
April 4, 2026 · Tim Fraser, Cloud Operations Lead

How to Answer Client Security Questionnaires About Your AWS Setup

You've just won a deal — almost. The client's security team has sent over a spreadsheet with 150 questions about your infrastructure, data handling, and incident response. They need it back by Friday.

If you run on AWS, you've seen this before. Every B2B company selling to enterprises eventually faces a client security questionnaire. They range from a simple 20-question form to a 400-row spreadsheet covering everything from physical data centre security to employee background checks.

Most of the AWS-related questions are the same across questionnaires. Here's how to answer the common ones — and how to stop dreading them.

The questions that always come up

"Where is our data stored?"

The client wants to know the geographic location and the provider. A good answer: "All data is stored in AWS's ap-southeast-2 region (Sydney, Australia). Data at rest is stored in Amazon S3 and Amazon RDS. No data is replicated to regions outside Australia."

Adjust for your actual regions and services. The key is being specific — "in the cloud" is not an acceptable answer.

"Who has access to our data?"

This is really two questions: which people and which systems. For people, describe your IAM setup: "Access to production systems is restricted to [N] engineers via IAM roles with least-privilege policies. All console access requires multi-factor authentication. Access is reviewed quarterly."

For systems, list the services that touch customer data and explain how they authenticate — IAM roles, not long-lived credentials.

"Is our data encrypted?"

Cover both states. "Data is encrypted at rest using AES-256 via AWS-managed keys (SSE-S3 for object storage, RDS encryption for databases). Data in transit is encrypted using TLS 1.2 or higher for all public endpoints and internal service communication."

If you use KMS with customer-managed keys, mention it — it's a stronger answer.

"Do you perform regular security audits?"

This is where most companies stumble. The honest answer for many teams is "we check things when we remember to." Auditors and security teams want to hear about a defined process with a regular cadence.

A strong answer: "We run automated security scans of our AWS environment weekly, covering IAM configuration, network security, encryption status, and resource exposure. Findings are triaged and remediated based on severity."

"What is your incident response process?"

They want to know you have a plan and have practiced it. Describe your process: detection (how you know something happened), containment (how you stop the damage), investigation (how you find the root cause), remediation (how you fix it), and communication (how you notify affected parties).

If you've never written this down, now is the time. It doesn't need to be 50 pages — a single page covering those five steps for your most likely incidents is enough.

"Do you have logging and monitoring in place?"

"AWS CloudTrail is enabled across all regions for API-level audit logging. Logs are stored in a dedicated S3 bucket with versioning and integrity validation enabled. VPC Flow Logs capture network-level traffic. CloudWatch alarms monitor for critical security events including root account usage, IAM policy changes, and security group modifications."
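To show what those three CloudWatch alarms actually match on, here is an added example (not from the article or any plainfra code): the root-usage, IAM-policy-change and security-group-change selectors written as plain Python checks over a CloudTrail log file, following the CIS AWS Foundations Benchmark metric-filter patterns. The sample log and the account id 111111111111 are constructed so the check runs offline.

```python
import json

# Selectors for the three alarm categories, written as plain Python rather than
# CloudWatch metric-filter syntax so they run offline. Event names are real CloudTrail eventNames.
IAM_POLICY_EVENTS = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "DeleteUserPolicy",
    "DeleteGroupPolicy", "DeleteRolePolicy", "CreatePolicy", "DeletePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy", "AttachRolePolicy", "DetachRolePolicy",
}
SG_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "CreateSecurityGroup",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress", "DeleteSecurityGroup",
}

def classify(event):
    """Map one CloudTrail record to an alarm name, or None if it is routine activity.
    Root usage means the root identity acting directly, not a service acting on its behalf."""
    ident = event.get("userIdentity", {})
    if (ident.get("type") == "Root" and "invokedBy" not in ident
            and event.get("eventType") != "AwsServiceEvent"):
        return "root-account-usage"
    if event.get("eventSource") == "iam.amazonaws.com" and event.get("eventName") in IAM_POLICY_EVENTS:
        return "iam-policy-change"
    if event.get("eventSource") == "ec2.amazonaws.com" and event.get("eventName") in SG_EVENTS:
        return "security-group-change"
    return None

def alarms_from_log(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) into (time, alarm, event, actor) hits."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        alarm = classify(rec)
        if alarm:
            hits.append((rec["eventTime"], alarm, rec["eventName"],
                         rec.get("userIdentity", {}).get("arn", "?")))
    return hits

# Constructed sample log; the account id 111111111111 is a placeholder, not a real account.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-04-01T09:12:03Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2026-04-01T09:20:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2026-04-01T09:21:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}},
]})
```

Each hit is exactly the kind of timestamped record a questionnaire reviewer will ask to see as evidence that the alarms exist and fire.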

"How do you manage vulnerabilities and patching?"

Describe your update process. If you're using managed services (RDS, Lambda, Fargate), mention that AWS handles the underlying OS patching. For EC2 instances or containers you manage, describe your patching cadence.

"Can you provide evidence of your security controls?"

This is the question that separates prepared companies from scrambling ones. The client wants documentation — screenshots, reports, exported logs — that proves your answers are real and not aspirational.

Why questionnaires take so long

The questions themselves aren't hard. What makes them painful is gathering the evidence. To answer "is all data encrypted at rest?" with confidence, someone needs to check every S3 bucket, every RDS instance, every EBS volume, every DynamoDB table. Manually, that takes hours of clicking through the AWS console.

Then multiply by every question that requires checking your actual configuration. "Who has access?" means reviewing every IAM user, role, and policy. "Are security groups locked down?" means checking every security group in every region.

For a team without dedicated security staff, a single questionnaire can consume a week of engineering time.
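To make the evidence gathering concrete, here is an added example (not the article's or plainfra's code) that answers the "Is our data encrypted?", "Who has access?" and "Are security groups locked down?" questions from the response shapes boto3 returns. The sample buckets, users and groups are constructed; in a real account you would feed in the results of get_bucket_encryption, list_mfa_devices and describe_security_groups for every bucket, user and region.

```python
from ipaddress import ip_network

# Constructed sample data mirroring boto3 response shapes (not from a real account). Live
# sources: s3.get_bucket_encryption(Bucket=...), iam.list_mfa_devices(UserName=...), ec2.describe_security_groups().
BUCKET_ENCRYPTION = {  # bucket -> get_bucket_encryption() result, None if the call raised
    "customer-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": "alias/data-key"}}]}},
    "static-assets": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    "legacy-exports": None,
}
USER_MFA = {  # IAM user -> list_mfa_devices()["MFADevices"]
    "alice": [{"SerialNumber": "arn:aws:iam::111111111111:mfa/alice"}],
    "ci-bot": [],
}
SECURITY_GROUPS = [  # describe_security_groups()["SecurityGroups"]
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-internal", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

def bucket_default_sse(cfg):
    """Default SSE algorithm for a bucket: 'aws:kms', 'AES256', or 'none' if no rule exists."""
    rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return rules[0]["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] if rules else "none"

def users_without_mfa(user_mfa):
    """IAM users with no registered MFA device; each one is a questionnaire finding."""
    return sorted(user for user, devices in user_mfa.items() if not devices)

def internet_exposed_rules(groups):
    """Ingress rules reachable from any IPv4/IPv6 address, ranked: TCP 80/443 is
    expected for public endpoints (low); anything else open to the world is high."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                    [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(ip_network(c).prefixlen == 0 for c in cidrs):
                continue  # only internal ranges: not internet-exposed
            port = perm.get("FromPort")  # absent when IpProtocol is "-1" (all traffic)
            web = perm["IpProtocol"] == "tcp" and port == perm.get("ToPort") and port in (80, 443)
            findings.append((sg["GroupId"], perm["IpProtocol"], port, "low" if web else "high"))
    return sorted(findings, key=lambda f: f[3] != "high")  # high-severity first
```

The bucket check also tells you which buckets use SSE-KMS rather than SSE-S3, which is the detail behind the "customer-managed keys" answer above.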

How plainfra turns days into minutes

plainfra connects to your AWS account with read-only access, so you can ask the questions directly and get answers immediately.

"Are all my S3 buckets encrypted?" — plainfra checks every bucket and tells you. "Which IAM users don't have MFA?" — answered in seconds. "Do I have any security groups open to the internet?" — full scan, every region, prioritised results.

Instead of spending a day in the console gathering evidence, you ask plainfra the same questions the client is asking you. Copy the answers into the questionnaire. Move on.

But the real advantage comes from the weekly health reports. When you've been receiving weekly security scans for months, answering "do you perform regular security audits?" becomes trivially easy. You have timestamped evidence of continuous monitoring — not a one-off check performed the night before the questionnaire was due.

The next time a client security questionnaire lands in your inbox, it's a two-hour task instead of a two-day scramble. And the answers are backed by evidence you can actually produce.
