AWS security review, in one week.
The AWS gaps auditors find first: misconfigured IAM, public S3 buckets, missing KMS rotation, GuardDuty turned off, audit logs in the wrong account.
A 1-week productized engagement. We get read-only IAM access, run a focused security review across IAM, S3, KMS, GuardDuty, networking, and logging, and deliver a written report with prioritized findings and remediation guidance. The artifact your SOC 2, HIPAA, or PCI auditor will request.
What the review covers.
Eight focus areas. The same controls AWS publishes guidance for and the same gaps SOC 2, HIPAA, and PCI auditors actually open findings on.
IAM access management
Principal inventory, role-based access mapping, MFA enforcement on all admin identities, IAM Access Analyzer findings review, root account hygiene (no root access keys, hardware MFA on root), service control policies, dormant key cleanup from the IAM credential report. The single most common SOC 2 finding category.
S3 exposure and bucket policy
Public bucket detection, account- and bucket-level S3 Block Public Access verification, bucket policy analysis, ACL review, default encryption verification, replication and versioning posture, lifecycle and retention policies. Public S3 buckets remain one of the most common and most damaging AWS exposure patterns, and one of the easiest to miss when Block Public Access is only set on some buckets.
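One way to run the public-bucket check described above, written for this page as an illustration rather than the reviewer's own tooling. It takes a bucket policy, its ACL grants and the Block Public Access settings in the shapes boto3's get_bucket_policy, get_bucket_acl and get_public_access_block return, and rates the exposure on the review's own severity scale. The three buckets and the account-level Block Public Access state (assumed off) are constructed for the example.

```python
"""Public-exposure check for an S3 bucket from its policy, ACL and Block Public
Access settings, in the shapes boto3's get_bucket_policy, get_bucket_acl and
get_public_access_block return. Added illustration for this page, not the firm's
own tooling; every bucket below is constructed."""

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """Principal "*" or {"AWS": "*"}: anyone, authenticated or anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy: dict):
    """Yield (Sid, unconditional) for every Allow statement granted to everyone.
    A Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) may narrow the grant,
    so conditional statements are flagged for review rather than assumed safe."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and principal_is_wildcard(st.get("Principal")):
            yield st.get("Sid", "<no Sid>"), "Condition" not in st


def effective_bpa(account_bpa: dict, bucket_bpa: dict) -> dict:
    """A Block Public Access flag is enforced if set at either level."""
    return {f: bool(account_bpa.get(f)) or bool(bucket_bpa.get(f)) for f in BPA_FLAGS}


def review_bucket(name, policy, acl_grants, account_bpa, bucket_bpa):
    """Return (severity, message) findings. Exposure only counts when the
    matching Block Public Access flag is off: RestrictPublicBuckets neutralises
    a public policy, IgnorePublicAcls neutralises a public ACL grant."""
    bpa = effective_bpa(account_bpa, bucket_bpa)
    findings = []
    for sid, unconditional in public_statements(policy or {}):
        if bpa["RestrictPublicBuckets"]:
            findings.append(("Low", f"{name}: statement {sid} allows '*' but RestrictPublicBuckets is on"))
        elif unconditional:
            findings.append(("Critical", f"{name}: statement {sid} is public (Principal '*', no Condition)"))
        else:
            findings.append(("High", f"{name}: statement {sid} allows '*' under a Condition; verify it"))
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_URIS:
            sev = "Low" if bpa["IgnorePublicAcls"] else "Critical"
            findings.append((sev, f"{name}: ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))
    off = [f for f, on in bpa.items() if not on]
    if off:
        findings.append(("Medium", f"{name}: Block Public Access incomplete ({', '.join(off)} off)"))
    return findings


# Constructed sample account: Block Public Access off at the account level, three buckets.
ACCOUNT_BPA = {f: False for f in BPA_FLAGS}
SAMPLE_BUCKETS = [
    ("marketing-assets",
     {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
       "Principal": "*", "Action": "s3:GetObject",
       "Resource": "arn:aws:s3:::marketing-assets/*"}]},
     [], {f: False for f in BPA_FLAGS}),
    ("app-uploads",
     {"Version": "2012-10-17", "Statement": [{"Sid": "VpcOnly", "Effect": "Allow",
       "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:PutObject"],
       "Resource": "arn:aws:s3:::app-uploads/*",
       "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
     [], {"RestrictPublicBuckets": True}),
    ("log-archive", None,
     [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
       "Permission": "READ"}],
     {f: True for f in BPA_FLAGS}),
]


def run_sample():
    return {name: review_bucket(name, pol, acl, ACCOUNT_BPA, bpa)
            for name, pol, acl, bpa in SAMPLE_BUCKETS}


if __name__ == "__main__":
    for name, findings in run_sample().items():
        for sev, msg in findings:
            print(f"[{sev}] {msg}")
```

The conditional case is deliberately rated High rather than cleared: deciding whether a Condition actually fences the grant is what IAM Access Analyzer's public-access reasoning does more completely, and it is the manual bucket policy review from the timeline, not a regex.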
KMS key management
Customer-managed key inventory, rotation policy review, key policy review, AWS-managed vs customer-managed split, audit of which services use which keys. Encryption-at-rest evidence for SOC 2 CC6.1 and the HIPAA Security Rule technical safeguards comes from here.
GuardDuty and detection
GuardDuty enablement and finding review, Security Hub configuration, AWS Config rules, alarm and notification routing, detection coverage gap analysis. SOC 2 CC7.2 and CC7.3 evidence.
VPC and networking
Default VPC exposure, security group review, internet-facing resource inventory, NACL configuration, transit gateway and peering hygiene, VPN and Direct Connect posture, VPC flow log enablement.
CloudTrail and audit logging
Multi-region trail enablement, log file integrity validation, log destination security (the audit-account pattern most companies miss), data event capture configuration, S3 server access logging, retention alignment with compliance requirements.
Secrets and credentials
Secrets Manager inventory and rotation review, Parameter Store usage audit, hardcoded credential scan in IaC, IAM access key inventory and age analysis, third-party tool credential storage review.
Incident detection and response
EventBridge rule review for security-relevant events, alarm-to-on-call routing, IR playbook validation against AWS-specific scenarios (compromised credentials, exposed S3, ransomware on EC2). Tied to your overall IR readiness.
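The root, MFA and access-key checks listed under IAM access management and Secrets and credentials above, as an added example rather than the reviewer's own tooling. It parses the CSV that IAM's credential report (GenerateCredentialReport / GetCredentialReport) produces, with the real column layout but four constructed rows, against a fixed reference date, and emits findings on the review's severity scale. The 90-day age and dormancy thresholds are assumptions for the example, not the firm's stated policy.

```python
"""Credential-report review: root hygiene, console MFA, access key age and
dormancy. Added illustration for this page; the column layout is IAM's real
credential report format, the four rows and the thresholds are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
DORMANT_DAYS = 90       # assumed "unused" threshold


def _ts(value: str):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv: str, now: datetime):
    """Return (severity, arn, message) findings for one credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        arn = row["arn"]
        if row["user"] == "<root_account>":
            # Root is reviewed for existence of credentials, not for key age.
            if row["mfa_active"] != "true":
                findings.append(("Critical", arn, "root account has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append(("Critical", arn, f"root account has an active access key ({n})"))
            continue
        # mfa_active is only meaningful for users with a console password.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(("High", arn, "console user without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            last_used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append(("Medium", arn, f"access key {n} is {(now - rotated).days} days old"))
            # A key never used since creation counts from its creation date.
            reference = last_used or rotated
            if reference and now - reference > timedelta(days=DORMANT_DAYS):
                when = "never used" if last_used is None else f"last used {last_used.date()}"
                findings.append(("Medium", arn, f"access key {n} is dormant ({when})"))
    return findings


# Constructed sample report: root without MFA and with a key, a clean user,
# a CI user with two aged keys (one dormant), and a console user without MFA.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-02T11:10:00+00:00,not_supported,not_supported,false,true,2021-03-01T09:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-10T08:00:00+00:00,true,2024-05-30T14:00:00+00:00,2024-03-01T08:00:00+00:00,2024-05-30T08:00:00+00:00,true,true,2024-04-15T08:00:00+00:00,2024-05-29T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2020-01-20T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-01-20T08:05:00+00:00,2024-05-31T02:00:00+00:00,us-west-2,ecr,true,2022-02-01T08:00:00+00:00,2022-02-03T09:00:00+00:00,us-west-2,ecr,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-09-05T08:00:00+00:00,true,no_information,2023-09-05T08:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
""".lstrip()

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference date for the sample


def run_sample():
    return review_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for sev, arn, msg in run_sample():
        print(f"[{sev}] {arn}: {msg}")
```

On a live account the CSV comes from get_credential_report() after generate_credential_report() reports COMPLETE; the report is the one IAM data source that lists root credentials, which ListUsers never returns.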
Five business days, kickoff to readout.
01. Day 1: Kickoff and access
60-minute kickoff call. We confirm scope, IAM role provisioning, primary contacts, and any specific concerns or upcoming audits driving the review.
02. Days 2-3: Automated scanning
AWS Config, Security Hub, GuardDuty, IAM Access Analyzer, internal IAM mapping tooling. We extract configuration and findings only; no customer data is read.
03. Days 3-4: Manual review
Configuration review on the highest-risk surfaces. IAM principal-by-principal walk-through. Manual S3 bucket policy review. KMS and CloudTrail spot checks.
04. Day 5 morning: Report drafting
Findings written up with severity ratings (Critical, High, Medium, Low), specific resource references, and remediation steps. Critical findings already escalated by this point.
05. Day 5 afternoon: Executive readout
30-minute presentation to your engineering and security leadership. We walk through the report, prioritize remediation, and answer questions in real time. The deck is yours.
$3,500 flat.
Fixed price, fixed timeline, fixed deliverables. Includes the report, the executive readout, and 30 days of follow-up Slack or email support to clarify findings as you remediate. Embedded vCISO retainer clients get this as a recurring quarterly review at no extra cost.
Not ready to talk? Score your SOC 2 readiness.
Twenty questions, a scored PDF in your inbox, a realistic timeline to audit. Free.
Common questions about the AWS Security Review.
What is the deliverable?
A written AWS security review report with prioritized findings, severity ratings, remediation guidance for each, and a 30-minute executive readout call. Findings are tied to specific AWS resources (IAM principals, S3 buckets, KMS keys) and include the actual configuration changes needed to remediate. The report is the artifact your auditor will ask for during SOC 2, HIPAA, or PCI fieldwork.
How long does it take?
One business week from kickoff to delivered report. Day 1: kickoff call and read-only IAM access provisioning. Days 2-4: automated scanning and manual review across IAM, S3, KMS, GuardDuty, networking, and logging. Day 5: report delivery and 30-minute readout. We have done this engagement enough times to ship reliably in five days.
Do you need production access?
Read-only IAM access only. We use least-privilege roles scoped to security review (no read of customer data, no write anywhere). The role definition is published in our scoping doc so your team can audit it before granting access. Most clients provision the role on day one of the engagement.
How does this fit with SOC 2 readiness?
The AWS Security Review covers the cloud security control evidence your SOC 2 auditor will request: IAM access management (CC6.1, CC6.2), encryption at rest (CC6.1) and in transit (CC6.7), system monitoring (CC7.1, CC7.2), and incident detection (CC7.3). Many SOC 2 Sprint clients add the AWS Security Review as a focused deeper review of cloud controls. Both can run in parallel.
Do you do GCP or Azure too?
Not as a productized standalone yet. We can include GCP or Azure review as part of an Embedded vCISO retainer engagement. AWS is productized because the demand is concentrated there: most B2B SaaS, healthtech, and fintech companies we work with are AWS-primary.
How much does it cost?
$3,500 flat for the standalone 1-week engagement. Included as a recurring quarterly review for Embedded vCISO retainer clients. The Sprint version of this work (focused subset, paired with SOC 2 readiness) is part of the $2,500 SOC 2 Sprint.
What tools do you use?
AWS Config, Security Hub, IAM Access Analyzer, GuardDuty, CloudTrail, and a set of internal tooling we have built for IAM principal mapping and S3 policy analysis. We do not require you to install anything. The review uses AWS-native tooling that is already in your account or can be enabled in minutes.
What if you find a critical issue?
You hear from us within hours, not at end of week. Critical findings (publicly accessible S3 buckets with sensitive data, exposed admin access keys, administrator-level roles whose trust policy lets any AWS account or any principal assume them) get reported the moment we find them. The full report still ships at end of week, but you can start remediation immediately.