
Cloud Risk & Governance Report
December 2025

Report Scope
The objectives of the report were to establish:
1. Infrastructure DR readiness - How ready is Customer X to recover from a cloud infrastructure resource deletion?
2. Governance Posture - How frequently is Customer X's engineering team making risky manual infrastructure changes?
3. Security & Compliance Exposure - How secure and compliant are Customer X's existing cloud deployments?
4. Cost control - How much of Customer X's cloud footprint lacks accountability when it comes to cost?
Scope in numbers:
- 20 AWS Accounts
- 1 Cloudflare Account
- 1 Okta Account
- 31,700 Cloud Resources in Total

The main findings from the DR Report

DR Risk per environment
- 52% of Prod resources are not DR-Ready

Governance Posture
- 313 drifts identified in prod accounts
- 238 ClickOps (console operations) identified in the last 7 days
- 18 distinct stakeholders performed console ops

Security Exposure
- 1 in 4 resources have a security vulnerability identified
- 64% of security misconfigurations are associated with resources unmanaged by IaC

Compliance Exposure
- 37% compliant against NIST framework
- 75% compliant against PCI

Cost Posture
- $1.3M of annual costs are 'unmanaged' and not benchmarked against a desired state

Deep Dive Analysis
Below is a deeper analysis of the findings.
Only 31% of resources are managed by IaC and ready for DR, meaning no backup is in place for 2 out of every 3 resources in the event of deletion, putting SLAs at risk.

Only 56% of Production Route 53 configurations are managed by IaC and ready for DR

A lack of an established 'golden path' for infra delivery encourages unsupervised operations:
- 313 drifts identified - these lead to operational instability and represent security, audit and compliance risk.

- 238 console operations over the last 7 days

- ClickOps performed by 18 unique users

- 1 in 4 resources were found to have security misconfigurations, including 134 Critical severity and 2,204 High severity vulnerabilities

- Security misconfiguration profile:
  - 64% of resources with Critical security misconfigurations are unmanaged by IaC

- 182 out of 288 NIST Controls Failed

- 275 out of 1,497 PCI 4.0 Controls Failed

- $114K of monthly cost is not managed by IaC and is therefore not benchmarked against a desired state. These resources represent potential cost overruns.

- Below is a list of the unmanaged-by-IaC resources with the highest associated cost:


Success with ControlMonkey
Pillar | Desired Outcome | How |
--- | --- | --- |
Enabling infra change management autonomy | Enhance DevOps productivity by up to 30% through a frictionless infra change management process | Full infrastructure change management suite including managed infra pipelines, automated PR reviews and a full collaboration space |
DR Readiness | 90%+ IaC coverage in production accounts | Daily backup of your entire cloud configuration, or import of unmanaged resources to Terraform |
Drift detection and mitigation | Drifts identified in near real time, with details of who did what | Near-real-time drift detection allows cloud teams to be proactive in taking corrective actions before drifts cause operational issues and introduce risk |
Security Vulnerabilities | Reduce security misconfigurations by up to 50% | All deployments validated against pre-defined security policies |
Unsupervised Manual Operations | Reduce to less than 5% in production | By importing resources to Terraform and providing robust, easy-to-use automation, engineers won't need to use the console directly. |

Case Studies

“What used to take 1-2 hours now takes just 10 minutes, freeing our team to focus on innovation instead of manual processes. This level of efficiency has not only accelerated our deployments but also reinforced governance and compliance across the board.”
- Faheem Memon, Senior SRE Manager

“I can come to my boss and tell him 100% of our cloud is backed up. Doing this ourselves would have taken quarters of effort for just a fraction of the value we get from their platform.”
- Ben Apprederisse, Platform Technical Lead

“We achieved a 100% SOC 2 compliance acceptance rate. Compliance is now built into our infrastructure delivery process and proactively enforced.”
- Ed Haynes, Principal Platform Engineer

“What once took days of back-and-forth communication with DevOps now only takes a few minutes. We removed all friction by making the process fully automated and self-served, but the real gem is that our data is entirely secure.”
- Jonathann Zenou, Director of DevSecOps

“ControlMonkey helped us discover which resources were not managed by IaC and easily migrate them into Terraform with a single click. ControlMonkey shortened our migration project timeline by 53% and saved valuable DevOps hours.”
- Ron Gruner, VP R&D (Granulate)