# SaaS infrastructure gates by funding stage (AWS)

Run these **in order** at each funding milestone. Do not skip gates because "we'll fix it at Series B" —
investor diligence and SOC 2 timelines compress what you can defer.

> Reflects **July 2026** guidance: AWS Activate (Founders up to $5k, Portfolio up to $200k with Org ID),
> Organizations multi-account, Aurora Serverless v2, Fargate Spot 80/20 split.

## Seed / pre-PMF (MVP → first paying customers)

- [ ] Single AWS account with **environment tags** (`environment=dev|staging|prod`)
- [ ] **Cost allocation tags** on every billable resource (`service`, `team`)
- [ ] Monthly budget alert at **80%** and **100%** of expected spend
- [ ] No long-lived IAM users — SSO or role-based CI only
- [ ] Apply for **AWS Activate Founders** (up to **$5,000** credits) when ready to deploy

**Rollback trigger:** Bill growth exceeds **2×** the user growth rate for two consecutive months → architecture review before the Series A pitch.

## Series A (product-market fit → $1M–$5M ARR band)

- [ ] **AWS Organizations** with minimum **3 accounts**: prod, non-prod, shared (ECR, DNS, logs)
- [ ] **Multi-AZ** on production RDS/Aurora and ElastiCache
- [ ] **WAF** on public API/ALB (even pre-SOC2 — blocks scanner noise)
- [ ] **CloudTrail** org trail → immutable S3 + KMS CMK
- [ ] **Secrets Manager** or SSM Parameter Store for all credentials (no env vars in task defs)
- [ ] Activate **Portfolio credits** (up to **$200k** with investor Org ID) before large GPU/ML experiments

**Rollback trigger:** Cannot produce an account-level cost breakdown in **48 hours** for the board → defer feature work until tagging is fixed.
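
One way to enforce the "no env vars in task defs" item in CI, as an added example (not code from this post): audit an ECS task definition for credentials placed in `environment` and for `secrets` entries that do not point at Secrets Manager or SSM. The name/value patterns, the full-ARN rule, and the sample task definition are assumptions constructed for illustration.

```python
import json
import re

# Assumed heuristics; tune for your codebase.
SENSITIVE_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
# Access-key-shaped strings, or URLs with embedded user:password@.
SENSITIVE_VALUE = re.compile(r"\bAKIA[0-9A-Z]{16}\b|://[^/\s:@]+:[^/\s@]+@")
# House rule (stricter than ECS): valueFrom must be a full Secrets Manager or SSM ARN.
ALLOWED_SOURCE = re.compile(r"^arn:aws[a-z-]*:(secretsmanager|ssm):")

# Constructed sample task definition (account ID and names are placeholders).
SAMPLE_TASK_DEF = json.loads("""
{
  "family": "api",
  "containerDefinitions": [{
    "name": "api",
    "environment": [
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "STRIPE_API_KEY", "value": "constructed-not-a-real-key"},
      {"name": "DATABASE_URL", "value": "postgres://app:constructed-pw@db.internal:5432/app"}
    ],
    "secrets": [
      {"name": "JWT_SIGNING_KEY", "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/jwt-AbCdEf"},
      {"name": "SMTP_PASSWORD", "valueFrom": "arn:aws:ssm:us-east-1:111122223333:parameter/prod/smtp"},
      {"name": "LEGACY_TOKEN", "valueFrom": "s3://config-bucket/token.txt"}
    ]
  }]
}
""")

def audit_task_definition(task_def):
    """Return findings for credentials that bypass Secrets Manager / SSM."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        cname = container.get("name", "<unnamed>")
        for env in container.get("environment") or []:
            name, value = env.get("name", ""), env.get("value", "")
            if SENSITIVE_NAME.search(name) or SENSITIVE_VALUE.search(value):
                findings.append(f"{cname}: plaintext credential in environment: {name}")
        for sec in container.get("secrets") or []:
            if not ALLOWED_SOURCE.match(sec.get("valueFrom", "")):
                findings.append(f"{cname}: secret {sec.get('name')} is not a Secrets Manager/SSM ARN")
    return findings

if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE_TASK_DEF):
        print(finding)
```

Fail the pipeline when the returned list is non-empty; name-based matching will occasionally flag harmless variables, so keep an explicit allowlist rather than loosening the patterns.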

## Series B (scale → enterprise sales)

- [ ] **SCP guardrails** on prod OU (region deny, instance size caps)
- [ ] **SOC 2 Type II** evidence path: Config rules, Security Hub, documented access reviews
- [ ] **Savings Plans or RIs** on baseline compute (after **30-day** Cost Explorer stable baseline)
- [ ] **Multi-region** DR documented (pilot light or warm standby — pick one)
- [ ] Per-tenant cost attribution for **top 20%** revenue customers (tag or app-level)

**Rollback trigger:** Enterprise prospect asks for SOC 2 and you have no Security Hub score history → emergency 90-day compliance sprint.

## What NOT to do at each stage

| Stage | Anti-pattern |
|-------|--------------|
| Seed | Multi-account before you need billing isolation |
| Series A | Full microservices split before team can deploy independently |
| Series B | Savings Plans before baseline is stable (commitment trap) |

## Related posts

- [Cost-optimized SaaS stack](/blog/cost-optimized-saas-stack-aws-end-to-end/)
- [SaaS multi-tenancy models](/blog/saas-multi-tenancy-on-aws-silo-vs-pool-vs-bridge-model/)
- [SOC 2 on AWS](/blog/how-to-achieve-soc2-compliance-aws-2026/)
