CIS Critical Security Controls v8 (Center for Internet Security) Pre-Audit Gap Report
Generated: 2026-06-24T23:07:45.468Z
Cover: Scope Attestation
- Report ID
aws_20260624_160745
- Generated at
- 2026-06-24T23:07:45.468Z
- Assessment type
- Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
- Scanner
- NSAuditor AI EE v0.31.3 (CE v0.2.15)
- Scan window
- (not provided) → (not provided)
- Targets in scope
aws
- Targets explicitly excluded
- None
- Framework
- CIS Critical Security Controls v8 (Center for Internet Security) (version 8)
- Report integrity
- SHA-256 in companion
.sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
- Trusted timestamp (RFC 3161)
- Not configured. SHA-256 provides integrity only. For non-repudiation, configure
complianceTsaUrl.
- TSA policy OID
- N/A — TSA itself is not configured.
- TSA cert chain bundling
- N/A — TSA itself is not configured.
- Clock advisory
- ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)
This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.
Executive Summary
- Controls assessed (in scope): 39
- Controls out of scope (documented gaps): 114
- Findings analyzed: 242
- Status breakdown:
26 fail · 5 pass · 8 partial · 0 accepted-risk · 0 false-positive · 114 out-of-scope
CIS Controls v8 — Implementation Group Coverage Summary
CIS Controls v8 organizes 153 Safeguards into 3 CUMULATIVE Implementation Groups: IG1 = 56 Safeguards (basic cyber hygiene — the cyber-insurance baseline; ~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite as of 2024+); IG2 cumulative = 130 Safeguards (IG1 + 74 IG2-only); IG3 cumulative = 153 Safeguards (IG2 + 23 IG3-only). CUMULATIVE means claiming IG2 = ALL 56 IG1 Safeguards AND ALL 74 IG2-only = 130 total (NEVER 74-of-74 in isolation); claiming IG3 = ALL 130 IG2-cumulative AND ALL 23 IG3-only = 153 total. The IG1 base MUST be intact before IG2/IG3 claims are valid — operators who skip IG1 Safeguards while pursuing IG2/IG3 depth are NOT IG2/IG3 compliant (cyber-insurance underwriters reject the claim + re-classify as incomplete IG1, potentially declining or limiting coverage). This report's engine substrate covers a SUBSET of each IG; the remaining Safeguards are operator-side process/endpoint artifacts (LMS training, endpoint EDR, IR program, TPRM) that pair with your CSAT / CIS-CAT Pro self-attestation. IG1 coverage is COMMERCIALLY load-bearing for cyber-insurance renewal — IG1 gaps are flagged as potential coverage-invalidation, not just compliance findings.
The Implementation Groups are cumulative: IG2 = IG1 + IG2-only (130 Safeguards); IG3 = IG2 + IG3-only (153 Safeguards). The counts below report engine substrate coverage; the remaining Safeguards in each IG are operator-side process/endpoint artifacts that pair with your CSAT / CIS-CAT Pro self-attestation. This report is INPUT to that attestation, NOT a CIS certification.
| Implementation Group | Total Safeguards | Engine substrate-evidenced | Operator-side remainder |
| IG1 — Basic Cyber Hygiene (cyber-insurance baseline) | 56 | 23 (41%) | 33 |
| IG2 — Foundational Cyber Hygiene (cumulative) | 130 | 37 (28%) | 93 |
| IG3 — Organizational Cyber Hygiene (cumulative) | 153 | 39 (25%) | 114 |
IG1 cyber-insurance baseline: ~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite (2024+). The engine evidences 23 of the 56 IG1 Safeguards; the remaining 33 are operator-side (unique-passwords/IdP, endpoint encryption/MDM, security-awareness LMS, access-granting/revoking process, IR designation). IG1 gaps are commercial-impact findings — verify the full IG1 base is intact BEFORE a cyber-insurance attestation. The IG1 base MUST be intact before any IG2/IG3 claim is valid.
Cumulative-discipline reminder: NEVER report IG2 coverage as a fraction of the 74 IG2-only Safeguards in isolation — IG2 is 130 cumulative (IG1 + IG2-only). Skipping IG1 Safeguards while pursuing IG2/IG3 depth = NOT IG2/IG3 compliant (underwriters re-classify as incomplete IG1).
CIS Controls v8 — Attestation Discipline (No Certification Body)
CIS Critical Security Controls v8 has NO formal certification body (unlike ISO 27001's ISO/IEC 17021-1 accredited bodies or PCI's QSAs). This report is INPUT to one of 3 operator-side validation paths, NOT a CIS certification: (1) operator self-attestation via CSAT (CIS Controls Self Assessment Tool — lighter-weight) or CIS-CAT Pro Assessor (more rigorous, benchmark-automated); (2) SOC 2 Type II auditor cross-validating CIS Controls scope as part of the SOC 2 evidence package (CC6/CC7/CC8 substrate — the most common path for operators already pursuing SOC 2); (3) CIS-SecureSuite member peer review (informal community validation). NEVER represent this report as 'CIS certified' or 'CIS Controls certification' — there is no such certification. Represent it as 'substrate evidence supporting CIS Controls v8 IG[N] self-attestation'.
CIS Critical Security Controls v8 has no formal certification body (unlike ISO 27001's ISO/IEC 17021-1 accredited bodies or PCI's QSAs). This report is INPUT to one of 3 operator-side validation paths — never a "CIS certification":
- Self-attestation via CSAT (lighter-weight) or CIS-CAT Pro Assessor (benchmark-automated, more rigorous).
- SOC 2 Type II auditor cross-validation — CIS Controls scope folded into the SOC 2 evidence package (CC6/CC7/CC8 substrate). Most common path for operators already pursuing SOC 2.
- CIS-SecureSuite member peer review — informal community validation.
Represent this report as "substrate evidence supporting CIS Controls v8 IG[N] self-attestation", not as a certification.
CIS Controls v8 — Cloud Companion Guide + Hardened-Image Credit
CIS Critical Security Controls Cloud Companion Guide v8 (ratified by the v8 cloud working group) provides per-Safeguard AWS/Azure/GCP applicability + shared-responsibility-model boundary. Each Safeguard in this report carries cloudCompanionApplicability + sharedResponsibilityBoundary (operator / cloud-provider / shared). Operators running CIS-Hardened-Images (AWS Marketplace / Azure Marketplace / GCP Marketplace / Docker Hub) earn substantial substrate-evidence credit for Safeguards 4.1 + 4.2 + 4.6 — the cisHardenedImageCredit field surfaces this. Cloud-provider CIS alignment (AWS CIS v8 Quick Start + Security Hub CIS standard; Azure Security Benchmark v3 CIS-aligned; GCP Security Command Center CIS Benchmark) informs the shared-responsibility split. Sector operators: MS-ISAC (state/local govt — IG1 required / IG2 recommended), EI-ISAC (elections — IG2 required), H-ISAC (healthcare — IG2 required) sector-baseline applicability is surfaced per Safeguard.
Each Safeguard carries Cloud Companion Guide v8 applicability + shared-responsibility-model boundary. Cloud-provider CIS alignment: AWS CIS v8 Quick Start + Security Hub CIS standard · Azure Security Benchmark v3 (CIS-aligned) · GCP Security Command Center CIS Benchmark (current as of 2026-Q1; revisit annually).
CIS-Hardened-Image substrate-evidence credit — Safeguards earning credit when the operator runs CIS-Hardened-Images (AWS/Azure/GCP Marketplace, Docker Hub). Status is observed at scan time when this scan detected a Hardened-Image on at least one in-scope asset, else eligible:
| Safeguard | Title | Hardened-Image credit | Status | Shared-responsibility |
4.1 | Establish and Maintain a Secure Configuration Process | substantial | ⚪ eligible | shared |
4.2 | Establish and Maintain a Secure Configuration Process fo… | partial | ⚪ eligible | shared |
4.6 | Securely Manage Enterprise Assets and Software | substantial | ⚪ eligible | shared |
No CIS-Hardened-Image was detected on the 2 inspected asset(s) this run, so the Safeguards above remain eligible (not observed). Detection is LIVE (EE 0.13.1) across AMI-name / image-publisher / image-project / container-label; running a CIS-Hardened-Image flips these rows to observed point-in-time substrate-evidence. The Safeguards' operator-side secure-configuration / asset-management process documentation is required regardless of image substrate.
Sector-baseline applicability: MS-ISAC (state/local govt — IG1 required / IG2 recommended) · EI-ISAC (elections — IG2 required) · H-ISAC (healthcare — IG2 required; substantially overlaps the HIPAA Security Rule Technical Safeguards). Sector operators select their IG per the sector baseline + cyber-insurance requirements.
Failing Controls
3.3 — Configure Data Access Control Lists FAIL
Category: n/a · Violations: 7
Bucket policy grants public accessSource: aws-s3-auditor
3.3 substrate — public bucket policy violates data access control lists; auditor-canonical CIS 3.3 finding.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessibleSource: aws-s3-auditor
3.3 substrate — publicly accessible data store violates least-privilege access control.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessibleSource: aws-s3-auditor
3.3 substrate — publicly accessible data store violates least-privilege access control.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.Source: aws-kms-auditor
3.3 — Principal:* on sensitive KMS actions (Decrypt / GenerateDataKey* / ReEncrypt* / CreateGrant / PutKeyPolicy) is an over-permissive data ACL. Anchored on the `C1.1 confidentiality-boundary risk` trailer so it does NOT match the demoted AWS-managed-CMK-template INFO. Inherits soc2 C1.1.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.
3.4 — Enforce Data Retention FAIL
Category: n/a · Violations: 4
⚠️ Coverage caveat: 3.4 partial — engine evidences S3 lifecycle / retention-policy configuration substrate, but the retention SCHEDULE (how long each data class must be retained per operator policy) is operator-side.
Object Lock not configuredSource: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
Object Lock not configuredSource: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
Object Lock not configuredSource: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).Source: aws-s3-lifecycle-replication-auditor
3.4 substrate — absent lifecycle config means no enforced retention/disposal cadence.
3.5 — Securely Dispose of Data FAIL
Category: n/a · Violations: 1
⚠️ Coverage caveat: 3.5 partial — engine evidences S3 lifecycle-expiration + KMS-key-deletion substrate (the disposal mechanism), but the disposal RECORDS / certificates-of-destruction are operator-side.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).Source: aws-s3-lifecycle-replication-auditor
3.5 substrate — absent lifecycle config = no automated disposal.
3.11 — Encrypt Sensitive Data at Rest FAIL
Category: n/a · Violations: 22
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.Source: aws-rds-auditor
3.11 substrate — RDS storage encryption disabled.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).Source: aws-sqs-sns-auditor
3.11 substrate — SQS at-rest encryption disabled.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.Source: aws-sqs-sns-auditor
3.11 substrate — SNS at-rest encryption disabled.
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): EBS volume unencrypted at rest. Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.Source: aws-elasticache-redis-auditor
CIS 3.11 (Encrypt sensitive data at rest) — ElastiCache Redis at-rest encryption DISABLED. Plugin 1180.
3.14 — Log Sensitive Data Access FAIL
Category: n/a · Violations: 2
⚠️ Coverage caveat: 3.14 partial (IG3) — engine evidences CloudTrail data-event logging substrate (whether sensitive-data access IS logged), but the sensitive-data tagging (which stores hold sensitive data warranting access logging) is operator-side per 3.7.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
3.14 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail does not log data events (S3 object-level / Lambda invocation)Source: aws-cloudtrail-auditor
3.14 substrate — trail without data-event logging cannot evidence sensitive-data access.
4.1 — Establish and Maintain a Secure Configuration Process FAIL
Category: n/a · Violations: 1
⚠️ Coverage caveat: 4.1 partial — engine evidences AWS Config recorder substrate (the configuration-monitoring mechanism); CIS-Hardened-Image usage provides substantial substrate-evidence. The secure-configuration PROCESS documentation is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
4.1 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
4.2 — Establish and Maintain a Secure Configuration Process for Network Infrastructure FAIL
Category: n/a · Violations: 3
⚠️ Coverage caveat: 4.2 partial — engine evidences network-infrastructure configuration (Security Group rules, NACLs, firewall rules) per the CIS Cloud Companion Guide; operator-side network-device firmware/config baselines complete the dimension.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.
4.4 — Implement and Manage a Firewall on Servers FAIL
Category: n/a · Violations: 3
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.
4.6 — Securely Manage Enterprise Assets and Software FAIL
Category: n/a · Violations: 3
⚠️ Coverage caveat: 4.6 partial — engine evidences managed-asset configuration substrate (Config, IaC-management tags); CIS-Hardened-Image usage provides substantial substrate-evidence for secure asset management. Operator-side asset-management process completes the dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
4.6 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
EC2 instance 'i-0a1b2c3d4e5f60718' has IMDSv1 enabled (HttpTokens=optional). CC6.1 access-control gap: instance metadata is reachable without a session token — no IAM instance profile is attached, so no role credentials are currently exposed — but attaching a profile later silently reintroduces the SSRF credential-theft path. Remediate by setting HttpTokens=required (IMDSv2-only) via ec2:ModifyInstanceMetadataOptions.Source: aws-ec2-instance-auditor
4.6 substrate — EE 0.13.1 density (plugin 1210): IMDSv1 enabled is an insecurely-managed instance-metadata configuration. Inherits from soc2.json CC6.1 per the inheritance contract.
EC2 instance 'i-0b2c3d4e5f6071829' has IMDSv2 enforced but metadata hop limit 2 exceeds 1 (HttpPutResponseHopLimit=2). CC6.1 access-control gap: a containerized workload on the instance can still reach IMDS across the extra network hop — no IAM instance profile is attached, so no role credentials are currently exposed — but attaching a profile later silently reintroduces the SSRF credential-theft path. Set HttpPutResponseHopLimit=1 unless containers legitimately require IMDS.Source: aws-ec2-instance-auditor
4.6 substrate — EE 0.13.1 density (plugin 1210): IMDSv2 hop limit >1 leaves the metadata service over-reachable from containers (insecure asset management). Inherits from soc2.json CC6.1.
5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts FAIL
Category: n/a · Violations: 6
SHADOW ADMIN: User has full wildcard (*) permissionsSource: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletionSource: aws-iam-deep-auditor
5.4 substrate — privilege escalation enables non-dedicated accounts to gain admin.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
SHADOW ADMIN: User has full wildcard (*) permissionsSource: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletionSource: aws-iam-deep-auditor
5.4 substrate — privilege escalation enables non-dedicated accounts to gain admin.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
6.3 — Require MFA for Externally-Exposed Applications FAIL
Category: n/a · Violations: 2
No MFA configured on active IAM userSource: aws-iam-deep-auditor
6.3 substrate — accounts without MFA fail externally-exposed-application MFA requirement.
No MFA configured on active IAM userSource: aws-iam-deep-auditor
6.3 substrate — accounts without MFA fail externally-exposed-application MFA requirement.
6.5 — Require MFA for Administrative Access FAIL
Category: n/a · Violations: 3
MFA Delete not enabledSource: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.
MFA Delete not enabledSource: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.
MFA Delete not enabledSource: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.
7.5 — Perform Automated Vulnerability Scans of Internal Enterprise Assets FAIL
Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
7.6 — Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets FAIL
Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
8.2 — Collect Audit Logs FAIL
Category: n/a · Violations: 2
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
8.2 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail has log file validation disabled (LogFileValidationEnabled=false)Source: aws-cloudtrail-auditor
8.2 substrate — disabled log-file validation weakens audit-log integrity.
8.3 — Ensure Adequate Audit Log Storage FAIL
Category: n/a · Violations: 7
⚠️ Coverage caveat: 8.3 partial — engine evidences audit-log storage substrate (trail S3 destination, encryption), but the adequate-storage SIZING (retention duration matching operator's log-volume) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
8.3 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail destination bucket northwind-orgtrail-logs has Object Lock enabled but NO DefaultRetention rule — the bucket is "Object-Lock-able" but no retention is auto-applied. Auditors expect a default retention rule on trail buckets.Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail destination bucket northwind-orgtrail-logs has MFA Delete NOT enabled. Without MFA Delete, any IAM principal with s3:DeleteBucket / s3:DeleteObject can permanently delete trail logs via delete-marker → permanent-delete bypass. For trail buckets (institutional-grade evidence storage), MFA Delete is mandatory.Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail northwind-orgtrail log files not encrypted with a KMS-CMK (KmsKeyId not set)Source: aws-cloudtrail-auditor
8.3 substrate — unencrypted log storage weakens audit-log protection.
Trail destination bucket northwind-trail-logs has NO Object Lock configuration. SEC Rule 17a-4 / FINRA 4511 require WORM storage for audit logs. Enable Object Lock + COMPLIANCE mode + retention.Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail destination bucket northwind-trail-logs has Versioning Disabled — Object Lock REQUIRES Versioning. Without it, retention rules cannot be enforced.Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail northwind-trail log files not encrypted with a KMS-CMK (KmsKeyId not set)Source: aws-cloudtrail-auditor
8.3 substrate — unencrypted log storage weakens audit-log protection.
8.5 — Collect Detailed Audit Logs FAIL
Category: n/a · Violations: 3
⚠️ Coverage caveat: 8.5 partial (IG2) — engine evidences detailed-logging substrate (data-event logging, per-service log exports), but the detail-completeness (all required event types per operator policy) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
8.5 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail does not log data events (S3 object-level / Lambda invocation)Source: aws-cloudtrail-auditor
8.5 substrate — absent data-event logging = insufficient log detail.
RDS DB instance 'northwind-orders-db' (postgres) has NO CloudWatch Logs exports configured (EnabledCloudwatchLogsExports=[]). CC7.2 monitoring gap: no database activity logs reach CloudWatch for centralized anomaly detection / alerting / long-term retention. Expected for this engine: essential=[postgresql] + optional=[upgrade]. Configure via ModifyDBInstance --cloudwatch-logs-export-configuration.Source: aws-rds-auditor
8.5 substrate — no DB log exports = missing detailed database audit logs.
8.9 — Centralize Audit Logs FAIL
Category: n/a · Violations: 19
⚠️ Coverage caveat: 8.9 partial (IG2) — engine evidences log-centralization substrate (multi-region trail aggregation), but the SIEM-aggregation completeness (all sources feeding a central store) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.Source: aws-cloudtrail-auditor
8.9 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)Source: aws-cloudtrail-auditor
8.9 substrate — non-multi-region trail fails to centralize logs across regions.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
11.1 — Establish and Maintain a Data Recovery Process FAIL
Category: n/a · Violations: 1
⚠️ Coverage caveat: 11.1 partial — engine evidences backup-process substrate (AWS Backup plans exist), but the recovery-process documentation + RPO/RTO targets are operator-side.
AWS Backup account audit: ZERO backup plans configured. A1.2 availability gap: no AWS-native backup substrate is operating. Production-tier workloads on EBS / RDS / DynamoDB / EFS / FSx / Storage Gateway / Aurora typically require AWS Backup plans (or vendor-equivalent backup). Auditor walkthrough required if backups are managed externally.Source: aws-backup-auditor
11.1 substrate — zero backup plans = no operational data-recovery process.
11.2 — Perform Automated Backups FAIL
Category: n/a · Violations: 1
RDS DB instance 'northwind-orders-db' has BackupRetentionPeriod=0 — automated backups are DISABLED. A1.2 availability gap: PITR is unavailable (requires automated backups), no recovery from corruption / accidental-DROP / insider-vandalism. Enable via rds:ModifyDBInstance --backup-retention-period <days>; institutional baseline is 7 days.Source: aws-rds-auditor
11.2 substrate — BackupRetentionPeriod=0 disables automated RDS backups.
11.5 — Test Data Recovery FAIL
Category: n/a · Violations: 1
⚠️ Coverage caveat: 11.5 partial (IG2) — engine evidences restore-testing substrate (Restore Testing Plans + job outcomes), but the recovery-test SCOPE adequacy (do tests cover all critical systems per operator's BIA) is operator-side.
AWS Backup account audit: ZERO Restore Testing Plans configured. A1.2 disaster-recovery validation gap: NO periodic test-restores are scheduled against the AWS Backup substrate. Per SEC Rule 17a-4 / FINRA 4511 audit-the-restorer doctrine, recovery points without periodic test-restores are unverifiable evidence — backups may exist but operators cannot prove they CAN be restored. Configure at least one Restore Testing Plan covering production-tier recovery points. Auditor walkthrough required if DR is validated via external runbook.Source: aws-backup-auditor
11.5 substrate — zero restore-testing plans = recovery never tested.
12.2 — Establish and Maintain a Secure Network Architecture FAIL
Category: n/a · Violations: 1
EC2 instance 'i-0a1b2c3d4e5f60718' has public IP exposed (3.239.218.43). CC6.6 perimeter substrate evidence: the instance is directly reachable from the public internet (top-level + secondary-ENI / Elastic-IP associations checked) — auditor walkthrough verifies the Security Group ingress is intentional (pair with plugin 1170 SG perimeter findings).Source: aws-ec2-instance-auditor
12.2 substrate — EE 0.13.1 density (plugin 1210): a directly-internet-reachable instance is network-architecture substrate evidence (verify intent vs the secure-architecture design). Inherits from soc2.json CC6.6 per the inheritance contract.
13.1 — Centralize Security Event Alerting FAIL
Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
13.3 — Deploy a Network Intrusion Detection Solution FAIL
Category: n/a · Violations: 34
⚠️ Coverage caveat: 13.3 partial (IG2) — engine evidences network-IDS substrate (GuardDuty enablement + detector coverage), but full IDS deployment across all network segments is operator-side.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
13.11 — Tune Security Event Alerting Thresholds FAIL
Category: n/a · Violations: 17
⚠️ Coverage caveat: 13.11 partial (IG3) — engine evidences alerting-threshold substrate (GuardDuty FindingPublishingFrequency), but threshold-tuning to operator's alert-fatigue/coverage balance is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
16.1 — Establish and Maintain a Secure Application Development Process FAIL
Category: n/a · Violations: 1
⚠️ Coverage caveat: 16.1 partial (IG2) — engine evidences CI/CD + application-deployment substrate (CodeBuild/CodePipeline guardrails, API Gateway auth/WAF), but the secure-development PROCESS (SDLC gates, secure-coding standards) is operator-side.
Lambda function 'nw-checkout-fn' has a public Function URL with AuthType: NONE — exposes the function to public internet without authentication. CC6.1 violation; SOC 2 institutional CRITICAL (parallel to API Gateway NONE-authorizer class). Set AuthType to AWS_IAM (uses SigV4) or front with API Gateway authorizer.Source: aws-lambda-auditor
16.1 substrate — a Lambda Function URL with AuthType: NONE is a public, unauthenticated application entry-point — the direct analog of a NONE-auth API Gateway method. Routed here for cross-source parity. Inherits soc2 CC6.1. Plugin 1080.
Passing Controls (Within Scope)
- PASS 2.2 — Ensure Authorized Software is Currently Supported
- PASS 3.10 — Encrypt Sensitive Data in Transit
- PASS 5.1 — Establish and Maintain an Inventory of Accounts
- PASS 11.3 — Protect Recovery Data
- PASS 11.4 — Establish and Maintain an Isolated Instance of Recovery Data
Partial Coverage
- PARTIAL 1.1 — Establish and Maintain Detailed Enterprise Asset Inventory
⚠️ Coverage caveat: 1.1 partial — engine enumerates managed cloud resources (VPC endpoints, Security Groups, S3/storage buckets, IAM principals) producing substrate-inventory evidence, but the authorized-vs-unauthorized determination + asset-owner dimension is operator-side (CMDB / Resource Tagger).
- PARTIAL 2.1 — Establish and Maintain a Software Inventory
⚠️ Coverage caveat: 2.1 partial — engine enumerates deployed software substrate (Lambda runtimes, container images, managed-service versions) but the authorized-software allowlist + full SBOM is operator-side.
- PARTIAL 3.2 — Establish and Maintain a Data Inventory
⚠️ Coverage caveat: 3.2 partial — engine enumerates data-bearing stores (S3 buckets, RDS, DynamoDB) producing data-inventory substrate, but the data-classification dimension (what sensitivity each store holds) is operator-side per 3.7.
- PARTIAL 4.7 — Manage Default Accounts on Enterprise Assets and Software
⚠️ Coverage caveat: 4.7 partial — engine enumerates IAM principals and access-key posture (substrate for default-account management), but the default-account identification (which are vendor-default vs operator-created) is operator-side.
- PARTIAL 4.8 — Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
⚠️ Coverage caveat: 4.8 partial (IG2) — engine detects exposed legacy/unnecessary services (Telnet, SNMP default community, RPC portmapper, anonymous FTP) at the network perimeter; full host-level service enumeration is operator-side.
- PARTIAL 5.3 — Disable Dormant Accounts
⚠️ Coverage caveat: 5.3 partial — engine detects stale/dormant credential substrate (unused access keys), but the disable CADENCE (operator's dormancy threshold + action) is operator-side.
- PARTIAL 9.5 — Implement DMARC
⚠️ Coverage caveat: 9.5 partial (IG2) — EE 0.13.1 density expansion. The engine directly evidences DMARC policy presence/strength (p=reject / p=quarantine / p=none / not-published) + strict SPF+DKIM alignment for SES-managed sending identities (aws-ses-auditor). Scope is SES-only: non-SES sending domains (Google Workspace / Microsoft 365 / on-prem MTAs) and the operator's full email-domain inventory are operator-side, so this is partial not covered — reconcile the complete sending-domain inventory in self-attestation.
- PARTIAL 12.6 — Use of Secure Network Management and Communication Protocols
⚠️ Coverage caveat: 12.6 partial (IG2) — engine evidences insecure-management-protocol substrate (SSH password auth, exposed management ports, deprecated TLS), but full network-management-protocol inventory is operator-side.
Out of Scope
| Control IDs | Title | Reason |
|---|
1.2, 1.3, 1.4, 1.5 | Control 1 — active/passive discovery + unauthorized-asset response OOS (4) | Active/passive discovery tooling + DHCP logging + unauthorized-asset response are operator-side (NAC, discovery agents, IR). Pair with operator network-discovery + IR program. |
2.3, 2.4, 2.5, 2.6, 2.7 | Control 2 — software allowlisting + unauthorized-software response OOS (5) | Application allowlisting (software/library/script) + automated inventory tooling + unauthorized-software response are operator-side (AppLocker/WDAC, software-inventory agents, IR). |
3.1, 3.6, 3.7, 3.8, 3.9, 3.12, 3.13 | Control 3 — data-management governance + endpoint/removable-media encryption + DLP OOS (7) | Data-management process, classification scheme, data-flow documentation, end-user/removable-media encryption, sensitivity segmentation, and DLP are operator-side governance + endpoint controls. |
4.3, 4.5, 4.9, 4.10, 4.11, 4.12 | Control 4 — endpoint/session/mobile configuration OOS (6) | Session locking, end-user-device firewalls, trusted DNS on assets, device lockout/remote-wipe, and mobile workspace separation are operator-side endpoint/MDM controls. |
5.2, 5.5, 5.6 | Control 5 — password policy + service-account inventory + centralized account mgmt OOS (3) | Unique-password enforcement, service-account inventory, and centralized account management (IdP) are operator-side identity-provider controls. |
6.1, 6.2, 6.4, 6.6, 6.7, 6.8 | Control 6 — access-granting/revoking process + AAA inventory + RBAC governance OOS (6) | Access granting/revoking processes, remote-access MFA (VPN/AAA), authentication-system inventory, centralized access control, and RBAC definition are operator-side IGA/IdP governance. |
7.1, 7.2, 7.3, 7.4, 7.7 | Control 7 — vuln-management process + patch management + remediation OOS (5) | Vulnerability-management/remediation processes and OS/application patch management are operator-side (Patch Manager + ticketing/CAPA). Pair with intelligence_engine substrate findings. |
8.1, 8.4, 8.6, 8.7, 8.8, 8.10, 8.11, 8.12 | Control 8 — log-mgmt process + time-sync + DNS/URL/command-line logs + retention + review + SP logs OOS (8) | Audit-log-management process, time synchronization, DNS/URL/command-line audit logs, retention duration, log review, and service-provider log collection are operator-side process + endpoint/SIEM controls. |
9.1, 9.2, 9.3, 9.4, 9.6, 9.7 | Control 9 — email + web-browser protections OOS (6) | Supported browsers/email clients, DNS/URL filtering, browser-extension restriction, file-type blocking, and email-server anti-malware are operator-side endpoint + email-gateway controls. (9.5 Implement DMARC moved to partial in EE 0.13.1 — the SES auditor evidences DMARC posture for SES-managed sending identities.) |
10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7 | Control 10 — malware defenses (endpoint EDR) OOS (7) | Anti-malware deployment/updates/scanning, autorun disabling, anti-exploitation, and behavior-based EDR are operator-side endpoint controls (CrowdStrike/SentinelOne/MS Defender). |
12.1, 12.3, 12.4, 12.5, 12.7, 12.8 | Control 12 — network-device firmware + AAA + diagrams + VPN + dedicated admin resources OOS (6) | Network-infrastructure firmware currency, secure device management, architecture diagrams, centralized AAA, remote-device VPN, and dedicated admin workstations are operator-side network + endpoint controls. |
13.2, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9, 13.10 | Control 13 — HIDS/HIPS + segment filtering + NetFlow + port-level + app-layer filtering OOS (8) | Host-based IDS/IPS, inter-segment traffic filtering, remote-asset access control, traffic-flow logs, network IPS, port-level access control (802.1x), and application-layer filtering are operator-side network/endpoint controls. |
14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9 | Control 14 — security awareness + skills training (entire) OOS (9) | All security awareness and skills training Safeguards are operator-side LMS controls (KnowBe4/Proofpoint/SANS). Not substrate-evidenceable. |
15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7 | Control 15 — service-provider management (TPRM, entire) OOS (7) | Service-provider inventory, policy, classification, contract requirements, assessment, monitoring, and decommissioning are operator-side TPRM controls. Cloud-provider AOCs/certificates inform but do not substitute. |
16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13, 16.14 | Control 16 — application security process depth (SDLC, SCA, threat modeling) OOS (13) | Vulnerability acceptance/root-cause, third-party-component inventory/currency, severity rating, hardening templates, prod/non-prod separation, developer training, secure design, vetted modules, code-level checks, app pentest, and threat modeling are operator-side SDLC/AppSec controls. |
17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9 | Control 17 — incident response management (entire) OOS (9) | Incident-handling personnel, contacts, reporting process, IR process, roles, communication mechanisms, exercises, post-incident reviews, and thresholds are operator-side IR-program controls. |
18.1, 18.2, 18.3, 18.4, 18.5 | Control 18 — penetration testing (entire) OOS (5) | Penetration-testing program, external/internal tests, finding remediation, and security-measure validation are operator-side engagement controls (independent pentest firms). |
Appendix A — Cloud Bucket Exposure Attestation
Buckets with finding(s): 9 violation event(s) across 0 unique bucket(s).
Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].
Appendix B — Accepted Risks & False Positives
No suppressions in this scan.