Database Security & Backup Audit

No. We use a read-only IAM Role (AWS), App Registration (Azure), or Service Account (GCP) scoped strictly to database describe / list APIs (rds:Describe*, dynamodb:Describe*, sql:Read, spanner:Read), KMS, Secrets Manager / Key Vault / Secret Manager describe, backup describe, and CloudTrail / Activity Log / Cloud Audit Log read. The role explicitly cannot run SELECT, cannot connect to any database endpoint, cannot pull snapshots, and has zero write permissions. We provide the policy JSON in advance for your security team to review.

All major managed and self-managed engines: PostgreSQL, MySQL, MariaDB, SQL Server, and Oracle on RDS / Aurora / Cloud SQL / Azure SQL / on EC2 / on VMs / on Kubernetes; Aurora Serverless v2 and Aurora Global; DynamoDB, Cosmos DB, Firestore, Cloud Spanner; warehouses Redshift, Synapse, BigQuery, Snowflake; search OpenSearch and Elasticsearch; document MongoDB Atlas and DocumentDB; wide-column Cassandra and Amazon Keyspaces; and caches Redis / ElastiCache / Memorystore / Azure Cache for Redis.

Ransomware-resistance is scored explicitly. We check whether backups are immutable (AWS Backup Vault Lock in compliance mode, Azure Backup immutable vault, GCP Backup and DR Service with Object Lock), whether they live in a separate account or subscription with break-glass access only, whether MFA-delete is enforced on backup buckets, retention vs RPO targets, cross-region copies, and most importantly whether restore tests are actually executed and the last successful restore date. The most common gap we find is backups that exist but have never been restore-tested.

Yes - through your existing in-environment tooling. We review findings from Amazon Macie, Microsoft Purview, GCP Sensitive Data Protection (DLP), and any DSPM platform you run (Wiz, Orca, Prisma Cloud, BigID, Securiti) and map sensitive data to specific tables and columns, then check that those targets have appropriate encryption, IAM authentication, RLS, audit logging, and immutable backups. We never read row contents ourselves; the audit consumes the aggregate classification metadata your tools already produce.

Those tools produce raw findings; this audit interprets them. Native posture tools flag issues but do not score ransomware-resistance, do not validate restore-test evidence, do not model cross-engine privilege escalation, and do not produce a prioritised, copy-pasteable remediation backlog. A senior database-security engineer triages every finding, removes false positives, combines signals across AWS RDS Recommendations, Inspector, Trusted Advisor, Macie, Azure Defender, Purview, GCP SCC, DLP, Prowler, ScoutSuite, and Steampipe, and produces an action-ready plan rather than a 5,000-line raw report.

Yes. Every finding is mapped to specific controls in the CIS Database Benchmarks (per engine), PCI-DSS Requirements 3 (encryption) and 8 (authentication), HIPAA Security Rule §164.312 Technical Safeguards, GDPR Article 32 (security of processing), SOC 2 CC6 (logical access), and NIST 800-53 - so the report drops directly into your compliance evidence pack alongside your SOC 2, ISO 27001, HIPAA, or PCI audit.

No. The audit is fully read-only against describe / list APIs at a controlled rate. We never connect to any database endpoint, run queries, take snapshots, or modify configuration. Where your CSPM / SIEM (Wiz, Orca, Prisma Cloud, Defender, Sentinel, Security Hub) might flag the read activity we can pre-coordinate with your detection team, but in practice the API calls look identical to a normal admin running aws rds describe-db-instances.

Typical turnaround is 1-2 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your security, platform, and DBA leads. Larger estates with hundreds of database instances across multiple engines and clouds can take a little longer; we confirm the timeline as soon as we see the scope.