of 54 automated
8 critical
attested compliant
7 new failures since last run
- Default branch protection enabled
- Cloud Audit Logs enabled for all services
- MFA enforced via Security Defaults or Conditional Access
- Azure Activity Log diagnostic settings configured
- Azure managed disks encrypted at rest
- Azure SQL Transparent Data Encryption enabled
- Azure PostgreSQL enforces SSL
8 critical controls failing — audit risk
- Root account has no active access keys (CC6.1)
- CloudTrail enabled in all regions (CC7.2)
- GuardDuty enabled in all regions (CC7.2)
- Default branch protection enabled (CC8.1)
- Cloud Audit Logs enabled for all services (CC7.2)
- MFA enforced via Security Defaults or Conditional Access (CC6.1)
- Azure Storage account public blob access disabled (CC6.1)
- Azure Activity Log diagnostic settings configured (CC7.2)
| Check | Criteria | Severity | Status | Last Run | |
|---|---|---|---|---|---|
MFA enabled for all IAM users MFA enabled for all IAM users: all observed resources comply. ↳ CC6.1 — Identifies and Authenticates Users | SOC 2CC6.1 PCI8.4.2 ISO 270018.5 | critical | pass | 7/10/2026 | |
Root account has no active access keys Root account has no active access keys: 2 resource(s) do not comply. Fix: Delete root keys: AWS Console → Account name → Security credentials → Access keys → Delete. Use IAM users or roles instead. ↳ CC6.1 — Manages Credentials for Infrastructure and Software | SOC 2CC6.1 PCI8.6.1 ISO 270018.2 | critical | fail | 7/10/2026 | |
S3 public access block enabled S3 public access block enabled: all observed resources comply. ↳ CC6.1 — Restricts Access to Information Assets | SOC 2CC6.1 PCI1.4.4 ISO 270018.20 | critical | pass | 7/10/2026 | |
CloudTrail enabled in all regions CloudTrail enabled in all regions: 2 resource(s) do not comply. Fix: Create a multi-region trail: CloudTrail → Create trail → Apply to all regions. Enable log file validation and deliver logs to a dedicated S3 bucket. ↳ CC7.2 — Implements Detection Policies, Procedures, and Tools | SOC 2CC7.2 PCI10.2.1 ISO 270018.15 | critical | fail | 7/10/2026 | |
GuardDuty enabled in all regions GuardDuty enabled in all regions: 2 resource(s) do not comply. Fix: Enable: Console → GuardDuty → Get Started → Enable. Use AWS Organizations to enable in all accounts and delegate to a security account. ↳ CC7.2 — Designs Detection Measures | SOC 2CC7.2 PCI11.5.1 ISO 270018.16 | critical | fail | 7/10/2026 | |
No security groups expose SSH/RDP/DB ports to the internet No security groups expose SSH/RDP/DB ports to the internet: all observed resources comply. ↳ CC6.1 — Restricts Access to Information Assets | SOC 2CC6.1 PCI1.4.1 ISO 270018.20 | critical | pass | 7/10/2026 | |
No credentials unused for 90+ days No credentials unused for 90+ days: all observed resources comply. ↳ CC6.2 — Removes Access to Protected Assets When Appropriate | SOC 2CC6.2 PCI8.2.6 ISO 270015.16 | high | pass | 7/10/2026 | |
Strong password policy configured Strong password policy configured: all observed resources comply. ↳ CC6.1 — Considers Password Requirements | SOC 2CC6.1 PCI8.3.6 ISO 270015.17 | high | pass | 7/10/2026 | |
S3 buckets encrypted at rest S3 buckets encrypted at rest: all observed resources comply. ↳ CC6.1 — Uses Encryption to Protect Data | SOC 2CC6.1 PCI3.5.1 ISO 270018.24 | high | pass | 7/10/2026 | |
CloudTrail log file validation enabled CloudTrail log file validation enabled: all observed resources comply. ↳ CC7.2 — Evaluates Security Events | SOC 2CC7.2 PCI10.3.2 ISO 270018.15 | high | pass | 7/10/2026 | |
RDS instances encrypted at rest RDS instances encrypted at rest: 2 resource(s) do not comply. Fix: Enable at creation: RDS → Create database → Storage → Enable encryption. For existing instances: take snapshot → copy with encryption → restore from encrypted snapshot. ↳ CC6.1 — Uses Encryption to Protect Data | SOC 2CC6.1 PCI3.5.1 ISO 270018.24 | high | fail | 7/10/2026 | |
EBS default encryption enabled EBS default encryption enabled: all observed resources comply. ↳ CC6.1 — Uses Encryption to Protect Data | SOC 2CC6.1 PCI3.5.1 ISO 270018.24 | high | pass | 7/10/2026 | |
VPC Flow Logs enabled VPC Flow Logs enabled: 2 resource(s) do not comply. Fix: Enable: VPC → Your VPCs → [VPC] → Flow logs → Create flow log. Ship to CloudWatch Logs or S3 and set up metric filters for anomaly detection. ↳ CC7.2 — Implements Detection Policies, Procedures, and Tools | SOC 2CC7.2 PCI10.2.1 ISO 270018.16 | high | fail | 7/10/2026 | |
CloudWatch alarm for root account usage CloudWatch alarm for root account usage: all observed resources comply. ↳ CC7.2 — Responds to Identified Security Events | SOC 2CC7.2 PCI10.7.2 ISO 270015.25 | high | pass | 7/10/2026 | |
CloudWatch log groups retain at least 12 months CloudWatch log groups retain at least 12 months: all observed resources comply. ↳ CC7.2 — Implements Detection Policies, Procedures, and Tools | SOC 2CC7.2 PCI10.5.1 ISO 270018.15 | high | pass | 7/10/2026 | |
Load balancer HTTPS listeners require TLS 1.2 or higher Load balancer HTTPS listeners require TLS 1.2 or higher: all observed resources comply. ↳ CC6.1 — Uses Encryption to Protect Data | SOC 2CC6.1 PCI4.2.1 ISO 270018.24 | high | pass | 7/10/2026 | |
RDS instances enforce TLS at the parameter group RDS instances enforce TLS at the parameter group: all observed resources comply. ↳ CC6.1 — Uses Encryption to Protect Data | SOC 2CC6.1 PCI4.2.1 ISO 270018.24 | high | pass | 7/10/2026 | |
S3 versioning enabled on critical buckets S3 versioning enabled on critical buckets: 2 resource(s) do not comply. Fix: Enable versioning: S3 → Bucket → Properties → Bucket Versioning → Enable. Add lifecycle rules to transition old versions to Glacier. ↳ A1.2 — Environmental Protections, Software, Data Back-Up Processes, and Recovery Infrastructure | SOC 2A1.2 PCI10.5.1 ISO 270018.13 | medium | fail | 7/10/2026 | |
RDS instances use non-default master username RDS instances use non-default master username: all observed resources comply. ↳ CC6.1 — Manages Credentials for Infrastructure and Software | SOC 2CC6.1 PCI2.2.5 ISO 270018.9 | medium | pass | 7/10/2026 |