
Releases: avinash-matrixgard/aws-startup-security-baseline

v0.1.0 — initial release

26 Apr 03:04


First public release of the opinionated AWS security baseline for seed-stage startups.

What's in v0.1.0

12 AWS security controls every 5-engineer seed startup should turn on this afternoon, plus a deliberately curated skip list of the 80 CIS controls you can defer until Series A.

Controls: IAM password policy, root usage / no-MFA / trail-tamper alarms, multi-region CloudTrail with KMS encryption + log file validation, S3 account-level public access block, GuardDuty with HIGH/CRITICAL EventBridge filter, Security Hub + AWS Foundational Best Practices, IAM Access Analyzer, default EBS encryption, default-VPC Flow Logs, AWS Config recorder (high-blast-radius types), Cost Anomaly Detection, AWS Budgets monthly cap with 80% / 100% threshold alerts.
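As an added illustration of the GuardDuty control above (example Terraform, not the module's own code), this wires the detector to an EventBridge rule that forwards only HIGH (7.0–8.9) and CRITICAL (9.0–10.0) findings to an SNS topic; the topic and rule names are assumed, and provider/region configuration is assumed to exist elsewhere.

```hcl
resource "aws_guardduty_detector" "main" {
  enable = true
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts" # assumed topic name; subscribe on-call email/chat here
}

# Numeric matching keeps MEDIUM-and-below findings (severity < 7) out of the alert channel.
resource "aws_cloudwatch_event_rule" "guardduty_high_critical" {
  name        = "guardduty-high-critical-findings" # assumed rule name
  description = "GuardDuty findings with severity >= 7 (HIGH and CRITICAL)"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 7] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "guardduty_to_sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_high_critical.name
  target_id = "sns-security-alerts"
  arn       = aws_sns_topic.security_alerts.arn
}

# EventBridge can only publish to the topic if the topic policy allows it;
# the SourceArn condition pins the grant to this one rule.
data "aws_iam_policy_document" "allow_eventbridge_publish" {
  statement {
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.security_alerts.arn]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.guardduty_high_critical.arn]
    }
  }
}

resource "aws_sns_topic_policy" "security_alerts" {
  arn    = aws_sns_topic.security_alerts.arn
  policy = data.aws_iam_policy_document.allow_eventbridge_publish.json
}
```

Lowering the threshold to 4 would also page on MEDIUM findings, which is usually too noisy for a five-person team; start at 7 and review the MEDIUM backlog in the GuardDuty console on a schedule instead.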

Total runtime cost at startup scale: ~10–40 USD/month. Less than one engineer's lunch.

What's included

  • ~22 AWS resources across IAM, KMS, S3, CloudTrail, GuardDuty, Security Hub, Access Analyzer, EBS, VPC, Config, Cost Explorer, Budgets, SNS, CloudWatch
  • Two examples: greenfield + brownfield-with-existing-CloudTrail
  • Per-control deep-dive docs (docs/controls.md) with rationale, AWS doc citations, "what breaks if you skip", "when to graduate off"
  • CI: terraform fmt, terraform validate, tflint, tfsec
  • OpenSSF Scorecard analysis
  • Dependabot for Terraform providers + GitHub Actions
  • All Actions pinned to commit SHA (supply-chain hardening)

Get started

5-minute quickstart and full module reference are in the README.

Maintained by

MatrixGard — fractional DevSecOps for pre-seed and seed startups across India, Singapore, UAE, UK, and US. Issues, PRs, and questions welcome.

License: MIT.