Macksofy Technologies
SaaS · Cloud Security
India · Startup · 2025

Wildcard IAM on a single Lambda role gave admin-equivalent reach — closed pre-Series-C diligence

A Series-B B2B SaaS team in Bangalore needed an AWS audit before a Series-C technical-diligence call. By day three Macksofy had shown how a Lambda execution role carrying a wildcard IAM policy could be escalated to admin-equivalent access. The finding was fixed inside a week, with IaC guardrails added so it could not recur.

Tags: SaaS · AWS · Cloud Security · IAM · Bangalore · Series-C · Terraform
Engagement summary

Client: B2B SaaS Startup (Bangalore)
Sector: SaaS
Region: India
Engagement: Cloud Security
Year: 2025
Duration: 8 working days

  • 1 critical IAM finding, fixed in 4 days
  • 0 Series-C blocking findings
  • 240 GuardDuty alerts triaged
  • 8 days total engagement
The challenge

What the client was up against.

Pre-diligence pressure, a large estate

The team had 47 microservices, 19 CI/CD pipelines and 380+ IAM roles across four AWS accounts. The investor's technical diligence partner had a hard checklist — and 'your Lambdas can become admin' was very much on it.

Speed-built infrastructure

Most IAM policies had been written in the first six months of the company's life and had never been re-scoped. The classic startup pattern: convenient policies that grew teeth over time.

Approach

How we ran the engagement, phase by phase.

Phase 01 · IAM blast-radius mapping

  • Pulled every IAM policy across the four AWS accounts via a read-only role
  • Used IAM-graph + custom queries to map effective permissions per principal
  • Flagged every role with iam:PassRole, sts:AssumeRole and wildcard actions
Phase 02 · Lambda + ECS task-role review

  • Audited every Lambda execution role and ECS task role for blast-radius
  • Tested escalation paths — could this Lambda assume any admin-tier role?
  • Identified the wildcard-IAM Lambda role: full admin escalation possible
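The flagging described in Phases 01 and 02 can be reproduced offline once the policy documents have been exported. The block below is an added example, not Macksofy's tooling or the client's code: it takes policy documents as plain dicts (the sample roles and ARNs are constructed, and the list of privilege-escalation actions is an illustrative subset, not an exhaustive one) and flags wildcard actions, iam:PassRole / sts:AssumeRole pivots, and any Allow that gives the role iam:* or a known privesc action on Resource "*", which is enough for the role to attach an administrator policy to itself.

```python
"""Offline blast-radius triage for IAM role policies (added example).

Assumption: policy documents were already pulled through a read-only role
(get-role-policy / get-policy-version) and are loaded here as dicts.
No AWS calls are made.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Actions that let a principal grant itself more permissions. Illustrative
# subset of well-known IAM privilege-escalation primitives, not exhaustive.
PRIVESC_ACTIONS = (
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy",
)
PIVOT_ACTIONS = ("iam:PassRole", "sts:AssumeRole")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows(statement, action):
    """True if an Allow statement's Action/NotAction covers `action` (case-insensitive)."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        # Allow + NotAction permits everything except the listed patterns.
        return not any(fnmatch(action.lower(), p.lower()) for p in _as_list(statement["NotAction"]))
    return any(fnmatch(action.lower(), p.lower()) for p in _as_list(statement.get("Action")))


@dataclass
class RoleRisk:
    role: str
    wildcard_actions: list = field(default_factory=list)
    pivot_actions: list = field(default_factory=list)
    admin_equivalent: bool = False


def assess_role(role_name, policies):
    """Flag wildcard actions, PassRole/AssumeRole pivots and admin-equivalent reach."""
    risk = RoleRisk(role=role_name)
    for policy in policies:
        for st in _as_list(policy.get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            for pattern in _as_list(st.get("Action")):
                if pattern.endswith("*") and pattern not in risk.wildcard_actions:
                    risk.wildcard_actions.append(pattern)
            for action in PIVOT_ACTIONS:
                if _allows(st, action) and action not in risk.pivot_actions:
                    risk.pivot_actions.append(action)
            # A privesc action on Resource "*" lets the role rewrite its own permissions.
            if "*" in _as_list(st.get("Resource")) and any(_allows(st, a) for a in PRIVESC_ACTIONS):
                risk.admin_equivalent = True
    return risk


# Constructed sample roles (not the client's). The first mirrors the critical
# finding: an execution role carrying iam:* on Resource "*".
SAMPLE_ROLES = {
    "bookkeeping-lambda-role": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        ]},
    ],
    "reports-ecs-task-role": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": "arn:aws:iam::111122223333:role/cross-account-reader"},
        ]},
    ],
    "scoped-lambda-role": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
             "Resource": "arn:aws:dynamodb:ap-south-1:111122223333:table/ledger"},
        ]},
    ],
}


def rank_roles(roles=SAMPLE_ROLES):
    """Return role assessments, most dangerous first."""
    risks = [assess_role(name, pols) for name, pols in roles.items()]
    return sorted(risks, key=lambda r: (r.admin_equivalent, len(r.pivot_actions),
                                        len(r.wildcard_actions)), reverse=True)


if __name__ == "__main__":
    for r in rank_roles():
        print(f"{r.role:26} admin={r.admin_equivalent} wildcard={r.wildcard_actions} pivot={r.pivot_actions}")
```

Note that the scoped role with iam:AttachRolePolicy limited to a single foreign role ARN is not flagged as admin-equivalent, while an Allow written with NotAction and Resource "*" is, since NotAction grants everything it does not name.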
Phase 03 · S3 + KMS + Secrets Manager

  • Bucket policies + ACLs reviewed; cross-account access exposed three buckets
  • KMS key policies audited for cross-account decrypt grants
  • Secrets Manager rotation status mapped for all 142 secrets
Phase 04 · GuardDuty + CloudTrail posture

  • Confirmed CloudTrail multi-region trail with log-file validation
  • Reviewed GuardDuty findings backlog (240+ unaddressed)
  • Built a ranked remediation list with concrete IaC patches
Phase 05 · IaC guardrails + retest

  • Shipped Terraform modules with deny-by-default IAM patterns
  • Added Service Control Policies at the AWS Organisation root
  • Live-retested all critical / high findings within 30 days
Findings

What we surfaced — severity, title, real-world impact.

Critical

Lambda execution role with iam:* on Resource:*

A bookkeeping-style Lambda had inherited a wildcard IAM policy. Anyone who could deploy code to that Lambda could have it call iam:AttachRolePolicy on its own execution role (or create a fresh user with an access key) and so escalate to admin-equivalent access across the account.

High

Three S3 buckets cross-account readable

Customer-export buckets allowed cross-account reads from a stale third-party vendor account that the client had ended a relationship with 14 months prior.

High

KMS key with overly broad cross-account decrypt

A multi-tenant KMS key policy allowed kms:Decrypt to Principal '*', relying on a Condition block that did not actually restrict which account the caller came from. The cross-account control existed on paper only.
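The KMS finding above is easy to miss by eye because the statement does carry a Condition. The block below is an added example, not the client's key policy or Macksofy's tooling: the page does not say which condition the real key used, so the weak sample assumes kms:ViaService as one plausible condition that restricts the calling service but not the calling account. The check flags any Allow on kms:Decrypt to a wildcard principal unless a fail-closed operator pins an account-, org- or ARN-scoping key (an assumed list, extend as needed). Operators ending in IfExists, ForAllValues:... and the Not... variants all succeed when the key is absent from the request, so they are deliberately not counted.

```python
"""Check a KMS key policy for 'Principal: *' decrypt grants whose Condition
does not pin the calling account (added example, offline, no AWS calls)."""
from fnmatch import fnmatch

# Condition keys that genuinely bind the caller to an account, org or ARN.
# Assumed list for this check.
ACCOUNT_SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "kms:calleraccount", "aws:sourceaccount", "aws:sourcearn",
}
# Operators that fail closed when the key is missing from the request context.
# ...IfExists, ForAllValues:... and ...Not... variants match when the key is
# absent (or for every value but one), so they do not constrain the caller.
CONSTRAINING_OPERATORS = {
    "StringEquals", "StringLike", "ArnEquals", "ArnLike",
    "ForAnyValue:StringEquals", "ForAnyValue:StringLike",
    "ForAnyValue:ArnEquals", "ForAnyValue:ArnLike",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """'*' and {'AWS': '*'} both open the statement to any AWS principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _scopes_caller(condition):
    """True only if some condition entry actually pins the calling account/org/ARN."""
    for operator, entries in (condition or {}).items():
        if operator not in CONSTRAINING_OPERATORS:
            continue
        for key, values in entries.items():
            if key.lower() in ACCOUNT_SCOPING_KEYS and all(v != "*" for v in _as_list(values)):
                return True
    return False


def _grants_decrypt(statement):
    return any(fnmatch("kms:decrypt", a.lower()) for a in _as_list(statement.get("Action")))


def open_decrypt_statements(key_policy):
    """Sids of Allow statements letting any principal decrypt without an account-scoping condition."""
    findings = []
    for st in _as_list(key_policy.get("Statement")):
        if st.get("Effect") != "Allow" or not _grants_decrypt(st):
            continue
        if _is_wildcard_principal(st.get("Principal")) and not _scopes_caller(st.get("Condition")):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def _key_policy(tenant_condition):
    """Build a constructed two-statement key policy with the given tenant condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AdminAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "TenantDecrypt", "Effect": "Allow", "Principal": "*",
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*", "Condition": tenant_condition},
    ]}


# Constructed samples. kms:ViaService says which service may use the key; it
# says nothing about which account's principals may do so through that service.
WEAK_KEY_POLICY = _key_policy(
    {"StringEquals": {"kms:ViaService": "s3.ap-south-1.amazonaws.com"}})
# Same intent, caller pinned to the organisation with a fail-closed operator.
FIXED_KEY_POLICY = _key_policy(
    {"StringEquals": {"kms:ViaService": "s3.ap-south-1.amazonaws.com",
                      "aws:PrincipalOrgID": "o-exampleorgid"}})
# Looks fixed, is not: IfExists passes when aws:PrincipalOrgID is absent.
IFEXISTS_KEY_POLICY = _key_policy(
    {"StringEqualsIfExists": {"aws:PrincipalOrgID": "o-exampleorgid"}})


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_KEY_POLICY), ("fixed", FIXED_KEY_POLICY),
                      ("ifexists", IFEXISTS_KEY_POLICY)):
        print(name, open_decrypt_statements(pol))
```

The admin statement is never flagged because its principal is a specific account root ARN; the check is aimed only at wildcard principals, which is where a misplaced Condition turns a tenant grant into a public one.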

Medium

240+ ignored GuardDuty findings

No triage process — findings included three high-severity port-scan and brute-force events older than 90 days.
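A backlog like this needs a rule that separates "page now" from "should have been handled months ago" before anyone reads 240 findings. The block below is an added example of such a rule, not the runbook Macksofy delivered: it sorts constructed findings shaped like GuardDuty's GetFindings output (Id, Type, Severity, UpdatedAt) into page / overdue / ticket / review buckets using GuardDuty's documented severity bands (7.0 and above high, 4.0 to 6.9 medium, below 4.0 low) and a 90-day staleness cut-off. The sample finding types are real GuardDuty type names, but the findings themselves and the AS_OF date are constructed.

```python
"""Triage rule for a GuardDuty findings backlog (added example, offline)."""
from datetime import datetime, timedelta

HIGH, MEDIUM = 7.0, 4.0          # GuardDuty severity bands
STALE_AFTER = timedelta(days=90)  # older than this and still open = overdue
AS_OF = "2025-06-01T00:00:00Z"    # constructed "now" for the sample run

# Constructed findings; three stale high-severity scan/brute-force events,
# one fresh high-severity event, one medium, one low.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "Recon:EC2/Portscan", "Severity": 8.0, "UpdatedAt": "2025-01-04T10:00:00Z"},
    {"Id": "f-002", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 8.0, "UpdatedAt": "2025-02-10T10:00:00Z"},
    {"Id": "f-003", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 8.0, "UpdatedAt": "2025-02-20T10:00:00Z"},
    {"Id": "f-004", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 8.0, "UpdatedAt": "2025-05-28T10:00:00Z"},
    {"Id": "f-005", "Type": "Policy:IAMUser/RootCredentialUsage", "Severity": 5.0, "UpdatedAt": "2025-05-30T10:00:00Z"},
    {"Id": "f-006", "Type": "Stealth:S3/ServerAccessLoggingDisabled", "Severity": 2.0, "UpdatedAt": "2025-05-31T10:00:00Z"},
]


def _parse(ts):
    """GuardDuty timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def triage(findings=SAMPLE_FINDINGS, now=AS_OF):
    """Bucket finding Ids: page (high, fresh), overdue (high, stale), ticket (medium), review (low).
    Within a bucket, highest severity first, then oldest first."""
    now_dt = _parse(now)
    buckets = {"page": [], "overdue": [], "ticket": [], "review": []}
    for f in sorted(findings, key=lambda f: (-f["Severity"], f["UpdatedAt"])):
        age = now_dt - _parse(f["UpdatedAt"])
        if f["Severity"] >= HIGH:
            buckets["overdue" if age > STALE_AFTER else "page"].append(f["Id"])
        elif f["Severity"] >= MEDIUM:
            buckets["ticket"].append(f["Id"])
        else:
            buckets["review"].append(f["Id"])
    return buckets


if __name__ == "__main__":
    for bucket, ids in triage().items():
        print(f"{bucket:8} {ids}")
```

The "overdue" bucket is the one that matters for a diligence conversation: it is the list of high-severity events nobody acted on, and it empties only when the findings are archived or resolved, not when they age out.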

Outcome

What changed for the client.

Series-C diligence cleared on first pass

Macksofy's report and IaC patches landed in time for the diligence call. The diligence partner's checklist came back with zero blocking findings — no extra audit cycle, no delayed close.

IaC guardrails now company-wide

The deny-by-default Terraform modules we shipped became the company's IAM standard. Every new service launches with scoped policies and SCP-enforced boundaries.

GuardDuty backlog cleared in ten days

We delivered a triage runbook the platform team adopted; the 240-finding backlog cleared in ten days, and the team now treats new high-severity GuardDuty findings as a paged event.

We were three weeks from diligence and we knew our IAM was a mess. Macksofy didn't just point at things — they shipped Terraform modules our team kept using. Series-C closed on schedule.
VP Engineering · B2B SaaS Startup (Bangalore)
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements