Find out what your AWS account actually exposes — then decide what’s worth fixing first.
This page covers two things. First, a complimentary one-hour AWS Security Posture Session: you run the open-source Prowler scanner in your own AWS account beforehand, under a read-only role you create and control, and a senior AWS engineer helps you triage and prioritize what it finds — live, on the call. Second, a paid, scoped Consulting engagement that turns a fuller scan into a written, prioritized remediation backlog. Neither tier is an audit, a penetration test, a certification, or a compliance guarantee — both are a point-in-time, scope-bounded read of configuration.
Complimentary, request-based — not schedulable from a live calendar today. Never an audit, penetration test, or compliance guarantee.
This fits if…
- You control an AWS account (or several) and want a structured read of misconfiguration risk — public exposure, IAM over-permission, logging gaps, unencrypted resources, and similar.
- An engineer on your side can create a read-only IAM role and run a command-line tool in your account under your own credentials.
- You want prioritization help, not just a raw findings list: which items are urgent, which are noise, and what order to fix them in.
- You're deciding between handling it yourselves, a scoped remediation project, or ongoing security attention inside Support and Advisory.
This doesn't fit if…
You want Uptempo to run the scan inside your account — the free tier is built specifically so that never happens. You need a penetration test, a compliance audit, or a certification letter — this is configuration observation, not adversarial testing or a controls audit. You want a guarantee the environment is "secure" or "compliant" afterward — no tier makes that claim. You want a free written report — the free Session is verbal; a written, prioritized deliverable is the paid depth.
Two tiers, visibly different in what you get
Scroll sideways to compare
Field | Tier 1 — AWS Security Posture Session (complimentary) | Tier 2 — paid depth (scoped Consulting engagement) |
|---|---|---|
Duration | One hour, Pacific business hours | Per SOW |
Who runs the tool | You do — before the session, your engineer runs the open-source Prowler scanner (or an equivalent you already use) against your own AWS account, under a read-only IAM role your team creates and owns, following the scanner's own public upstream documentation. Uptempo never receives a credential, role, or console login for this tier. | Depends on what's agreed in scope; any Uptempo-operated scanning is a separate, explicitly disclosed capability, not assumed by default. |
What happens | You share the scan output on your screen. A senior AWS engineer triages the highest-severity findings, explains what each one actually means, flags likely false positives, and points at the handful of items worth prioritizing first. | Structured evidence collection across the account and region scope you define, analysis against a named framework lens (for example, the CIS AWS Foundations Benchmark), and a delivered findings register with prioritized, scope-bounded recommendations. |
If you haven't run the scan | The session degrades gracefully to a live walkthrough of your console instead — IAM, public exposure, and logging are the highest-signal areas to look at together. | N/A |
What you get | The scan output you generated and the spoken interpretation and priorities from the call. Nothing written or retained by Uptempo. | A written, prioritized findings register. |
Commercial status | Complimentary ($0), request-based | Scoped Consulting engagement, no standard public price |
Scheduling | Request-based, not a live calendar booking. Cannot use the Free AWS Assessment scheduler — that calendar is identity-bound to a different offer. | Scoped after the free tier or independently. |
The free tier's defining property is that Uptempo never touches your account — that's what lets it exist as a genuine no-cost session. The paid depth's defining property is a written deliverable and a broader, structured evidence pass. The dividing line is who runs the tool and whether the output is spoken or written — not "the free one is worse," but a different, honestly bounded product.
How the free session actually runs
- Request.
Tell us what you're trying to find out and roughly how large your account is — this is a request, not a live booking, until a dedicated scheduling event exists.
- Before the call.
We point you to the scanner project's own public upstream documentation for creating a read-only IAM role and running an open-source scanner against your own account, under your own credentials — never an Uptempo-published or Uptempo-hosted setup guide.
- Did the scan complete?
If you have output ready, the hour starts with your findings. If a large account means a full scan won't finish in time, the hour becomes a live console walkthrough instead.
- On the call.
A senior AWS engineer sorts what you're looking at by severity, separates likely false positives from things worth acting on, and maps the top few items to a rough order of operations.
- After the call.
You keep your scan output and the priorities discussed. Honest outcomes: a scoped Consulting remediation project, ongoing attention inside Support and Advisory, a backlog your own team runs with, or no further engagement.
Reading a security scan honestly
What a tool like this actually checks. An open-source AWS configuration scanner runs a large number of read-only checks across IAM, storage, networking, and logging — is a role over-permissioned, is a bucket public when it shouldn't be, is an access key old, is logging turned on where it matters. It calls read-only AWS APIs, under a role that can only look, never change anything. It's licensed as open-source software (Apache License 2.0) — you're running a public, independently maintained project under your own account, not renting an Uptempo tool.
Severity is not the same as exploitability. A scanner assigns a severity label based on the nature of the misconfiguration itself — not whether anyone could actually reach it. A "critical" IAM finding on a role nothing ever assumes is a lower real-world priority than a "medium" finding on a resource sitting directly in front of the internet. Part of the triage on the call is reordering by reachability, not just by the tool's label.
False positives are the normal case, not the exception. A bucket that's intentionally public because it serves a static website is not a finding; a control that's deliberately disabled for a documented reason isn't either. Filtering known-benign patterns and corroborating anything high-severity against what you actually know about the account is part of the job.
Remediation-prioritization logic. The rough order that tends to hold up: internet-reachable and high-severity first, then broad IAM over-permission with wide blast radius, then logging or visibility gaps that would slow down noticing a real incident, then everything else roughly in order of how many resources it touches. A framework for a conversation, not a formula that replaces judgment about your specific environment.
The honest limit. A configuration scan tells you about the account as it's set up right now. It doesn't tell you whether an attacker has already been inside, whether your incident-response process works, or whether you meet a specific regulatory framework's full requirements — the line between this session and an audit, a penetration test, or a certification.
What we can see, and what we can't
No Uptempo access to your AWS account in the free tier — no role assumed, no console login, no credential of any kind, and no artifact ingested or stored by Uptempo. The read-only IAM role you create is yours; you can revoke it the moment the call ends. Your scan output belongs to you before, during, and after the session.
Both tiers exclude: an audit; a penetration test; a certification or compliance attestation; assurance that the environment is "secure" or "compliant"; a guaranteed or estimated dollar figure tied to risk; and implementation of fixes inside the free session. The free tier specifically excludes an Uptempo-run scan, a written report, data retention by Uptempo, and any credential or role handover. Cancellation: reschedule or cancel by email, no fee, no obligation.
This is a request, not a booking
This session cannot use the existing one-hour Free AWS Assessment scheduler — that calendar is identity-bound to a different offer. Until a dedicated scheduling event exists, every request goes through the contact form (select "AWS Security Posture Session") or email hello@uptempocloud.com directly. Reschedule or cancel any time before a time is confirmed — no fee, no obligation.
Frequently asked questions
Do you run the scan in our account?
No, not in the free session. You create and control a read-only role and run the tool yourself. Uptempo interprets what you find.
Is this a penetration test or an audit?
No. It’s a point-in-time read of configuration. It doesn’t test whether an attack would succeed, and it isn’t a compliance audit against a specific regulatory framework.
What if we haven’t run a scanner before the call?
The session becomes a live walkthrough of high-signal areas in your console instead — you still leave with prioritized findings.
What do we get in writing?
Nothing, in the free session — that’s what keeps it genuinely free. A written, prioritized findings register is the paid depth.
Where this connects
AWS Migration Strategy Workshop · AWS Cost and Cloud Health Assessment · Assessments hub · Consulting · Security and Trust
Request a Security Posture Session
A complimentary hour to triage a scan you run yourself. Request-based — Uptempo replies with available times after confirming fit.
Request a session Not there yet? Book the free hour