Securing a SaaS Startup's AWS Infrastructure
A 15-person B2B SaaS startup needed to harden their AWS environment and pass a SOC 2 readiness review before closing their Series A.
The Challenge
The startup had built their product fast — a single AWS account with broad IAM permissions, no network segmentation, unencrypted RDS instances, and S3 buckets with overly permissive policies. Their lead investor required evidence of a security audit and a SOC 2 readiness assessment before finalizing the round. The engineering team was small and fully focused on product development with no security expertise in-house.
Our Approach
1. Performed a comprehensive AWS security audit covering IAM policies, VPC configuration, S3 bucket policies, RDS encryption, CloudTrail logging, and security group rules.
2. Identified 31 findings, including 8 critical issues: a root account without MFA, wildcard IAM policies, public S3 buckets, unencrypted database volumes, and missing CloudTrail logging.
3. Redesigned the AWS environment with a multi-account structure, least-privilege IAM roles, VPC segmentation with private subnets, and encryption at rest and in transit.
4. Implemented infrastructure-as-code using Terraform so that all security configurations are version-controlled and reproducible.
5. Conducted an external penetration test against the production application, identifying 4 web application vulnerabilities, including an insecure direct object reference (IDOR) and a missing rate limit on the authentication endpoint.
6. Delivered a SOC 2 readiness report mapping all findings and remediations to the Trust Services Criteria.
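The five critical finding classes in steps 1 and 2 can each be reduced to a check over the JSON that the AWS APIs return. The script below is an added example, not CitrusCS's audit tooling or the client's code: it implements those checks as pure functions over the response shapes of IAM GetAccountSummary, the IAM and S3 policy document format, RDS DescribeDBInstances, and CloudTrail DescribeTrails/GetTrailStatus, and runs them against constructed sample responses for a hypothetical account so it works offline. Wiring the same functions to boto3 output is the only change needed to run it for real.

```python
from typing import Any


def _as_list(value: Any) -> list:
    """IAM/S3 policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def root_mfa_missing(account_summary: dict) -> bool:
    """IAM GetAccountSummary: SummaryMap['AccountMFAEnabled'] is 1 when root has MFA."""
    return account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) != 1


def wildcard_statements(policy_doc: dict) -> list:
    """Allow statements granting '*' or 'service:*' actions on every resource."""
    hits = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            hits.append(stmt)
    return hits


def bucket_policy_is_public(policy_doc: dict) -> bool:
    """Allow statement with an anonymous principal ('*' or {'AWS': '*'}) and no Condition."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if anonymous and not stmt.get("Condition"):
            return True
    return False


def unencrypted_db_instances(describe_output: dict) -> list:
    """RDS DescribeDBInstances: StorageEncrypted False means plaintext volumes."""
    return [
        db["DBInstanceIdentifier"]
        for db in describe_output.get("DBInstances", [])
        if not db.get("StorageEncrypted", False)
    ]


def cloudtrail_missing(trails: list, statuses: dict) -> bool:
    """True unless some multi-region trail (DescribeTrails) is logging (GetTrailStatus)."""
    return not any(
        t.get("IsMultiRegionTrail") and statuses.get(t["Name"], {}).get("IsLogging")
        for t in trails
    )


# Constructed sample API responses for a hypothetical account (not real data).
SAMPLE_ACCOUNT_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0}}
SAMPLE_IAM_POLICIES = {
    "DevelopersPolicy": {"Version": "2012-10-17",
                         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Least-privilege counterpart: one action on one resource, passes the check.
    "AssetReadPolicy": {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                       "Resource": "arn:aws:s3:::example-assets/*"}]},
}
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"}]}
SAMPLE_RDS = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-db", "StorageEncrypted": False},
    {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": True}]}
SAMPLE_TRAILS = [{"Name": "mgmt-trail", "IsMultiRegionTrail": False}]
SAMPLE_TRAIL_STATUS = {"mgmt-trail": {"IsLogging": True}}


def audit(summary: dict, policies: dict, bucket_policies: dict,
          rds: dict, trails: list, statuses: dict) -> list:
    """Run every check and return one finding string per issue found."""
    findings = []
    if root_mfa_missing(summary):
        findings.append("CRITICAL root account has no MFA")
    for name, doc in policies.items():
        if wildcard_statements(doc):
            findings.append(f"CRITICAL wildcard IAM policy: {name}")
    for bucket, doc in bucket_policies.items():
        if bucket_policy_is_public(doc):
            findings.append(f"CRITICAL public S3 bucket policy: {bucket}")
    for db in unencrypted_db_instances(rds):
        findings.append(f"CRITICAL unencrypted RDS instance: {db}")
    if cloudtrail_missing(trails, statuses):
        findings.append("CRITICAL no multi-region CloudTrail trail is logging")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNT_SUMMARY, SAMPLE_IAM_POLICIES,
                         {"example-assets": SAMPLE_BUCKET_POLICY},
                         SAMPLE_RDS, SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS):
        print(finding)
```

Two caveats a reviewer would add before trusting these checks in production: a Condition block on a public statement only narrows exposure if its keys actually restrict the caller (aws:SourceIp does, aws:SecureTransport does not), and bucket exposure also depends on ACLs and the account and bucket Block Public Access settings, which this policy-only check does not read.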
Results
- 8 critical findings fixed
- 31 total findings remediated
- SOC 2 readiness: passed
- Time to complete: 4 weeks
“CitrusCS took our AWS environment from 'startup chaos' to audit-ready in a month. The Terraform setup means we won't drift back into bad habits, and the pentest caught real vulnerabilities our automated scanners missed.”
— Small Business Client