CIS Critical Security Controls v8 (Center for Internet Security) Pre-Audit Gap Report

Generated: 2026-06-24T23:07:45.468Z

Cover: Scope Attestation

Report ID
aws_20260624_160745
Generated at
2026-06-24T23:07:45.468Z
Assessment type
Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
Scanner
NSAuditor AI EE v0.31.3 (CE v0.2.15)
Scan window
(not provided) → (not provided)
Targets in scope
aws
Targets explicitly excluded
None
Framework
CIS Critical Security Controls v8 (Center for Internet Security) (version 8)
Report integrity
SHA-256 in companion .sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
Trusted timestamp (RFC 3161)
Not configured. SHA-256 provides integrity only. For non-repudiation, configure complianceTsaUrl.
TSA policy OID
N/A — TSA itself is not configured.
TSA cert chain bundling
N/A — TSA itself is not configured.
Clock advisory
ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)

This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.

Executive Summary

CIS Controls v8 — Implementation Group Coverage Summary

CIS Controls v8 organizes 153 Safeguards into 3 CUMULATIVE Implementation Groups: IG1 = 56 Safeguards (basic cyber hygiene — the cyber-insurance baseline; ~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite as of 2024+); IG2 cumulative = 130 Safeguards (IG1 + 74 IG2-only); IG3 cumulative = 153 Safeguards (IG2 + 23 IG3-only). CUMULATIVE means claiming IG2 = ALL 56 IG1 Safeguards AND ALL 74 IG2-only = 130 total (NEVER 74-of-74 in isolation); claiming IG3 = ALL 130 IG2-cumulative AND ALL 23 IG3-only = 153 total. The IG1 base MUST be intact before IG2/IG3 claims are valid — operators who skip IG1 Safeguards while pursuing IG2/IG3 depth are NOT IG2/IG3 compliant (cyber-insurance underwriters reject the claim + re-classify as incomplete IG1, potentially declining or limiting coverage). This report's engine substrate covers a SUBSET of each IG; the remaining Safeguards are operator-side process/endpoint artifacts (LMS training, endpoint EDR, IR program, TPRM) that pair with your CSAT / CIS-CAT Pro self-attestation. IG1 coverage is COMMERCIALLY load-bearing for cyber-insurance renewal — IG1 gaps are flagged as potential coverage-invalidation, not just compliance findings.

The Implementation Groups are cumulative: IG2 = IG1 + IG2-only (130 Safeguards); IG3 = IG2 + IG3-only (153 Safeguards). The counts below report engine substrate coverage; the remaining Safeguards in each IG are operator-side process/endpoint artifacts that pair with your CSAT / CIS-CAT Pro self-attestation. This report is INPUT to that attestation, NOT a CIS certification.

Implementation GroupTotal SafeguardsEngine substrate-evidencedOperator-side remainder
IG1 — Basic Cyber Hygiene (cyber-insurance baseline)5623 (41%)33
IG2 — Foundational Cyber Hygiene (cumulative)13037 (28%)93
IG3 — Organizational Cyber Hygiene (cumulative)15339 (25%)114

IG1 cyber-insurance baseline: ~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite (2024+). The engine evidences 23 of the 56 IG1 Safeguards; the remaining 33 are operator-side (unique-passwords/IdP, endpoint encryption/MDM, security-awareness LMS, access-granting/revoking process, IR designation). IG1 gaps are commercial-impact findings — verify the full IG1 base is intact BEFORE a cyber-insurance attestation. The IG1 base MUST be intact before any IG2/IG3 claim is valid.

Cumulative-discipline reminder: NEVER report IG2 coverage as a fraction of the 74 IG2-only Safeguards in isolation — IG2 is 130 cumulative (IG1 + IG2-only). Skipping IG1 Safeguards while pursuing IG2/IG3 depth = NOT IG2/IG3 compliant (underwriters re-classify as incomplete IG1).

CIS Controls v8 — Attestation Discipline (No Certification Body)

CIS Critical Security Controls v8 has NO formal certification body (unlike ISO 27001's ISO/IEC 17021-1 accredited bodies or PCI's QSAs). This report is INPUT to one of 3 operator-side validation paths, NOT a CIS certification: (1) operator self-attestation via CSAT (CIS Controls Self Assessment Tool — lighter-weight) or CIS-CAT Pro Assessor (more rigorous, benchmark-automated); (2) SOC 2 Type II auditor cross-validating CIS Controls scope as part of the SOC 2 evidence package (CC6/CC7/CC8 substrate — the most common path for operators already pursuing SOC 2); (3) CIS-SecureSuite member peer review (informal community validation). NEVER represent this report as 'CIS certified' or 'CIS Controls certification' — there is no such certification. Represent it as 'substrate evidence supporting CIS Controls v8 IG[N] self-attestation'.

CIS Critical Security Controls v8 has no formal certification body (unlike ISO 27001's ISO/IEC 17021-1 accredited bodies or PCI's QSAs). This report is INPUT to one of 3 operator-side validation paths — never a "CIS certification":

  1. Self-attestation via CSAT (lighter-weight) or CIS-CAT Pro Assessor (benchmark-automated, more rigorous).
  2. SOC 2 Type II auditor cross-validation — CIS Controls scope folded into the SOC 2 evidence package (CC6/CC7/CC8 substrate). Most common path for operators already pursuing SOC 2.
  3. CIS-SecureSuite member peer review — informal community validation.

Represent this report as "substrate evidence supporting CIS Controls v8 IG[N] self-attestation", not as a certification.

CIS Controls v8 — Cloud Companion Guide + Hardened-Image Credit

CIS Critical Security Controls Cloud Companion Guide v8 (ratified by the v8 cloud working group) provides per-Safeguard AWS/Azure/GCP applicability + shared-responsibility-model boundary. Each Safeguard in this report carries cloudCompanionApplicability + sharedResponsibilityBoundary (operator / cloud-provider / shared). Operators running CIS-Hardened-Images (AWS Marketplace / Azure Marketplace / GCP Marketplace / Docker Hub) earn substantial substrate-evidence credit for Safeguards 4.1 + 4.2 + 4.6 — the cisHardenedImageCredit field surfaces this. Cloud-provider CIS alignment (AWS CIS v8 Quick Start + Security Hub CIS standard; Azure Security Benchmark v3 CIS-aligned; GCP Security Command Center CIS Benchmark) informs the shared-responsibility split. Sector operators: MS-ISAC (state/local govt — IG1 required / IG2 recommended), EI-ISAC (elections — IG2 required), H-ISAC (healthcare — IG2 required) sector-baseline applicability is surfaced per Safeguard.

Each Safeguard carries Cloud Companion Guide v8 applicability + shared-responsibility-model boundary. Cloud-provider CIS alignment: AWS CIS v8 Quick Start + Security Hub CIS standard · Azure Security Benchmark v3 (CIS-aligned) · GCP Security Command Center CIS Benchmark (current as of 2026-Q1; revisit annually).

CIS-Hardened-Image substrate-evidence credit — Safeguards earning credit when the operator runs CIS-Hardened-Images (AWS/Azure/GCP Marketplace, Docker Hub). Status is observed at scan time when this scan detected a Hardened-Image on at least one in-scope asset, else eligible:

SafeguardTitleHardened-Image creditStatusShared-responsibility
4.1Establish and Maintain a Secure Configuration Processsubstantial⚪ eligibleshared
4.2Establish and Maintain a Secure Configuration Process fo…partial⚪ eligibleshared
4.6Securely Manage Enterprise Assets and Softwaresubstantial⚪ eligibleshared

No CIS-Hardened-Image was detected on the 2 inspected asset(s) this run, so the Safeguards above remain eligible (not observed). Detection is LIVE (EE 0.13.1) across AMI-name / image-publisher / image-project / container-label; running a CIS-Hardened-Image flips these rows to observed point-in-time substrate-evidence. The Safeguards' operator-side secure-configuration / asset-management process documentation is required regardless of image substrate.

Sector-baseline applicability: MS-ISAC (state/local govt — IG1 required / IG2 recommended) · EI-ISAC (elections — IG2 required) · H-ISAC (healthcare — IG2 required; substantially overlaps the HIPAA Security Rule Technical Safeguards). Sector operators select their IG per the sector baseline + cyber-insurance requirements.

Failing Controls

3.3 — Configure Data Access Control Lists FAIL

Category: n/a · Violations: 7
Bucket policy grants public access
Source: aws-s3-auditor
3.3 substrate — public bucket policy violates data access control lists; auditor-canonical CIS 3.3 finding.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
3.3 substrate — publicly accessible data store violates least-privilege access control.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
3.3 substrate — publicly accessible data store violates least-privilege access control.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
3.3 — Principal:* on sensitive KMS actions (Decrypt / GenerateDataKey* / ReEncrypt* / CreateGrant / PutKeyPolicy) is an over-permissive data ACL. Anchored on the `C1.1 confidentiality-boundary risk` trailer so it does NOT match the demoted AWS-managed-CMK-template INFO. Inherits soc2 C1.1.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
3.3 (Configure Data Access Control Lists) — an IAM principal with effective kms:Decrypt on Resource:* can decrypt every CMK that admits it (account-wide decrypt reach) — an over-permissive data-access-control posture. The identity-policy vector of plugin 1110's effective-decrypt dimension; routed here alongside the grant vector + the truncation/partial gap so the WHOLE effective-decrypt native set is consistently CIS-attested (the class-O invariant: grant == identity == gap). Inherits soc2 CC6.1; real-engine ==.

3.4 — Enforce Data Retention FAIL

Category: n/a · Violations: 4
⚠️ Coverage caveat: 3.4 partial — engine evidences S3 lifecycle / retention-policy configuration substrate, but the retention SCHEDULE (how long each data class must be retained per operator policy) is operator-side.
Object Lock not configured
Source: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
Object Lock not configured
Source: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
Object Lock not configured
Source: aws-s3-auditor
3.4 substrate — Object Lock absence weakens enforced-retention (WORM) posture.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
3.4 substrate — absent lifecycle config means no enforced retention/disposal cadence.

3.5 — Securely Dispose of Data FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: 3.5 partial — engine evidences S3 lifecycle-expiration + KMS-key-deletion substrate (the disposal mechanism), but the disposal RECORDS / certificates-of-destruction are operator-side.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
3.5 substrate — absent lifecycle config = no automated disposal.

3.11 — Encrypt Sensitive Data at Rest FAIL

Category: n/a · Violations: 22
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.
Source: aws-rds-auditor
3.11 substrate — RDS storage encryption disabled.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).
Source: aws-sqs-sns-auditor
3.11 substrate — SQS at-rest encryption disabled.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.
Source: aws-sqs-sns-auditor
3.11 substrate — SNS at-rest encryption disabled.
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): EBS volume unencrypted at rest. Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
3.11 substrate — EE 0.13.1 (plugin 1210): account default-EBS-encryption disabled = future volumes launch unencrypted at rest (preventive). Inherits from soc2.json C1.1 per the inheritance contract.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.
Source: aws-elasticache-redis-auditor
CIS 3.11 (Encrypt sensitive data at rest) — ElastiCache Redis at-rest encryption DISABLED. Plugin 1180.

3.14 — Log Sensitive Data Access FAIL

Category: n/a · Violations: 2
⚠️ Coverage caveat: 3.14 partial (IG3) — engine evidences CloudTrail data-event logging substrate (whether sensitive-data access IS logged), but the sensitive-data tagging (which stores hold sensitive data warranting access logging) is operator-side per 3.7.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
3.14 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail does not log data events (S3 object-level / Lambda invocation)
Source: aws-cloudtrail-auditor
3.14 substrate — trail without data-event logging cannot evidence sensitive-data access.

4.1 — Establish and Maintain a Secure Configuration Process FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: 4.1 partial — engine evidences AWS Config recorder substrate (the configuration-monitoring mechanism); CIS-Hardened-Image usage provides substantial substrate-evidence. The secure-configuration PROCESS documentation is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
4.1 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.

4.2 — Establish and Maintain a Secure Configuration Process for Network Infrastructure FAIL

Category: n/a · Violations: 3
⚠️ Coverage caveat: 4.2 partial — engine evidences network-infrastructure configuration (Security Group rules, NACLs, firewall rules) per the CIS Cloud Companion Guide; operator-side network-device firmware/config baselines complete the dimension.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.2 substrate — open ingress to restricted ports violates secure network configuration.

4.4 — Implement and Manage a Firewall on Servers FAIL

Category: n/a · Violations: 3
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
4.4 substrate — Security Group is the cloud server firewall; open restricted-port ingress is a 4.4 firewall finding.

4.6 — Securely Manage Enterprise Assets and Software FAIL

Category: n/a · Violations: 3
⚠️ Coverage caveat: 4.6 partial — engine evidences managed-asset configuration substrate (Config, IaC-management tags); CIS-Hardened-Image usage provides substantial substrate-evidence for secure asset management. Operator-side asset-management process completes the dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
4.6 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
EC2 instance 'i-0a1b2c3d4e5f60718' has IMDSv1 enabled (HttpTokens=optional). CC6.1 access-control gap: instance metadata is reachable without a session token — no IAM instance profile is attached, so no role credentials are currently exposed — but attaching a profile later silently reintroduces the SSRF credential-theft path. Remediate by setting HttpTokens=required (IMDSv2-only) via ec2:ModifyInstanceMetadataOptions.
Source: aws-ec2-instance-auditor
4.6 substrate — EE 0.13.1 density (plugin 1210): IMDSv1 enabled is an insecurely-managed instance-metadata configuration. Inherits from soc2.json CC6.1 per the inheritance contract.
EC2 instance 'i-0b2c3d4e5f6071829' has IMDSv2 enforced but metadata hop limit 2 exceeds 1 (HttpPutResponseHopLimit=2). CC6.1 access-control gap: a containerized workload on the instance can still reach IMDS across the extra network hop — no IAM instance profile is attached, so no role credentials are currently exposed — but attaching a profile later silently reintroduces the SSRF credential-theft path. Set HttpPutResponseHopLimit=1 unless containers legitimately require IMDS.
Source: aws-ec2-instance-auditor
4.6 substrate — EE 0.13.1 density (plugin 1210): IMDSv2 hop limit >1 leaves the metadata service over-reachable from containers (insecure asset management). Inherits from soc2.json CC6.1.

5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts FAIL

Category: n/a · Violations: 6
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
5.4 substrate — privilege escalation enables non-dedicated accounts to gain admin.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
5.4 substrate — privilege escalation enables non-dedicated accounts to gain admin.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
5.4 substrate — shadow admins violate dedicated-administrator-account restriction; auditor-canonical CIS 5.4 finding.

6.3 — Require MFA for Externally-Exposed Applications FAIL

Category: n/a · Violations: 2
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
6.3 substrate — accounts without MFA fail externally-exposed-application MFA requirement.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
6.3 substrate — accounts without MFA fail externally-exposed-application MFA requirement.

6.5 — Require MFA for Administrative Access FAIL

Category: n/a · Violations: 3
MFA Delete not enabled
Source: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.
MFA Delete not enabled
Source: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.
MFA Delete not enabled
Source: aws-s3-auditor
6.5 substrate — MFA Delete absent weakens MFA protection on sensitive administrative actions.

7.5 — Perform Automated Vulnerability Scans of Internal Enterprise Assets FAIL

Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.5 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

7.6 — Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets FAIL

Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
7.6 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

8.2 — Collect Audit Logs FAIL

Category: n/a · Violations: 2
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
8.2 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail has log file validation disabled (LogFileValidationEnabled=false)
Source: aws-cloudtrail-auditor
8.2 substrate — disabled log-file validation weakens audit-log integrity.

8.3 — Ensure Adequate Audit Log Storage FAIL

Category: n/a · Violations: 7
⚠️ Coverage caveat: 8.3 partial — engine evidences audit-log storage substrate (trail S3 destination, encryption), but the adequate-storage SIZING (retention duration matching operator's log-volume) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
8.3 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail destination bucket northwind-orgtrail-logs has Object Lock enabled but NO DefaultRetention rule — the bucket is "Object-Lock-able" but no retention is auto-applied. Auditors expect a default retention rule on trail buckets.
Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail destination bucket northwind-orgtrail-logs has MFA Delete NOT enabled. Without MFA Delete, any IAM principal with s3:DeleteBucket / s3:DeleteObject can permanently delete trail logs via delete-marker → permanent-delete bypass. For trail buckets (institutional-grade evidence storage), MFA Delete is mandatory.
Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail northwind-orgtrail log files not encrypted with a KMS-CMK (KmsKeyId not set)
Source: aws-cloudtrail-auditor
8.3 substrate — unencrypted log storage weakens audit-log protection.
Trail destination bucket northwind-trail-logs has NO Object Lock configuration. SEC Rule 17a-4 / FINRA 4511 require WORM storage for audit logs. Enable Object Lock + COMPLIANCE mode + retention.
Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail destination bucket northwind-trail-logs has Versioning Disabled — Object Lock REQUIRES Versioning. Without it, retention rules cannot be enforced.
Source: aws-cloudtrail-auditor
8.3 substrate — trail destination bucket is the audit-log storage location.
Trail northwind-trail log files not encrypted with a KMS-CMK (KmsKeyId not set)
Source: aws-cloudtrail-auditor
8.3 substrate — unencrypted log storage weakens audit-log protection.

8.5 — Collect Detailed Audit Logs FAIL

Category: n/a · Violations: 3
⚠️ Coverage caveat: 8.5 partial (IG2) — engine evidences detailed-logging substrate (data-event logging, per-service log exports), but the detail-completeness (all required event types per operator policy) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
8.5 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail does not log data events (S3 object-level / Lambda invocation)
Source: aws-cloudtrail-auditor
8.5 substrate — absent data-event logging = insufficient log detail.
RDS DB instance 'northwind-orders-db' (postgres) has NO CloudWatch Logs exports configured (EnabledCloudwatchLogsExports=[]). CC7.2 monitoring gap: no database activity logs reach CloudWatch for centralized anomaly detection / alerting / long-term retention. Expected for this engine: essential=[postgresql] + optional=[upgrade]. Configure via ModifyDBInstance --cloudwatch-logs-export-configuration.
Source: aws-rds-auditor
8.5 substrate — no DB log exports = missing detailed database audit logs.

8.9 — Centralize Audit Logs FAIL

Category: n/a · Violations: 19
⚠️ Coverage caveat: 8.9 partial (IG2) — engine evidences log-centralization substrate (multi-region trail aggregation), but the SIEM-aggregation completeness (all sources feeding a central store) is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
8.9 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)
Source: aws-cloudtrail-auditor
8.9 substrate — non-multi-region trail fails to centralize logs across regions.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
8.9 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

11.1 — Establish and Maintain a Data Recovery Process FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: 11.1 partial — engine evidences backup-process substrate (AWS Backup plans exist), but the recovery-process documentation + RPO/RTO targets are operator-side.
AWS Backup account audit: ZERO backup plans configured. A1.2 availability gap: no AWS-native backup substrate is operating. Production-tier workloads on EBS / RDS / DynamoDB / EFS / FSx / Storage Gateway / Aurora typically require AWS Backup plans (or vendor-equivalent backup). Auditor walkthrough required if backups are managed externally.
Source: aws-backup-auditor
11.1 substrate — zero backup plans = no operational data-recovery process.

11.2 — Perform Automated Backups FAIL

Category: n/a · Violations: 1
RDS DB instance 'northwind-orders-db' has BackupRetentionPeriod=0 — automated backups are DISABLED. A1.2 availability gap: PITR is unavailable (requires automated backups), no recovery from corruption / accidental-DROP / insider-vandalism. Enable via rds:ModifyDBInstance --backup-retention-period <days>; institutional baseline is 7 days.
Source: aws-rds-auditor
11.2 substrate — BackupRetentionPeriod=0 disables automated RDS backups.

11.5 — Test Data Recovery FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: 11.5 partial (IG2) — engine evidences restore-testing substrate (Restore Testing Plans + job outcomes), but the recovery-test SCOPE adequacy (do tests cover all critical systems per operator's BIA) is operator-side.
AWS Backup account audit: ZERO Restore Testing Plans configured. A1.2 disaster-recovery validation gap: NO periodic test-restores are scheduled against the AWS Backup substrate. Per SEC Rule 17a-4 / FINRA 4511 audit-the-restorer doctrine, recovery points without periodic test-restores are unverifiable evidence — backups may exist but operators cannot prove they CAN be restored. Configure at least one Restore Testing Plan covering production-tier recovery points. Auditor walkthrough required if DR is validated via external runbook.
Source: aws-backup-auditor
11.5 substrate — zero restore-testing plans = recovery never tested.

12.2 — Establish and Maintain a Secure Network Architecture FAIL

Category: n/a · Violations: 1
EC2 instance 'i-0a1b2c3d4e5f60718' has public IP exposed (3.239.218.43). CC6.6 perimeter substrate evidence: the instance is directly reachable from the public internet (top-level + secondary-ENI / Elastic-IP associations checked) — auditor walkthrough verifies the Security Group ingress is intentional (pair with plugin 1170 SG perimeter findings).
Source: aws-ec2-instance-auditor
12.2 substrate — EE 0.13.1 density (plugin 1210): a directly-internet-reachable instance is network-architecture substrate evidence (verify intent vs the secure-architecture design). Inherits from soc2.json CC6.6 per the inheritance contract.

13.1 — Centralize Security Event Alerting FAIL

Category: n/a · Violations: 17
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

13.3 — Deploy a Network Intrusion Detection Solution FAIL

Category: n/a · Violations: 34
⚠️ Coverage caveat: 13.3 partial (IG2) — engine evidences network-IDS substrate (GuardDuty enablement + detector coverage), but full IDS deployment across all network segments is operator-side.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
13.3 substrate — GuardDuty disabled = no managed network intrusion detection in region.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

13.11 — Tune Security Event Alerting Thresholds FAIL

Category: n/a · Violations: 17
⚠️ Coverage caveat: 13.11 partial (IG3) — engine evidences alerting-threshold substrate (GuardDuty FindingPublishingFrequency), but threshold-tuning to operator's alert-fatigue/coverage balance is operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
13.11 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

16.1 — Establish and Maintain a Secure Application Development Process FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: 16.1 partial (IG2) — engine evidences CI/CD + application-deployment substrate (CodeBuild/CodePipeline guardrails, API Gateway auth/WAF), but the secure-development PROCESS (SDLC gates, secure-coding standards) is operator-side.
Lambda function 'nw-checkout-fn' has a public Function URL with AuthType: NONE — exposes the function to public internet without authentication. CC6.1 violation; SOC 2 institutional CRITICAL (parallel to API Gateway NONE-authorizer class). Set AuthType to AWS_IAM (uses SigV4) or front with API Gateway authorizer.
Source: aws-lambda-auditor
16.1 substrate — a Lambda Function URL with AuthType: NONE is a public, unauthenticated application entry-point — the direct analog of a NONE-auth API Gateway method. Routed here for cross-source parity. Inherits soc2 CC6.1. Plugin 1080.

Passing Controls (Within Scope)

Partial Coverage

Out of Scope

Control IDsTitleReason
1.2, 1.3, 1.4, 1.5Control 1 — active/passive discovery + unauthorized-asset response OOS (4)Active/passive discovery tooling + DHCP logging + unauthorized-asset response are operator-side (NAC, discovery agents, IR). Pair with operator network-discovery + IR program.
2.3, 2.4, 2.5, 2.6, 2.7Control 2 — software allowlisting + unauthorized-software response OOS (5)Application allowlisting (software/library/script) + automated inventory tooling + unauthorized-software response are operator-side (AppLocker/WDAC, software-inventory agents, IR).
3.1, 3.6, 3.7, 3.8, 3.9, 3.12, 3.13Control 3 — data-management governance + endpoint/removable-media encryption + DLP OOS (7)Data-management process, classification scheme, data-flow documentation, end-user/removable-media encryption, sensitivity segmentation, and DLP are operator-side governance + endpoint controls.
4.3, 4.5, 4.9, 4.10, 4.11, 4.12Control 4 — endpoint/session/mobile configuration OOS (6)Session locking, end-user-device firewalls, trusted DNS on assets, device lockout/remote-wipe, and mobile workspace separation are operator-side endpoint/MDM controls.
5.2, 5.5, 5.6Control 5 — password policy + service-account inventory + centralized account mgmt OOS (3)Unique-password enforcement, service-account inventory, and centralized account management (IdP) are operator-side identity-provider controls.
6.1, 6.2, 6.4, 6.6, 6.7, 6.8Control 6 — access-granting/revoking process + AAA inventory + RBAC governance OOS (6)Access granting/revoking processes, remote-access MFA (VPN/AAA), authentication-system inventory, centralized access control, and RBAC definition are operator-side IGA/IdP governance.
7.1, 7.2, 7.3, 7.4, 7.7Control 7 — vuln-management process + patch management + remediation OOS (5)Vulnerability-management/remediation processes and OS/application patch management are operator-side (Patch Manager + ticketing/CAPA). Pair with intelligence_engine substrate findings.
8.1, 8.4, 8.6, 8.7, 8.8, 8.10, 8.11, 8.12Control 8 — log-mgmt process + time-sync + DNS/URL/command-line logs + retention + review + SP logs OOS (8)Audit-log-management process, time synchronization, DNS/URL/command-line audit logs, retention duration, log review, and service-provider log collection are operator-side process + endpoint/SIEM controls.
9.1, 9.2, 9.3, 9.4, 9.6, 9.7Control 9 — email + web-browser protections OOS (6)Supported browsers/email clients, DNS/URL filtering, browser-extension restriction, file-type blocking, and email-server anti-malware are operator-side endpoint + email-gateway controls. (9.5 Implement DMARC moved to partial in EE 0.13.1 — the SES auditor evidences DMARC posture for SES-managed sending identities.)
10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7Control 10 — malware defenses (endpoint EDR) OOS (7)Anti-malware deployment/updates/scanning, autorun disabling, anti-exploitation, and behavior-based EDR are operator-side endpoint controls (CrowdStrike/SentinelOne/MS Defender).
12.1, 12.3, 12.4, 12.5, 12.7, 12.8Control 12 — network-device firmware + AAA + diagrams + VPN + dedicated admin resources OOS (6)Network-infrastructure firmware currency, secure device management, architecture diagrams, centralized AAA, remote-device VPN, and dedicated admin workstations are operator-side network + endpoint controls.
13.2, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9, 13.10Control 13 — HIDS/HIPS + segment filtering + NetFlow + port-level + app-layer filtering OOS (8)Host-based IDS/IPS, inter-segment traffic filtering, remote-asset access control, traffic-flow logs, network IPS, port-level access control (802.1x), and application-layer filtering are operator-side network/endpoint controls.
14.1, 14.2, 14.3, 14.4, 14.5, 14.6, 14.7, 14.8, 14.9Control 14 — security awareness + skills training (entire) OOS (9)All security awareness and skills training Safeguards are operator-side LMS controls (KnowBe4/Proofpoint/SANS). Not substrate-evidenceable.
15.1, 15.2, 15.3, 15.4, 15.5, 15.6, 15.7Control 15 — service-provider management (TPRM, entire) OOS (7)Service-provider inventory, policy, classification, contract requirements, assessment, monitoring, and decommissioning are operator-side TPRM controls. Cloud-provider AOCs/certificates inform but do not substitute.
16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 16.10, 16.11, 16.12, 16.13, 16.14Control 16 — application security process depth (SDLC, SCA, threat modeling) OOS (13)Vulnerability acceptance/root-cause, third-party-component inventory/currency, severity rating, hardening templates, prod/non-prod separation, developer training, secure design, vetted modules, code-level checks, app pentest, and threat modeling are operator-side SDLC/AppSec controls.
17.1, 17.2, 17.3, 17.4, 17.5, 17.6, 17.7, 17.8, 17.9Control 17 — incident response management (entire) OOS (9)Incident-handling personnel, contacts, reporting process, IR process, roles, communication mechanisms, exercises, post-incident reviews, and thresholds are operator-side IR-program controls.
18.1, 18.2, 18.3, 18.4, 18.5Control 18 — penetration testing (entire) OOS (5)Penetration-testing program, external/internal tests, finding remediation, and security-measure validation are operator-side engagement controls (independent pentest firms).

Appendix A — Cloud Bucket Exposure Attestation

Buckets with finding(s): 9 violation event(s) across 0 unique bucket(s).

Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].

Appendix B — Accepted Risks & False Positives

No suppressions in this scan.