AWS Compliance Monitoring

Continuous AWS compliance across every account, region and workload

Continuously assess identity, logging, networking, compute, database, storage and end-user computing configurations across your AWS environment.

Amazon Web Services
Multi-account · multi-region
340
Security controls
5
CIS benchmark families
319
API-addressable controls
54
AWS service collectors
94% of controls supported by AWS API evidence

Combined full and partial API coverage — not claimed as fully automated.

Benchmark coverage

340 controls across five AWS security benchmarks

Foundations

70 controls

IAM, Organizations, root account, CloudTrail, Config, monitoring and networking.

Compute

82 controls

EC2, Lambda, ECS, ECR, Elastic Beanstalk, App Runner, Batch and workload configuration.

Database

98 controls

RDS, Aurora, DynamoDB, ElastiCache, Neptune, DocumentDB, Keyspaces and database protection.

Storage

56 controls

S3, EBS, EFS, FSx, backups, snapshots, retention, encryption and public exposure.

End User Compute

34 controls

Amazon WorkSpaces, AppStream, WorkDocs and remote workspace security.

What we assess

One assessment across your AWS environment

From root account security to workload configuration

Every result includes resource-level evidence — not checklist summaries.

Identity & Access

Root credentials, MFA, IAM users, roles, policies, Access Analyzer

AWS Organizations

Account inventory, SCPs, delegated administration and guardrails

Logging & Monitoring

CloudTrail, Config, CloudWatch, alarms, log retention

Network Security

Security groups, NACLs, routes, VPC endpoints, public exposure

Compute Security

EC2 metadata, EBS encryption, AMIs, Lambda and container configuration

Database Security

Encryption, backups, public accessibility, logging and authentication

Storage & Backup

Public access, versioning, retention, lifecycle and recovery controls

End User Computing

WorkSpaces access, device restrictions, encryption and monitoring

Secrets & Encryption

KMS keys, Secrets Manager, key rotation and policy restrictions

Automation coverage

What we can collect — and what we refuse to guess

319 API-addressable controls combine full and partial AWS API evidence. We do not market that total as fully automated.

125
Deterministic API checks

AWS SDK configuration state is sufficient to produce PASS or FAIL directly.

194
Policy-assisted API checks

API evidence is compared against approved CIDRs, role allowlists, retention, RTO/RPO or naming baselines.

21
Evidence-driven controls

Operational or process validation is required; API evidence supports manual evaluation.

Missing permissions or incomplete evidence are reported as Unknown — never silently marked compliant.

Example findings

What assessments actually surface

Root Account MFA Protection Gap

Root MFA is enabled, but the configured device does not meet the approved hardware MFA requirement.

Public Administrative Access Detected

6 security groups allow administrative ports from 0.0.0.0/0.

Incomplete Organization Trail Coverage

3 member accounts are not covered by the approved organization-wide CloudTrail configuration.

S3 Public Access Protection Gap

4 buckets do not inherit the required account-level public access protection baseline.

EC2 Metadata Security Risk

12 instances do not enforce IMDSv2.

Database Recovery Gap

5 database resources do not meet the approved backup retention or deletion protection policy.

Example findings shown for demonstration purposes.

How it works

Connect, discover, collect, remediate

01

Connect your AWS organization

Deploy a read-only IAM role using CloudFormation or Terraform.

One integration for multi-account assessment
02

Discover accounts and regions

Trusteed inventories AWS Organizations accounts and scans all applicable enabled regions.

Multi-account · multi-region
03

Collect resource-level evidence

Configuration evidence is collected through 54 AWS service collector integrations.

54 service collectors
04

Prioritize and remediate

Review failed controls, affected resources, evidence and step-by-step remediation guidance.

Resource-level findings

Secure by design

Least privilege. Read-only. No guessed Pass.

Read-only IAM access
No AWS passwords stored
Cross-account role assumption
Region-aware evidence collection
Resource-level timestamps
Raw evidence and exception records preserved
Collection failures reported as Unknown or Error
0 unsupported checks automatically marked as Passed

Benchmark reference

Version and coverage details

BenchmarkVersionControls
CIS Amazon Web Services Foundations Benchmarkv7.0.070
CIS AWS Compute Services Benchmarkv2.0.082
CIS AWS Database Services Benchmarkv2.0.098
CIS AWS End User Compute Services Benchmarkv1.2.034
CIS AWS Storage Services Benchmarkv1.0.056

AWS Foundations coverage is based on the v7.0.0 reference.

Know exactly where your AWS environment stands.

Connect your AWS organization and turn hundreds of cloud configurations into prioritized, evidence-backed compliance findings.