An enterprise prospect likes the product. Procurement is fine with the pricing. Then their security team sends a spreadsheet — anywhere from 80 to 300 questions — and the deal stops until it comes back. If you run on AWS, most of the evidence those questions need already exists in your account. The work is knowing which artifact answers which question, and finding out — before your customer does — which controls are actually off.
What reviewers actually ask
The questionnaire might be a SIG Lite, a CAIQ, or a homegrown spreadsheet, but the questions cluster into five areas:
- Encryption — data at rest and in transit
- Access control — who can touch production, and how
- Logging and audit trail — can you reconstruct what happened
- Backup and recovery — can you restore, and have you proven it
- Vendor management — who your providers are and how you vet them
Take them one at a time.
Encryption at rest and in transit
At rest, the answer lives in three places. EBS default encryption is a per-region account setting — check it, because it only applies to volumes created after you turn it on. S3 has encrypted all new object uploads with SSE-S3 since January 2023, but reviewers often ask about customer-managed keys, so know which buckets use SSE-KMS and why. RDS encryption is set at instance creation and shows up plainly in `describe-db-instances`.
In transit: ACM-issued certificates on your load balancers and CloudFront distributions, a modern TLS security policy on each listener, and — for the strong answer — S3 bucket policies that deny requests without `aws:SecureTransport`.
Good evidence here is AWS Config managed rules such as `encrypted-volumes` and `rds-storage-encrypted`, exported as a compliance report. Config output beats console screenshots — it covers every resource, not just the one you photographed.
Access control
Reviewers ask three things: is MFA enforced, is access individual, and is it least-privilege.
- The IAM credential report is one API call and answers most of it: every user, password age, access key age, MFA status. If it shows a 700-day-old access key, fix that before you attach the report.
- IAM Identity Center tied to your identity provider answers the joiner/leaver question — access ends when the HR record does.
- IAM Access Analyzer external-access findings show what is shared outside your account. Zero unexplained findings is an answer you can attach.
- The root account gets its own question. The right answer: MFA on, no access keys, used only for tasks that require it.
Logging and audit trail
CloudTrail's console event history keeps 90 days of management events. That is not an audit trail, and reviewers know it. The answer they want is a multi-region trail delivering to S3, log file validation enabled so you can prove the logs were not altered, and a retention period that matches whatever number your questionnaire answer states.
Two adjacent gaps to check: CloudWatch Logs groups with no retention policy (they default to never-expire, which sounds fine until the question is "what is your retention policy" and the honest answer is "accidental"), and GuardDuty findings that route to nowhere. Detection nobody reads does not count as monitoring.
Backup and recovery
"We have snapshots" is not a backup answer. The strong version is an AWS Backup plan: defined schedule, defined retention, backups in a vault, and — the question that catches almost everyone — a tested restore with a date on it. AWS Backup's restore testing feature can automate this on a schedule; even one documented manual restore beats an untested pile of snapshots. State RPO and RTO figures your configuration actually delivers, not the ones you would like.
Vendor management
For an AWS-hosted product, AWS is your key subprocessor, and AWS Artifact is the answer: self-service downloads of AWS's SOC 2 reports and ISO 27001 certificates, ready to attach. Be careful with the shared responsibility model — AWS's audits cover the cloud itself. Pasting the AWS SOC 2 report as if it covered your application is a mistake reviewers catch immediately, and it costs credibility across the whole questionnaire.
Closing the usual gaps fast
Some gaps close in an afternoon:
- Turn on EBS default encryption in every region you use.
- Create or repair the multi-region CloudTrail with log file validation.
- Set retention on every CloudWatch Logs group.
- Enforce MFA and delete the stale access keys the credential report surfaced.
- Run one restore test and write down what happened.
Others take weeks, and the answer should say so. Encrypting an existing unencrypted RDS instance is not a checkbox — it is snapshot, copy-with-encryption, restore, and a cutover window. Unwinding years of over-broad IAM policies is a project, not a task.
True beats aspirational
Security questionnaires get attached to contracts. Your answers become representations you have made to a customer, and they resurface at the worst possible moment — after an incident, during renewal, in front of their auditor. A documented "partial — remediation scheduled for Q4" is a fine answer. A "yes" you cannot evidence is a liability. The test for every row: if the reviewer replies "show me," can you? If not, fix the control or fix the answer.
Facing a questionnaire right now? Uptempo Cloud's fixed-price AWS security review — from $8,500, read-only access — produces the findings, remediation roadmap, and evidence your answers need.