Assessments

Security Posture Review

A read-only review of how your AWS environment is actually configured: identities, network exposure, data protection, and audit trail — verified from the account, not from interviews. Built for the moment a customer’s security questionnaire lands and “we think it’s fine” stops being an answer.

From $6,000 fixed Two weeks Read-only access

The five places AWS security actually fails

  • Identity — the IAM credential report read line by line: long-lived keys, dormant users, missing MFA, over-broad roles, and how humans and CI actually authenticate
  • Boundaries — account separation, organization structure, and whether a mistake in staging can reach production
  • Network exposure — security groups, public endpoints, and every path from the internet to something that matters, pulled from Config
  • Data protection — encryption at rest and in transit, S3 bucket posture, KMS key policies, and where the crown-jewel data actually lives
  • Audit and detection — CloudTrail coverage and integrity, Config recording, GuardDuty and Security Hub state, and whether the logs would survive the incident they exist to explain

The mechanics

One 45-minute kickoff, a read-only IAM role from our snippet (SecurityAudit + ViewOnlyAccess, external ID, expiry), one interview with whoever runs the platform, and the findings walkthrough — under three hours of your team’s calendar.

From $6,000 fixed for a single AWS organization payer with up to two member accounts; $1,500 per additional account, confirmed in the scoping call. Half the base fee ($3,000) credits toward the full Architecture Assessment (at its standard rate) if you upgrade within 90 days.

Deliverables, not impressions

Scored findings register Security findings scored impact × likelihood with the evidence source named per finding — CSV with resource IDs plus the written report.
Remediation plan Now / Next / Later, sequenced, effort-rated — the “Now” items chosen so the gaps a security reviewer flags first close first.
Questionnaire mapping Findings translated to SOC 2 control areas and CAIQ-style questions, so evidence collected once answers the questionnaire that triggered this.
Evidence appendix The queries and sources behind every finding — your team can re-run them after remediation and watch the register close.

Two weeks, start to walkthrough

  1. 1
    Days 1–2 — access and collection

    Read-only role live; credential report, Config snapshots, CloudTrail and detection-service state collected.

  2. 2
    Days 3–8 — verification

    The five scope areas worked against the evidence; one platform interview for the why.

  3. 3
    Days 9–10 — report and walkthrough

    Register, remediation plan, and mapping delivered; 60-minute walkthrough; access revoked.

Book this one when

  • A customer or partner sent a security questionnaire and the honest answers are unknown
  • SOC 2 is on next quarter’s calendar and you want the AWS-side gaps closed before the auditor finds them
  • You inherited an AWS account and nobody can say with confidence what is exposed

Facing an enterprise security review specifically? The security-review page walks through that scenario end to end. Need the fixes implemented afterwards? That is the Security Baseline Sprint — a separate fixed-scope engagement, never an obligation.

Frequently asked questions

Is this a penetration test?

No. A pentest attacks your applications from outside to find exploitable paths. This review reads your configuration from inside — IAM, network rules, encryption, logging — and finds the structural gaps a pentest report usually traces back to. Many customers need the configuration review first; if you need a pentest, we will say so and you should buy it from a firm that does them daily.

How does this relate to the full Architecture Assessment?

This is the security pillar of the Well-Architected Framework taken alone, at full depth, in half the time and at a lower price. The full assessment covers all six pillars — reliability, cost, operations, performance, and sustainability alongside security. If the trigger is a security questionnaire, start here; half the base fee credits toward the full review at its standard rate if you upgrade within 90 days.

What access do you need?

Read-only: the AWS-managed SecurityAudit and ViewOnlyAccess policies on a role you create from our snippet, with an external ID and an expiry date. No agents, no write access, one-action revocation.

What does it cost?

From $6,000, fixed — a single organization payer plus up to two member accounts, with additional accounts at $1,500 each, confirmed in the 30-minute scoping call. If the findings convince you to run the full six-pillar Architecture Assessment within 90 days, half of the base fee ($3,000) credits toward it at its standard rate.

Know what a reviewer would find — first

Thirty minutes to scope it, a written fixed price within 24 hours, and a start date you can plan around.

Book the Scoping Call

Prefer email? Send the details instead →