Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →
SOC 2 Type II Observation Window FY2026 · Mar 12, 2026Sep 8, 2026
120 of 180 days elapsed
Active
Posture Score
63%
x
Passing
34

of 54 automated

Failing
20

8 critical

Manual Controls
8/36

attested compliant

Posture Score Trend

7 new failures since last run

  • Default branch protection enabled
  • Cloud Audit Logs enabled for all services
  • MFA enforced via Security Defaults or Conditional Access
  • Azure Activity Log diagnostic settings configured
  • Azure managed disks encrypted at rest
  • Azure SQL Transparent Data Encryption enabled
  • Azure PostgreSQL enforces SSL

8 critical controls failing — audit risk

  • Root account has no active access keys (CC6.1)
  • CloudTrail enabled in all regions (CC7.2)
  • GuardDuty enabled in all regions (CC7.2)
  • Default branch protection enabled (CC8.1)
  • Cloud Audit Logs enabled for all services (CC7.2)
  • MFA enforced via Security Defaults or Conditional Access (CC6.1)
  • Azure Storage account public blob access disabled (CC6.1)
  • Azure Activity Log diagnostic settings configured (CC7.2)
Control Checks
CheckCriteriaSeverityStatusLast Run

MFA enabled for all IAM users

MFA enabled for all IAM users: all observed resources comply.

CC6.1 — Identifies and Authenticates Users

SOC 2CC6.1
PCI8.4.2
ISO 270018.5
criticalpass7/10/2026

Root account has no active access keys

Root account has no active access keys: 2 resource(s) do not comply.

Fix: Delete root keys: AWS Console → Account name → Security credentials → Access keys → Delete. Use IAM users or roles instead.

CC6.1 — Manages Credentials for Infrastructure and Software

SOC 2CC6.1
PCI8.6.1
ISO 270018.2
criticalfail7/10/2026

S3 public access block enabled

S3 public access block enabled: all observed resources comply.

CC6.1 — Restricts Access to Information Assets

SOC 2CC6.1
PCI1.4.4
ISO 270018.20
criticalpass7/10/2026

CloudTrail enabled in all regions

CloudTrail enabled in all regions: 2 resource(s) do not comply.

Fix: Create a multi-region trail: CloudTrail → Create trail → Apply to all regions. Enable log file validation and deliver logs to a dedicated S3 bucket.

CC7.2 — Implements Detection Policies, Procedures, and Tools

SOC 2CC7.2
PCI10.2.1
ISO 270018.15
criticalfail7/10/2026

GuardDuty enabled in all regions

GuardDuty enabled in all regions: 2 resource(s) do not comply.

Fix: Enable: Console → GuardDuty → Get Started → Enable. Use AWS Organizations to enable in all accounts and delegate to a security account.

CC7.2 — Designs Detection Measures

SOC 2CC7.2
PCI11.5.1
ISO 270018.16
criticalfail7/10/2026

No security groups expose SSH/RDP/DB ports to the internet

No security groups expose SSH/RDP/DB ports to the internet: all observed resources comply.

CC6.1 — Restricts Access to Information Assets

SOC 2CC6.1
PCI1.4.1
ISO 270018.20
criticalpass7/10/2026

No credentials unused for 90+ days

No credentials unused for 90+ days: all observed resources comply.

CC6.2 — Removes Access to Protected Assets When Appropriate

SOC 2CC6.2
PCI8.2.6
ISO 270015.16
highpass7/10/2026

Strong password policy configured

Strong password policy configured: all observed resources comply.

CC6.1 — Considers Password Requirements

SOC 2CC6.1
PCI8.3.6
ISO 270015.17
highpass7/10/2026

S3 buckets encrypted at rest

S3 buckets encrypted at rest: all observed resources comply.

CC6.1 — Uses Encryption to Protect Data

SOC 2CC6.1
PCI3.5.1
ISO 270018.24
highpass7/10/2026

CloudTrail log file validation enabled

CloudTrail log file validation enabled: all observed resources comply.

CC7.2 — Evaluates Security Events

SOC 2CC7.2
PCI10.3.2
ISO 270018.15
highpass7/10/2026

RDS instances encrypted at rest

RDS instances encrypted at rest: 2 resource(s) do not comply.

Fix: Enable at creation: RDS → Create database → Storage → Enable encryption. For existing instances: take snapshot → copy with encryption → restore from encrypted snapshot.

CC6.1 — Uses Encryption to Protect Data

SOC 2CC6.1
PCI3.5.1
ISO 270018.24
highfail7/10/2026

EBS default encryption enabled

EBS default encryption enabled: all observed resources comply.

CC6.1 — Uses Encryption to Protect Data

SOC 2CC6.1
PCI3.5.1
ISO 270018.24
highpass7/10/2026

VPC Flow Logs enabled

VPC Flow Logs enabled: 2 resource(s) do not comply.

Fix: Enable: VPC → Your VPCs → [VPC] → Flow logs → Create flow log. Ship to CloudWatch Logs or S3 and set up metric filters for anomaly detection.

CC7.2 — Implements Detection Policies, Procedures, and Tools

SOC 2CC7.2
PCI10.2.1
ISO 270018.16
highfail7/10/2026

CloudWatch alarm for root account usage

CloudWatch alarm for root account usage: all observed resources comply.

CC7.2 — Responds to Identified Security Events

SOC 2CC7.2
PCI10.7.2
ISO 270015.25
highpass7/10/2026

CloudWatch log groups retain at least 12 months

CloudWatch log groups retain at least 12 months: all observed resources comply.

CC7.2 — Implements Detection Policies, Procedures, and Tools

SOC 2CC7.2
PCI10.5.1
ISO 270018.15
highpass7/10/2026

Load balancer HTTPS listeners require TLS 1.2 or higher

Load balancer HTTPS listeners require TLS 1.2 or higher: all observed resources comply.

CC6.1 — Uses Encryption to Protect Data

SOC 2CC6.1
PCI4.2.1
ISO 270018.24
highpass7/10/2026

RDS instances enforce TLS at the parameter group

RDS instances enforce TLS at the parameter group: all observed resources comply.

CC6.1 — Uses Encryption to Protect Data

SOC 2CC6.1
PCI4.2.1
ISO 270018.24
highpass7/10/2026

S3 versioning enabled on critical buckets

S3 versioning enabled on critical buckets: 2 resource(s) do not comply.

Fix: Enable versioning: S3 → Bucket → Properties → Bucket Versioning → Enable. Add lifecycle rules to transition old versions to Glacier.

A1.2 — Environmental Protections, Software, Data Back-Up Processes, and Recovery Infrastructure

SOC 2A1.2
PCI10.5.1
ISO 270018.13
mediumfail7/10/2026

RDS instances use non-default master username

RDS instances use non-default master username: all observed resources comply.

CC6.1 — Manages Credentials for Infrastructure and Software

SOC 2CC6.1
PCI2.2.5
ISO 270018.9
mediumpass7/10/2026