Security Posture Review
A read-only review of how your AWS environment is actually configured: identities, network exposure, data protection, and audit trail — verified from the account, not from interviews. Built for the moment a customer’s security questionnaire lands and “we think it’s fine” stops being an answer.
The five places AWS security actually fails
- Identity — the IAM credential report read line by line: long-lived keys, dormant users, missing MFA, over-broad roles, and how humans and CI actually authenticate
- Boundaries — account separation, organization structure, and whether a mistake in staging can reach production
- Network exposure — security groups, public endpoints, and every path from the internet to something that matters, pulled from Config
- Data protection — encryption at rest and in transit, S3 bucket posture, KMS key policies, and where the crown-jewel data actually lives
- Audit and detection — CloudTrail coverage and integrity, Config recording, GuardDuty and Security Hub state, and whether the logs would survive the incident they exist to explain
The mechanics
One 45-minute kickoff, a read-only IAM role from our snippet (SecurityAudit + ViewOnlyAccess, external ID, expiry), one interview with whoever runs the platform, and the findings walkthrough — under three hours of your team’s calendar.
From $6,000 fixed for a single AWS organization payer with up to two member accounts; $1,500 per additional account, confirmed in the scoping call. Half the base fee ($3,000) credits toward the full Architecture Assessment (at its standard rate) if you upgrade within 90 days.
Deliverables, not impressions
Two weeks, start to walkthrough
-
1
Days 1–2 — access and collection
Read-only role live; credential report, Config snapshots, CloudTrail and detection-service state collected.
-
2
Days 3–8 — verification
The five scope areas worked against the evidence; one platform interview for the why.
-
3
Days 9–10 — report and walkthrough
Register, remediation plan, and mapping delivered; 60-minute walkthrough; access revoked.
Book this one when
- A customer or partner sent a security questionnaire and the honest answers are unknown
- SOC 2 is on next quarter’s calendar and you want the AWS-side gaps closed before the auditor finds them
- You inherited an AWS account and nobody can say with confidence what is exposed
Facing an enterprise security review specifically? The security-review page walks through that scenario end to end. Need the fixes implemented afterwards? That is the Security Baseline Sprint — a separate fixed-scope engagement, never an obligation.
Frequently asked questions
Is this a penetration test?
No. A pentest attacks your applications from outside to find exploitable paths. This review reads your configuration from inside — IAM, network rules, encryption, logging — and finds the structural gaps a pentest report usually traces back to. Many customers need the configuration review first; if you need a pentest, we will say so and you should buy it from a firm that does them daily.
How does this relate to the full Architecture Assessment?
This is the security pillar of the Well-Architected Framework taken alone, at full depth, in half the time and at a lower price. The full assessment covers all six pillars — reliability, cost, operations, performance, and sustainability alongside security. If the trigger is a security questionnaire, start here; half the base fee credits toward the full review at its standard rate if you upgrade within 90 days.
What access do you need?
Read-only: the AWS-managed SecurityAudit and ViewOnlyAccess policies on a role you create from our snippet, with an external ID and an expiry date. No agents, no write access, one-action revocation.
What does it cost?
From $6,000, fixed — a single organization payer plus up to two member accounts, with additional accounts at $1,500 each, confirmed in the 30-minute scoping call. If the findings convince you to run the full six-pillar Architecture Assessment within 90 days, half of the base fee ($3,000) credits toward it at its standard rate.
Know what a reviewer would find — first
Thirty minutes to scope it, a written fixed price within 24 hours, and a start date you can plan around.
Book the Scoping Call