← Articles

April 15, 2026 · plainfra

What a plainfra AWS Infrastructure Health Report Looks Like

Every week, plainfra scans your connected AWS accounts and delivers a health report by email as a PDF. This page walks through a real example — a production account for a fictional Australian logistics company — so you know exactly what you're getting before you sign up.

Download the full sample report (PDF, 17 KB) →

The scenario

Meridian Logistics Pty Ltd is an Australian supply-chain SaaS company with around 120 staff. Their production AWS account runs the customer-facing application: EC2 instances behind a load balancer, a PostgreSQL RDS database, CloudFront for delivery, and S3 for storage. Monthly spend is around $9,240.

This is their weekly health report for 15 April 2026.

Overall status: RED

Every plainfra report opens with a single RAG status — RED, AMBER, or GREEN — that reflects the most serious finding in the account that week. RED means there is at least one issue requiring immediate attention. In this case, there are two.

Critical findings

1. ACM certificate expires in 11 days — auto-renewal not enabled

The TLS certificate for app.meridianlogistics.com.au expires on 26 April 2026. The certificate was issued for a 12-month term with DNS validation configured, but auto-renewal was never enabled in ACM. The certificate will not renew itself.

This finding was first raised last week at 18 days remaining. It is now at 11 days with no action taken.

Business impact: When the certificate lapses, all HTTPS traffic to the customer-facing application fails immediately. Browsers show a security warning and block access by default. Recommended action: Open ACM in the AWS Console, select the certificate, and enable DNS auto-renewal. Estimated time: 20 minutes. No downtime required.

2. PostgreSQL port 5432 open to the public internet

Security group sg-0a4f2c1d, attached to the primary RDS instance, has an inbound rule allowing TCP 5432 from 0.0.0.0/0. This has been the case since 22 March 2026 — three consecutive weekly reports with no remediation.

Business impact: The production PostgreSQL database is directly reachable from anywhere on the internet. A single weak or reused password on any database user could result in a full data breach. Recommended action: Remove the 0.0.0.0/0 inbound rule and replace it with the application subnet CIDR. No downtime required.

Warnings

RDS storage at 87% — autoscaling disabled. Growing at ~10 GB/week. At current rate, storage exhaustion in 6–7 weeks. Enabling autoscaling takes a few minutes with no downtime. 3 IAM users with console access have no MFA. dev-ops-james has AdministratorAccess. A stolen password gives full console access with no second factor. No CloudWatch alarms on RDS. No alerts configured for CPU, storage, or connections. Storage exhaustion will not trigger any notification.

Cost summary: $9,240/month

Exact billed 30-day total from AWS Cost Explorer: EC2 $4,100 · RDS $2,850 · Data Transfer $890 · CloudFront $720 · S3 $430.

The report checks Savings Plan and Reserved Instance coverage before quoting any savings estimates — so figures reflect what you would actually recover, not what the on-demand list price implies.

Prior-period tracking

Each finding includes context from the previous report. The ACM certificate moved from 18 days to 11 days remaining between reports. The PostgreSQL security group has been open for three consecutive reports. This longitudinal view turns a scan into an audit trail.

Download

Download sample report — production account, RED status (PDF, 17 KB) →

Also available: sandbox account sample (AMBER status) and the five-account cross-account report example.

Start a free trial → 50K tokens, 48 hours, no credit card. Or try the interactive demo first.