Cloud Scanner · AzureLens & AWSLens

Your cloud,
fully audited.

Built by cloud engineers who've audited hundreds of Azure and AWS environments. Every wasted dollar, security gap, and reliability issue — surfaced with expert remediation guidance on every finding.

39+ Azure checks per scan
49+ AWS checks per scan
3 Categories: Waste · Security · Reliability
Read-only: Zero write access. Zero exposure.
Products

Expert-level analysis for Azure and AWS

Purpose-built by cloud engineers for each platform. The same checks our team runs on client environments, available to you on demand.

AzureLens
Microsoft Azure scanner

Deep configuration analysis across all your Azure subscriptions. Surfaces security misconfigurations, exposed resources, encryption gaps, and reliability risks - with a clear remediation path for each finding.

  • NSG rules with open inbound access (0.0.0.0/0)
  • Storage accounts without HTTPS enforcement
  • Key Vault purge protection and public network access
  • SQL Database Transparent Data Encryption
  • VMs running end-of-life operating systems
  • App Services with deprecated runtimes or weak TLS
  • Subnets with no Network Security Group attached
  • 14 Azure resource types with one-click deletion from dashboard
AWSLens
Amazon Web Services scanner

Comprehensive AWS environment scanning across IAM, EC2, S3, RDS, Lambda and more. Identifies publicly exposed resources, overly permissive policies, unencrypted data stores, and monitoring blind spots.

  • Root account MFA and active access keys
  • IAM password policy and access keys older than 90 days
  • EC2 instances with IMDSv1 enabled (SSRF risk)
  • RDS instances - public access and storage encryption
  • GuardDuty and CloudTrail enabled per region
  • KMS CMK rotation and SQS encryption
  • Lambda deprecated runtimes and ECR scan-on-push
  • 9 AWS resource types with one-click deletion (EBS, ENI, NAT, S3, and more)
How it works

Three steps to full visibility

No agents. No complex setup. Read-only credentials are all that's needed.

Step 01

Connect your credentials

Paste your Client ID and Client Secret for Azure, or your Access Key for AWS. Only read permissions are used - the scanner never writes or modifies anything in your environment.

Step 02

Run the scan

CloudRetina enumerates every resource in your subscriptions or accounts and runs all checks concurrently. The scanner handles everything: no manual resource selection, no missed corners, no configuration required.

Step 03

Review, export, and remediate

Every finding is tagged by severity and category: Security, Reliability, or Waste. Each comes with an expert-written remediation step. Export a full PDF or CSV report, or use one-click remediation to act directly from the dashboard.

Coverage

What gets checked

Every check maps to a real-world attack vector, compliance requirement, or cost leak. Items marked deletable can be removed directly from the dashboard with one confirmed click.

AzureLens

Azure Coverage

39+ checks
Security — Networking
  • NSG rules allowing unrestricted inbound access (0.0.0.0/0)
  • Subnets with no Network Security Group attached
  • Redis Cache non-TLS port (6379) enabled
  • Cosmos DB public network access without VNet restriction
Security — Data & Encryption
  • Storage account HTTPS enforcement and minimum TLS version
  • SQL Database Transparent Data Encryption (TDE) disabled
  • SQL Database auditing not configured
  • App Service HTTPS-only and TLS version enforcement
  • Key Vault purge protection disabled
  • Key Vault public network access unrestricted
Security — Compute & Runtime
  • VMs running end-of-life OS (Windows Server 2008/2012, CentOS)
  • App Service deprecated Python or PHP runtime versions
Reliability
  • SQL Database configured for local-only backup (no geo-redundancy)
Cost Waste & One-click Deletion
  • Unattached managed disks (deletable)
  • Stopped (deallocated) virtual machines (deletable)
  • Unused public IP addresses (deletable)
  • Old disk snapshots (deletable)
  • Unused load balancers (deletable)
  • Unused network interface cards (NICs) (deletable)
  • Empty resource groups (deletable)
  • Unused storage accounts (deletable)
  • Unused Network Security Groups (deletable)
  • Unused Application Gateways (deletable)
  • Unused Azure Firewalls (deletable)
  • Unused Azure Bastion hosts (deletable)
  • Stopped container instances (deletable)
  • Old custom VM images (deletable)
AWSLens

AWS Coverage

49+ checks
Security — Identity & Access (IAM)
  • Root account MFA missing or active access keys present
  • IAM password policy — length, complexity, expiry requirements
  • IAM access keys older than 90 days still active
  • IAM policies with wildcard Action or Resource (*)
Security — Networking & Compute
  • EC2 instances with IMDSv1 enabled (SSRF credential theft risk)
  • Default VPC security group with inbound or outbound rules
  • VPC Flow Logs not enabled
  • Load balancer access logging disabled
Security — Data & Encryption
  • RDS storage encryption disabled or publicly accessible
  • SQS queue server-side encryption not configured
  • KMS customer-managed key automatic rotation disabled
  • S3 versioning and server access logging not enabled
  • Secrets Manager secrets without automatic rotation
Security — Monitoring & Runtime
  • CloudTrail not enabled or not actively logging
  • GuardDuty not enabled in one or more regions
  • Lambda functions using deprecated runtimes (Python 3.6/3.7, Node 12)
  • ECR repositories with image scan-on-push disabled
Reliability
  • RDS automated backup retention below 7 days
Cost Waste & One-click Deletion
  • Unattached EBS volumes (deletable)
  • Old EBS snapshots (deletable)
  • Empty S3 buckets (deletable)
  • Unused Elastic Network Interfaces (ENIs) (deletable)
  • Unused Security Groups (deletable)
  • Unused VPCs (deletable)
  • Idle NAT Gateways (deletable)
  • Unused Load Balancer Target Groups (deletable)
  • Unused ECR repositories (deletable)
Built for teams

Built for cloud professionals

Whether you're an in-house cloud team running quarterly audits or an MSP delivering cloud management at scale, CloudRetina Cloud Scanner gives you expert-level insight on demand.

Multi-tenant scanning

Manage scans across multiple Azure subscriptions or AWS accounts from a single CloudRetina login. Save credential profiles for each client and scan with one click.

Cost savings identification

Every scan surfaces idle resources, orphaned storage, stopped VMs, and unused IPs, with an estimated monthly cost attached. See exactly what you're overspending on before you fix a single thing.

PDF & CSV reporting

Generate a professional PDF report or full CSV export from every scan. Formatted, prioritised, and ready to share with clients, leadership, or your compliance team.

One-click remediation

For supported resource types - orphaned disks, unused IPs, stopped VMs - CloudRetina can delete the waste directly from the dashboard with a single confirmed click.

Security & privacy

Security built in by engineers who know better

We've audited enough cloud environments to know exactly what credential mishandling looks like. We built CloudRetina to the standard we'd hold anyone else to.

Read-only access

The scanner only reads resource configurations via the cloud API. It never creates, modifies, or deletes resources. Azure requires the Reader role; AWS requires SecurityAudit.

Credentials encrypted at rest

Service principal secrets and AWS access keys are stored encrypted using AES-256. They are never logged, never shared, and can be revoked from your cloud console at any time.

No data retained

Scan results and credential profiles are deleted when you cancel. We do not sell, share, or analyse your cloud data for any purpose other than generating your findings report.

FAQ

Common questions

Read-only access to your cloud environment. For Azure, a service principal with the built-in Reader role at the subscription scope. For AWS, an IAM user or role with the managed SecurityAudit policy. No write permissions are ever required or used.
No. The scanner is entirely read-only. It reads resource configurations via the cloud provider API and produces a findings report. It never creates, modifies, or deletes any resources. The optional one-click remediation feature in the dashboard requires you to explicitly confirm each deletion.
Credentials are stored encrypted at rest using AES-256. They are never logged, shared, or retained after you cancel your subscription. You can also revoke them from your cloud console at any time as an additional safeguard.
Yes. Both AzureLens and AWSLens support scanning multiple subscriptions or accounts. You can save separate credential profiles for each in the dashboard and scan any of them with one click. There are no per-subscription or per-account charges.
CloudRetina is a standalone, cross-cloud tool that's simpler to set up and gives you a unified view across Azure and AWS from a single dashboard. Native tools like Defender for Cloud and Security Hub are deeply integrated but require separate configuration per platform and don't give you cross-cloud comparison. Many customers use CloudRetina alongside native tools.
Book a short demo via the button above. We'll walk you through the setup, run a live scan on your environment during the call, and get you fully onboarded. There's no lengthy sales process - most customers are up and running the same day.

See your cloud posture in under an hour.

Book a short demo and we'll run a live scan on your environment during the call. No commitment required.