AWS Security Checklist: 58 Checks Every Team Should Run Before a SOC 2 Audit

Hamza Imran — Thu, 23 Apr 2026 13:24:11 +0000

I Got Tired of $10k AWS Security Audits — So I Built My Own

A few months ago I was helping a startup prepare for SOC 2. Their security consultant quoted $15,000 for an AWS security audit — two weeks timeline and a PDF report at the end.
I looked at what they were actually checking — IAM configs, open security groups, unencrypted S3 buckets, CloudTrail logging. Standard stuff that any engineer could verify. Nothing that justified $15,000 and two weeks.
So I spent a few weekends building it myself. The result is DevForge Audit — 58 automated security checks across your entire AWS account, a full PDF report with severity scores and fix recommendations, done in 5 minutes. Free to try.

What It Checks
Here are all 58 checks it runs automatically across your AWS account:
IAM

Root account MFA enabled
Password policy strength
Users without MFA
Access key rotation (90 days)
Inactive users with active credentials
AdministratorAccess directly attached
Wildcard trust principals

Public access blocks
Encryption at rest
Versioning enabled
Access logging

EC2 / VPC

SSH/RDP open to the internet
All-traffic security groups
EBS encryption
Unused Elastic IPs
VPC Flow Logs enabled

RDS

Encryption at rest
Public accessibility
Multi-AZ enabled
Automated backups
Deletion protection
Secrets Manager rotation

CloudTrail

Multi-region trail
KMS encryption
Log file validation
CloudWatch integration

CloudWatch / SNS

Billing alarm configured
Root account usage alarm
Unauthorized API calls alarm
SNS subscriptions confirmed

Secrets Manager

Rotation enabled
Not rotated in 90+ days
Plaintext credentials in SSM Parameter Store
Unused secrets

ECS / EKS

Privileged containers
Plaintext secrets in environment variables
Public IP on tasks
EKS public API endpoint
Kubernetes version up to date

GuardDuty

Enabled in all regions
S3 and EKS protection enabled
Active critical findings

Every finding maps to a SOC 2 Trust Service Criteria so you know exactly what to fix before your audit.

How It Works
No credentials needed. You deploy a read-only IAM role in your account via CloudFormation — takes 30 seconds. Paste the Role ARN, enter your email, and hit run.
Lambda assumes the role, runs all 58 checks, and generates a PDF report with severity scores and fix recommendations. Done in 5 minutes.
Temporary credentials expire after 15 minutes. Delete the CloudFormation stack anytime to revoke access permanently.

Why I Built It This Way
A few things were non-negotiable for me:

Read-only access only — uses sts:AssumeRole with ExternalId, SecurityAudit and ReadOnlyAccess managed policies, zero write permissions
No credential storage — temporary STS credentials expire after 15 minutes
No account needed — paste an ARN, get a report, done
SOC 2 mapped — every finding tied to a specific Trust Service Criteria so it's actually useful for compliance prep

What's Next

More checks — Lambda functions, WAF, AWS Organizations
Continuous monitoring mode — weekly automated audits with score tracking over time
Dashboard to track your score over time

Try It
👉 DevForge — free, takes 5 minutes.
Would love feedback from the community — especially if you spot any checks I'm missing or have dealt with SOC 2 compliance yourself. Drop it in the comments.

DEV Community: Hamza Imran

AWS Security Checklist: 58 Checks Every Team Should Run Before a SOC 2 Audit