What this looks like in the scanner
securecompass.io/public-exposure-scanner
Severity / Resource / Finding:
- High: prod-operations-dashboard - CloudWatch dashboard has public sharing enabled, accessible without authentication
- High: /aws/lambda/prod-api - CloudWatch log group resource policy allows logs:PutLogEvents from any AWS account
- Medium: /ecs/prod-web-service - CloudWatch log group stores application logs without KMS encryption
What does Amazon CloudWatch public exposure mean?
CloudWatch dashboards can be shared publicly via sharing links. Log groups with overly permissive resource policies can allow external accounts to write or read log data.
Why it matters
CloudWatch logs contain operational data that can reveal infrastructure details, application behavior, error messages with stack traces, and potentially sensitive data logged by applications.
How to check manually
1. Check for shared CloudWatch dashboards (sharing settings)
2. Review CloudWatch Logs resource policies for external access
3. Verify log group encryption is enabled
4. Check for sensitive data in log streams
Quick check with AWS CLI
List CloudWatch dashboards and check sharing status:
aws cloudwatch list-dashboards --query "DashboardEntries[].DashboardName" --output text

Check log group resource policies for external access:
aws logs describe-resource-policies --query "resourcePolicies[].{Name:policyName,Policy:policyDocument}"

Find log groups without encryption:
aws logs describe-log-groups --query "logGroups[?!kmsKeyId].{Name:logGroupName,RetentionDays:retentionInDays}"

Common misconfigurations
Dashboard shared publicly without authentication
Log group resource policy allowing cross-account writes from any account
Log groups without encryption enabled
Application logs containing credentials or PII
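The two log-group checks from the CLI section and the misconfiguration list above, turned into a small offline audit. This is an added example, not the scanner's own code; the resource policies and log groups are constructed samples shaped like the JSON that `aws logs describe-resource-policies` and `aws logs describe-log-groups` return, and the account id and key ARN are placeholders.

```python
import json

# Constructed sample output of `aws logs describe-resource-policies` and
# `aws logs describe-log-groups`, trimmed to the fields this check uses.
ACCOUNT = "111111111111"  # placeholder account id
RESOURCE_POLICIES = [
    {"policyName": "open-put", "policyDocument": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "logs:PutLogEvents",
        "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/lambda/prod-api:*"}]})},
    {"policyName": "scoped-put", "policyDocument": json.dumps({"Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["logs:PutLogEvents"],
        "Resource": "*", "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT}}}]})},
]
LOG_GROUPS = [
    {"logGroupName": "/ecs/prod-web-service", "retentionInDays": 30},
    {"logGroupName": "/aws/lambda/prod-api", "kmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE"},
]

def _as_list(v):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return v if isinstance(v, list) else [v]

def open_principal(statement):
    """True if an Allow statement names every AWS principal ("*" or {"AWS": "*"})
    and carries no Condition block that scopes it (e.g. aws:SourceAccount)."""
    if statement.get("Effect") != "Allow" or "Condition" in statement:
        return False
    p = statement.get("Principal")
    if isinstance(p, dict):
        return "*" in _as_list(p.get("AWS", []))
    return p == "*"

def audit(resource_policies, log_groups):
    """Flag wildcard resource policies (High) and log groups with no KMS key (Medium)."""
    findings = []
    for pol in resource_policies:
        doc = json.loads(pol["policyDocument"])  # policyDocument is a JSON string
        for st in _as_list(doc.get("Statement", [])):
            if open_principal(st):
                actions = ", ".join(_as_list(st.get("Action", [])))
                findings.append(("High", pol["policyName"],
                                 f"resource policy allows {actions} from any AWS account"))
    for lg in log_groups:
        if not lg.get("kmsKeyId"):
            findings.append(("Medium", lg["logGroupName"],
                             "log group stores logs without KMS encryption"))
    return findings

if __name__ == "__main__":
    for sev, res, msg in audit(RESOURCE_POLICIES, LOG_GROUPS):
        print(f"{sev:6} {res:24} {msg}")
```

A statement with a wildcard principal but a Condition is skipped here because such conditions usually pin the caller to your own account; review those by hand rather than auto-flagging them.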
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.