Example finding
Each finding in the technical report includes full evidence context linking back to the decision graph.
| Field | Value |
|---|---|
| Finding ID | CR-2026-0042 |
| Severity | Critical |
| Cloud Provider | AWS |
| Asset Type | EC2 Instance |
| Asset Name | prod-app-east-1a (i-0abc1234def56789) |
| Region | us-east-1 |
| Exposure | Public IP, port 22 open to 0.0.0.0/0 |
| Attack Path | Internet → EC2 (SSH) → IAM Role arn:aws:iam::123456789:role/prod-app-role → RDS prod-database-east |
| Crown-Jewel Reachable | Yes — 3 paths to prod-database-east |
| Risk Driver | Overly-broad IAM role with rds:Connect on * resources attached to publicly-accessible EC2 |
Example evidence
The technical report includes the specific configuration evidence that confirms the finding. This is pulled from cloud API data at scan time.
```
{
  "InstanceId": "i-0abc1234def56789",
  "PublicIpAddress": "52.x.x.x",
  "SecurityGroups": [
    {
      "GroupId": "sg-0abc123",
      "InboundRules": [
        { "Protocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}] }
      ]
    }
  ],
  "IamInstanceProfile": {
    "Arn": "arn:aws:iam::123456789:instance-profile/prod-app-role"
  }
}
// IAM role inline policy (prod-app-role):
{
  "Effect": "Allow",
  "Action": ["rds:Connect", "rds:DescribeDBInstances"],
  "Resource": "*"
}
```
Example remediation guidance
Each finding includes numbered remediation steps linked to the specific evidence. Steps are ordered by risk reduction impact.
- Restrict SSH access: Update security group `sg-0abc123` to remove the 0.0.0.0/0 inbound rule on port 22. If SSH is required, scope access to a specific bastion or corporate IP range.
- Scope IAM role permissions: Update the inline policy on `prod-app-role` to specify only the required RDS instance ARN instead of `*`. Example target ARN: `arn:aws:rds:us-east-1:123456789:db:prod-database-east`.
- Remove public IP if not required: If the EC2 instance serves only internal traffic, remove the public IP association and route traffic via an internal load balancer.
- Enable MFA for role assumption: Add an MFA condition to the trust policy if this role is assumed interactively. For EC2 instance profiles, consider a more tightly-scoped task role instead.
- Validate with next scan: After making changes, trigger a new Cloudryption scan to confirm the attack path has been eliminated from the graph.
Example validation checklist
Use this checklist to confirm remediation is complete before closing the finding:
- Security group `sg-0abc123`: 0.0.0.0/0 inbound SSH rule removed
- IAM role `prod-app-role`: Resource scope narrowed to specific DB ARN
- EC2 instance `i-0abc1234def56789`: Public IP removed or SSH access confirmed scoped
- Cloudryption re-scan triggered after changes
- Post-fix scan confirms 0 attack paths from internet to `prod-database-east` via this instance
- Finding CR-2026-0042 closed in remediation hub with fix confirmation timestamp
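
The first three checklist items can be evaluated directly from the evidence, as in this added example (not Cloudryption's own code). It assumes the evidence field names shown above; the function names and the 203.0.113.0/24 bastion range are hypothetical.

```python
import copy
import ipaddress

# Evidence in the report's format, values copied from the example finding above.
BEFORE = {
    "InstanceId": "i-0abc1234def56789",
    "PublicIpAddress": "52.x.x.x",
    "SecurityGroups": [{"GroupId": "sg-0abc123", "InboundRules": [
        {"Protocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
}
POLICY_BEFORE = {"Effect": "Allow",
                 "Action": ["rds:Connect", "rds:DescribeDBInstances"],
                 "Resource": "*"}

def world_open_ssh(instance):
    """Group IDs with a TCP rule whose port range covers 22 from a /0 source."""
    hits = []
    for sg in instance.get("SecurityGroups", []):
        for rule in sg.get("InboundRules", []):
            covers_22 = (rule.get("Protocol") == "tcp"
                         and rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535))
            any_source = any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0
                             for r in rule.get("IpRanges", []))
            if covers_22 and any_source and sg["GroupId"] not in hits:
                hits.append(sg["GroupId"])
    return hits

def wildcard_actions(statement):
    """Actions an Allow statement grants on Resource "*" (string or list form)."""
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return actions if statement.get("Effect") == "Allow" and "*" in resources else []

def checklist(instance, statement):
    """First three checklist items, evaluated from evidence alone."""
    ssh_scoped = not world_open_ssh(instance)
    return {
        "ssh_world_rule_removed": ssh_scoped,
        "iam_resource_scoped": not wildcard_actions(statement),
        "public_ip_removed_or_ssh_scoped": ssh_scoped or not instance.get("PublicIpAddress"),
    }

# Constructed "after" state: 203.0.113.0/24 is a placeholder bastion range.
AFTER = copy.deepcopy(BEFORE)
AFTER["SecurityGroups"][0]["InboundRules"][0]["IpRanges"] = [{"CidrIp": "203.0.113.0/24"}]
POLICY_AFTER = dict(POLICY_BEFORE,
                    Resource="arn:aws:rds:us-east-1:123456789:db:prod-database-east")
```

The port-range test also catches a rule such as 0-65535 from 0.0.0.0/0, which a literal match on port 22 would miss.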
What the technical report includes
- Full finding table with severity, asset, evidence, and attack path for every identified risk
- Decision graph evidence references for each finding
- Remediation steps linked to specific configuration changes
- Validation checklist for each high-severity finding
- Minimum-fix set with expected risk reduction after completion
- Before/after attack path count estimate
- Link back to the executive report summary for leadership
Ready to receive your own technical report?
The pilot produces both the technical evidence report and the executive report from your actual cloud environment.