Foundations
IAM, Organizations, root account, CloudTrail, Config, monitoring and networking.
AWS Compliance Monitoring
Continuously assess identity, logging, networking, compute, database, storage and end-user computing configurations across your AWS environment.

Combined full and partial API coverage — not claimed as fully automated.
Benchmark coverage
340 controls across five AWS security benchmarks
IAM, Organizations, root account, CloudTrail, Config, monitoring and networking.
EC2, Lambda, ECS, ECR, Elastic Beanstalk, App Runner, Batch and workload configuration.
RDS, Aurora, DynamoDB, ElastiCache, Neptune, DocumentDB, Keyspaces and database protection.
S3, EBS, EFS, FSx, backups, snapshots, retention, encryption and public exposure.
Amazon WorkSpaces, AppStream, WorkDocs and remote workspace security.
What we assess
From root account security to workload configuration
Every result includes resource-level evidence — not checklist summaries.
Root credentials, MFA, IAM users, roles, policies, Access Analyzer
Account inventory, SCPs, delegated administration and guardrails
CloudTrail, Config, CloudWatch, alarms, log retention
Security groups, NACLs, routes, VPC endpoints, public exposure
EC2 metadata, EBS encryption, AMIs, Lambda and container configuration
Encryption, backups, public accessibility, logging and authentication
Public access, versioning, retention, lifecycle and recovery controls
WorkSpaces access, device restrictions, encryption and monitoring
KMS keys, Secrets Manager, key rotation and policy restrictions
Automation coverage
319 API-addressable controls combine full and partial AWS API evidence. We do not market that total as fully automated.
AWS SDK configuration state is sufficient to produce PASS or FAIL directly.
API evidence is compared against approved CIDRs, role allowlists, retention, RTO/RPO or naming baselines.
Operational or process validation is required; API evidence supports manual evaluation.
Missing permissions or incomplete evidence are reported as Unknown — never silently marked compliant.
Example findings
Root MFA is enabled, but the configured device does not meet the approved hardware MFA requirement.
6 security groups allow administrative ports from 0.0.0.0/0.
3 member accounts are not covered by the approved organization-wide CloudTrail configuration.
4 buckets do not inherit the required account-level public access protection baseline.
12 instances do not enforce IMDSv2.
5 database resources do not meet the approved backup retention or deletion protection policy.
Example findings shown for demonstration purposes.
How it works
Deploy a read-only IAM role using CloudFormation or Terraform.
Trusteed inventories AWS Organizations accounts and scans all applicable enabled regions.
Configuration evidence is collected through 54 AWS service collector integrations.
Review failed controls, affected resources, evidence and step-by-step remediation guidance.
Secure by design
Benchmark reference
AWS Foundations coverage is based on the v7.0.0 reference.
Connect your AWS organization and turn hundreds of cloud configurations into prioritized, evidence-backed compliance findings.