🔐 IAM (Global)
IAM Compliance Findings
4
Total IAM Users
4
Users Without MFA
3
Access Keys >90 Days Old
1
Users with Admin Access
IAM Users
| User Name | MFA Enabled | Access Key ID | Key Status | Key Created |
|---|---|---|---|---|
| deploy-wordpress | No | AKIA4X6GTHKUHS7FWJEV | Active | 2025-09-18 |
| it_projects_devops | No | AKIA4X6GTHKUNMAF6NNA | Active | 2025-12-04 |
| ses-smtp-user-myaffiliates | No | AKIA4X6GTHKUD62G453E | Active | 2025-08-11 |
| upload-download-wordpress-files | No | AKIA4X6GTHKUNEYS34LW | Active | 2025-09-19 |
Users with AdministratorAccess Policy
| User Name |
|---|
| it_projects_devops |
📍 Region: eu-west-2
VPCs & Subnets
| Name | VPC ID | CIDR Block | State | Tenancy | Tags |
|---|---|---|---|---|---|
| aws-controltower-VPC | vpc-024a533ad6ba5dd9a |
172.31.0.0/16 | available | default | aws:cloudformation:stack-id=arn:aws:cloudformation:eu-west-2:876052953768:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c/34665350-2aaf-11f0-b629-0205572ba1bfaws:cloudformation:stack-name=StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360caws:cloudformation:logical-id=VPC |
| london-wordpress-vpc | vpc-02ba26ed1849bbfbd |
10.0.0.0/16 | available | default | ManagedBy=terraformMap-migrated=migS0EK6JMBZCApplication=wordpressLocation=london |
| london-marketing-bp-vpc | vpc-09d8b1476c0b5456c |
10.0.0.0/16 | available | default | Application=marketing-bpManagedBy=terraformMap-migrated=migS0EK6JMBZCLocation=london |
Subnets
| Name | Subnet ID | VPC ID | CIDR Block | AZ | Available IPs | Public IP on Launch | Tags |
|---|---|---|---|---|---|---|---|
| aws-controltower-PrivateSubnet1A | subnet-021c0c39000e5151b |
vpc-024a533ad6ba5dd9a | 172.31.64.0/20 | eu-west-2a | 4091 | No | Network=Privateaws:cloudformation:stack-id=arn:aws:cloudformation:eu-west-2:876052953768:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c/34665350-2aaf-11f0-b629-0205572ba1bfaws:cloudformation:logical-id=PrivateSubnet1Aaws:cloudformation:stack-name=StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c |
| london-wordpress-public-subnet-1 | subnet-01bdfd346777af622 |
vpc-02ba26ed1849bbfbd | 10.0.1.0/24 | eu-west-2a | 247 | Yes | ManagedBy=terraformMap-migrated=migS0EK6JMBZCLocation=londonApplication=wordpress |
| aws-controltower-PrivateSubnet3A | subnet-0482e4cd609ade83a |
vpc-024a533ad6ba5dd9a | 172.31.80.0/20 | eu-west-2c | 4091 | No | aws:cloudformation:stack-id=arn:aws:cloudformation:eu-west-2:876052953768:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c/34665350-2aaf-11f0-b629-0205572ba1bfNetwork=Privateaws:cloudformation:logical-id=PrivateSubnet3Aaws:cloudformation:stack-name=StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c |
| aws-controltower-PrivateSubnet2A | subnet-02905222204bf22a4 |
vpc-024a533ad6ba5dd9a | 172.31.32.0/20 | eu-west-2b | 4091 | No | Network=Privateaws:cloudformation:stack-id=arn:aws:cloudformation:eu-west-2:876052953768:stack/StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c/34665350-2aaf-11f0-b629-0205572ba1bfaws:cloudformation:logical-id=PrivateSubnet2Aaws:cloudformation:stack-name=StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c |
| london-marketing-bp-private-subnet-2 | subnet-06ebe652b9afaa301 |
vpc-09d8b1476c0b5456c | 10.0.4.0/24 | eu-west-2b | 251 | No | Map-migrated=migS0EK6JMBZCApplication=marketing-bpLocation=londonManagedBy=terraform |
| london-marketing-bp-public-subnet-2 | subnet-0fedd45d12b246ff9 |
vpc-09d8b1476c0b5456c | 10.0.2.0/24 | eu-west-2b | 249 | Yes | Location=londonApplication=marketing-bpManagedBy=terraformMap-migrated=migS0EK6JMBZC |
| london-marketing-bp-public-subnet-1 | subnet-0252de4fb95de6952 |
vpc-09d8b1476c0b5456c | 10.0.1.0/24 | eu-west-2a | 247 | Yes | Map-migrated=migS0EK6JMBZCApplication=marketing-bpLocation=londonManagedBy=terraform |
| london-wordpress-private-subnet-1 | subnet-0b5677174c660503e |
vpc-02ba26ed1849bbfbd | 10.0.3.0/24 | eu-west-2a | 250 | No | Application=wordpressMap-migrated=migS0EK6JMBZCManagedBy=terraformLocation=london |
| london-wordpress-public-subnet-2 | subnet-0576fb3541923cced |
vpc-02ba26ed1849bbfbd | 10.0.2.0/24 | eu-west-2b | 249 | Yes | Application=wordpressLocation=londonManagedBy=terraformMap-migrated=migS0EK6JMBZC |
| london-marketing-bp-private-subnet-1 | subnet-04f2856270216be28 |
vpc-09d8b1476c0b5456c | 10.0.3.0/24 | eu-west-2a | 249 | No | Application=marketing-bpManagedBy=terraformMap-migrated=migS0EK6JMBZCLocation=london |
| london-wordpress-private-subnet-2 | subnet-0222970c1b0e29bcf |
vpc-02ba26ed1849bbfbd | 10.0.4.0/24 | eu-west-2b | 250 | No | Location=londonApplication=wordpressManagedBy=terraformMap-migrated=migS0EK6JMBZC |
EC2 Instances
| Name | Instance ID | Type | State | Public IP | Private IP | VPC | Security Groups | AMI | Key Pair | IAM Profile | EBS Volumes | IMDSv2 | Tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| prod-london-wordpress-bastion-runner | i-03dc16a80ffd6c5af |
t3.medium | running | 18.175.153.55 | 10.0.1.245 | vpc-02ba26ed1849bbfbd | sg-09e4ab5bfdc422447 | ami-0f3b811cdb7e8c34d | london-kp | - | 1 | required | Environment=prodApplication=wordpressMap-migrated=migS0EK6JMBZCManagedBy=terraformLocation=london |
| prod-london-marketing-bp-bastion-runner | i-044fc6ebf4e63626a |
t3.medium | running | 18.169.170.30 | 10.0.1.127 | vpc-09d8b1476c0b5456c | sg-04e379307b7387df4 | ami-0a0ff88d0f3f85a14 | london-kp | - | 1 | required | Environment=prodApplication=marketing-bpLocation=londonManagedBy=terraformMap-migrated=migS0EK6JMBZC |
EBS Volumes
| Name | Volume ID | Size (GiB) | Type | State | Encrypted | IOPS | Attached Instance | Device | AZ | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| - | vol-07bf96b6c0971cf60 |
30 | gp3 | in-use | No | 3000 | i-03dc16a80ffd6c5af | /dev/sda1 | eu-west-2a | - |
| - | vol-0e02d7b79f8686f0a |
30 | gp3 | in-use | No | 3000 | i-044fc6ebf4e63626a | /dev/sda1 | eu-west-2a | - |
ECS Clusters
| Cluster Name | Status | Running Tasks | Pending Tasks | Active Services | Container Instances |
|---|---|---|---|---|---|
| prod-london-wordpress-cluster | ACTIVE | 1 | 0 | 1 | 0 |
| prod-london-marketing-bp-cluster | ACTIVE | 1 | 0 | 1 | 0 |
ECS Services
| Service Name | Status | Desired | Running | Launch Type | Task Definition | Load Balancers | Security Groups |
|---|---|---|---|---|---|---|---|
| prod-london-affantage-service | ACTIVE | 1 | 1 | FARGATE | prod-london-affantage-task:28 | 1 target groups | sg-065432a80b590bb4f |
| vegarstarsngpasko-service | ACTIVE | 1 | 1 | FARGATE | vegarstarsngpasko-task:1 | 1 target groups | sg-0f97e5edb7d09ef7f |
ECS Task Definitions (Active)
| Family | Rev | CPU | Memory | Containers | Task Role | Privileged | Env Vars | Secrets | Log Config |
|---|---|---|---|---|---|---|---|---|---|
| prod-london-affantage-task | 28 | 512 | 1024 | 1 | Yes | No | 2 | 3 | awslogs:/ecs/affantage |
| vegarstarsngpasko-task | 1 | 512 | 1024 | 1 | Yes | No | 2 | 3 | awslogs:/ecs/vegarstarsngpasko |
Container Configuration Detail
⚠️ Plaintext environment variables should be avoided for sensitive data. Use Secrets Manager or SSM Parameter Store. log_router containers are excluded.
| Task Definition | Container | Image | Log Config | Plaintext Env Vars | Secrets (SSM/SM) |
|---|---|---|---|---|---|
| prod-london-affantage-task:28 | affantage | public.ecr.aws/docker/library/wordpress:latest | awslogs:/ecs/affantage | WORDPRESS_CONFIG_EXTRAWORDPRESS_DB_NAME | WORDPRESS_DB_USERWORDPRESS_DB_HOSTWORDPRESS_DB_PASSWORD |
| vegarstarsngpasko-task:1 | vegarstarsngpasko | public.ecr.aws/docker/library/wordpress:latest | awslogs:/ecs/vegarstarsngpasko | WORDPRESS_CONFIG_EXTRAWORDPRESS_DB_NAME | WORDPRESS_DB_USERWORDPRESS_DB_HOSTWORDPRESS_DB_PASSWORD |
RDS Instances
| DB Identifier | Engine | Class | Status | Storage | Encrypted | Multi-AZ | Public | Backup | Delete Prot. | Tags |
|---|---|---|---|---|---|---|---|---|---|---|
| prod-london-marketing-bp-db | mysql 8.0.42 | db.t4g.micro | available | 20 GiB | No | No | No | 7d | Yes | Environment=prodManagedBy=terraformApplication=marketing-bpLocation=londonMap-migrated=migS0EK6JMBZCName=prod-london-marketing-bp-db |
| prod-london-wordpress-db | mysql 8.0.42 | db.t4g.micro | available | 20 GiB | No | No | No | 7d | Yes | Environment=prodManagedBy=terraformApplication=wordpressLocation=londonMap-migrated=migS0EK6JMBZCName=prod-london-wordpress-db |
Lambda Functions
| Function Name | Runtime | Memory | Timeout | VPC | Last Modified | Tags |
|---|---|---|---|---|---|---|
| aws-controltower-NotificationForwarder | python3.13 | 128 MB | 60s | No VPC | 2025-08-21 | aws:cloudformation:logical-id=ForwardSnsNotificationaws:cloudformation:stack-id=arn:aws:cloudformation:eu-west-2:876052953768:stack/StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-a9e61bf3-7ee8-4998-b2d6-31368b453e64/c0ce3160-2aae-11f0-a398-06a6d0170387aws:cloudformation:stack-name=StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-a9e61bf3-7ee8-4998-b2d6-31368b453e64 |
AWS Amplify Apps
| App Name | App ID | Platform | Repository | Default Domain | Production Branch | Branches | Created | Tags |
|---|---|---|---|---|---|---|---|---|
| marketing-bp-site-generator | d3vbw4yv5phsc7 |
WEB_COMPUTE | https://github.com/bwgservices/marketing-bp-site-generator | d3vbw4yv5phsc7.amplifyapp.com | main | 1 | 2025-11-07 | - |
Amplify Branches
| App Name | Branch Name | Stage | Framework | Auto Build | Basic Auth | Total Jobs |
|---|---|---|---|---|---|---|
| marketing-bp-site-generator | main | PRODUCTION | Next.js - SSR | Yes | No | 0 |
CloudWatch Log Groups
Total Log Groups: 5
Without Retention Policy: 1
| Log Group Name | Retention (Days) | Stored Size |
|---|---|---|
/aws/amplify/d3vbw4yv5phsc7 |
Never Expire | 189.7 KB |
/aws/lambda/aws-controltower-NotificationForwarder |
14 | 0 B |
/ecs/affantage |
30 | 26.66 MB |
/ecs/vegarstarsngpasko |
30 | 26.7 MB |
StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-d38d5337-5b89-49dc-b5e5-2a7fb89b360c-VPCFlowLogsLogGroup-dwGMjotTEdX5 |
90 | 0 B |
Application & Network Load Balancers
| Name | Type | Scheme | State | DNS Name | VPC | AZs | Listeners | Target Groups | Tags |
|---|---|---|---|---|---|---|---|---|---|
| prod-london-wordpress-alb | APPLICATION | internet-facing | active | prod-london-wordpress-alb-1925402593.eu-west-2.elb.amazonaws.com | vpc-02ba26ed1849bbfbd | 2 | HTTP:80, HTTPS:443 | 1 | Environment=prodManagedBy=terraformApplication=wordpressLocation=londonMap-migrated=migS0EK6JMBZC |
| prod-london-marketing-bp-alb | APPLICATION | internet-facing | active | prod-london-marketing-bp-alb-814721849.eu-west-2.elb.amazonaws.com | vpc-09d8b1476c0b5456c | 2 | HTTPS:443, HTTP:80 | 1 | Environment=prodManagedBy=terraformApplication=marketing-bpLocation=londonMap-migrated=migS0EK6JMBZC |
Target Groups
| Load Balancer | Target Group Name | Protocol | Port | Target Type | Health Check |
|---|---|---|---|---|---|
| prod-london-wordpress-alb | prod-london-affantage-tg | HTTP | 80 | ip | HTTP:/wp-login.php |
| prod-london-marketing-bp-alb | vegarstarsngpasko-tg | HTTP | 80 | ip | HTTP:/wp-login.php |
Security Groups (In Use)
| Name | Group ID | VPC | Used By | Inbound Ports | Outbound Ports | Open to Internet | Tags |
|---|---|---|---|---|---|---|---|
| prod-london-marketing-bp-alb-sg | sg-03c34be4cc5fad073 |
vpc-09d8b1476c0b5456c | APPLICATION(1) | tcp:443, tcp:80 | All | Yes | Environment=prodLocation=londonApplication=marketing-bpManagedBy=terraformMap-migrated=migS0EK6JMBZC |
| prod-london-wordpress-bastion-sg | sg-09e4ab5bfdc422447 |
vpc-02ba26ed1849bbfbd | EC2(1) | All | All | Yes | Location=londonMap-migrated=migS0EK6JMBZCManagedBy=terraformEnvironment=prodApplication=wordpress |
| prod-london-marketing-bp-ecs-sg | sg-0f97e5edb7d09ef7f |
vpc-09d8b1476c0b5456c | ECS(1) | tcp:80 | All | No | Location=londonManagedBy=terraformMap-migrated=migS0EK6JMBZCApplication=marketing-bpEnvironment=prod |
| prod-london-marketing-bp-bastion-sg | sg-04e379307b7387df4 |
vpc-09d8b1476c0b5456c | EC2(1) | All | All | Yes | Application=marketing-bpLocation=londonEnvironment=prodMap-migrated=migS0EK6JMBZCManagedBy=terraform |
| prod-london-marketing-bp-db-sg | sg-0bffa147f29a2ad60 |
vpc-09d8b1476c0b5456c | RDS(1) | tcp:3306 | All | No | Environment=prodManagedBy=terraformMap-migrated=migS0EK6JMBZCApplication=marketing-bpLocation=london |
| prod-london-wordpress-ecs-sg | sg-065432a80b590bb4f |
vpc-02ba26ed1849bbfbd | ECS(1) | tcp:80 | All | No | Map-migrated=migS0EK6JMBZCManagedBy=terraformApplication=wordpressLocation=londonEnvironment=prod |
| prod-london-wordpress-alb-sg | sg-0a0265b33bfd7f436 |
vpc-02ba26ed1849bbfbd | APPLICATION(1) | tcp:443, tcp:80 | All | Yes | Application=wordpressEnvironment=prodLocation=londonManagedBy=terraformMap-migrated=migS0EK6JMBZC |
| prod-london-wordpress-db-sg | sg-0bcd7b7431b9813da |
vpc-02ba26ed1849bbfbd | RDS(1) | tcp:3306 | All | No | ManagedBy=terraformEnvironment=prodMap-migrated=migS0EK6JMBZCLocation=londonApplication=wordpress |
Security Group Rules Detail
| Security Group | Direction | Protocol | Port Range | Source/Destination |
|---|---|---|---|---|
prod-london-marketing-bp-alb-sg sg-03c34be4cc5fad073 |
Inbound | tcp | 80 | 0.0.0.0/0 |
prod-london-marketing-bp-alb-sg sg-03c34be4cc5fad073 |
Inbound | tcp | 443 | 0.0.0.0/0 |
prod-london-wordpress-bastion-sg sg-09e4ab5bfdc422447 |
Inbound | All | All | 0.0.0.0/0 |
prod-london-marketing-bp-ecs-sg sg-0f97e5edb7d09ef7f |
Inbound | tcp | 80 | sg: sg-03c34be4cc5fad073 |
prod-london-marketing-bp-bastion-sg sg-04e379307b7387df4 |
Inbound | All | All | 0.0.0.0/0 |
prod-london-marketing-bp-db-sg sg-0bffa147f29a2ad60 |
Inbound | tcp | 3306 | 10.0.0.0/16 |
prod-london-wordpress-ecs-sg sg-065432a80b590bb4f |
Inbound | tcp | 80 | sg: sg-0a0265b33bfd7f436 |
prod-london-wordpress-alb-sg sg-0a0265b33bfd7f436 |
Inbound | tcp | 80 | 0.0.0.0/0 |
prod-london-wordpress-alb-sg sg-0a0265b33bfd7f436 |
Inbound | tcp | 443 | 0.0.0.0/0 |
prod-london-wordpress-db-sg sg-0bcd7b7431b9813da |
Inbound | tcp | 3306 | 10.0.0.0/16 |
prod-london-marketing-bp-alb-sg sg-03c34be4cc5fad073 |
Outbound | All | All | 0.0.0.0/0 |
prod-london-wordpress-bastion-sg sg-09e4ab5bfdc422447 |
Outbound | All | All | 0.0.0.0/0 |
prod-london-marketing-bp-ecs-sg sg-0f97e5edb7d09ef7f |
Outbound | All | All | 0.0.0.0/0 |
prod-london-marketing-bp-bastion-sg sg-04e379307b7387df4 |
Outbound | All | All | 0.0.0.0/0 |
prod-london-marketing-bp-db-sg sg-0bffa147f29a2ad60 |
Outbound | All | All | 0.0.0.0/0 |
prod-london-wordpress-ecs-sg sg-065432a80b590bb4f |
Outbound | All | All | 0.0.0.0/0 |
prod-london-wordpress-alb-sg sg-0a0265b33bfd7f436 |
Outbound | All | All | 0.0.0.0/0 |
prod-london-wordpress-db-sg sg-0bcd7b7431b9813da |
Outbound | All | All | 0.0.0.0/0 |
Compliance Findings
Network & Security (Section 5.2)
4
Open Security Groups (0.0.0.0/0)
0
EC2 Without IMDSv2
Yes
CloudTrail Enabled
Data Protection (Section 5.4)
2
Unencrypted EBS Volumes
2
Unencrypted RDS
0
SQS Without Encryption
Logging & Monitoring (Section 5.3)
1
Log Groups (No Retention)
RDS Standards (Section 7)
0
Public RDS Instances
2
RDS Without Multi-AZ
0
RDS Without Backups
Lambda Standards (Section 7)
0
Lambda Default Timeout (3s)
1
Lambda Without DLQ
SQS Standards (Section 7)
0
SQS Without DLQ
ECS Standards (Section 7)
4
Plaintext Env Vars
0
Privileged Containers
📍 Region: eu-central-1
Lambda Functions
| Function Name | Runtime | Memory | Timeout | VPC | Last Modified | Tags |
|---|---|---|---|---|---|---|
| acma_blocks_scanner | nodejs22.x | 128 MB | 3s | No VPC | 2025-08-18 | brand=all |
CloudWatch Log Groups
Total Log Groups: 1
Without Retention Policy: 1
| Log Group Name | Retention (Days) | Stored Size |
|---|---|---|
/aws/lambda/acma_blocks_scanner |
Never Expire | 6.22 KB |
Compliance Findings
Network & Security (Section 5.2)
0
Open Security Groups (0.0.0.0/0)
0
EC2 Without IMDSv2
Yes
CloudTrail Enabled
Data Protection (Section 5.4)
0
Unencrypted EBS Volumes
0
Unencrypted RDS
0
SQS Without Encryption
Logging & Monitoring (Section 5.3)
1
Log Groups (No Retention)
RDS Standards (Section 7)
0
Public RDS Instances
0
RDS Without Multi-AZ
0
RDS Without Backups
Lambda Standards (Section 7)
1
Lambda Default Timeout (3s)
1
Lambda Without DLQ
SQS Standards (Section 7)
0
SQS Without DLQ
ECS Standards (Section 7)
0
Plaintext Env Vars
0
Privileged Containers