryption 
 RDS unencrypted at rest 
 AES-256 encryption enabled 
 CRITICAL → RESOLVED 
 
 
 Monitoring 
 None (no CloudWatch) 
 Basic alarms + Performance Insights 
 HIGH → LOW 
 
 
 WAF 
 None 
 Cloudflare WAF (free tier) 
 HIGH → LOW 
 
 
 CDN 
 None (direct App Runner URL) 
 Cloudflare CDN 
 HIGH → LOW 
 
 
 SSL/TLS 
 App Runner managed cert 
 Cloudflare + App Runner 
 MEDIUM → LOW 
 
 
 IAM 
 Single user (john-deploy) 
 Least-privilege roles 
 MEDIUM → LOW 
 
 
 
 Security Findings Summary 
 
 
 
 # 
 Severity 
 Finding 
 Remediation 
 Effort 
 
 
 
 
 S1 
 CRITICAL 
 RDS publicly accessible with SG allowing 0.0.0.0/0:5432 
 Set publicly_accessible=false, restrict SG to VPC CIDR 
 1 hour 
 
 
 S2 
 CRITICAL 
 Database password in plaintext App Runner env var 
 Migrate to Secrets Manager, update App Runner to read from SM 
 2 hours 
 
 
 S3 
 CRITICAL 
 JWT_SECRET in plaintext App Runner env var 
 Migrate to Secrets Manager 
 1 hour 
 
 
 S4 
 HIGH 
 RDS storage not encrypted at rest 
 Enable encryption (requires snapshot + restore for existing DB) 
 2-4 hours 
 
 
 S5 
 HIGH 
 No monitoring or alerting configured 
 Add CloudWatch alarms for CPU, memory, DB connections 
 1 hour 
 
 
 S6 
 HIGH 
 No WAF protection 
 Add Cloudflare WAF (free tier) 
 30 min 
 
 
 S7 
 HIGH 
 No CDN (direct App Runner URL exposed) 
 Add Cloudflare CDN 
 30 min 
 
 
 S8 
 MEDIUM 
 Sentry DSN in plaintext (not secret, but cleanup) 
 Move to Secrets Manager for consistency 
 30 min 
 
 
 S9 
 MEDIUM 
 Docker image has build tools in runner (attack surface) 
 Remove python3/make/g++ from runner stage 
 1 hour 
 
 
 S10 
 MEDIUM 
 No structured logging (incident investigation gaps) 
 Add pino/winston with JSON output 
 2 days 
 
 
 S11 
 LOW 
 ECR image tag mutability (tag overwrite risk) 
 Set image_tag_mutability = IMMUTABLE 
 5 min 
 
 
 S12 
 LOW 
 No lifecycle policy for ECR images 
 Add policy to clean old images 
 15 min 
 
 
 
 Compliance Checklist 
 
 
 
 Item 
 Status 
 Notes 
 
 
 
 
 GDPR data tables (consents, data_access_requests) 
 PASS 
 Schema includes consent tracking, DSAR, right to erasure 
 
 
 Audit logging 
 PASS 
 audit_log table with IP, user_agent, request_id 
 
 
 AML/KYC compliance 
 PASS 
 aml_alerts, str_reports, screening_results tables 
 
 
 Encryption at rest 
 FAIL 
 RDS storage unencrypted 
 
 
 Encryption in transit 
 PARTIAL 
 App Runner HTTPS, but RDS sslmode=no-verify 
 
 
 Secrets management 
 FAIL 
 Plaintext in env vars 
 
 
 Access control 
 PARTIAL 
 Single IAM user, no MFA enforcement 
 
 
 Backup & recovery 
 PASS 
 RDS 7-day automated backups 
 
 
 DeletionProtection 
 PASS 
 Enabled on RDS 
 
 
 
 
 2. Cost Comparison 
 Current AWS Spend 
 
 
 
 Resource 
 Monthly Cost 
 Notes 
 
 
 
 
 App Runner (1 vCPU, 2GB) 
 $25-35 
 Always-on, no auto-stop 
 
 
 RDS db.t3.micro 
 $15-18 
 Single-AZ, 20GB gp3 
 
 
 ECR 
 $1-2 
 Image storage 
 
 
 VPC Connector 
 $5 
 Flat fee 
 
 
 Data transfer 
 $2-5 
 Low traffic 
 
 
 Total 
 $48-65 
 
 
 
 
 Optimized AWS (after fixes) 
 
 
 
 Resource 
 Monthly Cost 
 Change 
 
 
 
 
 App Runner 
 $25-35 
 No change 
 
 
 RDS (encrypted) 
 $15-18 
 No cost increase 
 
 
 ECR 
 $1-2 
 No change 
 
 
 Secrets Manager (3 secrets) 
 $1.20 
 +$1.20 
 
 
 CloudWatch (basic alarms) 
 $3-5 
 +$3-5 
 
 
 Cloudflare (free tier) 
 $0 
 Free CDN/WAF/DNS 
 
 
 Total 
 $52-70 
 +$4-7 
 
 
 
 Multi-Cloud Equivalent 
 
 
 
 Provider 
 Monthly 
 Annual 
 vs Current 
 
 
 
 
 AWS (optimized) 
 $52-70 
 $624-840 
 +$4-7/mo 
 
 
 Azure 
 $100-130 
 $1,200-1,560 
 +$50-65/mo 
 
 
 GCP 
 $35-60 
 $420-720 
 -$5-15/mo 
 
 
 
 Verdict: AWS is cost-effective. GCP saves ~$10/mo but migration effort not justified at current scale. 
 
 3. Risk Matrix 
 
 
 
 Risk 
 Probability 
 Impact 
 Current Mitigation 
 Recommended 
 
 
 
 
 Data breach via public RDS 
 HIGH 
 CRITICAL 
 DeletionProtection only 
 Restrict SG, disable public access 
 
 
 Secret exposure 
 MEDIUM 
 CRITICAL 
 None (plaintext) 
 Secrets Manager + rotation 
 
 
 Service downtime 
 LOW 
 HIGH 
 App Runner auto-scaling 
 Add health checks, CloudWatch alarms 
 
 
 Data loss 
 LOW 
 CRITICAL 
 7-day RDS backups 
 Add cross-region backup copy 
 
 
 Cost overrun 
 LOW 
 MEDIUM 
 None 
 Add AWS Budgets alarm at $100 
 
 
 Vendor lock-in 
 LOW 
 MEDIUM 
 Docker + PostgreSQL 
 Terraform abstraction modules 
 
 
 DDoS attack 
 MEDIUM 
 HIGH 
 None 
 Cloudflare WAF + rate limiting 
 
 
 Compliance failure 
 MEDIUM 
 HIGH 
 Tables exist, no encryption 
 Enable encryption, structured logging 
 
 
 
 
 4. Implementation Roadmap 
 Phase 1: Security Fixes (Immediate — Day 1) 
 
 Create Secrets Manager secrets (DATABASE_URL, JWT_SECRET, SENTRY_DSN) 
 Update App Runner to read from Secrets Manager 
 Restrict RDS security group to VPC CIDR 
 Disable RDS public accessibility 
 Effort: 4-6 hours | Cost impact: +$1.20/mo 
 
 Phase 2: IaC Migration (Week 1) 
 
 Create S3 bucket for Terraform state 
 Import existing resources into Terraform state 
 Run terraform plan to verify no drift 
 Add terraform-ci.yml to GitHub Actions 
 Effort: 1-2 days | Cost impact: $0 
 
 Phase 3: Monitoring & Observability (Week 2) 
 
 Enable RDS Performance Insights 
 Add CloudWatch alarms (CPU > 80%, memory > 80%, DB connections > 80%) 
 Add structured logging (pino) to application 
 Configure Sentry properly (traces, breadcrumbs) 
 Effort: 2-3 days | Cost impact: +$3-5/mo 
 
 Phase 4: Edge Security (Week 2-3) 
 
 Set up Cloudflare (DNS, CDN, WAF) 
 Custom domain (getdrop.no) through Cloudflare 
 Enable Cloudflare WAF rules 
 Add rate limiting at edge 
 Effort: 1 day | Cost impact: $0 (free tier) 
 
 Phase 5: RDS Encryption (Week 3) 
 
 Create encrypted snapshot from current DB 
 Restore to new encrypted instance 
 Update Secrets Manager with new endpoint 
 Verify and swap 
 Effort: 2-4 hours (with downtime) | Cost impact: $0 
 
 Phase 6: Multi-Cloud Readiness (Month 2+) 
 
 Create Azure Terraform modules (optional) 
 Create GCP Terraform modules (optional) 
 Test migration to staging on alternative cloud 
 Effort: 3-5 days | Cost impact: Only if migrated 
 
 
 5. Recommendations Summary 
 
 
 
 Priority 
 Action 
 Status 
 
 
 
 
 P0 (NOW) 
 Fix RDS public access + SG 
 Terraform module created 
 
 
 P0 (NOW) 
 Move secrets to Secrets Manager 
 Terraform module created 
 
 
 P1 (Week 1) 
 Enable RDS encryption 
 Requires snapshot/restore 
 
 
 P1 (Week 1) 
 Deploy Terraform IaC 
 Modules ready 
 
 
 P2 (Week 2) 
 Add monitoring (CloudWatch + Performance Insights) 
 In Terraform 
 
 
 P2 (Week 2) 
 Add Cloudflare CDN/WAF 
 Manual setup 
 
 
 P3 (Month 1) 
 Add structured logging 
 Application code change 
 
 
 P3 (Month 1) 
 Add graceful shutdown handler 
 Application code change 
 
 
 P4 (Month 2+) 
 Multi-cloud Terraform modules 
 As needed 
 
 
 
 
 Overall Assessment: Drop's infrastructure is functional but needs immediate security hardening. The Terraform IaC created by this audit provides a complete, reproducible foundation. Total investment: ~1 week of engineering time, ~$5/mo additional cost, significant risk reduction.