
Automated Infrastructure Auditing Using Machine Learning


Sarah Chen

Vereonix Technologies


Dr. James Patterson

Vereonix Technologies, Security Division

November 2023 · Vereonix Technologies Research Papers, Vol. 2, pp. 62-83 · DOI: 10.1109/VRNX.2023.005

Abstract

This paper presents an ML-driven approach to automated infrastructure auditing that identifies security vulnerabilities, compliance gaps, and performance bottlenecks across multi-cloud environments. Our system combines rule-based policy engines with anomaly detection models trained on infrastructure telemetry data. We introduce a novel graph neural network architecture that models infrastructure dependencies, enabling detection of complex misconfiguration chains that single-resource checks miss. Evaluated across 8 enterprise environments encompassing 47,000+ cloud resources, our system reduces manual audit time by 75% while improving vulnerability detection rate from 62% (manual baseline) to 94%. The system generates prioritized remediation plans with estimated risk scores, enabling security teams to focus on the highest-impact findings.

Keywords: infrastructure audit, machine learning, compliance, automation, graph neural network, anomaly detection

1. Introduction

Manual infrastructure auditing is one of the most labor-intensive activities in enterprise cloud security. A typical audit cycle involves inventorying cloud resources, checking each resource against security benchmarks (CIS, NIST, SOC 2), documenting findings, and producing remediation recommendations. For large-scale environments with tens of thousands of resources, this process can take weeks and produces point-in-time snapshots that are already outdated upon delivery.

Existing automated tools (AWS Config, CloudSploit, Prowler) address part of this challenge by running predefined rules against cloud resource configurations. However, these rule-based approaches have fundamental limitations: they check individual resources in isolation, miss complex misconfiguration chains, cannot detect novel vulnerability patterns, and generate high volumes of low-priority alerts that overwhelm security teams.

We present a hybrid auditing system that combines traditional rule-based checks with machine learning models. Our key innovation is a graph neural network (GNN) that models infrastructure as a dependency graph, enabling detection of vulnerability chains that span multiple resources. For example, a publicly accessible S3 bucket may not be flagged by rule-based tools if its bucket policy is correct — but the GNN can detect that the bucket is referenced by a Lambda function with an overly permissive IAM role, creating an indirect attack path.
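The indirect attack path described above is, at its core, a reachability question over the dependency graph. A minimal sketch in Python (the graph, node names, and traversal are illustrative, not the system's actual implementation):

```python
# Hypothetical dependency graph for the example above: a Lambda function with
# a public endpoint assumes an over-permissive IAM role that grants access to
# an otherwise correctly configured S3 bucket.
graph = {
    "internet": ["lambda_fn"],   # function is publicly invocable
    "lambda_fn": ["iam_role"],   # function assumes this role
    "iam_role": ["s3_bucket"],   # role grants s3:* on the bucket
    "s3_bucket": [],
}

def attack_paths(graph, src, dst, path=None):
    """Enumerate all simple paths from src to dst via depth-first search."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in graph.get(src, []):
        if nxt not in path:  # skip nodes already on the path (avoid cycles)
            found.extend(attack_paths(graph, nxt, dst, path))
    return found

print(attack_paths(graph, "internet", "s3_bucket"))
# → [['internet', 'lambda_fn', 'iam_role', 's3_bucket']]
```

A rule checking the bucket in isolation sees nothing wrong; only the three-edge path from the internet to the bucket reveals the exposure.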


2. System Architecture

The auditing system consists of four modules: Discovery, Rule Engine, ML Analyzer, and Remediation Planner.

2.1 Discovery Module

The discovery module inventories all cloud resources across configured accounts and providers (AWS, Azure, GCP) using provider APIs. Resources are enriched with configuration details, network connectivity, IAM permissions, and tags. The output is a comprehensive resource graph where nodes represent resources and edges represent relationships (references, network access, IAM trust).
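The shape of that output can be sketched as follows; the class and field names here are illustrative assumptions, not the system's actual API:

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    rid: str                 # provider-native identifier (ARN, resource ID, ...)
    rtype: str               # e.g. "aws_s3_bucket"
    config: dict = field(default_factory=dict)
    tags: dict = field(default_factory=dict)

@dataclass
class ResourceGraph:
    nodes: dict = field(default_factory=dict)   # rid -> Resource
    edges: list = field(default_factory=list)   # (src_rid, dst_rid, kind)

    def add_resource(self, res: Resource) -> None:
        self.nodes[res.rid] = res

    def add_edge(self, src: str, dst: str, kind: str) -> None:
        # kind is one of the relationship types the paper names:
        # "references", "network_access", or "iam_trust"
        self.edges.append((src, dst, kind))

g = ResourceGraph()
g.add_resource(Resource("fn-1", "aws_lambda_function"))
g.add_resource(Resource("bkt-1", "aws_s3_bucket",
                        config={"server_side_encryption_configuration": None}))
g.add_edge("fn-1", "bkt-1", "references")
```

Both downstream modules consume this one structure: the rule engine iterates over `nodes`, while the ML analyzer operates on `edges` as well.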

2.2 Rule Engine

The rule engine executes deterministic policy checks based on industry benchmarks. We implement 340+ rules covering CIS Benchmarks for AWS/Azure/GCP, NIST 800-53 controls, and custom organizational policies. Rules are defined as code (Open Policy Agent / Rego) and version-controlled alongside infrastructure templates.

# OPA rule: Detect unencrypted S3 buckets
package cloud.s3

deny[msg] {
    bucket := input.resources[_]
    bucket.type == "aws_s3_bucket"
    not bucket.config.server_side_encryption_configuration
    msg := sprintf(
        "S3 bucket '%s' does not have encryption enabled [HIGH]",
        [bucket.name]
    )
}
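The rule's predicate can be restated in plain Python for readers unfamiliar with Rego (the production check runs in OPA; the field names below follow the rule above):

```python
def unencrypted_s3_findings(resources):
    """Return HIGH-severity messages for S3 buckets lacking a
    server-side encryption configuration (mirrors the Rego rule)."""
    findings = []
    for r in resources:
        if r.get("type") != "aws_s3_bucket":
            continue  # rule only applies to S3 buckets
        if not r.get("config", {}).get("server_side_encryption_configuration"):
            findings.append(
                f"S3 bucket '{r['name']}' does not have encryption enabled [HIGH]"
            )
    return findings
```

Like the Rego version, the check fires when the encryption configuration key is absent or empty, and is silent otherwise.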

2.3 ML Analyzer

The ML analyzer operates on the resource dependency graph constructed by the discovery module. We employ a Graph Attention Network (GAT) with 4 attention heads and 3 message-passing layers. The model is trained on labeled audit data from historical engagements where human auditors identified misconfiguration chains. The model outputs a risk score for each resource and each edge in the graph, highlighting high-risk dependency paths.
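A single attention head of one message-passing layer can be sketched in NumPy as below; the production model stacks 3 such layers with 4 heads each (head outputs concatenated), and the shapes here are illustrative:

```python
import numpy as np

def gat_layer(H, A, W, a_src, a_dst, negative_slope=0.2):
    """One single-head graph attention layer (Veličković et al., 2018).

    H: (N, F) node features; A: (N, N) adjacency with self-loops
    (every node must have at least one neighbour, itself included);
    W: (F, F') projection; a_src, a_dst: (F',) attention vectors.
    """
    Z = H @ W                                   # project node features
    # e[i, j] = LeakyReLU(a_src . z_i + a_dst . z_j) for each pair (i, j)
    e = (Z @ a_src)[:, None] + (Z @ a_dst)[None, :]
    e = np.where(e > 0, e, negative_slope * e)  # LeakyReLU
    e = np.where(A > 0, e, -np.inf)             # mask non-edges
    # softmax over each node's neighbourhood (numerically stabilised)
    alpha = np.exp(e - e.max(axis=1, keepdims=True))
    alpha = alpha / alpha.sum(axis=1, keepdims=True)
    return alpha @ Z                            # attention-weighted aggregation
```

In the deployed system the per-node outputs feed a risk-scoring head, and the learned attention weights on edges highlight the high-risk dependency paths.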

2.4 Remediation Planner

The remediation planner aggregates findings from both the rule engine and ML analyzer, deduplicates overlapping findings, and produces a prioritized remediation plan. Priority is determined by a composite score incorporating vulnerability severity (CVSS), exposure (public vs. internal), data sensitivity of affected resources, and the blast radius estimated by the GNN.
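One plausible form of that composite score, sketched in Python (the weights and the linear combination are assumptions for illustration, not the paper's calibrated formula):

```python
def priority_score(cvss, public, sensitivity, blast_radius,
                   weights=(0.4, 0.2, 0.2, 0.2)):
    """Composite remediation priority in [0, 1] (illustrative weights).

    cvss: CVSS base score in [0, 10]; public: externally reachable?
    sensitivity: data sensitivity of affected resources in [0, 1];
    blast_radius: GNN-estimated blast radius in [0, 1].
    """
    w_cvss, w_exp, w_sens, w_blast = weights
    return (w_cvss * cvss / 10.0            # normalise CVSS to [0, 1]
            + w_exp * (1.0 if public else 0.0)
            + w_sens * sensitivity
            + w_blast * blast_radius)

# A public, high-CVSS finding on sensitive data outranks an internal one:
high = priority_score(9.8, public=True, sensitivity=0.9, blast_radius=0.8)
low = priority_score(5.3, public=False, sensitivity=0.2, blast_radius=0.1)
```

Ranking findings by such a score is what lets teams work top-down through the highest-impact items first.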


3. Evaluation Results

We evaluated the system across 8 enterprise environments over 6 months. Environments ranged from 2,000 to 12,000 cloud resources, spanning all three major cloud providers.

Metric                        | Manual Audit | Rules Only | Rules + ML (Ours)
------------------------------|--------------|------------|------------------
Vulnerability Detection Rate  | 62%          | 79%        | 94%
False Positive Rate           | 8%           | 22%        | 11%
Audit Duration                | 3-4 weeks    | 2-4 hours  | 2-4 hours
Dependency Chain Detection    | Limited      | None       | 87%
Remediation Plan Quality*     | 4.2/5        | 2.8/5      | 4.1/5

* Remediation Plan Quality was rated by senior security engineers on a 5-point scale for actionability, accuracy, and prioritization.

The ML-augmented system detects 94% of vulnerabilities — 32 percentage points above the manual baseline (62%) and 15 points above rule-based tools alone (79%). The GNN component adds particular value in detecting dependency chain vulnerabilities, identifying 87% of multi-resource attack paths that rule-based tools miss entirely.

Key Result: The hybrid system reduces audit time from 3-4 weeks to 2-4 hours while simultaneously improving detection rate from 62% to 94%. For one financial services client, this enabled a shift from quarterly audits to continuous weekly monitoring with the same team.


4. Conclusion

Automated infrastructure auditing with ML augmentation delivers substantial improvements in both speed and detection quality. The graph-based approach to modeling infrastructure dependencies is critical for detecting the complex, multi-resource misconfiguration chains that are increasingly the primary attack vector in cloud environments. Our system enables a shift from periodic, point-in-time audits to continuous, real-time compliance monitoring.

Future work will extend the GNN model to support cross-cloud dependency chains, integrate with SOAR platforms for automated remediation execution, and explore the use of LLMs for generating human-readable audit narratives from structured findings.


References

  1. CIS. (2023). CIS Benchmarks for AWS, Azure, and GCP. Center for Internet Security.
  2. Veličković, P., et al. (2018). Graph Attention Networks. ICLR 2018.
  3. Open Policy Agent. (2023). Policy-Based Control for Cloud Native Environments. OPA Documentation.
  4. NIST. (2020). Security and Privacy Controls for Information Systems. NIST SP 800-53 Rev. 5.
  5. Kipf, T., & Welling, M. (2017). Semi-Supervised Classification with Graph Convolutional Networks. ICLR 2017.