Show Your Work

The first public benchmark for AI Code Remediation

Open methodology. Reproduce it. Beat it.

  • 15 Scenarios
  • 43 Merge-Ready Fixes
  • 100% Loop Closure
  • 12 Mins
  • $17 In Tokens

PR review time is up by 91%. Developers are merging 98% more code.
The generation problem is solved.
The trust problem isn’t. 

Gomboc sits above Cursor, Claude Code and Copilot to make every fix
accurate, governed, and cost-optimized. The benchmark is the proof.

What every fix should be

First public benchmark for AI Code Remediation. Real numbers, repeatable methodology. 

Every fix is tied to the policy that triggered it. Idempotent, auditable and merge-ready.

Idempotent fixes mean no re-spending tokens on the same problem. 

The 15 Scenarios

  • AWS
  • SECURITY

AWS S3 SSE-KMS Encryption

Remediates S3 buckets missing server-side encryption so data at rest is protected with customer-managed KMS keys.

  • GCP
  • SECURITY

GCS Uniform Bucket-Level Access

Enforces uniform bucket-level access on GCS buckets to eliminate object-level ACLs that bypass central IAM policies.

  • Kubernetes
  • Reliability

Kubernetes Resource Limits

Adds CPU and memory requests and limits to containers so workloads cannot exhaust shared cluster resources.

  • AWS
  • SECURITY

AWS Security Group SSH Ingress Restriction

Restricts security group SSH ingress from the open internet to approved corporate CIDR ranges.

  • GCP
  • SECURITY

GCP GKE Workload Identity + Shielded Nodes

Enables Workload Identity and Shielded Nodes on GKE clusters for per-pod GCP identity and hardware-rooted node trust.

  • GCP
  • Reliability

AWS RDS Multi-AZ + Automated Backups

Configures Multi-AZ deployment and automated backups on RDS instances to survive AZ failures and enable point-in-time recovery.

  • Azure
  • Security

Azure Subnet NSG Association

Associates Network Security Groups with subnets so inbound and outbound traffic is filtered at the network layer.

  • GCP
  • Security

GCP Cloud SQL SSL + Authorized Networks

Requires SSL for Cloud SQL connections and restricts authorized networks so databases are not exposed on the public internet.

  • Kubernetes
  • Security

Kubernetes StatefulSet Image Update

Updates a StatefulSet container image to patch known Redis CVEs in production caching workloads.

  • GCP
  • Cost

GCE Disk Type Migration (Hyperdisk Balanced)

Migrates overprovisioned pd-ssd disks to Hyperdisk Balanced to decouple capacity from IOPS and reduce storage waste.

  • AWS
  • Reliability

AWS EKS Multi-AZ Expansion

Expands an EKS cluster to a third Availability Zone with coordinated subnet, node pool, and autoscaler changes.

  • AWS
  • Cost

AWS EC2 Right-Sizing + Scheduling

Right-sizes underutilized dev instances and schedules batch ETL instances to cut EC2 spend without breaking workload patterns.

  • AWS
  • Security

AWS S3 Legacy Provider Encryption (Inline Syntax)

Adds encryption to S3 buckets defined with legacy inline provider syntax that modern scanners often miss.

  • KUBERNETES
  • Cost

AWS CloudTrail Organizational Consolidation

Consolidates redundant per-account CloudTrail trails into a single organizational trail to cut cost and unify audit logs.

  • AWS
  • SECURITY
  • Cost

AWS VPC Endpoints (NAT Gateway Traffic Bypass)

Adds VPC endpoints so private traffic to AWS services bypasses NAT gateways, reducing data transfer cost and public egress.

This scenario illustrates a billing anti-pattern that is extremely common but rarely detected because it requires combining network topology knowledge

How we measure a fix

IDEMPOTENT

Apply it twice. Same result. No side effects. 

POLICY-ALIGNED

Every fix is tied to the standard that triggered it. 

AUDITABLE

Full trail from finding to merged PR. 

TESTED

Validated against the actual environment config. 

MERGE-READY

No human rewriting required to ship.

The Challenge

We published ours. It’s time to Show Your Work.

The era of vibes is over.