Security · Digital health

Closed 12 audit findings before pen-test.

Health-tech client needed to ship the audit. We instrumented CloudTrail, tightened S3, and resolved every critical inside two sprints.

Client: Series A health-tech
Duration: 4 weeks · 1 engineer
Region: us-east-1
Category: Security

12 / 12 critical findings closed
4 weeks calendar time
100% of S3 buckets with a TLS-only policy
HIPAA posture confirmed by external pen-test
THE PROBLEM

What we walked into.

A pre-pen-test review surfaced 12 critical findings: public S3 buckets, missing CloudTrail in two regions, IAM users with console access bypassing SSO, and KMS keys without rotation. Pen-test was four weeks out.

The engineering team of six had no security engineer. They had been quietly punting on these findings for six months because they did not know where to start.

THE APPROACH

How we shipped it.

01

Triage by blast radius

Ranked all 12 findings by what a determined attacker could do with them, not by report severity. Two findings (the S3 misconfiguration and the console-access SSO bypass) jumped to the top. Started there.

02

S3 hardening as the foundation

Enforced TLS-only bucket policies, enabled S3 Public Access Block at the account level, and turned on default encryption. Caught and remediated two buckets that had been public for over a year.

03

Region-complete logging

Multi-region CloudTrail with a single S3 destination, log file integrity validation on, and CloudTrail logs sent to a separate logging account isolated from engineering. Same for GuardDuty.

04

SSO-only access, IAM users gone

Removed every IAM user with console access. Federated all human access through the existing SSO provider. Service accounts now use IAM Roles Anywhere where third parties need access.
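The S3 hardening in step 02 is the kind of check a quarterly playbook can re-run. Below is an added example (not the client's or the engagement's own code) that generates the TLS-only deny policy for a bucket and audits an existing bucket policy and Public Access Block configuration for that state. It assumes the policy document has already been fetched and JSON-decoded (boto3's get_bucket_policy returns the policy as a string); bucket names are constructed.

```python
import json

def tls_only_policy(bucket: str) -> dict:
    """Bucket policy that denies every S3 action made without TLS.
    Covers both the bucket ARN (list/bucket-level ops) and its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def enforces_tls(policy: dict, bucket: str) -> bool:
    """Audit check: True only if some Deny statement rejects non-TLS access
    for all actions on both the bucket and its objects (the '100%' metric)."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # deny must apply to every principal
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if "s3:*" not in actions and "*" not in actions:
            continue  # partial action coverage leaves a plaintext path open
        flag = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() != "false":
            continue
        if needed <= set(_as_list(st.get("Resource", []))):
            return True
    return False

# Shape of get_public_access_block()['PublicAccessBlockConfiguration'].
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_access_fully_blocked(cfg: dict) -> bool:
    """All four Public Access Block settings must be on; a missing key fails."""
    return all(cfg.get(k) is True for k in PAB_FLAGS)

if __name__ == "__main__":
    print(json.dumps(tls_only_policy("phi-exports"), indent=2))
```

A policy that only covers `bucket/*` (objects) but not the bucket ARN itself fails the check on purpose, because bucket-level calls such as ListBucket would still be allowed over plaintext.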

STACK

AWS services in this engagement

IAM
S3
CloudTrail
GuardDuty
Secrets Manager
Organizations
THE OUTCOME

What shipped.

The pen-test came back clean on all 12 originally flagged areas. Two new lower-severity findings surfaced, both closed within the same sprint as the report.

The client now has a quarterly check-in playbook from the engagement. They have run it twice on their own since.

WANT SOMETHING SIMILAR?

Tell us what you're trying to ship.

A 30-minute scoping call with the engineers who would do the work.