The situation
A Bengaluru-based B2B SaaS company (we'll call them "AnalyticsCo") was deep in Series B due diligence when their investor's technical reviewer flagged "AWS security posture below acceptable threshold." The investor requested a formal security audit and remediation plan as a closing condition.
AnalyticsCo's profile:
- 45 employees, ~280 enterprise customers
- AWS-only, 3 accounts (prod, staging, dev)
- ~120 EC2 instances, 12 RDS, 47 S3 buckets, 4 Lambda functions
- No dedicated security engineer
- Series B closing target: 8 weeks
- Existing SOC 2 Type I from 18 months prior (Type II planned)
The audit (Week 1)
The Bachao.AI 5-day audit ran the same week the engagement letter was signed. Results:
| Severity | Count |
|---|---|
| Critical | 8 |
| High | 14 |
| Medium | 19 |
| Low | 6 |
| Total | 47 |
- IAM user with AdministratorAccess + no MFA — the original CTO's IAM user from company founding, still active, no MFA. (Resolved in 30 minutes of the audit briefing.)
- 3 S3 buckets publicly readable, 1 contained 6 months of customer support attachments — including some attachments with customer PII. (Resolved in 2 hours; data audit confirmed scope.)
- CloudTrail not enabled in 2 of 3 accounts — staging + dev accounts had no audit log retention. (Resolved in 4 hours.)
- Database service account with `s3:*` on all buckets — over-permissive, allowed lateral pivot if compromised. (Resolved in 6 hours after IAM policy refactor.)
- Default VPC still in use for production — production EC2 instances in default VPC alongside dev resources. (Required 2-week migration window.)
- Lambda function with PII data flow had no encryption + 90-day log retention only — DPDP Section 8(4) implication. (Resolved in 3 days.)
- Long-lived access keys (4+ years old) on 12 IAM users — including users who had left the company. (Resolved in 1 week with key rotation + IAM cleanup.)
- No GuardDuty enabled — no anomaly detection on AWS API calls. (Resolved in 2 hours.)
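Three of the findings above (the no-MFA admin user, the 4-year-old access keys, and the `s3:*` service-account policy) can be spotted offline from artefacts every AWS account already produces. The check below is an added example, not Bachao.AI's tooling: it reads the column names of the real IAM credential report (`aws iam get-credential-report`, trimmed to the columns used) and a policy document in the shape of the service-account finding; the user names, dates and the policy itself are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout of an IAM credential report
# (`aws iam get-credential-report`), trimmed to the columns the check reads.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
founder-cto,true,false,true,2019-01-12T09:05:00+00:00,false,N/A
devops-lead,true,true,true,2025-01-15T09:05:00+00:00,false,N/A
"""

# Constructed policy document in the shape of the database service-account finding.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

def audit_credentials(report_csv, now_iso, max_key_age_days=90):
    """Flag console users without MFA and active access keys older than the limit."""
    now = datetime.fromisoformat(now_iso)  # tz-aware, like the report timestamps
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive slots carry N/A timestamps
            rotated = datetime.fromisoformat(row[f"access_key_{slot}_last_rotated"])
            age_days = (now - rotated).days
            if age_days > max_key_age_days:
                findings.append((user, f"access key {slot} last rotated {age_days} days ago"))
    return findings

def _as_list(value):
    """IAM accepts a bare string or object wherever a list is also allowed."""
    return value if isinstance(value, list) else [value]

def broad_s3_statements(policy):
    """Return Allow statements that grant s3:* (or *) on every bucket."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (stmt.get("Effect") == "Allow"
                and any(a in ("*", "s3:*") for a in actions)
                and any(r in ("*", "arn:aws:s3:::*") for r in resources)):
            hits.append(stmt)
    return hits
```

Run against the real report and each attached policy to get the no-MFA and stale-key findings per account; the 90-day threshold is a common rotation baseline, adjust it to the company's policy.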
The 2-week sprint (Week 2-3)
Bachao.AI engineers worked alongside AnalyticsCo's DevOps lead for 2 weeks. Pattern:
Week 2 (Critical + 5 High closures):
- Day 8: All 8 Critical findings resolved
- Day 9–10: 5 of 14 High findings resolved (S3 bucket policies, security groups, KMS key rotation)
- Day 10–12: Default VPC migration planning
- Day 13–14: Default VPC migration executed (4 hours of partial-service window over a Sunday)
Week 3 (remaining High + Medium closures):
- Day 15–17: 9 remaining High findings (CloudTrail enrichment, GuardDuty alert routing, RDS encryption, EBS volume encryption sweep)
- Day 18–21: 19 Medium findings (KMS key rotation, IMDSv2 enforcement, ECR image scanning, RDS deletion protection, etc.)
The investor's response (Week 7)
Bachao.AI delivered a closure evidence package to AnalyticsCo:
- Original audit report (47 findings)
- Closure log (47 findings closed/accepted with rationale)
- AWS Config dashboard screenshot showing compliance posture
- Updated security policy documents (Acceptable Use, Access Control, Data Classification)
What it cost
| Line item | Cost |
|---|---|
| Bachao.AI AWS audit (multi-account) | ₹4L |
| Bachao.AI remediation sprint (2 weeks) | ₹8L |
| Bachao.AI evidence package + investor coordination | ₹2L |
| AnalyticsCo DevOps lead time (2 weeks intensive) | ~₹4L opportunity cost |
| Total cloud security work | ₹14L direct + ₹4L internal = ₹18L |
What AnalyticsCo's CTO said
"We had 'AWS security' on our to-do list for 8 months. We never had the bandwidth. Bachao came in, found 47 things we didn't know we'd done wrong, and fixed 41 of them in 2 weeks alongside our DevOps lead. The reason it worked: Bachao engineers wrote the actual IAM policy changes and Terraform — they didn't just write a report and walk away. We retained them on a quarterly review cadence after Series B closed."
Pattern this engagement followed
This is a common shape for Bachao.AI cloud security engagements:
- Triggering event (investor diligence, SOC 2 audit, customer questionnaire, regulator)
- Existing AWS footprint that's grown organically without security review
- No dedicated security engineer on the customer side
- Time pressure aligning with the audit + remediation