Infrastructure Security Audit Before Launch: What a DevOps Engineer Checks for Your SaaS in 2026

Check 1: IAM Least-Privilege Audit

Audit every IAM user, role, and policy attached to the AWS account for the product. Identify: users with AdministratorAccess who are not the account owner, service roles with overly broad permissions (S3:* when only s3:GetObject and s3:PutObject are needed), old developer access keys that have not been used in 90 days.

Pass criteria: no service role has permissions beyond what is needed for its documented function. No unused access keys are active. MFA is enabled on all IAM users with console access.

Check 2: Network Exposure Assessment

Map every resource with a public IP or public DNS endpoint: EC2 instances, RDS instances, Elasticache clusters, S3 buckets, ALBs, API Gateways. For each: confirm that public exposure is intentional and that security groups or bucket policies restrict access appropriately.

Pass criteria: no RDS or Elasticache instance is publicly accessible. No S3 bucket is publicly readable unless it is specifically a public asset bucket (CDN origin). EC2 instances only have ports open that are required for their function.

Check 3: Secrets and Credentials Scan

Scan the entire codebase (including historical commits) for hardcoded credentials using TruffleHog or GitHub secret scanning. Check CI/CD environment variables for long-lived AWS access keys. Verify that application configuration reads secrets from AWS Secrets Manager or Parameter Store, not from environment variables or .env files.

Pass criteria: no credentials found in source code or CI/CD environment variables. All application secrets loaded from a managed secrets service at runtime.

Check 4: Encryption at Rest and in Transit

Confirm that: all RDS databases have encryption at rest enabled, all S3 buckets have server-side encryption enabled, all EBS volumes are encrypted, all ALB listeners redirect HTTP to HTTPS, all application endpoints use TLS 1.2 or higher, and ACM certificates are not expired and have auto-renewal configured.

Pass criteria: no data store is unencrypted. No HTTP endpoint accepts data without redirecting to HTTPS.

Check 5: Logging and Monitoring

Confirm that: AWS CloudTrail is enabled in all regions, CloudWatch Logs are configured for the application, VPC Flow Logs are enabled, ALB access logs are enabled, and there is at least one alert configured for suspicious activity (failed login rate, unusual API call patterns, unexpected egress traffic).

Pass criteria: all API and infrastructure activity is logged. At least one alerting rule is configured and tested.

Check 6: Edge Security (WAF and CloudFront)

Confirm whether an AWS WAF WebACL is associated with the CloudFront distribution or ALB. If not, assess whether the application's threat model requires WAF before launch (SaaS products exposed to the internet with login endpoints should have at minimum the IP Reputation List and Core Rule Group enabled).

Pass criteria for launch: WAF enabled with IP Reputation List and Core Rule Group. ALB is not directly accessible from the internet (CloudFront-only origin access configured).

Check 7: Database Security

Confirm: RDS instance is in a private subnet, security group restricts database port (5432, 3306, 27017) to the application security group only, automated backups are enabled with appropriate retention, point-in-time recovery is enabled, database credentials are managed in Secrets Manager with rotation configured.

Pass criteria: no database is accessible from outside the application security group. Automated backups enabled and tested (restore procedure documented).

Check 8: Dependency Vulnerability Scan

Run a full SCA (Software Composition Analysis) scan across all application dependencies. Identify critical and high CVEs in the dependency tree. Prioritise remediation of critical CVEs in packages that handle user input or authentication.

Pass criteria: no critical CVEs in dependencies that handle authentication, session management, or user input. High CVEs in non-critical paths have a documented remediation timeline.

Check 9: Container and Kubernetes Security (if applicable)

If the product runs on Kubernetes: confirm Pod Security Standards are enforced on production namespaces, network policies are in place, no containers run as root in production, RBAC is scoped to least privilege, and secrets are loaded from Vault or Secrets Manager rather than Kubernetes Secrets.

Pass criteria: no container running as root in production. No wildcard RBAC bindings. Network policies separating namespaces.

Check 10: Backup and Recovery Test

Confirm that: automated backups are enabled for all stateful services, a restore procedure exists and is documented, and the restore has been tested within the last 30 days. A backup that has never been tested is not a backup.

Pass criteria: automated backups enabled. Restore procedure documented. At least one successful restore test completed and documented.

Audit scope

Cost at $22/hour

What is delivered

Small SaaS (1-5 services, single AWS account)

3 to 5 days: $528 to $880

Full 10-check audit, findings report, remediation plan, critical issue fix verification

Medium SaaS (5-15 services, multi-environment)

5 to 8 days: $880 to $1,408

Full audit + remediation of critical findings + baseline security documentation

Large SaaS / pre-SOC 2 audit (15+ services, Kubernetes)

8 to 14 days: $1,408 to $2,464

Comprehensive audit + Kubernetes checks + SOC 2 readiness mapping + all critical fixes

Audit + full security hardening (WAF, K8s security, IaC)

14 to 20 days: $2,464 to $3,520

Audit findings + implementation of all critical and high remediations

Monthly retainer (post-launch ongoing security)

$3,200/month

Continuous security: quarterly audits, vulnerability monitoring, incident response