General Pillar

Investor Due Diligence for a Series A AWS Startup: What Gets Flagged

Series A technical DD now includes a structured review of cloud infrastructure. AWS environments with IAM debt, encryption gaps, unattributable cost, and absent monitoring are flagged — and affect deal terms. This guide explains what reviewers look for and how to get ahead of it.

May 23, 202610 min read#aws#due diligence#series a#infrastructure#well-architected

A Series A investor receives your pitch deck, your financials, and your data room. Increasingly, they also receive access to your AWS environment — either directly or via a technical DD firm engaged to assess infrastructure risk. According to a Fortinet 2026 cloud security survey, 70% of organisations identify misconfigured cloud services as a major risk — a number that sophisticated investors and their technical advisors are now quoting back to founders during DD.

This has changed the nature of Series A technical due diligence. Ten years ago, technical DD meant reviewing code quality and architecture diagrams. Today it includes cloud infrastructure posture: IAM configuration, encryption coverage, cost attribution, observability, and the maturity of your infrastructure-as-code practices. These are no longer soft questions — they produce specific findings that affect deal terms, warranties, and in some cases whether the round closes on schedule.

This guide explains what DD reviewers actually look for, which findings carry the most weight, and how to run a pre-DD infrastructure review — ideally 60 to 90 days before you expect to enter the process — so that you arrive with a clear picture and a remediation narrative, not a list of surprises.

Why technical due diligence now includes cloud infrastructure

Three changes have made infrastructure review a standard part of Series A DD over the past three to four years.

Cloud breaches are now common enough to be a known risk category. Infrastructure misconfiguration appears in a growing share of disclosed security incidents, and investors are aware of this. An environment with unresolved High-severity findings is a contingent liability. Investors who are buying equity are also implicitly buying that liability — and sophisticated ones price it in.

Compliance requirements have moved earlier in the company lifecycle. SOC 2 Type II, ISO 27001, and HIPAA BAAs are now common requirements at Series A customers rather than Series B. If your infrastructure does not meet the preconditions for these certifications — encryption at rest, audit logging, access controls — your ability to close enterprise deals is constrained. That is a revenue risk, and revenue risk shows up in DD.

Terraform and IaC have made infrastructure reviewable at scale. If your environment is defined in Terraform, a technical DD firm can run a structured assessment in hours rather than days. This has lowered the cost of infrastructure DD to the point where it is now standard — not exceptional — for deals above $5M.

What DD teams look for in an AWS environment

A typical infrastructure DD review covers five areas. The first two — IAM and encryption — carry the most weight because they represent current risk. The remaining three — cost, observability, and IaC maturity — represent operational risk that affects scalability and investor confidence in the team.

IAM configuration and identity hygiene

IAM is the first area reviewed and the most consequential. The reason is straightforward: IAM misconfiguration determines the blast radius of any other security failure. An attacker who gains access to an overly-permissive role does not just compromise one service — they compromise everything that role can access.

DD reviewers look for four IAM signals:

  • 1.Static access keys on IAM users — every key is a long-lived credential that can be phished, leaked via source control, or extracted from a compromised CI/CD system. Each key is a named finding.
  • 2.Wildcard permissions — any role policy with Action: "*" or Resource: "*". These exist in many startup environments as a "we'll lock it down later" shortcut that never gets addressed. They are the single most common blocker in infrastructure DD.
  • 3.IMDSv1 on EC2 instances — the absence of http_tokens = "required" in Terraform metadata_options. This is the pattern behind the most well-documented AWS infrastructure breach of the last decade and is trivial to find in Terraform.
  • 4.No MFA enforcement — IAM users with console access and no MFA requirement. For a company that stores customer data, this is a direct compliance gap.
iam-audit.sh✗ Before
# List all IAM users — DD reviewers count static access keys as liabilitiesaws iam list-users   --query 'Users[*].{User:UserName,Created:CreateDate,PasswordLastUsed:PasswordLastUsed}'   --output table# Find users with active access keys (each is a long-lived, rotatable credential)for user in $(aws iam list-users --query 'Users[*].UserName' --output text); do  keys=$(aws iam list-access-keys --user-name "$user"     --query 'AccessKeyMetadata[?Status==`Active`].AccessKeyId' --output text)  [ -n "$keys" ] && echo "$user: $keys"done# Check for any policies with wildcard actions — blast-radius riskaws iam list-policies --scope Local   --query 'Policies[*].{Name:PolicyName,Arn:Arn}' --output table

DD reviewers run checks equivalent to these. Run them yourself first — the output should contain no active access keys in CI and no wildcard policies in production.

Encryption and data protection

Encryption findings carry weight proportional to what the affected storage contains. An unencrypted S3 bucket that holds static marketing assets is a lower-severity finding than an unencrypted RDS instance that holds customer PII. DD reviewers assess both the configuration and the data classification — and if you cannot answer “what data is in this bucket” during DD, that is itself a finding.

The minimum acceptable encryption posture for a Series A startup handling customer data: S3 buckets with server-side encryption enabled (SSE-KMS for any bucket containing PII or regulated data), public access blocks at the bucket level, RDS with StorageEncrypted = true, EBS volumes encrypted, and no secrets stored in Terraform variables. The S3 encryption guide covers the distinction between SSE-S3, SSE-KMS, and what the Well-Architected Security pillar requires for each data classification tier.

encryption-audit.sh✗ Before
# Check S3 buckets for server-side encryption configurationaws s3api list-buckets --query 'Buckets[*].Name' --output text |   tr '	' '' | while read bucket; do    enc=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null       --query 'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm'       --output text 2>/dev/null || echo "NONE")    echo "$bucket: $enc"  done# Check RDS instances for encryption at restaws rds describe-db-instances   --query 'DBInstances[*].{ID:DBInstanceIdentifier,Encrypted:StorageEncrypted,Engine:Engine,MultiAZ:MultiAZ}'   --output table

Run before DD. Every bucket showing 'NONE' and every RDS instance with Encrypted: false is a finding that will appear in a DD report.

Cost transparency and attribution

Cost structure matters to investors for two reasons. First, it is a proxy for operational discipline — an environment with tagged resources and a predictable cost trend signals that the team understands what they are running and why. Second, it is a forward-looking risk: a cost structure that cannot be attributed to services and environments will not scale cleanly and will create surprises at the post-close financial review.

The specific signals DD reviewers look at:

  • 1.Tagging coverage — what percentage of EC2, RDS, and S3 resources have Name and Environment tags. Resources without Environment tags cannot be attributed to prod vs. staging cost, which makes the cost model opaque.
  • 2.Cost trend — the 90-day AWS Cost Explorer trend. Is it flat, growing proportionally with revenue/usage, or growing faster than either? Faster-than-usage growth without explanation is flagged.
  • 3.NAT Gateway spend — this appears unexpectedly large in many startup environments because most S3 and DynamoDB traffic routes through a NAT Gateway instead of VPC endpoints. It is a cost efficiency finding, not a security finding, but it signals infrastructure that was not designed for cost awareness.
  • 4.Reserved Instance or Savings Plan coverage — for a company at Series A run rate, 0% RI coverage on baseline EC2 and RDS is a missed optimisation that implies the infrastructure has not been reviewed from a cost perspective.

Observability and incident response

Investors ask one implicit question about observability: if something goes wrong at 2am on a Sunday, will the team know within 15 minutes? The infrastructure signals that answer that question:

  • 1.GuardDuty enabled in every account and region with workloads — this is the baseline runtime threat detection signal. An environment without GuardDuty has no automated detection for credential abuse, unusual API patterns, or instance compromise.
  • 2.CloudTrail enabled as a multi-region trail — every API call recorded, logs stored in a centralised bucket, not the same account as the workloads.
  • 3.CloudWatch alarms on critical services — error rate, latency P95, CPU. Alarms that go to an SNS topic connected to PagerDuty or Opsgenie, not to a Slack channel that no one monitors at night.
  • 4.Log retention policy — CloudWatch log groups should have a retention period set. Indefinite retention is both a cost problem and a signal that the team has not thought about what logs are for.

Terraform and infrastructure-as-code maturity

Infrastructure defined in Terraform is reviewable, auditable, and reproducible. Infrastructure created manually through the AWS console is none of those things — and DD reviewers will note the proportion of your environment that falls outside Terraform state. Console-created resources are an operational risk (no version control, no review process, no reproducibility in a disaster recovery scenario) and a governance risk (no record of who created what and when).

The IaC maturity signals DD reviewers assess:

  • 1.Coverage — what percentage of production resources are in Terraform state. Everything outside state is invisible to any automated review tool.
  • 2.Module structure — monolithic modules with mixed environments (prod, staging, dev in one state file) are a blast-radius risk and a signal of infrastructure that grew without architectural review.
  • 3.CI integration — whether Checkov, tfsec, or Trivy is integrated into the CI pipeline and blocking deployments on High findings. Advisory-only integration (fails don't block) is a weaker signal.
  • 4.State storage — whether state is in S3 with DynamoDB locking or stored locally. Local state means the last developer to run terraform apply owns the truth about production infrastructure.

What DD reviewers find in Terraform — and what they want to see

The single most common finding in Series A infrastructure DD is an IAM role policy with wildcard permissions. It appears in Terraform as Action: "*", it passes many linter checks, and it represents a maximum blast-radius condition that is usually a shortcut from early-stage development that was never revisited.

The fix is straightforward — but the remediation requires understanding what each role actually needs access to, which is often undocumented. That work takes time. Running this review 60 to 90 days before DD gives you the time to do it properly.

iam-roles.tf✗ Before
# DD finding: IAM role with wildcard — blast-radius riskresource "aws_iam_role_policy" "app_policy" {  name = "app-policy"  role = aws_iam_role.app.id  policy = jsonencode({    Statement = [{      Effect   = "Allow"      Action   = "*"           # Flags immediately in any DD review      Resource = "*"    }]  })}

The wildcard IAM policy is the single most common finding in infrastructure DD.

iam-roles.tf✓ After
# What DD reviewers want to see: least-privilege, service-specific scoperesource "aws_iam_role_policy" "app_policy" {  name = "app-policy"  role = aws_iam_role.app.id  policy = jsonencode({    Statement = [      {        Effect = "Allow"        Action = [          "s3:GetObject",          "s3:PutObject",        ]        Resource = "${aws_s3_bucket.app_data.arn}/*"      },      {        Effect   = "Allow"        Action   = ["secretsmanager:GetSecretValue"]        Resource = aws_secretsmanager_secret.app_credentials.arn      }    ]  })}

Least-privilege: permissions scoped to specific actions and specific resource ARNs — the pattern DD reviewers want to see.

The findings that affect deal terms

Not all infrastructure findings are equal in DD. Some are noted and remediated post-close. Others affect deal terms directly.

High — may affect warranties or closing conditions

  • ·Hardcoded credentials in source control (current or in git history)
  • ·Wildcard IAM permissions on any role that accesses customer data
  • ·Unencrypted storage containing PII or regulated data
  • ·No CloudTrail — means there is no audit record of any action in the account

Medium — noted in DD report, remediation plan requested

  • ·Static IAM access keys in CI pipelines (not rotated on a documented schedule)
  • ·EC2 instances without IMDSv2 enforcement
  • ·Production RDS without Multi-AZ
  • ·No GuardDuty — no runtime threat detection signal

Low — operational maturity concerns

  • ·Incomplete tagging coverage — cost attribution is opaque
  • ·Linter in CI but non-blocking — findings are advisory only
  • ·CloudWatch log groups without retention policy
  • ·Monolithic Terraform module covering prod and staging in one state file

How to get ahead of DD with a Well-Architected review

The most effective pre-DD approach is a structured Well-Architected review against the four pillars most relevant to a technical DD assessment: Security, Reliability, Cost Optimization, and Operational Excellence. Conducted 60 to 90 days before you expect to enter DD, it gives you:

  • 1.A complete findings list you own before the investor does — no surprises.
  • 2.Time to remediate the highest-severity findings before DD begins.
  • 3.A before/after narrative: "We identified N findings in our Q1 review. X are remediated; Y are scheduled in Q3." This is materially more credible than a clean scan run the week before DD.
  • 4.Documentation that satisfies the DD requirement without requiring an investor-side technical review team to generate the findings themselves — which compresses the DD timeline.

The Terraform Architecture Review guide covers the full six-step process for conducting a review yourself — including how to evaluate each WAF pillar and produce a stakeholder-ready report. If you need a structured external assessment to put in your data room, ArchGuard produces a PDF report that maps findings to WAF pillars with severity ratings and HCL remediation examples — the format that DD reviewers expect to see.

The pre-DD infrastructure checklist

Use this as a self-assessment 60 to 90 days before you expect DD to begin. Every item below has been flagged in at least one Series A infrastructure review. Items in the IAM and encryption sections are the highest-priority — start there.

IAM and identity

Zero IAM users with active static access keys in CI pipelines — replace with OIDC
No IAM role policies with Action: "*" or Resource: "*" in production
MFA enforced on all IAM users with console access
EC2 instances use IMDSv2 (http_tokens = "required" in metadata_options)
No hardcoded credentials in Terraform variables, tfvars, or .env files

Encryption

All S3 buckets: server-side encryption configured (SSE-KMS for sensitive data)
All S3 buckets: public access block enabled at bucket level
All RDS instances: StorageEncrypted = true
All EBS volumes attached to production EC2: encrypted
Secrets in AWS Secrets Manager or SSM Parameter Store (SecureString) — not variables

Reliability

Production RDS: multi_az = true
Production RDS: backup_retention_period ≥ 7
No single-instance EC2 serving production traffic without an Auto Scaling Group
ALBs configured across at least two availability zones
Lambda functions processing critical operations have a dead-letter queue configured

Cost and observability

All production resources tagged with at minimum: Name, Environment, Service
CloudTrail enabled as a multi-region trail in all accounts
GuardDuty enabled in every region with active workloads
CloudWatch alarms configured for error rates, latency, and CPU on critical services
Monthly cost trend attributable by service and environment

Infrastructure-as-code maturity

Production infrastructure managed in Terraform — not created manually through the console
Terraform state stored remotely in S3 with DynamoDB locking
Linter (Checkov, tfsec, or Trivy) integrated into CI and failing builds on High findings
Module structure separates production, staging, and dev environments
Well-Architected review conducted and findings documented with remediation status

For a new CTO or VP Engineering running this review as part of an onboarding audit rather than pre-DD preparation, the New CTO’s AWS Infrastructure Audit covers the same areas in a first-30-days context, with specific commands and a three-phase structure suited to an inherited environment.

Frequently asked questions

What do investors check during technical due diligence on AWS infrastructure?

Technical DD teams reviewing AWS infrastructure typically assess five areas: IAM hygiene (least-privilege roles, no static access keys, MFA enforced); encryption (data at rest and in transit, customer-managed KMS keys for sensitive workloads); cost structure (tagged resources, predictable cost trend); observability (GuardDuty, CloudTrail, alerting in place); and infrastructure-as-code maturity (Terraform coverage, linter in CI, remote state). Each gap represents either a security risk or an operational risk that affects the ability to scale.

Can infrastructure issues block a Series A round?

Infrastructure issues rarely block a round outright, but they affect deal terms, valuation adjustments, and post-close requirements. Common outcomes include: a remediation plan required as a condition of closing; additional representations and warranties around security posture; an extended DD timeline; or a reduced round size to fund remediation. Undisclosed issues — particularly hardcoded credentials or unencrypted regulated data — represent liability that investors are now inheriting, and sophisticated investors price that in.

What is the AWS Well-Architected Framework and why do investors care about it?

The AWS Well-Architected Framework (WAF) is Amazon's structured set of best practices covering Security, Reliability, Cost Optimization, Operational Excellence, Performance Efficiency, and Sustainability. Investors care because it is a vendor-recognised, publicly documented standard. A company that presents a WAF-aligned audit with findings and a remediation plan demonstrates that its infrastructure has been reviewed against a known standard — a materially different answer than 'we use Checkov in CI,' because Checkov evaluates individual resource configurations, not architectural soundness across the full stack.

How far in advance should a founder run a pre-DD infrastructure review?

At least 60 to 90 days before you expect to enter DD. The review itself takes hours to days depending on Terraform coverage. But the remediation work — eliminating static IAM access keys, adding Multi-AZ to production databases, migrating secrets to Secrets Manager, implementing a tagging strategy — takes multiple engineering sprints. Starting 90 days out gives you time to remediate the most consequential findings and present a before/after picture to investors.

What Terraform patterns do DD reviewers flag most often?

The five most common Terraform findings in Series A DD: (1) IAM roles with wildcard actions — Action: "*" or Resource: "*" in any role policy; (2) IMDSv1 on EC2 instances — the absence of http_tokens = "required" in metadata_options; (3) S3 buckets without server-side encryption or without public-access blocks; (4) RDS instances without multi_az = true for production databases; and (5) secrets in Terraform variables or tfvars files rather than in AWS Secrets Manager. The first and fifth are the most common blockers because they represent both a current risk and an indicator of IAM hygiene culture.

Is a linter scan enough to satisfy technical DD on AWS infrastructure?

No. A linter evaluates individual Terraform resource configurations against deterministic rules. It answers 'is this configuration valid?' — not 'is this architecture sound for a production workload?' Common findings that pass all linter checks but are still flagged in DD: an IAM role whose permissions are individually valid but collectively grant access to the entire production account; RDS instances with encryption enabled but no automated backups; Lambda functions without dead-letter queues processing financial transactions. DD reviewers apply architectural context that linters cannot.

Pre-DD Infrastructure Review

Get a DD-Ready Well-Architected Report for Your AWS Environment

Upload your Terraform and get a structured PDF report — findings mapped to WAF pillars with severity, blast-radius context, and HCL remediation examples. The format DD reviewers expect to see in the data room.

View PricingSee the Methodology

Includes findings across Security, Reliability, Cost Optimization, and Operational Excellence pillars.