Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →
SOC 2 Type II Observation Window FY2026 · Mar 14, 2026Sep 10, 2026
120 of 180 days elapsed
Active
Posture Score
79%
x
Passing
19

of 24 automated

Failing
5

4 critical

Manual Controls
3/5

attested compliant

Posture Score Trend
4 critical controls failingaudit risk until resolved
  • Root account has no active access keysawsCC6.1
  • GuardDuty enabled in all regionsawsCC7.2
  • MFA enforced via Security Defaults or Conditional AccessazureCC6.1
  • Azure Storage account public blob access disabledazureCC6.1
1 new failure since last runpassed previously, failing now
  • MFA enforced via Security Defaults or Conditional AccessazureCC6.1
Control Checks
CheckCriteriaSeverityStatusLast Run

MFA enabled for all IAM users

MFA enabled for all IAM users: all observed resources comply.

CC6.1 — Identifies and Authenticates Users

SOC 2CC6.1
PCI8.4.2
ISO 270018.5
HIPAA164.312(d)
CMMC L1IA.L1-3.5.2
criticalpass7/12/2026

Root account has no active access keys

Root account has no active access keys: 2 resource(s) do not comply.

Fix: Delete root keys: AWS Console → Account name → Security credentials → Access keys → Delete. Use IAM users or roles instead.

CC6.1 — Manages Credentials for Infrastructure and Software

SOC 2CC6.1
PCI8.6.1
ISO 270018.2
HIPAA164.312(a)(2)(i)
CMMC L1IA.L1-3.5.1
criticalfail7/12/2026

S3 public access block enabled

S3 public access block enabled: all observed resources comply.

CC6.1 — Restricts Access to Information Assets

SOC 2CC6.1
PCI1.4.4
ISO 270018.20
HIPAA164.312(a)(1)
CMMC L1AC.L1-3.1.22
criticalpass7/12/2026

GuardDuty enabled in all regions

GuardDuty enabled in all regions: 2 resource(s) do not comply.

Fix: Enable: Console → GuardDuty → Get Started → Enable. Use AWS Organizations to enable in all accounts and delegate to a security account.

CC7.2 — Designs Detection Measures

SOC 2CC7.2
PCI11.5.1
ISO 270018.16
HIPAA164.308(a)(1)(ii)(D)
CMMC L1SI.L1-3.14.2
criticalfail7/12/2026

No security groups expose SSH/RDP/DB ports to the internet

No security groups expose SSH/RDP/DB ports to the internet: all observed resources comply.

CC6.1 — Restricts Access to Information Assets

SOC 2CC6.1
PCI1.4.1
ISO 270018.20
HIPAA164.312(a)(1)
CMMC L1SC.L1-3.13.1
criticalpass7/12/2026

No credentials unused for 90+ days

No credentials unused for 90+ days: all observed resources comply.

CC6.2 — Removes Access to Protected Assets When Appropriate

SOC 2CC6.2
PCI8.2.6
ISO 270015.16
HIPAA164.308(a)(3)(ii)(C)
CMMC L1AC.L1-3.1.1
highpass7/12/2026

Strong password policy configured

Strong password policy configured: all observed resources comply.

CC6.1 — Considers Password Requirements

SOC 2CC6.1
PCI8.3.6
ISO 270015.17
HIPAA164.308(a)(5)(ii)(D)
CMMC L1IA.L1-3.5.2
highpass7/12/2026

RDS instances use non-default master username

RDS instances use non-default master username: all observed resources comply.

CC6.1 — Manages Credentials for Infrastructure and Software

SOC 2CC6.1
PCI2.2.5
ISO 270018.9
HIPAA164.312(a)(2)(i)
CMMC L1IA.L1-3.5.1
mediumpass7/12/2026