July 9, 2026

Preparing AWS Evidence for a Security Questionnaire

What enterprise security reviewers actually ask about your AWS environment, which artifacts answer each question, and how to close the gaps before you reply.

An enterprise prospect likes the product. Procurement is fine with the pricing. Then their security team sends a spreadsheet — anywhere from 80 to 300 questions — and the deal stops until it comes back. If you run on AWS, most of the evidence those questions need already exists in your account. The work is knowing which artifact answers which question, and finding out — before your customer does — which controls are actually off.

What reviewers actually ask

The questionnaire might be a SIG Lite, a CAIQ, or a homegrown spreadsheet, but the questions cluster into five areas:

Take them one at a time.

Encryption at rest and in transit

At rest, the answer lives in three places. EBS default encryption is a per-region account setting — check it, because it only applies to volumes created after you turn it on. S3 has encrypted all new object uploads with SSE-S3 since January 2023, but reviewers often ask about customer-managed keys, so know which buckets use SSE-KMS and why. RDS encryption is set at instance creation and shows up plainly in `describe-db-instances`.

In transit: ACM-issued certificates on your load balancers and CloudFront distributions, a modern TLS security policy on each listener, and — for the strong answer — S3 bucket policies that deny requests without `aws:SecureTransport`.

Good evidence here is AWS Config managed rules such as `encrypted-volumes` and `rds-storage-encrypted`, exported as a compliance report. Config output beats console screenshots — it covers every resource, not just the one you photographed.

Access control

Reviewers ask three things: is MFA enforced, is access individual, and is it least-privilege.

Logging and audit trail

CloudTrail's console event history keeps 90 days of management events. That is not an audit trail, and reviewers know it. The answer they want is a multi-region trail delivering to S3, log file validation enabled so you can prove the logs were not altered, and a retention period that matches whatever number your questionnaire answer states.

Two adjacent gaps to check: CloudWatch Logs groups with no retention policy (they default to never-expire, which sounds fine until the question is "what is your retention policy" and the honest answer is "accidental"), and GuardDuty findings that route to nowhere. Detection nobody reads does not count as monitoring.

Backup and recovery

"We have snapshots" is not a backup answer. The strong version is an AWS Backup plan: defined schedule, defined retention, backups in a vault, and — the question that catches almost everyone — a tested restore with a date on it. AWS Backup's restore testing feature can automate this on a schedule; even one documented manual restore beats an untested pile of snapshots. State RPO and RTO figures your configuration actually delivers, not the ones you would like.

Vendor management

For an AWS-hosted product, AWS is your key subprocessor, and AWS Artifact is the answer: self-service downloads of AWS's SOC 2 reports and ISO 27001 certificates, ready to attach. Be careful with the shared responsibility model — AWS's audits cover the cloud itself. Pasting the AWS SOC 2 report as if it covered your application is a mistake reviewers catch immediately, and it costs credibility across the whole questionnaire.

Closing the usual gaps fast

Some gaps close in an afternoon:

Others take weeks, and the answer should say so. Encrypting an existing unencrypted RDS instance is not a checkbox — it is snapshot, copy-with-encryption, restore, and a cutover window. Unwinding years of over-broad IAM policies is a project, not a task.

True beats aspirational

Security questionnaires get attached to contracts. Your answers become representations you have made to a customer, and they resurface at the worst possible moment — after an incident, during renewal, in front of their auditor. A documented "partial — remediation scheduled for Q4" is a fine answer. A "yes" you cannot evidence is a liability. The test for every row: if the reviewer replies "show me," can you? If not, fix the control or fix the answer.

Facing a questionnaire right now? Uptempo Cloud's fixed-price AWS security review — from $8,500, read-only access — produces the findings, remediation roadmap, and evidence your answers need.