Security Review Checklist

Pull the current user list from Okta / Google Workspace SSO and reconcile against HRIS active employees. Flag any orphaned accounts from departed engineers — GitHub org, AWS console, k8s RBAC, and vendor SaaS each have to be checked. This is a SOC 2 CC6.1 control; auditors will ask for the evidence.

Confirm hardware-key or TOTP MFA is enforced for AWS root, IAM admin roles, GitHub org owners, and production database accounts. SMS-only MFA is no longer acceptable post-NIST SP 800-63B revision.

Run IAM Access Analyzer or equivalent against production AWS / GCP roles. Look for wildcard * actions, over-broad resource scopes, and unused permissions older than 90 days. CloudTrail-driven access advisor data shows what's actually used.

Cross-check People Ops termination list against deactivation logs in Okta, GitHub, AWS SSO, PagerDuty, and any SaaS not covered by SCIM. SCIM consolidates most accounts but never all of them.

Confirm RDS, S3 buckets, EBS volumes, and any self-hosted Postgres / MySQL have KMS-backed encryption enabled. Default-deny S3 bucket policies should reject unencrypted PutObject calls.

Run SSL Labs or testssl.sh against the public ALBs and CloudFront distributions. TLS 1.0/1.1 must be disabled; HSTS should be set with a non-trivial max-age. PCI DSS 4.0 explicitly requires TLS 1.2 or higher.

Run gitleaks or trufflehog across the org. GitHub secret scanning catches known token formats but misses custom API keys. Any hit needs the secret rotated and history rewritten with git-filter-repo — rotation alone leaves the secret in history.

For each leaked credential: rotate at the issuer, audit usage logs for unauthorized access during the exposure window, then BFG / git-filter-repo to scrub history. File a SEV3 ticket if customer data could have been accessed.

Look for any 0.0.0.0/0 ingress on ports other than 80/443 on public-facing ALBs. SSH (22), RDP (3389), and database ports must be locked to bastion / Tailscale CIDR ranges. CSPM tools (Wiz, Lacework, Prisma Cloud) automate this but manual eyes catch the edge cases.

Confirm AWS WAF / Cloudflare rules cover the OWASP Top 10 patterns and that rate limits on auth endpoints are tight enough to defeat credential stuffing. Check for any rules in count-only mode that should be blocking.

Run Semgrep / CodeQL / SonarQube against main and triage any new high or critical findings. Focus on OWASP Top 10 patterns: injection, broken auth, IDOR, SSRF. False-positive rate is high — tag and suppress with rationale rather than ignoring.

Pull Snyk / Dependabot / Renovate output. Triage anything CVSS 7.0+; majors that require breaking changes need a tracked remediation ticket, not a wontfix. Don't let the queue pile up — that's how Log4Shell-style criticals catch teams off guard.

List flags older than 6 months in LaunchDarkly / Unleash / Statsig. Each stale flag is a code path that escapes the test matrix. Assign each one a named owner with a kill-or-keep decision; the unowned ones quietly become security gaps.

Check that production AMIs / container base images are within the current patch window. Trivy or Grype against the registry catches outdated base layers. SOC 2 CC7.1 expects critical patches applied within 30 days of release.

Audit ClusterRoleBindings for over-broad access, especially anything bound to cluster-admin. Confirm Pod Security Standards (restricted) is enforced on production namespaces and that no pods run as root unnecessarily.

For office locations with on-prem servers or sensitive equipment, pull badge logs and reconcile against active employees. For cloud-only shops, review the SOC 2 reports from AWS / GCP / Azure as the evidence chain for physical controls.

Pull MDM (Kandji, Jamf, Intune) reports showing FileVault / BitLocker enabled, screen lock under 15 minutes, and OS within a current major version. Any device flagged non-compliant for more than 7 days needs a follow-up ticket.