I Got Tired of $10k AWS Security Audits — So I Built My Own
A few months ago I was helping a startup prepare for SOC 2. Their security consultant quoted $15,000 for an AWS security audit: a two-week timeline and a PDF report at the end.
I looked at what they were actually checking — IAM configs, open security groups, unencrypted S3 buckets, CloudTrail logging. Standard stuff that any engineer could verify. Nothing that justified $15,000 and two weeks.
So I spent a few weekends building it myself. The result is DevForge Audit — 58 automated security checks across your entire AWS account, a full PDF report with severity scores and fix recommendations, done in 5 minutes. Free to try.
What It Checks
Here is what it checks, grouped by service:
IAM
Root account MFA enabled
Password policy strength
Users without MFA
Access key rotation (90 days)
Inactive users with active credentials
AdministratorAccess directly attached
Wildcard trust principals
S3
Public access blocks
Encryption at rest
Versioning enabled
Access logging
EC2 / VPC
SSH/RDP open to the internet
All-traffic security groups
EBS encryption
Unused Elastic IPs
VPC Flow Logs enabled
RDS
Encryption at rest
Public accessibility
Multi-AZ enabled
Automated backups
Deletion protection
Secrets Manager rotation
CloudTrail
Multi-region trail
KMS encryption
Log file validation
CloudWatch integration
CloudWatch / SNS
Billing alarm configured
Root account usage alarm
Unauthorized API calls alarm
SNS subscriptions confirmed
Secrets Manager
Rotation enabled
Not rotated in 90+ days
Plaintext credentials in SSM Parameter Store
Unused secrets
ECS / EKS
Privileged containers
Plaintext secrets in environment variables
Public IP on tasks
EKS public API endpoint
Kubernetes version up to date
GuardDuty
Enabled in all regions
S3 and EKS protection enabled
Active critical findings
Every finding is mapped to the relevant SOC 2 Trust Services Criteria, so you know exactly what to fix before your audit.
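As an added example (not DevForge Audit's own code), here is how a few of the checks above can be implemented in Python: the security-group checks for SSH/RDP and all-traffic exposure to the internet, and the IAM checks for root MFA, users without MFA and 90-day access key rotation, all three of which can be read from a single IAM credential report. The evaluation functions take the API response shapes directly, so the constructed sample data at the bottom exercises them offline; `run_live()` wires the same functions to boto3 and is the only part that needs an AWS account.

```python
"""Offline implementations of a handful of the checks listed above (added example,
not DevForge Audit's own code). Evaluation logic is kept separate from the AWS API
calls so it runs on constructed input shaped like the real responses (EC2
DescribeSecurityGroups, IAM credential report); run_live() wires in boto3.
"""
import csv
import io
import time
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90
ADMIN_PORTS = (22, 3389)          # SSH, RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _open_to_world(perm):
    """True if an IpPermissions entry admits any source on the internet."""
    return (any(r.get("CidrIp") in ANYWHERE for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") in ANYWHERE for r in perm.get("Ipv6Ranges", [])))


def _covers_tcp_port(perm, port):
    """True if the rule is TCP and its port range includes `port`."""
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_security_groups(groups):
    """Flag all-traffic rules and SSH/RDP open to the internet; returns (group_id, finding)."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            if perm.get("IpProtocol") == "-1":  # all protocols; FromPort/ToPort are absent
                findings.append((sg["GroupId"], "all traffic open to the internet"))
                continue
            for port in ADMIN_PORTS:
                if _covers_tcp_port(perm, port):
                    findings.append((sg["GroupId"], f"tcp/{port} open to the internet"))
    return findings


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601 or literals such as N/A / no_information."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_credential_report(report_csv, now=None):
    """Root MFA, console users without MFA, stale access keys; returns (user, finding)."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append((user, "root account MFA not enabled"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        for n in ("1", "2"):
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if (row[f"access_key_{n}_active"] == "true" and rotated
                    and now - rotated > timedelta(days=KEY_MAX_AGE_DAYS)):
                findings.append((user, f"access key {n} not rotated in {(now - rotated).days} days"))
    return findings


def run_live(session=None):
    """Run both checks against a real account (requires boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline example needs no AWS SDK
    session = session or boto3.Session()
    groups = session.client("ec2").describe_security_groups()["SecurityGroups"]
    iam = session.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)  # report generation is asynchronous
    report = iam.get_credential_report()["Content"].decode()
    return check_security_groups(groups) + check_credential_report(report)


# Constructed sample input (not real account data), shaped like the API output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-wideopen", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                                                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
SAMPLE_REPORT = "\n".join([  # credential-report CSV, trimmed to the columns these checks read
    "user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,"
    "access_key_2_active,access_key_2_last_rotated",
    "<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,false,N/A",
    "alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-01-10T00:00:00+00:00,false,N/A",
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2024-05-01T12:00:00+00:00,false,N/A",
])
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
```

Calling `check_security_groups(SAMPLE_GROUPS)` flags sg-bastion (tcp/22 from 0.0.0.0/0) and sg-wideopen (all traffic) but not sg-internal, whose RDP rule is limited to 10.0.0.0/8; `check_credential_report(SAMPLE_REPORT, FIXED_NOW)` flags the root account for missing MFA and alice's 143-day-old key, while deploy-bot has no console password and a fresh key. The credential report is generated asynchronously, which is why `run_live()` polls `GenerateCredentialReport` until its state is COMPLETE before fetching it; one report covers several IAM checks in a single call, which matters when dozens of checks share a Lambda time budget.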
How It Works
No access keys to hand over. You deploy a read-only IAM role in your account via CloudFormation, which takes about 30 seconds; before you create the stack, read the template and confirm that the trust policy names only the tool's account as principal and requires the ExternalId. Paste the Role ARN, enter your email, and hit run.
Lambda assumes the role, runs all 58 checks, and generates a PDF report with severity scores and fix recommendations. Done in 5 minutes.
Temporary credentials expire after 15 minutes. Delete the CloudFormation stack anytime to revoke access permanently.
Why I Built It This Way
A few things were non-negotiable for me:
Read-only access only — sts:AssumeRole with an ExternalId, and only the AWS-managed SecurityAudit and ReadOnlyAccess policies attached, so no write permissions. Note that ReadOnlyAccess does include data-plane reads such as s3:GetObject, which SecurityAudit alone does not grant.
No credential storage — temporary STS credentials expire after 15 minutes
No account needed — paste an ARN, get a report, done
SOC 2 mapped — every finding tied to a specific Trust Services Criteria reference, so it's actually useful for compliance prep
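The role described under "How It Works" and in the design points above is the one piece of the setup that lives in your account, so it is worth vetting before the stack is created. The following is an added example, not the tool's own template or code: a constructed template with the shape such a role has, a small validator that confirms the trust policy names one specific account and requires an sts:ExternalId (the same property the "wildcard trust principals" check looks for) and that only the two read-only managed policies are attached, and the auditor-side AssumeRole call with the 15-minute minimum session. AUDITOR_ACCOUNT and EXTERNAL_ID are placeholders for the values the tool would give you.

```python
"""Vet the cross-account audit role before creating the CloudFormation stack.
Added example, not DevForge Audit's own template or code. TEMPLATE is a constructed
stand-in with the shape such a template has; AUDITOR_ACCOUNT and EXTERNAL_ID are
placeholders for the values the tool would give you.
"""

AUDITOR_ACCOUNT = "123456789012"      # placeholder: the auditing service's account
EXTERNAL_ID = "example-external-id"   # placeholder: should be unique per customer

# Read-only AWS-managed policies the role may carry. ReadOnlyAccess still permits
# data-plane reads such as s3:GetObject; SecurityAudit alone is metadata-only.
ALLOWED_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
}

TEMPLATE = {  # constructed: minimal role, CloudFormation template in dict form
    "Resources": {
        "AuditRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": f"arn:aws:iam::{AUDITOR_ACCOUNT}:root"},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
                    }],
                },
                "ManagedPolicyArns": sorted(ALLOWED_MANAGED_POLICIES),
            },
        }
    }
}

WEAK_TRUST_POLICY = {  # constructed: what a "wildcard trust principals" check would flag
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(principal):
    """Account ID from an ARN principal, or the principal itself if it is a bare account ID."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def audit_trust_policy(doc, expected_account, expected_external_id):
    """Return problems with a role trust policy; an empty list means it looks right."""
    problems = []
    for stmt in doc.get("Statement", []):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in aws:
            problems.append("wildcard trust principal: any AWS account could assume the role")
        for p in aws:
            if p != "*" and _account_of(p) != expected_account:
                problems.append(f"unexpected trusted principal {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (no confused-deputy protection)")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the value you were given")
    return problems


def audit_role_resource(resource, expected_account, expected_external_id):
    """Trust policy plus permissions: only the allow-listed read-only managed policies."""
    props = resource["Properties"]
    problems = audit_trust_policy(props["AssumeRolePolicyDocument"],
                                  expected_account, expected_external_id)
    for arn in props.get("ManagedPolicyArns", []):
        if arn not in ALLOWED_MANAGED_POLICIES:
            problems.append(f"unexpected managed policy {arn}")
    if props.get("Policies"):
        problems.append("inline policies present; review them for write permissions")
    return problems


def assume_audit_role(role_arn, external_id, session=None):
    """Auditor side: short-lived credentials with the ExternalId (needs boto3 and AWS creds)."""
    import boto3  # imported lazily so the offline checks above need no AWS SDK
    sts = (session or boto3.Session()).client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="audit", ExternalId=external_id,
                           DurationSeconds=900)  # 900 s = the 15-minute minimum
    return resp["Credentials"]


if __name__ == "__main__":
    print(audit_role_resource(TEMPLATE["Resources"]["AuditRole"], AUDITOR_ACCOUNT, EXTERNAL_ID))
    print(audit_trust_policy(WEAK_TRUST_POLICY, AUDITOR_ACCOUNT, EXTERNAL_ID))
```

Run against TEMPLATE the validator returns no problems; against WEAK_TRUST_POLICY it reports both the wildcard principal and the missing ExternalId. The ExternalId condition is what closes the confused-deputy hole: without it, anyone who learns your Role ARN and can get the auditing service to scan it could have the service assume your role on their behalf, and a wildcard principal lets any account skip the service entirely.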
What's Next
More checks — Lambda functions, WAF, AWS Organizations
Continuous monitoring mode — weekly automated audits with score tracking over time
Dashboard to track your score over time
Try It
👉 DevForge — free, takes 5 minutes.
Would love feedback from the community — especially if you spot any checks I'm missing or have dealt with SOC 2 compliance yourself. Drop it in the comments.