TITAN AI - AWS Live Scan AWS-20260426-132246

Reachability + Blast Radius

ATTACK PATHS COMPUTED	3
DOWNSTREAM RESOURCES AT RISK	3
COMPOUND-RISK RESOURCES	0

RESOURCES WITH MULTIPLE FINDINGS

FID

c8e6c9320831

P1 CRITICAL IAM open

Root user MFA is DISABLED

RESOURCE	root-account/450367038821
HIPAA / NIST CITATION	NIST 800-53 IA-2(1), CIS AWS 1.5, SOC2 CC6.1
RECOMMENDATION	Enable MFA on the root account immediately.
PRIORITY	P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS	PHI exposure · Exploit-in-wild · Business-critical
MITRE ATT&CK	`T1078.004 - Valid Accounts: Cloud Accounts`
ATTACK PATH	`Phish/Steal → Root Console → ALL AWS Resources`
PATH LENGTH	1 hops
BLAST RADIUS	1 entire_aws_account(s): 450367038821
DETECTED AT	2026-04-26T13:21:23.4232800-05:00
FIX APPLIED	False

REMEDIATION PLAYBOOK · OWNER: Security + IAM admin · ESTIMATED EFFORT: 30 minutes

Enable MFA on the root account via AWS console (only the root user can enable root MFA - cannot be delegated)
Delete any active root access keys: aws iam delete-access-key --user-name --access-key-id
For IAM users without MFA: aws iam enable-mfa-device --user-name --serial-number --authentication-code-1 --authentication-code-2
Add an SCP / IAM Boundary policy that denies actions when MFA is not present
Re-scan to verify root MFA enabled and no root keys

FID

7202c3054e22

P2 HIGH IAM open

IAM user iam-titandemo-260426-1311 has no MFA device

RESOURCE	user/iam-titandemo-260426-1311
HIPAA / NIST CITATION	CIS AWS 1.10, NIST 800-53 IA-2
RECOMMENDATION	Require MFA on all human IAM users.
PRIORITY	P2 · Fix in 72 hours — risk score 50/100
RISK FACTORS	PHI exposure · Business-critical
MITRE ATT&CK	`T1078.004 - Valid Accounts: Cloud Accounts`
ATTACK PATH	`Phish/Steal → User Console → User-Authorized Resources`
PATH LENGTH	1 hops
BLAST RADIUS	1 iam_user(s): iam-titandemo-260426-1311
DETECTED AT	2026-04-26T13:21:45.5419317-05:00
FIX APPLIED	False

REMEDIATION PLAYBOOK · OWNER: Security + IAM admin · ESTIMATED EFFORT: 30 minutes

Enable MFA on the root account via AWS console (only the root user can enable root MFA - cannot be delegated)
Delete any active root access keys: aws iam delete-access-key --user-name --access-key-id
For IAM users without MFA: aws iam enable-mfa-device --user-name --serial-number --authentication-code-1 --authentication-code-2
Add an SCP / IAM Boundary policy that denies actions when MFA is not present
Re-scan to verify root MFA enabled and no root keys

FID

d121cfd943f3

P1 HIGH S3 open

S3 bucket s3-titandemo-260426-1311-450367038821 lacks full Public Access Block

RESOURCE	s3://s3-titandemo-260426-1311-450367038821
HIPAA / NIST CITATION	HIPAA 164.312(a)(1), CIS AWS 2.1.5, NIST 800-53 AC-3
RECOMMENDATION	Enable all 4 Public Access Block settings (Block Public ACLs / Policy / Ignore / Restrict).
PRIORITY	P1 · Fix in 24 hours — risk score 75/100
RISK FACTORS	Internet-facing · PHI exposure · Business-critical
MITRE ATT&CK	`T1530 - Data from Cloud Storage`
ATTACK PATH	`Internet → S3 Public Endpoint → Bucket Objects`
PATH LENGTH	1 hops
BLAST RADIUS	1 s3_bucket(s): s3-titandemo-260426-1311-450367038821
DETECTED AT	2026-04-26T13:22:20.4147149-05:00
FIX APPLIED	False

REMEDIATION PLAYBOOK · OWNER: Storage Owner + Privacy · ESTIMATED EFFORT: Same day

Enable Public Access Block on the bucket: aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
Enable default encryption: aws s3api put-bucket-encryption --bucket NAME --server-side-encryption-configuration with SSEAlgorithm AES256
Audit S3 access logs for last 90 days for anonymous reads
If anonymous access detected on PHI/PII bucket: trigger HIPAA breach assessment
Enable Macie for ongoing PII/PHI classification on the bucket

AWS-20260426-132246