What AWS gets right (and where Indian SaaS companies trip)
AWS provides excellent security primitives. Most security incidents involving AWS-hosted Indian companies are not AWS failures — they're misconfiguration. The same 12 configuration issues account for over 80% of findings in our audit history:
- Overly permissive IAM policies (`*:*` wildcards)
- Public S3 buckets containing internal data
- Security groups open to 0.0.0.0/0 on non-public ports
- Lack of MFA on IAM users with high-privilege access
- CloudTrail not enabled across all regions
- EBS volumes unencrypted at rest
- RDS instances publicly accessible
- Long-lived access keys (older than 180 days)
- Default VPC still in use for production
- KMS keys without rotation
- Inadequate logging on Lambda functions handling PII
- Bucket policies allowing cross-account access without explicit need
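As an added illustration, not code from this page or from Bachao.AI's tooling, the Python below checks three of the findings above offline: wildcard IAM statements, security groups open to 0.0.0.0/0 on non-public ports, and access keys older than 180 days. It runs on constructed sample data shaped like an IAM policy document, EC2 `IpPermissions` entries and IAM `AccessKeyMetadata` records; the set of ports treated as public and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

PUBLIC_PORTS = {80, 443}   # ports expected to be internet-reachable (assumption for the sample)
MAX_KEY_AGE_DAYS = 180     # threshold named in the finding list above

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def wildcard_statements(policy):
    """Sids of Allow statements granting Action '*', or service:* on Resource '*'."""
    hits = []
    for st in policy.get("Statement", []):
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if st.get("Effect") == "Allow" and ("*" in actions or
                (any(a.endswith(":*") for a in actions) and "*" in resources)):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def open_non_public_ports(ip_permissions):
    """(protocol, from, to) for ingress rules open to the internet on ports outside PUBLIC_PORTS."""
    findings = []
    for rule in ip_permissions:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if not cidrs & {"0.0.0.0/0", "::/0"}:
            continue
        all_traffic = rule["IpProtocol"] == "-1"   # the API omits port fields for protocol -1
        lo, hi = (0, 65535) if all_traffic else (rule["FromPort"], rule["ToPort"])
        if any(p not in PUBLIC_PORTS for p in range(lo, hi + 1)):
            findings.append((rule["IpProtocol"], lo, hi))
    return findings

def stale_access_keys(keys, now):
    """(UserName, AccessKeyId) for Active keys created more than MAX_KEY_AGE_DAYS ago."""
    cutoff = now - timedelta(days=MAX_KEY_AGE_DAYS)
    return [(k["UserName"], k["AccessKeyId"]) for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]

# Constructed sample data (policy document, IpPermissions entries, AccessKeyMetadata); not from any real account.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "ScopedRead", "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "ci", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active", "CreateDate": NOW - timedelta(days=30)}]
```

In a real audit the same functions would be fed the output of `get_policy_version`, `describe_security_groups` and `list_access_keys` from a read-only role; the scoped `s3:GetObject` statement and the 443 rule are deliberately left unflagged to show what a clean result looks like.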
What's in scope
A standard AWS audit covers:
IAM and identity — Users, roles, policies, MFA enforcement, access key age, role chaining, AssumeRole conditions, IAM Access Analyzer findings, identity federation.
Network — VPC architecture, subnet segmentation, security groups, NACLs, Internet Gateway exposure, VPC peering, Transit Gateway, VPN/Direct Connect, Route 53 misconfigurations.
Data — S3 bucket policies, encryption at rest, EBS/RDS encryption, DynamoDB encryption, Secrets Manager usage, KMS key policies, data residency.
Logging and monitoring — CloudTrail organization-wide coverage, log retention, Config rules, GuardDuty enabled, Security Hub standards, VPC Flow Logs.
Compute and serverless — EC2 instance metadata version, Lambda function permissions, ECS/EKS security, IMDSv2 enforcement, OS patch levels, AMI source verification.
Application services — API Gateway throttling, WAF rules, Cognito MFA, SNS encryption, SQS encryption.
Incident response readiness — IAM emergency break-glass procedures, snapshot/backup testing, log preservation, multi-region readiness.
Each finding is mapped to the corresponding AWS Well-Architected Security Pillar control and CIS AWS Foundations Benchmark control number.
The 5-day delivery
Day 1: Onboarding and read-only access
- ReadOnlyAccess + Audit-specific role granted to Bachao.AI
- AWS Config rules enabled if not present
- Initial automated scan kickoff
- 280+ automated configuration checks
- IAM policy analysis (over-permissive policies flagged)
- Identity federation review
- Access key age and rotation review
- VPC architecture review
- Security group + NACL analysis
- S3 bucket-level policy review
- KMS + Secrets Manager usage analysis
- CloudTrail completeness check
- GuardDuty + Security Hub status
- Custom Config rules review
- Compliance mapping (CIS, AWS Well-Architected, customer-specific framework like DPDP/SEBI if applicable)
- Findings prioritised by severity (Critical / High / Medium / Low)
- Remediation steps with example IAM policy / CFN template / Terraform
- Customer briefing call (90 minutes)
- Final report delivered
Pricing
| Scope | Fee |
|---|---|
| Single AWS account (< 50 services in use) | ₹2L |
| Multi-account (organization with 2–5 accounts) | ₹4L |
| Enterprise organization (6+ accounts) | ₹8L |
| AWS audit + remediation execution | Quote (typically +50–100% of audit) |
After the audit
For most clients, the audit is paired with one of:
- One-time remediation sprint (4 weeks, Bachao engineers execute fixes)
- DevSecOps retainer (ongoing config monitoring + new-service review)
- Cloud Security Posture Management (monthly continuous monitoring)
