Security Review Checklist

Access Control Review

    Pull the current user list from Okta / Google Workspace SSO and reconcile against HRIS active employees. Flag any orphaned accounts from departed engineers — GitHub org, AWS console, k8s RBAC, and vendor SaaS each have to be checked. This is a SOC 2 CC6.1 control; auditors will ask for the evidence.

    Confirm hardware-key or TOTP MFA is enforced for AWS root, IAM admin roles, GitHub org owners, and production database accounts. SMS-only MFA is no longer acceptable under the revised NIST SP 800-63B.

    Run IAM Access Analyzer or equivalent against production AWS / GCP roles. Look for wildcard * actions, over-broad resource scopes, and permissions that have gone unused for more than 90 days. Access Advisor's last-accessed data, derived from CloudTrail, shows what's actually used.
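The three checks in this item (wildcard actions, over-broad resource scope, permissions unused for over 90 days) as a small policy linter. This is an added example written for this checklist, not Amazon's Access Analyzer or Access Advisor code; the deploy-role policy, the account id and the last-accessed dates are constructed, and the `last_accessed` dictionary stands in for the per-service last-accessed data Access Advisor would report.

```python
"""Constructed example: lint IAM policy documents for the findings an
Access Analyzer / Access Advisor pass is meant to surface. This is not
Amazon's tooling; the policy and last-accessed data below are made up."""
from datetime import date, timedelta

UNUSED_AFTER_DAYS = 90
TODAY = date(2024, 6, 1)  # pinned so the example is deterministic


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy, last_accessed, today=TODAY):
    """Return (severity, message) findings for one policy document.

    last_accessed maps a service prefix such as "s3" to the date the role
    last called that service, or None if it never has; it stands in for the
    CloudTrail-derived last-accessed data Access Advisor reports.
    """
    findings = []
    granted_services = set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow grants it
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(("critical", f"stmt {idx}: Action '*' grants every API"))
                continue
            service, _, verb = action.partition(":")
            granted_services.add(service)
            if verb == "*":
                findings.append(("high", f"stmt {idx}: wildcard action {action}"))
        # Resource '*' on a named action is the over-broad-scope case; some
        # read-only APIs genuinely need it, so a reviewer confirms each hit.
        if "*" in resources and not all(a == "*" for a in actions):
            findings.append(("high", f"stmt {idx}: Resource '*' with actions {actions}"))
    cutoff = today - timedelta(days=UNUSED_AFTER_DAYS)
    for service in sorted(granted_services):
        last = last_accessed.get(service)
        if last is None:
            findings.append(("medium", f"{service}: granted but never used"))
        elif last < cutoff:
            findings.append(("medium", f"{service}: last used {last}, over {UNUSED_AFTER_DAYS} days ago"))
    return findings


# Constructed policy for a hypothetical deploy role (account id is a placeholder)
DEPLOY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
         "Resource": "arn:aws:ecs:us-east-1:111122223333:service/prod/*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
# Constructed last-accessed data: ecs is stale, iam was never used
LAST_ACCESSED = {"s3": date(2024, 5, 30), "ecs": date(2024, 1, 15), "iam": None}

if __name__ == "__main__":
    for severity, message in lint_policy(DEPLOY_ROLE_POLICY, LAST_ACCESSED):
        print(f"[{severity}] {message}")
```

Running it against the constructed policy yields five findings: two on the `s3:*` statement, one on `iam:PassRole` with `Resource: *`, and two unused-service findings (ecs stale, iam never used). The unused-service output is what turns the 90-day rule into a concrete list of permissions to remove.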

    Cross-check People Ops termination list against deactivation logs in Okta, GitHub, AWS SSO, PagerDuty, and any SaaS not covered by SCIM. SCIM consolidates most accounts but never all of them.

    Disable each orphaned account, rotate any shared credentials they had access to, and file a remediation ticket linking back to the offboarding gap. Auditors want the corrective action documented, not just the disable.
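The reconciliation the three offboarding items above describe (HRIS active list versus each system's user export, with non-SCIM SaaS checked separately), as an added example. It is written for this checklist and is not Okta's, GitHub's or any HRIS vendor's code; the employees, systems and status strings are constructed, and real exports will use each vendor's own status vocabulary.

```python
"""Constructed example of the offboarding reconciliation: compare HRIS active
employees with the user list exported from each identity system and report
accounts that should already be disabled. All identifiers are made up."""
from datetime import date

# HRIS export: email -> (status, termination date or None)
HRIS = {
    "ana@example.com": ("active", None),
    "ben@example.com": ("terminated", date(2024, 4, 12)),
    "cara@example.com": ("terminated", date(2024, 5, 28)),
    "dev@example.com": ("active", None),
}

# Per-system exports. The SCIM-managed system (okta) is nearly clean; the
# hand-provisioned SaaS (pagerduty) is where orphans and shared accounts hide.
SYSTEMS = {
    "okta": {"ana@example.com": "ACTIVE", "ben@example.com": "DEPROVISIONED",
             "cara@example.com": "ACTIVE", "dev@example.com": "ACTIVE"},
    "github": {"ana@example.com": "active", "ben@example.com": "active",
               "dev@example.com": "active"},
    "pagerduty": {"ana@example.com": "active", "ben@example.com": "active",
                  "cara@example.com": "active", "ops-shared@example.com": "active"},
}

ACTIVE_STATES = {"active", "provisioned"}  # vendors spell "enabled" differently
GRACE_DAYS = 1  # deprovisioning may lag the HRIS record by a day


def find_orphans(hris, systems, today):
    """Return {system: [(email, reason)]} for accounts still active in a
    system that have no active employee behind them in HRIS."""
    report = {}
    for system, users in systems.items():
        for email, status in users.items():
            if status.lower() not in ACTIVE_STATES:
                continue
            record = hris.get(email)
            if record is None:
                # No person owns it: a service or shared account that needs
                # an owner and, if it had shared credentials, a rotation.
                reason = "no HRIS record (shared/service account?)"
            elif record[0] == "terminated" and (today - record[1]).days > GRACE_DAYS:
                reason = f"terminated {record[1].isoformat()}"
            else:
                continue
            report.setdefault(system, []).append((email, reason))
    return report


def remediation_lines(report):
    """One ticket line per orphan, so the corrective action is documented."""
    return [f"{system}: disable {email} ({reason})"
            for system, items in report.items() for email, reason in items]


if __name__ == "__main__":
    for line in remediation_lines(find_orphans(HRIS, SYSTEMS, date(2024, 6, 1))):
        print(line)
```

With the constructed data the SCIM-managed system only misses the most recent leaver, GitHub still has an account from April, and the hand-provisioned SaaS has both leavers plus a shared account with no HRIS owner. Each line of the remediation output maps to the disable-and-ticket step above.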

Data Security

    Confirm RDS, S3 buckets, EBS volumes, and any self-hosted Postgres / MySQL have KMS-backed encryption enabled. Default-deny S3 bucket policies should reject unencrypted PutObject calls.
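The deny-unencrypted-PutObject bucket policy this item calls for, with a small evaluator that shows which requests it blocks. The policy is the common two-statement deny pattern; the evaluator is a simplified model written for this example (not S3's actual policy engine), the bucket name is constructed, and the evaluator only implements the `Null` and `StringNotEquals` operators the policy uses.

```python
"""Constructed example: an S3 bucket policy that rejects PutObject calls
without KMS server-side encryption, plus a simplified evaluator showing
which requests it denies. Not AWS code; the bucket name is made up."""

BUCKET = "prod-customer-exports"  # constructed bucket name

# Statement 1 denies uploads that send no SSE header at all; statement 2
# denies uploads that send one but do not ask for KMS.
DENY_UNENCRYPTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutWithoutSSE",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyNonKmsSSE",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def _condition_matches(condition, context):
    """Evaluate the two operators the policy uses against request headers.
    Simplified model: an absent key does not match StringNotEquals here;
    the Null statement is the one that covers a missing header."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null/"true" matches when the key is absent from the request
                if (expected == "true") != (not present):
                    return False
            elif operator == "StringNotEquals":
                if not present or context[key] == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def put_object_allowed(policy, bucket, key, context):
    """Return False when any Deny statement matches the request. An explicit
    deny wins over any Allow the caller's IAM policy might grant."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        prefix = stmt["Resource"].rstrip("*")
        if not resource.startswith(prefix):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return False
    return True


if __name__ == "__main__":
    sse = "s3:x-amz-server-side-encryption"
    for ctx in ({}, {sse: "AES256"}, {sse: "aws:kms"}):
        print(ctx, "->", "allowed" if put_object_allowed(DENY_UNENCRYPTED_POLICY, BUCKET, "a.csv", ctx) else "denied")
```

The evaluator shows the two statements working together: a header-less upload is denied by the `Null` statement, an upload asking for SSE-S3 is denied by the `StringNotEquals` statement, and only an upload requesting `aws:kms` gets through. Uploads to a different bucket are untouched, which is the check that the `Resource` ARN is scoped correctly.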

    Run SSL Labs or testssl.sh against the public ALBs and CloudFront distributions. TLS 1.0/1.1 must be disabled; HSTS should be set with a non-trivial max-age. PCI DSS 4.0 explicitly requires TLS 1.2 or higher.

    Run gitleaks or trufflehog across the org. GitHub secret scanning catches known token formats but misses custom API keys. Any hit needs the secret rotated and history rewritten with git-filter-repo — rotation alone leaves the secret in history.

    For each leaked credential: rotate at the issuer, audit usage logs for unauthorized access during the exposure window, then BFG / git-filter-repo to scrub history. File a SEV3 ticket if customer data could have been accessed.

    Restore the latest production RDS snapshot into a non-prod environment and run schema + row-count checks. A green backup metric for 18 months means nothing if the restore script depends on a credential that rotated. SOC 2 CC9.1 expects evidence of a tested restore.

Network Security

    Look for any 0.0.0.0/0 ingress on ports other than 80/443 on public-facing ALBs. SSH (22), RDP (3389), and database ports must be locked to bastion / Tailscale CIDR ranges. CSPM tools (Wiz, Lacework, Prisma Cloud) automate this but manual eyes catch the edge cases.
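The ingress review in this item as a script over exported security-group data. This is an added example written for the checklist, not a CSPM product's logic; the rule dictionaries mimic the shape of an EC2 DescribeSecurityGroups response but the groups, ports and the bastion / VPN CIDRs are constructed.

```python
"""Constructed example: flag world-open ingress on non-web ports and admin
ports reachable from outside the bastion / VPN ranges. Data shaped like an
EC2 DescribeSecurityGroups response, but entirely made up."""
import ipaddress

PUBLIC_WEB_PORTS = {80, 443}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5432: "postgres", 3306: "mysql", 6379: "redis"}
WORLD = {"0.0.0.0/0", "::/0"}
# Constructed bastion subnet and a CGNAT-style VPN range
TRUSTED_CIDRS = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("100.64.0.0/10")]

SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "prod-alb", "IpPermissions": [
        {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 8080, "ToPort": 8080, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "prod-db", "IpPermissions": [
        {"FromPort": 5432, "ToPort": 5432, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
        {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "legacy-jump", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def _ports(rule):
    """Port range of a rule; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]


def _cidrs(rule):
    """Both IPv4 and IPv6 ranges of a rule."""
    return ([e["CidrIp"] for e in rule.get("IpRanges", [])]
            + [e["CidrIpv6"] for e in rule.get("Ipv6Ranges", [])])


def _is_trusted(cidr):
    net = ipaddress.ip_network(cidr)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_CIDRS)


def audit_ingress(groups):
    """Return (group id, issue) findings for the rules above."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for rule in sg["IpPermissions"]:
            lo, hi = _ports(rule)
            for cidr in _cidrs(rule):
                if cidr in WORLD:
                    # Only a single web port may be open to the world
                    if not (lo == hi and lo in PUBLIC_WEB_PORTS):
                        findings.append((gid, f"{cidr} may reach ports {lo}-{hi}"))
                    continue  # already reported; the trusted-range check is moot
                for port, label in ADMIN_PORTS.items():
                    if lo <= port <= hi and not _is_trusted(cidr):
                        findings.append((gid, f"{label} ({port}) open to untrusted {cidr}"))
    return findings


if __name__ == "__main__":
    for gid, issue in audit_ingress(SECURITY_GROUPS):
        print(gid, issue)
```

Against the constructed groups it reports the 8080 listener open to the world on the ALB group, SSH on the database group reachable from a non-bastion range, and the legacy group's all-protocol rule. The last one is the kind of edge case the item mentions: a `-1` protocol rule has no port fields, so a scanner that only looks at `FromPort` misses it.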

    Confirm AWS WAF / Cloudflare rules cover the OWASP Top 10 patterns and that rate limits on auth endpoints are tight enough to defeat credential stuffing. Check for any rules in count-only mode that should be blocking.

    Check ACM cert expirations and Let's Encrypt ACME automation status. The classic outage is the renewal job that broke 30 days ago, with alerts going to a deprecated Slack channel. Verify the alert routes to a monitored channel.

Application Security

    Run Semgrep / CodeQL / SonarQube against main and triage any new high or critical findings. Focus on OWASP Top 10 patterns: injection, broken auth, IDOR, SSRF. False-positive rate is high — tag and suppress with rationale rather than ignoring.

    Pull Snyk / Dependabot / Renovate output. Triage anything CVSS 7.0+; major-version upgrades that require breaking changes need a tracked remediation ticket, not a wontfix. Don't let the queue pile up — that's how Log4Shell-style criticals catch teams off guard.

    List flags older than 6 months in LaunchDarkly / Unleash / Statsig. Each stale flag is a code path that escapes the test matrix. Assign each one a named owner with a kill-or-keep decision; the unowned ones quietly become security gaps.

    Manual review of session handling, password reset flow, and authorization checks on tenant-scoped endpoints. IDOR (insecure direct object reference) is the most common finding — verify object ownership is checked on every read/write, not just at the route boundary.
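The IDOR pattern this item describes, as an added example: a tenant-scoped endpoint that checks for a login at the route boundary but never compares the object's owner with the caller, next to the fixed version that checks ownership on every read and write. Framework-free so it runs stand-alone; the invoice records, tenant ids and session dictionaries are constructed and not from any real application.

```python
"""Constructed example of an insecure direct object reference on a
tenant-scoped endpoint, with the hardened version beside it. Data and
session shapes are made up for illustration."""

# Constructed store: invoice id -> record, including the owning tenant
INVOICES = {
    101: {"tenant_id": "acme", "amount": 1200, "status": "paid"},
    102: {"tenant_id": "globex", "amount": 450, "status": "open"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session, invoice_id):
    """Route boundary only checks that a session exists. The object's
    tenant_id is never compared with the caller's, so any logged-in tenant
    can read any invoice by supplying another id."""
    if session is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_fixed(session, invoice_id):
    """Ownership is verified on the object itself. A foreign id raises the
    same NotFound as a missing one, so the response does not confirm that
    the id exists for some other tenant."""
    if session is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["tenant_id"] != session["tenant_id"]:
        raise NotFound(invoice_id)
    return invoice


def update_invoice_status_fixed(session, invoice_id, status):
    """Writes reuse the read path's ownership check so the two cannot drift."""
    invoice = get_invoice_fixed(session, invoice_id)
    invoice["status"] = status
    return invoice


def cross_tenant_read_possible(fetch, session, foreign_id):
    """Review helper: True if `fetch` returns an object the session's tenant
    does not own. Useful as a regression test on every tenant-scoped route."""
    try:
        return fetch(session, foreign_id)["tenant_id"] != session["tenant_id"]
    except NotFound:
        return False


if __name__ == "__main__":
    acme = {"user": "u1", "tenant_id": "acme"}  # constructed session
    print("vulnerable leaks:", cross_tenant_read_possible(get_invoice_vulnerable, acme, 102))
    print("fixed leaks:", cross_tenant_read_possible(get_invoice_fixed, acme, 102))
```

`cross_tenant_read_possible` is the check to wire into the test suite for each tenant-scoped endpoint; where the object lives in a database, the equivalent of the fixed version is scoping the query itself (`WHERE id = ? AND tenant_id = ?`) rather than filtering after the fetch.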

System and Patch Management

    Check that production AMIs / container base images are within the current patch window. Trivy or Grype against the registry catches outdated base layers. SOC 2 CC7.1 expects critical patches applied within 30 days of release.

    Audit ClusterRoleBindings for over-broad access, especially anything bound to cluster-admin. Confirm the restricted Pod Security Standard is enforced on production namespaces and that no pods run as root unnecessarily.
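The RBAC and pod checks in this item over objects shaped like `kubectl get ... -o json` output. This is an added example for the checklist, not kubectl or a policy engine's code; the bindings, namespaces and pods are constructed. It assumes the default `cluster-admin` binding to `system:masters` is expected and flags every other cluster-admin subject, and it treats the container securityContext as overriding the pod-level one for the fields both can carry.

```python
"""Constructed example: audit ClusterRoleBindings for cluster-admin and
broad-group grants, check the restricted Pod Security Standard label on
production namespaces, and flag containers that run (or may run) as root.
All objects below are made up."""

PSS_LABEL = "pod-security.kubernetes.io/enforce"
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-admin"},  # the default binding; expected
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ci-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
    {"metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "eng"}]},
    {"metadata": {"name": "everyone-edit"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

NAMESPACES = [
    {"metadata": {"name": "prod", "labels": {PSS_LABEL: "restricted"}}},
    {"metadata": {"name": "prod-batch", "labels": {}}},
]

PODS = [
    {"metadata": {"name": "api-1", "namespace": "prod"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "api", "securityContext": {"runAsUser": 1000}}]}},
    {"metadata": {"name": "etl-1", "namespace": "prod-batch"},
     "spec": {"containers": [{"name": "etl"}]}},
    {"metadata": {"name": "agent-1", "namespace": "prod"},
     "spec": {"containers": [{"name": "agent",
                              "securityContext": {"runAsUser": 0, "privileged": True}}]}},
]


def audit_bindings(bindings):
    """(binding name, issue) for cluster-admin grants beyond system:masters
    and for any role handed to the broad built-in groups."""
    findings = []
    for b in bindings:
        name, role = b["metadata"]["name"], b["roleRef"]["name"]
        for s in b.get("subjects", []):
            if role == "cluster-admin" and s["name"] != "system:masters":
                findings.append((name, f"cluster-admin bound to {s['kind']} {s['name']}"))
            if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
                findings.append((name, f"{role} bound to {s['name']}"))
    return findings


def audit_pods(pods, namespaces):
    """(namespace or pod, issue) for missing PSS enforcement and root containers."""
    findings = []
    for ns in namespaces:
        meta = ns["metadata"]
        if meta.get("labels", {}).get(PSS_LABEL) != "restricted":
            findings.append((meta["name"], "namespace does not enforce the restricted PSS"))
    for pod in pods:
        pod_sc = pod["spec"].get("securityContext", {})
        ident = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for c in pod["spec"]["containers"]:
            # container-level fields override pod-level ones (simplified merge)
            sc = {**pod_sc, **c.get("securityContext", {})}
            if sc.get("privileged"):
                findings.append((ident, f"container {c['name']} is privileged"))
            uid = sc.get("runAsUser")
            if uid == 0:
                findings.append((ident, f"container {c['name']} runs as uid 0"))
            elif uid is None and not sc.get("runAsNonRoot"):
                findings.append((ident, f"container {c['name']} sets neither runAsUser nor runAsNonRoot; image default may be root"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit_bindings(CLUSTER_ROLE_BINDINGS) + audit_pods(PODS, NAMESPACES):
        print(subject, issue)
```

The third pod finding is the one that is easy to miss in a manual review: `etl-1` sets no securityContext at all, so whether it runs as root depends on the image's USER directive, which is exactly what a restricted-PSS namespace would have rejected.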

    Pull CloudTrail console-login events and SSM Session Manager logs for the past quarter. Any non-break-glass production SSH should have a linked incident ticket. Routine console debugging is a SOC 2 audit finding every time.

Physical Security and Sign-Off

    For office locations with on-prem servers or sensitive equipment, pull badge logs and reconcile against active employees. For cloud-only shops, review the SOC 2 reports from AWS / GCP / Azure as the evidence chain for physical controls.

    Pull MDM (Kandji, Jamf, Intune) reports showing FileVault / BitLocker enabled, screen lock under 15 minutes, and OS within a current major version. Any device flagged non-compliant for more than 7 days needs a follow-up ticket.

    Capture the security lead's sign-off, attach the consolidated evidence package, and route open remediation items into Jira / Linear with owners and due dates. Vanta / Drata / Secureframe customers can attach this as the quarterly control evidence.

Use this template in Manifestly