Startup security has a reputation for being expensive, which lets everyone off the hook. In practice, the problems I find in early-stage AWS accounts are rarely exotic and almost never need budget. They need an afternoon and an owner. Here are the five I find most, in roughly the order I find them.
1. Long-lived access keys in CI
An IAM user called ci-deploy, created in 2023, with admin rights and an access key that has never been rotated, pasted into your pipeline's environment variables. If that key leaks, someone owns your cloud. OIDC federation between your CI provider and AWS removes the standing key entirely, takes an hour or two to set up, and costs nothing.
2. Everyone is an admin
It made sense when there were three of you. Now there are twelve, everyone still has AdministratorAccess, and half the logins have no MFA. The fix is boring and known: SSO, groups with least-privilege policies, MFA enforced. Nobody enjoys the week you tighten it. Everybody enjoys not being the headline.
3. Secrets living in environment variables and repos
Database passwords in a .env committed "temporarily". API keys in plain text in task definitions. Every one of these is readable by anyone who can read the repo or the console. Secrets Manager or Parameter Store costs next to nothing and turns a sprawling secret-leak surface into one auditable place.
4. Logging that no human will ever see
CloudTrail is on, because it's on by default. And that's where it ends: no GuardDuty, no alerts, nothing wired to a place a person actually looks. An intrusion isn't a movie moment, it's a quiet series of API calls, and the difference between a bad day and a catastrophic quarter is whether anything told you in week one. Detection with alerts that reach a phone is a one-day job.
5. The security group that's open "for now"
Port 22 or 5432 open to 0.0.0.0/0 because someone needed to debug something in 2024. Internet-facing databases still get found and raked by scanners within hours. Audit your security groups quarterly; it takes twenty minutes and the finding is nearly always there.
The pattern
Notice what's missing from the list: zero-days, nation states, anything requiring a security team. Startup security failures are ownership failures. Someone senior looks, fixes, and keeps looking. That's the whole discipline at this stage.
Want your account looked at properly? That's the SecOps service: findings ranked by real risk, critical fixes done. Get in touch.