The challenge
A 22-person SaaS startup with real customers, and an AWS environment that had never been reviewed
The founding team had moved fast. Their AWS environment was built by engineers focused on shipping features, not on security hygiene. S3 buckets were created with public access because it was easier during development, and were never locked down. IAM roles were granted AdministratorAccess because it was quicker than working out exactly which permissions were needed. The root account was used daily, had no MFA, and was shared among three people.
A prospective enterprise customer sent over a security questionnaire as part of their vendor due diligence process. The deal was significant, but the questionnaire asked about CloudTrail, S3 encryption, IAM least privilege, and security group policies. The CEO forwarded it to the engineering lead, who replied in four words: "We can't answer this." They engaged garrisonOne the following day.
3 public S3 buckets, one with customer data
Buckets created during development with public access that was never restricted; one contained production customer files
AdministratorAccess on services needing read-only
19 IAM roles granted full admin permissions; none scoped to the minimum access required for their function
Root account used daily with no MFA
AWS root credentials shared among three engineers and used for routine tasks, with no MFA and no audit trail
No CloudTrail, so no audit log anywhere
No API activity logging enabled; there was no record of any action taken in the AWS environment
Overly permissive security group on RDS
The database security group allowed inbound access from 0.0.0.0/0, leaving the production database reachable from any address on the internet
RDS encryption not enabled
Production database running without encryption at rest, so customer data was stored unencrypted on disk
Our findings
What the CIS AWS assessment uncovered
garrisonOne ran a full AWS environment assessment against the CIS AWS Foundations Benchmark, covering IAM configuration, S3 security, CloudTrail and logging, network security, RDS configuration, and root account controls.
3
S3 buckets with public access, one containing live customer-uploaded files
19
IAM roles with AdministratorAccess or permissions far broader than their actual function required
0
Regions with CloudTrail enabled; zero API activity logging across the entire AWS account
Open
RDS security group; production database accessible from any IP on the internet
The public S3 bucket containing customer data was the immediate disclosure-level finding. The bucket had been created for a file upload feature and was left public. While there was no evidence of unauthorised access, the exposure had existed for approximately 14 months. The bucket was locked down the same day it was identified, and the CTO was briefed before the formal report was issued.
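The findings above are all mechanical checks over the same API responses an assessment pulls from the account. The block below is an added example, not garrisonOne's tooling: it takes a dict shaped like the relevant AWS API outputs (describe-security-groups, list-attached-role-policies, get-public-access-block, describe-trails, describe-db-instances, get-account-summary) and flags each of the six conditions. The control names, resource identifiers and the sample snapshot are constructed for illustration; a real run would populate the snapshot from boto3.

```python
"""Offline checks for the findings listed above.

Added example, not garrisonOne's tooling. Input is a dict shaped like the
relevant AWS API responses (describe-security-groups, list-attached-role-policies,
get-public-access-block, describe-trails, describe-db-instances,
get-account-summary). A real run fills it from boto3; here it is constructed.
"""
from dataclasses import dataclass

DB_PORTS = {3306, 5432, 1433, 1521}   # MySQL, PostgreSQL, SQL Server, Oracle
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    control: str   # short control name chosen here, not the CIS numbering
    resource: str
    detail: str


def _open_to_world(rule: dict) -> bool:
    """True if an ingress rule accepts any IPv4 or IPv6 source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _covers_db_port(rule: dict) -> bool:
    """True if the rule's port range includes a database port (or all traffic)."""
    if rule.get("IpProtocol") == "-1":            # all protocols, no port range
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in DB_PORTS)


def check_security_groups(groups: list) -> list:
    return [Finding("sg-db-port-open-to-world", sg["GroupId"],
                    f"{r.get('IpProtocol')} {r.get('FromPort')}-{r.get('ToPort')} "
                    "from 0.0.0.0/0 or ::/0")
            for sg in groups for r in sg.get("IpPermissions", [])
            if _open_to_world(r) and _covers_db_port(r)]


def check_roles(roles: dict) -> list:
    """roles maps RoleName -> list of attached managed policy ARNs."""
    return [Finding("iam-administrator-access", name, "AdministratorAccess attached")
            for name, arns in roles.items() if ADMIN_POLICY_ARN in arns]


def check_buckets(buckets: dict) -> list:
    """buckets maps bucket name -> PublicAccessBlockConfiguration ({} if unset)."""
    return [Finding("s3-public-access-block", name, "not all four block settings true")
            for name, cfg in buckets.items() if not all(cfg.get(k) for k in PAB_KEYS)]


def check_trails(trails: list) -> list:
    """Logging is adequate only if a multi-region trail validates its log files."""
    if any(t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled") for t in trails):
        return []
    detail = "no trail at all" if not trails else "no multi-region trail with log file validation"
    return [Finding("cloudtrail-multi-region", "account", detail)]


def check_rds(instances: list) -> list:
    return [Finding("rds-storage-encrypted", db["DBInstanceIdentifier"], "StorageEncrypted is false")
            for db in instances if not db.get("StorageEncrypted")]


def check_root_mfa(summary: dict) -> list:
    """get-account-summary reports AccountMFAEnabled=1 when root has an MFA device."""
    if summary.get("AccountMFAEnabled") == 1:
        return []
    return [Finding("root-account-mfa", "root", "no MFA device on the root account")]


def assess_account(snap: dict) -> list:
    return (check_security_groups(snap["security_groups"]) + check_roles(snap["roles"])
            + check_buckets(snap["buckets"]) + check_trails(snap["trails"])
            + check_rds(snap["rds"]) + check_root_mfa(snap["account_summary"]))


# Constructed sample reproducing the state described in the findings above.
SAMPLE = {
    "security_groups": [
        {"GroupId": "sg-rds-prod", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-web", "IpPermissions": [           # 443 to the world is expected here
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    ],
    "roles": {"deploy-role": [ADMIN_POLICY_ARN],
              "metrics-reader": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]},
    "buckets": {"customer-uploads": {},                     # never had a block configured
                "build-logs": dict.fromkeys(PAB_KEYS, True)},
    "trails": [],
    "rds": [{"DBInstanceIdentifier": "prod-db", "StorageEncrypted": False}],
    "account_summary": {"AccountMFAEnabled": 0},
}

if __name__ == "__main__":
    for f in assess_account(SAMPLE):
        print(f"{f.control:28} {f.resource:18} {f.detail}")
```

Note that an open security group is only one half of "internet-accessible": the RDS instance must also be publicly addressable (PubliclyAccessible set, or a public subnet route). The check above deliberately flags the rule regardless, because a world-open rule on a database tier is wrong even when nothing currently routes to it.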
What we did
A four-phase cloud security assessment with hands-on hardening
Scoped to deliver both a security baseline and enterprise questionnaire readiness, with assessment and remediation running in parallel to meet the deal timeline.
Phase 1
Cloud Inventory & Risk Discovery
Full inventory of all AWS resources across all regions: EC2 instances, S3 buckets, RDS databases, Lambda functions, IAM roles, security groups, and VPC configurations. Identified all publicly accessible resources, all root account activity, and all logging gaps. Immediate disclosure issued for the public S3 bucket containing customer data.
Phase 2
CIS AWS Benchmark Assessment
Scored the full environment against CIS AWS Foundations Benchmark v2.0: 58 controls across identity, logging, monitoring, networking, and storage. Mapped all failures to the enterprise security questionnaire requirements to show exactly which questionnaire items were currently unaddressable and which could be answered with planned remediation evidence.
Phase 3
Hands-On AWS Hardening
Applied all critical and high remediations directly in the AWS environment. Closed all three public S3 buckets and applied S3 Block Public Access at account level. Enabled MFA on the root account, enabled S3 MFA Delete (which requires bucket versioning) and enabled CloudTrail in all regions with log file integrity validation. With API activity now recorded, reduced all 19 overprivileged IAM roles to least-privilege policies based on the calls each role actually made. Restricted the RDS security group to the application tier's security group only, and enabled RDS encryption via snapshot restore: an existing unencrypted instance cannot be encrypted in place, so the instance was snapshotted, the snapshot copied with encryption enabled, a new instance restored from the encrypted copy, and the application cut over.
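Deriving least-privilege policies from observed activity, as in Phase 3, amounts to reading the CloudTrail records for a role and emitting an Allow statement for exactly the service:Action pairs seen, scoped to the resource ARNs CloudTrail attached where it recorded any. The block below is an added example, not garrisonOne's tooling; the role names, account ID, ARNs and event records are constructed. Two real mismatches between CloudTrail and IAM naming are handled explicitly: CloudWatch calls arrive with eventSource monitoring.amazonaws.com but use the cloudwatch: action prefix, and Lambda event names carry an API-version suffix (UpdateFunctionCode20150331v2) that the IAM action does not.

```python
"""Derive a starter least-privilege policy from CloudTrail records.

Added example, not garrisonOne's tooling. Takes the 'Records' array of
delivered CloudTrail log files, keeps the calls made under a given role, and
emits an IAM policy allowing only the service:Action pairs observed, scoped to
the resource ARNs CloudTrail attached to those calls where it recorded any.
The sample records below are constructed, not taken from a real account.
"""
import json
import re
from collections import defaultdict

PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}   # eventSource host != IAM prefix
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")    # e.g. UpdateFunctionCode20150331v2


def iam_action(event_source: str, event_name: str) -> str:
    """'lambda.amazonaws.com', 'UpdateFunctionCode20150331v2' -> 'lambda:UpdateFunctionCode'.
    Assumption: beyond the two cases handled here, prefix and name match; review others."""
    svc = event_source.split(".")[0]
    svc = PREFIX_OVERRIDES.get(svc, svc)
    return f"{svc}:{_VERSION_SUFFIX.sub('', event_name)}"


def role_name(record: dict) -> str:
    """Role behind an AssumedRole session, or '' for IAM users and root."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return ""
    arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return arn.rsplit("/", 1)[-1]


def used_actions(records: list, role: str) -> dict:
    """Map 'svc:Action' -> set of ARNs it was used on. A '*' entry marks a call
    that carried no 'resources' field, so that action cannot be resource-scoped."""
    seen = defaultdict(set)
    for r in records:
        if role_name(r) != role:
            continue
        action = iam_action(r["eventSource"], r["eventName"])
        arns = {x["ARN"] for x in r.get("resources", []) if "ARN" in x} or {"*"}
        seen[action] |= arns
    return seen


def build_policy(records: list, role: str) -> dict:
    """One Allow statement per distinct ARN set, plus one for unscopable actions."""
    scoped, wildcard = defaultdict(set), set()
    for action, arns in used_actions(records, role).items():
        if "*" in arns:
            wildcard.add(action)
        else:
            scoped[frozenset(arns)].add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": sorted(arns)}
                  for arns, acts in sorted(scoped.items(), key=lambda kv: sorted(kv[1]))]
    if wildcard:
        statements.append({"Effect": "Allow", "Action": sorted(wildcard), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def policy_json(records: list, role: str) -> str:
    return json.dumps(build_policy(records, role), indent=2)


def _rec(role: str, source: str, name: str, arns=()) -> dict:
    """Minimal constructed CloudTrail record for an AssumedRole session."""
    return {
        "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
            "type": "Role", "arn": f"arn:aws:iam::123456789012:role/{role}"}}},
        "eventSource": source, "eventName": name,
        "resources": [{"ARN": a} for a in arns],
    }


# Constructed sample: a deploy role, a read-only metrics role, and one root action.
RECORDS = [
    _rec("deploy-role", "ecs.amazonaws.com", "UpdateService"),
    _rec("deploy-role", "ecs.amazonaws.com", "DescribeServices"),
    _rec("deploy-role", "ecs.amazonaws.com", "DescribeServices"),   # repeats collapse
    _rec("deploy-role", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2",
         ["arn:aws:lambda:eu-west-1:123456789012:function:thumbnailer"]),
    # S3 data events must be enabled on the trail for object calls to appear at all.
    _rec("deploy-role", "s3.amazonaws.com", "PutObject",
         ["arn:aws:s3:::release-artifacts/app-1.4.0.zip"]),
    _rec("deploy-role", "s3.amazonaws.com", "PutObject",
         ["arn:aws:s3:::release-artifacts/app-1.4.1.zip"]),
    _rec("metrics-reader", "monitoring.amazonaws.com", "GetMetricData"),
    {"userIdentity": {"type": "Root"}, "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser"},                                    # not a role: ignored
]

if __name__ == "__main__":
    print(policy_json(RECORDS, "deploy-role"))
```

The output is a starting point, not a finished policy. The observation window must be long enough to include infrequent paths (deploys, monthly jobs), or those calls will be denied after the swap; object-level ARNs such as the two release artifacts should be widened by hand to a key prefix (release-artifacts/*); and the candidate policy should be attached in a staging account, with CloudTrail watched for AccessDenied, before it replaces AdministratorAccess in production.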
Phase 4
Enterprise Questionnaire Support & Security Baseline Documentation
Completed the enterprise security questionnaire responses alongside the CTO, mapping each question to implemented controls with supporting evidence. Delivered a written AWS security baseline document covering all implemented controls, configuration rationale, and ongoing maintenance requirements. Provided guidance on AWS Security Hub and GuardDuty as continuous monitoring tools for the team to enable post-engagement.
Key deliverables
- CIS AWS Foundations Benchmark assessment report: full scoring across 58 controls with evidence and remediation mapping
- Immediate remediation of all critical findings: S3 buckets secured, IAM roles scoped, RDS locked down, CloudTrail enabled
- 19 least-privilege IAM policies: custom policies replacing AdministratorAccess, based on actual service usage analysis
- CloudTrail enabled across all regions with S3 log bucket, log file integrity validation, and CloudWatch alerting configured
- Enterprise security questionnaire: completed responses with supporting evidence, ready for submission to the prospective customer
- AWS security baseline document: implemented controls, configuration rationale, and ongoing maintenance guidance for the engineering team
Outcomes
Enterprise deal unlocked, and a real security foundation built to last
The enterprise security review was passed within the deal timeline. The prospective customer received a completed questionnaire backed by genuine control implementation, not aspirational answers. The startup closed the contract and used the security baseline as the foundation for all future customer due diligence. The CTO described it as the best investment they'd made that quarter.
Passed
Enterprise security review: deal closed
Questionnaire submitted with genuine control evidence; the customer's security team approved it within one week.
3
Public S3 buckets fully secured
All buckets restricted; S3 Block Public Access applied at account level to prevent future misconfiguration.
Least privilege
All 19 IAM roles rescoped
Custom least-privilege policies replacing AdministratorAccess, based on actual service usage rather than estimates.
Full trail
CloudTrail active across all regions
Complete API audit log from the day of enablement, with log file integrity validation and CloudWatch alerting configured.
Encrypted
RDS database encryption at rest
Production database migrated to encrypted storage; customer data encrypted at rest for the first time.
Documented
Security baseline for future reviews
Written security baseline covering all controls, reusable as evidence for future customer due diligence.
"We thought we were going to lose the deal. garrisonOne came in, told us exactly what was wrong, fixed most of it themselves, and helped us fill out the questionnaire with real answers. We passed the review and closed the contract. I genuinely don't know what we would have done otherwise."
- CEO, B2B SaaS Startup