Technology Risk Assessment
Executive Summary
Acme Commerce's technology foundation supports the business case in two of four dimensions, but carries material pre-close risk in security and moderate risk in cloud cost structure.
The security finding requires immediate attention: 17 API keys and database credentials are committed directly into production code, including a Stripe live secret key and an AWS IAM user with S3 full-access.
Cloud infrastructure is running at approximately 137% of what it should cost for the workload profile. $280K–$340K in annualized savings are identifiable with no functional changes to the product.
Key Findings
Includes a Stripe live API secret key, AWS IAM user credentials with full S3 access, and a production PostgreSQL password across multiple repositories.
Payment processing, inventory decrement, email dispatch, and fraud checks live in one synchronous call chain with no retry logic.
Underutilized EC2, oversized RDS, cold data sitting in Standard S3, and oversized ElasticSearch relative to workload.
Deprecated endpoints, stale feature flags, and low test coverage materially increase change risk and slow new-hire ramp time.
Cloud Cost Analysis
| Service | Current | Optimized | Savings | Assessment |
|---|---|---|---|---|
| EC2 Compute (12 instances) | $312,000 | $148,000 | $164,000 | 3 instances running at <3% CPU. Right-size + Reserved Instances. |
| RDS (PostgreSQL, db.r6g.4xlarge) | $228,000 | $112,000 | $116,000 | Provisioned 4x actual workload. Downsize + read replica strategy. |
| S3 Storage (14 buckets) | $96,000 | $48,000 | $48,000 | No lifecycle policies. Move year-old raw data to Glacier. |
| ElasticSearch (9-node cluster) | $84,000 | $62,000 | $22,000 | Sized for 10x current document volume. Minor savings available. |
| Total | $780,000/yr | $428,000/yr | $352,000/yr | 45% cloud cost reduction opportunity |
Architecture Map (Generated from Code)
Prioritized Action List
| Priority | Action | Timeframe | Impact |
|---|---|---|---|
| 1 | Rotate all 17 committed credentials; implement secrets management with Vault or AWS Secrets Manager | Pre-Close | Eliminates PCI-DSS breach liability and compliance exposure |
| 2 | Right-size EC2 instances and purchase Reserved Instances for baseline workload | Day 1–30 | $164K/yr savings; 1-day implementation |
| 3 | Decouple checkout service with async queueing, retry logic, and dead-letter handling | 30–90 Days | Eliminates revenue-impacting outages; ROI in under 6 months |
| 4 | Implement S3 lifecycle policies; downsize RDS to match workload | 30–60 Days | $164K/yr additional savings |
| 5 | Begin systematic dead code removal and test coverage program | 90–180 Days | Unlocks engineering velocity and supports post-acquisition scale |
Recommended Management Questions
These questions are generated from findings and are designed to surface information not visible in the codebase or cost data.
- Who has access to the repositories containing the live Stripe and AWS credentials, and has any unauthorized party had access in the last 12 months?
- How have checkout outages been characterized to leadership, and what has the customer-facing impact been?
- Is the current AWS bill tracked against budget, and has the team performed any cloud cost review in the last 18 months?
- Is the engineering team aware that test coverage is at 14%, and is there an active improvement program underway?
- Redis is deployed without high availability. Has there been a production failure, and what is the recovery procedure?