AWS Security Due Diligence for M&A: Infrastructure and Data Protection
Part 2 - A comprehensive framework for evaluating AWS security during M&A due diligence, covering security gaps in infrastructure and data protection.

When acquiring a company with critical workloads running on AWS, infrastructure security controls represent the second line of defense that can make or break your investment. While Part 1 of this series (AWS Security Due Diligence for Acquisitions (M&A): Account and Identity Assessment Guide - Part 1) focused on account and identity controls, infrastructure protection reveals whether you’re inheriting robust, defensible systems or acquiring a security liability that could expose your entire organization to risk.
Poor infrastructure security creates hidden attack vectors that sophisticated threat actors will exploit to move laterally through your AWS environments, exfiltrate sensitive data, and establish persistent access. During M&A due diligence, these vulnerabilities often remain invisible until after closing, when integration efforts expose weaknesses that require costly remediation or, worse, result in data breaches that trigger regulatory penalties and customer trust issues.
In my experience conducting AWS security assessments for enterprises, infrastructure protection gaps are among the most expensive to remediate post-acquisition. Unlike identity issues that can be resolved through policy changes, infrastructure vulnerabilities often require fundamental architecture redesigns, network segmentation projects, and comprehensive data protection implementations that can delay integration by months and cost millions in remediation efforts.
Note: This is part 2 of a three-part series covering AWS security due diligence for M&A:
- Part 1 - AWS Security Due Diligence for M&A: Accounts and Identity
- Part 2 - AWS Security Due Diligence for M&A: Infrastructure and Data Protection
- Part 3 - AWS Security Due Diligence for M&A: AppSec and Incident Response
In this post, I will cover the critical infrastructure and data security controls that M&A teams must evaluate before closing an acquisition that has critical business workloads running on AWS, including network protection, compute security, and data protection strategies. I will also provide specific red flags, assessment questions, and remediation cost estimates to help acquirers identify infrastructure vulnerabilities that could impact deal value or create post-acquisition integration challenges.
Note: Infrastructure security assessments typically require 3-5 days for organizations with standard network architectures, but can extend to 2-3 weeks for complex environments with multiple VPCs, hybrid connectivity, and extensive data classification requirements. The timeline depends on network complexity, data volume, and the depth of security analysis required for your specific deal.
Network and Compute Security Protection
Network and compute security controls work together to create layered defenses that prevent unauthorized access and limit attack propagation. During M&A due diligence, these controls reveal whether a company has built defensible infrastructure or created vulnerable attack surfaces.
Network Architecture and Segmentation
Companies should design networks to contain threats and control traffic flow between system components and environments. If a company is not properly segmenting its AWS networks and not implementing network security controls, it is highly likely they have security gaps in their network infrastructure.
Essential network security practices:
- VPCs properly configured with private and public subnets
- Security groups acting as virtual firewalls with restrictive rules
- Network ACLs providing additional subnet-level protection
- Network segmentation separating different application tiers
- Web Application Firewall (WAF) protecting internet-facing applications
Deal-impacting red flags:
- All resources placed in public subnets with direct internet access
- Security groups allowing unrestricted access (0.0.0.0/0) on sensitive ports such as RDP (3389) or SSH (22)
- No network segmentation between production and development environments
- Missing WAF protection for customer-facing applications
- Overly permissive network ACL rules that bypass security group restrictions
Companies with poor network design create easy paths for attackers to move laterally between systems and access sensitive data.
Financial impact considerations:
- Network redesign costs typically range from $300K to $1.5M for enterprise environments
- Regulatory compliance violations (PCI, HIPAA, etc.) for unsegmented networks can result in fines up to $10M
- Data breach containment becomes impossible without proper network segmentation
- Integration delays of 4-8 months when fundamental network changes are required
Questions to ask during assessment:
- Can you provide network diagrams showing traffic flow between environments?
- What controls prevent lateral movement between production and development environments?
- How do you monitor and log network traffic for security analysis?
- Are customer data systems isolated from corporate networks?
Remote Access and Connectivity Security
When secure remote access is set up properly, it ensures that only authorized users can reach internal systems while maintaining comprehensive audit trails. If a company allows unrestricted remote access from external systems, this opens them up to data breaches that sophisticated attackers can easily exploit.
Best practices to verify:
- VPN or AWS Systems Manager Session Manager for secure remote access
- No direct SSH/RDP access from the internet
- Bastion hosts properly configured and monitored if used
- AWS PrivateLink for secure service-to-service communication
- Regular review and cleanup of remote access permissions
Warning signs during assessment:
- Direct internet access to internal servers through SSH or RDP
- Shared credentials for remote access across multiple users
- No logging or monitoring of remote access sessions
- Bastion hosts with IAM Roles attached that have excessive permissions or poor security configuration
- VPN access granted without time limitations or regular review
When companies allow unrestricted remote access, they create direct attack vectors that can bypass other security controls. Unrestricted remote access is one of the easiest ways for attackers to access AWS accounts and move laterally within the environment.
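As an added example that is not part of the original post, the following Python audits security group and network ACL rules for the red flags listed in this section and the previous one: sensitive ports (SSH, RDP, and the common database listeners) reachable from 0.0.0.0/0 or ::/0, and NACL entries that allow all inbound traffic from anywhere. The input dictionaries mirror the shape of the boto3 `describe_security_groups` and `describe_network_acls` responses, but every group ID, ACL ID and rule below is constructed for illustration; during an assessment you would feed in the live, paginated responses instead.

```python
"""Security group / network ACL exposure check (added example, constructed data)."""
from dataclasses import dataclass

# Ports the due-diligence checklist calls out, plus common database listeners.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    resource: str   # security group or NACL id
    detail: str     # human-readable description for the assessment report


def _open_cidrs(permission):
    """Return the IPv4/IPv6 ranges on one IpPermissions entry that mean 'anywhere'."""
    cidrs = [r.get("CidrIp") for r in permission.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _port_range(permission):
    """Inclusive port range of a rule; IpProtocol '-1' (all traffic) covers every port."""
    if permission.get("IpProtocol") == "-1":
        return 0, 65535
    return permission.get("FromPort", 0), permission.get("ToPort", 65535)


def audit_security_groups(groups):
    """Flag inbound rules that expose a sensitive port to the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):  # IpPermissions = inbound rules
            open_cidrs = _open_cidrs(perm)
            if not open_cidrs:
                continue
            low, high = _port_range(perm)
            for port, name in SENSITIVE_PORTS.items():
                if low <= port <= high:
                    findings.append(Finding(sg["GroupId"],
                                            f"{name} ({port}) reachable from {', '.join(open_cidrs)}"))
    return findings


def audit_network_acls(acls):
    """Flag inbound allow-all entries: such a NACL adds no subnet-level protection,
    so a single permissive security group is enough to expose a host."""
    findings = []
    for acl in acls:
        for entry in acl.get("Entries", []):
            if entry.get("Egress") or entry.get("RuleAction") != "allow":
                continue
            cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
            if entry.get("Protocol") == "-1" and cidr in ANYWHERE:
                findings.append(Finding(acl["NetworkAclId"],
                                        f"rule {entry['RuleNumber']} allows all inbound traffic from {cidr}"))
    return findings


# Constructed sample data (not real account output).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
SAMPLE_NACLS = [
    {"NetworkAclId": "acl-0default", "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-0private", "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS) + audit_network_acls(SAMPLE_NACLS):
        print(f"{f.resource}: {f.detail}")
```

The HTTPS-only group (sg-0web) produces no finding even though it is open to the world, which is the point: the check targets management and database ports, not every public listener. The all-traffic group (sg-0legacy) produces one finding per sensitive port so the report makes the blast radius visible.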
Compute Security and Vulnerability Management
Organizations should harden applications and servers against attacks and maintain current security updates and patches. Attackers often gain access to servers running in a company’s AWS account by exploiting known security vulnerabilities in software running on servers.
Security configuration requirements:
- Operating systems hardened according to security benchmarks (CIS or NIST)
- Regular patching schedule for operating systems and applications using services such as AWS Systems Manager Patch Manager
- Malware protection for EC2 instances using services such as GuardDuty Malware Protection for EC2
- Unnecessary services disabled and unused ports closed
- Security monitoring agents installed and properly configured
Container and serverless security:
- Container images scanned for vulnerabilities before deployment using services such as Amazon Inspector
- Application dependencies regularly updated and patched
- Secure coding practices followed during development
- Input validation and output encoding implemented throughout applications
- API security controls properly configured and monitored
Assessment red flags that impact deal value:
- Systems running outdated operating systems or applications with known vulnerabilities
- No regular patching process or significant patch delays (30+ days behind)
- Default configurations used without security hardening
- Containers deployed without vulnerability scanning or security reviews
- Applications with high-severity security vulnerabilities in production
Companies neglecting basic system maintenance and security create easy targets for automated attacks and expose sensitive data to unauthorized access.
M&A risk assessment:
If an organization has poor compute security, it may already be compromised without knowing it. These hidden breaches often surface post-acquisition, creating liability issues and regulatory compliance problems that significantly impact deal value.
Validation during due diligence:
- Request vulnerability scan reports from the past 6 months
- Review patch management procedures and compliance metrics
- Verify security configuration standards and implementation
- Assess integration complexity with your existing security tools
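To make the "30+ days behind" red flag measurable, here is an added Python example (mine, not the post's) that scores a patch inventory per instance and rolls it up for the deal report. The inventory format is a simplification of my own: one record per EC2 instance with the date of its last patch scan and the list of patches still missing, each with a severity and release date. You would populate it from AWS Systems Manager Patch Manager compliance data or from the target's own vulnerability scanner; the instance IDs, patch IDs and dates below are constructed placeholders.

```python
"""Patch backlog scoring (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

ACTIONABLE = {"Critical", "Important"}   # severities that count toward the backlog clock
BACKLOG_LIMIT_DAYS = 30                  # the checklist's 30+ day threshold
STALE_SCAN_DAYS = 14                     # assumption: an older scan says nothing reliable


def classify_instance(record, now):
    """Return (status, days_behind) for one instance record.

    status is one of:
      'stale-scan' - last patch scan too old to trust (days_behind is None)
      'backlog'    - an actionable patch has been available > BACKLOG_LIMIT_DAYS
      'pending'    - actionable patches missing but still inside the window
      'compliant'  - nothing actionable missing
    """
    if now - record["last_scan"] > timedelta(days=STALE_SCAN_DAYS):
        return "stale-scan", None
    actionable = [p for p in record["missing"] if p["severity"] in ACTIONABLE]
    if not actionable:
        return "compliant", 0
    oldest_release = min(p["released"] for p in actionable)
    days_behind = (now - oldest_release).days
    status = "backlog" if days_behind > BACKLOG_LIMIT_DAYS else "pending"
    return status, days_behind


def assess_fleet(records, now):
    """Classify every instance and summarise counts and the worst backlog."""
    per_instance = {r["instance_id"]: classify_instance(r, now) for r in records}
    counts = {}
    for status, _ in per_instance.values():
        counts[status] = counts.get(status, 0) + 1
    worst = max((d for _, d in per_instance.values() if d is not None), default=0)
    return {"instances": per_instance, "counts": counts, "worst_days_behind": worst}


def _utc(day):
    """Parse a constructed YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample inventory; IDs are placeholders, not real instances or patches.
NOW = _utc("2024-06-30")
SAMPLE_INVENTORY = [
    {"instance_id": "i-0web01", "last_scan": _utc("2024-06-28"), "missing": []},
    {"instance_id": "i-0app02", "last_scan": _utc("2024-06-29"),
     "missing": [{"id": "PATCH-PLACEHOLDER-1", "severity": "Critical", "released": _utc("2024-04-01")},
                 {"id": "PATCH-PLACEHOLDER-2", "severity": "Low", "released": _utc("2024-06-25")}]},
    {"instance_id": "i-0db03", "last_scan": _utc("2024-03-01"), "missing": []},   # scan data is stale
    {"instance_id": "i-0batch04", "last_scan": _utc("2024-06-27"),
     "missing": [{"id": "PATCH-PLACEHOLDER-3", "severity": "Important", "released": _utc("2024-06-20")}]},
]

if __name__ == "__main__":
    report = assess_fleet(SAMPLE_INVENTORY, NOW)
    for iid, (status, days) in report["instances"].items():
        print(f"{iid}: {status}" + (f" ({days} days behind)" if days else ""))
    print("summary:", report["counts"], "worst:", report["worst_days_behind"])
```

The stale-scan state is deliberately separate from compliance: an instance whose last scan is months old is not "clean", it is unknown, and in an assessment unknown counts against the target. Tune `STALE_SCAN_DAYS` to the target's own scan cadence.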
Data Protection and Classification Strategy
Data protection controls ensure sensitive information remains confidential and complies with regulatory requirements. Poor data protection creates the highest-value targets for attackers and the most significant liability risks for acquirers.
Data Classification and Discovery
Organizations need insights into their entire AWS environment and the data contained within it to protect their data and satisfy various compliance demands. When an organization does not know who has access to its data and where all of the data resides in various systems, this opens it up to costly data breaches.
Essential data classification practices:
- Comprehensive data discovery across all AWS services and accounts
- Clear data classification scheme (public, internal, confidential, restricted)
- Automated data classification tools deployed and properly configured
- Regular data inventory updates and classification reviews
- Integration between data classification and protection controls
Data handling requirements:
- Documented data retention and disposal policies
- Clear data ownership and stewardship assignments
- Data processing agreements for third-party integrations
- Geographic data residency controls where required by regulations such as GDPR
- Data lineage tracking for sensitive information flows
Deal-breaking warning signs:
- No data classification program or incomplete data inventory
- Sensitive data stored without proper identification or protection
- Unclear data ownership leading to compliance gaps
- No documented data handling procedures
- Missing data residency controls for regulated industries
Due diligence implications:
Companies without proper data classification cannot demonstrate compliance with privacy regulations like GDPR, CCPA, or industry standards like PCI-DSS and HIPAA. This creates immediate regulatory exposure and potential fines that can significantly impact deal economics.
Questions to ask during assessment:
- Can you provide a complete inventory of sensitive data across all systems?
- What data classification scheme do you use and how is it enforced?
- How do you ensure compliance with data residency requirements?
- What procedures exist for data subject requests and data deletion?
Data Protection at Rest and in Transit
When companies transmit and store data between systems, it should be protected with strong encryption. Many times, when data breaches occur, the data is not encrypted at rest, which makes it easy for attackers to sell the data or use it in future phishing attacks.
Encryption at rest requirements:
- Encryption is enabled for all databases, storage systems, and backup repositories
- Strong encryption algorithms meeting current security standards (AES-256)
- Proper key management using AWS KMS or Hardware Security Modules
- Regular rotation of encryption keys with documented procedures
- Separation of encryption keys from the data they protect
Encryption in transit requirements:
- All data communication encrypted using TLS 1.2 or higher
- API communications secured with proper authentication and encryption
- Database connections encrypted between applications and data stores
- File transfers protected with secure protocols (SFTP, HTTPS)
- Internal service communication encrypted within VPCs
Key management best practices:
- Centralized key management system with proper access controls
- Separation of duties for key management operations
- Secure key backup and recovery procedures
- Comprehensive audit logging for all key usage and management activities
- Regular review of key access permissions and usage patterns
Assessment red flags that create immediate liability:
- Unencrypted databases or storage systems containing sensitive data
- Data transmitted in clear text over networks
- Encryption keys stored with the data they protect
- No key rotation procedures or outdated encryption algorithms
- Weak key management practices with shared or default keys
Financial impact considerations:
- Data breach costs average $4.45M globally, with unencrypted data increasing costs by 40%
- Regulatory fines for unencrypted sensitive data can reach $50M+ under GDPR
- Emergency encryption implementation can cost $500K to $2M depending on data volume
- Compliance violations may require immediate remediation before deal closing
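An added Python example (mine, not the post's) that turns the encryption-at-rest and key-management red flags above into checks. The records mimic fields from the boto3 `describe_db_instances`, `describe_volumes`, `get_bucket_encryption` and `get_key_rotation_status` responses, but every identifier, ARN and value below is constructed. It flags unencrypted RDS instances, EBS volumes and S3 buckets, and any KMS key referenced by those data stores that does not have automatic rotation enabled.

```python
"""Encryption-at-rest and key-rotation audit (added example, constructed data)."""


def audit_encryption(inventory):
    """Return a list of (resource, issue) tuples.

    inventory keys:
      'rds' - list of DBInstance dicts (StorageEncrypted, KmsKeyId)
      'ebs' - list of Volume dicts (Encrypted, KmsKeyId)
      's3'  - bucket name -> ServerSideEncryptionConfiguration dict, or None
              when get_bucket_encryption reports no configuration
      'kms' - key ARN -> get_key_rotation_status() dict (KeyRotationEnabled)
    """
    issues = []
    keys_in_use = set()

    for db in inventory["rds"]:
        if not db.get("StorageEncrypted"):
            issues.append((db["DBInstanceIdentifier"], "RDS storage not encrypted"))
        elif db.get("KmsKeyId"):
            keys_in_use.add(db["KmsKeyId"])

    for vol in inventory["ebs"]:
        if not vol.get("Encrypted"):
            issues.append((vol["VolumeId"], "EBS volume not encrypted"))
        elif vol.get("KmsKeyId"):
            keys_in_use.add(vol["KmsKeyId"])

    for bucket, config in inventory["s3"].items():
        if not config:
            issues.append((bucket, "S3 bucket has no default encryption configuration"))
            continue
        for rule in config.get("Rules", []):
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
                keys_in_use.add(default["KMSMasterKeyID"])

    # Every key that protects data should be in the KMS inventory with rotation on.
    for key_arn in sorted(keys_in_use):
        status = inventory["kms"].get(key_arn)
        if status is None:
            issues.append((key_arn, "key referenced by a data store but missing from KMS inventory"))
        elif not status.get("KeyRotationEnabled"):
            issues.append((key_arn, "automatic key rotation disabled"))
    return issues


# Constructed sample inventory; ARNs and names are placeholders, not real resources.
K_DATA = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000001"
K_LOGS = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000002"
SAMPLE_INVENTORY = {
    "rds": [
        {"DBInstanceIdentifier": "orders-prod", "StorageEncrypted": True, "KmsKeyId": K_DATA},
        {"DBInstanceIdentifier": "legacy-crm", "StorageEncrypted": False},
    ],
    "ebs": [
        {"VolumeId": "vol-0a", "Encrypted": True, "KmsKeyId": K_LOGS},
        {"VolumeId": "vol-0b", "Encrypted": False},
    ],
    "s3": {
        "customer-exports": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                        {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": K_DATA}}]},
        "static-assets": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "old-backups": None,
    },
    "kms": {
        K_DATA: {"KeyRotationEnabled": True},
        K_LOGS: {"KeyRotationEnabled": False},
    },
}

if __name__ == "__main__":
    for resource, issue in audit_encryption(SAMPLE_INVENTORY):
        print(f"{resource}: {issue}")
```

The rotation check runs only over keys that actually protect a data store, which keeps the report focused on keys whose compromise would expose data rather than every key in the account. Pair the output with the "encryption keys stored with the data they protect" red flag by reviewing the key policies of the flagged keys for grants to the same roles that administer the data stores.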
Backup and Recovery Security
Backup systems require security controls to prevent data loss and ensure recovery capabilities during security incidents. There is nothing worse than having a disaster incident and then discovering that the backups aren’t available like you thought because they were never tested.
Secure backup practices:
- Regular automated backups with encryption enabled
- Backup data stored in separate accounts or regions
- Access controls preventing unauthorized backup modification or deletion
- Regular testing of backup restoration procedures
- Immutable backup storage to prevent ransomware damage
Recovery planning essentials:
- Documented recovery procedures for different disaster scenarios
- Recovery time and point objectives clearly defined and tested
- Regular testing of recovery procedures under realistic conditions
- Cross-region backup strategies for geographic disaster protection
- Integration between backup systems and incident response procedures
M&A risk assessment:
Companies with inadequate backup security may lose critical data during incidents or find their backups compromised along with production systems. This creates business continuity risks that can disrupt post-acquisition integration and operations.
Validation during due diligence:
- Request backup and recovery test results from the past year
- Verify backup encryption and access control implementation
- Review recovery time objectives and test whether they’re realistic
- Assess backup security integration with overall incident response plans
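As an added example that is not part of the original post, this Python checks an AWS Backup inventory against the practices above: Vault Lock enabled so recovery points cannot be deleted, recovery points encrypted and recent, at least one completed copy into a different account, and a successful restore within the last year. The records mirror fields of the boto3 `describe_backup_vault`, `list_recovery_points_by_backup_vault`, `list_copy_jobs` and `list_restore_jobs` responses, with all vault names, ARNs, account IDs and dates constructed.

```python
"""AWS Backup posture check (added example, constructed data)."""
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE_DAYS = 1          # assumption: daily backups are expected
MAX_RESTORE_TEST_AGE_DAYS = 365  # the checklist asks for test results from the past year


def account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def audit_backups(vaults, recovery_points, copy_jobs, restore_jobs, now):
    """Return a list of (resource, issue) tuples for the backup findings above."""
    issues = []

    for v in vaults:
        if not v.get("Locked"):
            issues.append((v["BackupVaultName"], "Vault Lock not enabled; recovery points can be deleted"))

    # Track the newest completed recovery point per vault and flag unencrypted ones.
    latest = {}
    for rp in recovery_points:
        if rp.get("Status") != "COMPLETED":
            continue
        if not rp.get("IsEncrypted"):
            issues.append((rp["RecoveryPointArn"], "recovery point not encrypted"))
        name = rp["BackupVaultName"]
        if name not in latest or rp["CompletionDate"] > latest[name]:
            latest[name] = rp["CompletionDate"]
    for v in vaults:
        name = v["BackupVaultName"]
        if name not in latest:
            issues.append((name, "no completed recovery points"))
        elif now - latest[name] > timedelta(days=MAX_BACKUP_AGE_DAYS):
            issues.append((name, f"latest backup is {(now - latest[name]).days} days old"))

    # A copy only counts as off-site if it landed in a different AWS account.
    offsite = any(account_of(j["SourceBackupVaultArn"]) != account_of(j["DestinationBackupVaultArn"])
                  for j in copy_jobs if j.get("State") == "COMPLETED")
    if not offsite:
        issues.append(("copy-jobs", "no completed copy to a separate account"))

    # Untested backups are the failure mode the section warns about.
    done = [j["CompletionDate"] for j in restore_jobs if j.get("Status") == "COMPLETED"]
    if not done or now - max(done) > timedelta(days=MAX_RESTORE_TEST_AGE_DAYS):
        issues.append(("restore-tests", "no successful restore in the past year"))
    return issues


def _utc(day):
    """Parse a constructed YYYY-MM-DD string into an aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample data; every name, ARN and account ID is a placeholder.
NOW = _utc("2024-06-30")
SRC = "arn:aws:backup:us-east-1:111111111111:backup-vault:prod-daily"
DST = "arn:aws:backup:us-west-2:222222222222:backup-vault:prod-daily-copy"
LEGACY_RP = "arn:aws:ec2:us-east-1::snapshot/snap-0legacyplaceholder"
SAMPLE_VAULTS = [
    {"BackupVaultName": "prod-daily", "Locked": True},
    {"BackupVaultName": "legacy-vault", "Locked": False},
]
SAMPLE_RECOVERY_POINTS = [
    {"RecoveryPointArn": "arn:aws:rds:us-east-1:111111111111:snapshot:awsbackup:job-placeholder",
     "BackupVaultName": "prod-daily", "Status": "COMPLETED", "IsEncrypted": True,
     "CompletionDate": _utc("2024-06-29")},
    {"RecoveryPointArn": LEGACY_RP, "BackupVaultName": "legacy-vault", "Status": "COMPLETED",
     "IsEncrypted": False, "CompletionDate": _utc("2024-06-01")},
]
SAMPLE_COPY_JOBS = [{"SourceBackupVaultArn": SRC, "DestinationBackupVaultArn": DST, "State": "COMPLETED"}]
SAMPLE_RESTORE_JOBS = [{"Status": "COMPLETED", "CompletionDate": _utc("2023-01-15")}]

if __name__ == "__main__":
    for resource, issue in audit_backups(SAMPLE_VAULTS, SAMPLE_RECOVERY_POINTS,
                                         SAMPLE_COPY_JOBS, SAMPLE_RESTORE_JOBS, NOW):
        print(f"{resource}: {issue}")
```

In the sample, the production vault passes every check while the legacy vault is unlocked, stale and unencrypted, and the fleet as a whole fails the restore-test check because the only successful restore is more than a year old. That last finding is the one to press on during due diligence: a vault full of recovery points that nobody has restored from is exactly the "backups that were never tested" scenario.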
From the Field
During my time at AWS conducting infrastructure security assessments, I’ve consistently found that companies with strong foundational controls (covered in Part 1, AWS Security Due Diligence for Acquisitions (M&A): Account and Identity Assessment Guide) but weak infrastructure protection face the highest remediation costs post-acquisition. Network security gaps and unencrypted data create systemic vulnerabilities that require architectural changes rather than simple policy updates.
The most successful acquisitions I’ve observed implemented comprehensive infrastructure security assessments early in due diligence, allowing time to negotiate appropriate deal terms and plan realistic integration timelines. Organizations that discovered infrastructure vulnerabilities after closing faced emergency remediation costs that often exceeded 10% of the deal value and delayed integration by 6-12 months.
That’s why thorough infrastructure protection assessment should be a non-negotiable component of your AWS security due diligence process. The insights gained from evaluating network security, compute protection, and data encryption will help you avoid costly surprises and negotiate from a position of strength.
At Avinteli, we specialize in comprehensive AWS infrastructure security assessments for M&A due diligence, helping acquirers identify critical vulnerabilities and understand remediation costs before closing deals. Our experience evaluating complex enterprise environments ensures you get the detailed technical analysis needed to make informed acquisition decisions and plan successful integrations.
In Part 3 of this series (AWS Security Due Diligence for Acquisitions (M&A): Application Security and Response Guide), we’ll examine application security and incident response capabilities that complete the security assessment framework for AWS-focused acquisitions.
Sheldon Sides
Sheldon is Founder and Chief Solutions Architect at Avinteli. Before founding Avinteli, he led Global Security and Compliance at Amazon Web Services (AWS) for Public Sector Partners and Global ISV Partners. Prior to his leadership role, he served as a Senior Security Solutions Architect at AWS, where he conducted comprehensive security assessments and guided Fortune 500 companies through complex, enterprise-scale AWS cloud implementations. His deep cloud security expertise and hands-on assessment experience help organizations identify critical vulnerabilities, close security gaps, accelerate their secure cloud adoption, and design and develop cloud-native solutions.