01
Account read-through.
CloudTrail, Config, IAM Access Analyzer, GuardDuty, Inspector. We look at what AWS already knows about your account before we ask you anything.
SERVICE · 02 OF 04
Architecture review, written down.
We read your account, your bill, your repos, your runbooks. You get a written brief in plain English with a prioritised fix list — and a path to SOC 2, HIPAA, or PCI when that’s on the table.
WHAT'S INCLUDED
Three things every engagement ships.
02
Risk-ranked findings.
Every finding has a severity, an estimated effort, and a sentence on why it matters. No CVSS-only outputs.
03
Compliance path.
If you’re heading for SOC 2 Type II, HIPAA, or PCI DSS, we map findings to the actual control families — not generic checklists.
OUR APPROACH
We audit four planes.
Identity & access
- →IAM policy least-privilege review
- →Cross-account trust paths
- →SSO and root-account hygiene
- →Long-lived access key inventory
Network & data
- →Public surface area and ingress
- →KMS key inventory and rotation
- →Encryption-at-rest coverage
- →S3 bucket policies and access logging
Build & deploy
- →CI runner permissions
- →Secrets in pipelines (or out of them)
- →Image signing and SBOM
- →Deploy approval and audit trail
Operational readiness
- →Logging, retention, and search
- →Backup and recovery testing
- →Incident-response runbook coverage
- →On-call rotation and escalation paths
PACKAGES
Pick the shape that fits.
Targeted review
$5,500
- →Pick one pillar (IAM, network, data, ops)
- →Written brief with fix list
- →Includes 30-min walkthrough
Full review
$14k
- →Six Well-Architected pillars covered
- →Risk-ranked remediation backlog
- →Compliance gap mapping
- →60-min team walkthrough
Review + remediate
from $28k
- →Everything in Full review
- →Top-tier remediations shipped
- →CI/CD + Config rule baseline
- →Re-audit on completion
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.