GDPR Article 32 (Security of Processing) — Regulation (EU) 2016/679 Pre-Audit Gap Report

Generated: 2026-06-24T23:07:45.534Z

Cover: Scope Attestation

Report ID: aws_20260624_160745
Generated at: 2026-06-24T23:07:45.534Z
Assessment type: Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
Scanner: NSAuditor AI EE v0.31.3 (CE v0.2.15)
Scan window: (not provided) → (not provided)
Targets in scope: aws
Targets explicitly excluded: None
Framework: GDPR Article 32 (Security of Processing) — Regulation (EU) 2016/679 (version 2016/679)
Report integrity: SHA-256 in companion .sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
Trusted timestamp (RFC 3161): Not configured. SHA-256 provides integrity only. For non-repudiation, configure complianceTsaUrl.
TSA policy OID: N/A — TSA itself is not configured.
TSA cert chain bundling: N/A — TSA itself is not configured.
Clock advisory: ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)

This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.

Executive Summary

GDPR Article 32 (Security of Processing) — Scope & Legal Framing

This report substrate-evidences GDPR ARTICLE 32 (security of processing) ONLY — it is NOT a statement of compliance with the GDPR as a whole and not a certification under the regulation (there is no GDPR certificate). Of the 99 articles of Regulation (EU) 2016/679, Article 32 is the only one whose evidence is technical infrastructure state; every other article (lawful basis Art. 6, consent Art. 7, data-subject rights Art. 12-23, records of processing Art. 30, breach notification Art. 33-34, DPIA Art. 35, DPO Art. 37-39, international transfers Art. 44-49) is operator-side legal/process discipline, OUT OF SCOPE by design. Art. 32 infringements sit in the Art. 83(4) LOWER fine tier (up to EUR 10 million or 2% of worldwide annual turnover), NOT the Art. 83(5) headline tier (which is for the basic principles and data-subject rights). Represent this report as 'infrastructure substrate supporting GDPR Article 32 security-of-processing measures', never as 'GDPR compliant'.

Article 32 measures are proportionate — this report is not a pass/fail verdict

GDPR Art. 32(1) measures are EXPLICITLY PROPORTIONATE: the controller and processor implement appropriate technical and organisational measures 'to ensure a level of security appropriate to the risk', taking into account (1) the state of the art, (2) the costs of implementation, (3) the nature, scope, context and purposes of processing, and (4) the risk of varying likelihood and severity for the rights and freedoms of natural persons. There is NO fixed bar — the same configuration (e.g. an unencrypted store) may be appropriate over low-sensitivity already-public data and a serious Art. 32 failure over special-category (Art. 9) data. Every finding in this report is SUBSTRATE FOR the operator's four-factor 'appropriate to the risk' determination, NOT an absolute pass/fail verdict. The proportionalityFactors field on each sub-measure names which factors dominate that measure's appropriateness judgment.

Personal-data scope — operator attestation required

GDPR Art. 32 protects PERSONAL DATA. This engine reads infrastructure configuration, NOT data classification — it cannot determine which scanned resources process personal data. A finding (unencrypted store, over-permissive role, missing backup) is an Art. 32 concern ONLY IF the resource is within the personal-data processing scope. Confirm each finding against your Article 30 Records of Processing Activities (RoPA) / data map before treating it as an Art. 32 violation — an unencrypted bucket of build artifacts or telemetry that holds no personal data is not an Art. 32 finding.

The rest of the GDPR is out of scope by design

GDPR is a 99-article legal regime; this Art. 32 report is silent on every other article — all operator-side and OUT OF SCOPE by design: lawful basis (Art. 6) + consent (Art. 7) — legal determination, pair with OneTrust / TrustArc / a CMP; transparency notices (Art. 12-14) — operator privacy team; data-subject rights / DSARs (Art. 15-22, incl. erasure Art. 17) — pair with DataGrail / OneTrust / Transcend; records of processing (Art. 30) — a legal register, NOT a resource inventory (the engine's Art. 32 substrate is an INPUT to the RoPA's Art. 30(1)(g) security-measures description, not the RoPA itself); breach notification (Art. 33-34) — IR runbook + DPA-notification template (signal-adjacent only); DPIA (Art. 35-36) — pair with a privacy GRC DPIA module; DPO (Art. 37-39) — appointed/external DPO; international transfers (Art. 44-49) — legal team + SCC/TIA management. The engine must never claim coverage of any of these.

Cloud-provider certification inheritance (Art. 32(3) / Art. 42)

GDPR Art. 32(3): adherence to an approved code of conduct (Art. 40) or certification mechanism (Art. 42) MAY be used as AN ELEMENT BY WHICH TO DEMONSTRATE compliance with Art. 32(1) — it is NOT a substitute for the controller's/processor's own appropriate technical and organisational measures. For the substrate the cloud provider controls, the operator may rely on the provider's ISO/IEC 27001 + SOC 2 + C5 (BSI) + EU Cloud Code of Conduct (Art. 40) adherence (surfaced per covered/partial control as cloudProviderAttestation). TWO disciplines: (1) it covers only the PROVIDER-controlled layer — the operator still owes its own measures over its data and configuration (enabling encryption, key management, access control, etc.); (2) ANNUAL-CURRENCY — provider attestations are reissued periodically, so verify the current certificate/AoC scope + validity before relying on it. Pair with your DPA/Art. 28 processor agreement, which documents the provider's Art. 32 'sufficient guarantees'.

Fine-tier note: Article 32 infringements sit in the Art. 83(4) lower tier (up to €10 million or 2% of total worldwide annual turnover), not the €20 million / 4% Art. 83(5) headline tier (which is for the basic principles in Arts. 5/6/7/9 and data-subject rights). Each finding carries a proportionalityFactors set, a personalDataScope caveat, and a roleApplicability (controller / processor / both) — pair them with your Article 30 Records of Processing Activities and your Article 28 processor agreements.

Failing Controls

Art.32(1)(a)-encryption-at-rest — Encryption of personal data at rest FAIL

Category: n/a · Violations: 23
Customer-managed KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' has automatic key rotation DISABLED. CC6.3 expects cryptographic credential rotation cadence; AWS recommends enabling annual automatic rotation for customer-managed symmetric encryption keys. Enable via kms:EnableKeyRotation, or document the manual rotation procedure for auditor walkthrough.
Source: aws-kms-auditor
Art. 32(1)(a) substrate — CMK rotation hygiene for at-rest encryption keys.
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.
Source: aws-rds-auditor
Art. 32(1)(a) substrate — an RDS instance with StorageEncrypted=false leaves its storage, automated snapshots, and read-replicas unencrypted at rest: a direct encryption-of-personal-data-at-rest gap. At-rest fleet-sweep parity 2026-06-22 (RDS already routed to the at-rest set in 5/7 frameworks; closing the iso/gdpr asymmetry). Personal-data-scope: an Art. 32 finding ONLY if the database holds personal data (confirm vs Art. 30 RoPA). art83(4)-lower tier. Plugin 1140.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).
Source: aws-sqs-sns-auditor
Art. 32(1)(a) substrate — SQS encryption-at-rest DISABLED leaves personal data in message bodies unencrypted at rest. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1150.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.
Source: aws-sqs-sns-auditor
Art. 32(1)(a) substrate — SNS encryption-at-rest DISABLED leaves personal data in published messages unencrypted at rest. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1150.
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — an EBS volume with Encrypted=false leaves personal data unencrypted at rest. At-rest fleet-sweep parity 2026-06-22. Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Art. 32(1)(a) substrate — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking encryption-at-rest gap). Personal-data-scope: an Art. 32 finding ONLY if the resource holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1210.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.
Source: aws-elasticache-redis-auditor
Art. 32(1)(a) substrate — ElastiCache Redis with at-rest encryption DISABLED leaves personal data in the cache unencrypted at rest. At-rest fleet-sweep parity (reviewer fold) 2026-06-22. Personal-data-scope: an Art. 32 finding ONLY if the cache holds personal data (confirm vs Art. 30 RoPA). art83Tier:83(4)-lower. Plugin 1180.

Art.32(1)(b)-confidentiality — Ongoing confidentiality of processing systems and services FAIL

Category: n/a · Violations: 16
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — missing MFA weakens access control to personal data.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — missing MFA weakens access control to personal data.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
Art. 32(1)(b) confidentiality substrate — shadow-admin paths defeat least-privilege over personal-data systems.
Bucket policy grants public access
Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — policy-granted public access to a store.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — confirmed public accessibility of bucket/objects.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
Art. 32(1)(b) confidentiality substrate — confirmed public accessibility of bucket/objects.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
Art. 32(1)(b) confidentiality substrate — Principal:* on sensitive KMS actions including Decrypt / ReEncrypt* / GenerateDataKey* grants read-of-plaintext capability to any authenticated AWS principal. Anchored on the `C1.1 confidentiality-boundary risk` trailer so it excludes the demoted AWS-managed-CMK-template INFO (service-scoped, by-design). Personal-data-scope + proportionality caveats control-level. Inherits soc2 C1.1.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(1)(b) confidentiality substrate — an IAM principal with effective kms:Decrypt on Resource:* can read (decrypt) personal data protected by every CMK that admits it (account-wide decrypt reach). Decrypt-SPECIFIC (plugin 1110 emits this only for decrypt-equivalent ops → genuine read-of-plaintext; no action-agnostic over-claim, unlike the wildcard-on-sensitive KMS anchor), so the confidentiality home is correct. Dual-homed with Art.32(4)-instruction-bound: completes the cross-vector confidentiality view so all three KMS-decrypt vectors (key-policy admission + grant + identity-policy) route here. Personal-data-scope + four-factor proportionality + art83Tier 83(4)-lower caveats control-level. Inherits soc2 CC6.1; real-engine ==.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Art. 32(1)(b) confidentiality substrate — a Security Group exposing a restricted management/data-tier port (SSH/RDP/DB) to a public-internet source range (literal 0.0.0.0/0, a public CIDR, or a split-range covering all IPv4/IPv6) is the same confidentiality-of-processing-systems concern as the all-protocol case (which already routes here) and the Azure NSG restricted-port analog (which routes to Art.32(1)(b)). Closes the AWS-SG cross-cloud/cross-dim under-claim (review C2-3). Inherits soc2.json (CC6.6). Plugin 1170.

Art.32(1)(b)-integrity — Ongoing integrity of processing systems and services FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: PARTIAL — audit-trail / diagnostic-logging substrate is necessary integrity-monitoring evidence but not sufficient; the operator's change-detection review, immutability (object-lock/WORM), and tamper-investigation process complete the Art. 32(1)(b) integrity determination.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
Evidence gap — CloudTrail enumeration incomplete; integrity-logging posture partially UNVERIFIED.

Art.32(1)(b)-resilience — Ongoing resilience of processing systems and services FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: PARTIAL — redundancy configuration (Multi-AZ) is necessary resilience substrate but not sufficient; the operator's DR drills, multi-region failover testing, and the documented continuity process complete the Art. 32(1)(b) resilience determination.
RDS DB instance 'northwind-orders-db' is configured single-AZ (MultiAZ=false). A1.2 availability gap: an AZ outage, instance failure, or maintenance event would render the database unavailable until manual recovery. Enable Multi-AZ via rds:ModifyDBInstance for production-tier workloads.
Source: aws-rds-auditor
Art. 32(1)(b) resilience substrate — single-AZ database is a redundancy single-point-of-failure.

Art.32(1)(c)-restore-capability — Ability to restore availability and access to personal data after an incident FAIL

Category: n/a · Violations: 1
⚠️ Coverage caveat: PARTIAL — the engine evidences the restore MECHANISM (PITR, logically air-gapped / immutable backup vaults, lifecycle/retention), but Art. 32(1)(c) requires the ABILITY to restore in a timely manner — which only a successful, periodic restore TEST establishes (Class K: backup existence is necessary but not sufficient; an untested or co-located/ransomware-encrypted backup does not satisfy (c)). The operator's restore-test cadence completes the (c) determination. Classified partial for consistency with Art.32(1)(b)-resilience (same mechanism-vs-tested-capability distinction).
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
Art. 32(1)(c) restore/retention substrate — absent lifecycle/retention undermines timely-restore and disposal discipline for personal data.

Art.32(1)(d)-testing-effectiveness — Process for regularly testing and evaluating the effectiveness of security measures FAIL

Category: n/a · Violations: 34
⚠️ Coverage caveat: PARTIAL — this recurring scan + vulnerability/threat-detection substrate is one input to the Art. 32(1)(d) regular-testing process; it is NOT the whole. The operator's penetration testing, DR drills, and documented test-evaluate-remediate process complete the obligation. Per the audit-gdpr-art32 Class J discipline: the engine must not claim it IS the operator's regular testing.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Art. 32(1)(d) testing substrate — GuardDuty disabled removes continuous threat-detection from the testing/monitoring program.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
Evidence gap — Inspector/GuardDuty enumeration incomplete; testing coverage partially UNVERIFIED.

Art.32(4)-instruction-bound-processing — Persons under authority process personal data only on instructions FAIL

Category: n/a · Violations: 5
⚠️ Coverage caveat: PARTIAL — IAM least-privilege / no-privilege-escalation / scoped-decrypt substrate enforces instruction-bound processing technically, but the organisational half (the Art. 28 processor agreement, documented processing instructions, and personnel confidentiality undertakings) is operator-side.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Art. 32(4) substrate — privilege-escalation paths let principals exceed their instructed access to personal data.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Art. 32(4) substrate — privilege-escalation paths let principals exceed their instructed access to personal data.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Art. 32(4) substrate — effective decrypt on Resource:* lets a principal read personal data beyond instructed scope.

Passing Controls (Within Scope)

Partial Coverage

No in-scope partial controls (or all partial controls have findings — see Failing Controls with coverage caveats).

Out of Scope

Control ID
Art.32(1)(a)-pseudonymisation
Title
Art. 32(1)(a) pseudonymisation — data-model decision, no infrastructure substrate (OOS-by-design)
Reason
Art. 32(1)(a) names BOTH pseudonymisation AND encryption. Encryption is substrate-rich (covered above); pseudonymisation — replacing direct identifiers with pseudonyms and holding the re-identification key separately — is a data-model decision wholly outside the scanner's visibility. The engine evidences ZERO of it; the encryption siblings (encryption-at-rest / in-transit) are adjacent 32(1)(a) measures but do NOT credit pseudonymisation (per the audit-gdpr-art32 Class M discipline: distinct measures in the same sub-paragraph, never conflated). Classified OOS rather than partial because a unit whose every available signal credits nothing toward it is OOS in substance — 'partial' would imply the engine partially evidences pseudonymisation when it evidences none. The operator attests pseudonymisation of identifiers per the data model. OOS-by-design.

Control ID
Art.32(2)-risk-assessment
Title
Art. 32(2) risk-assessment — operator-side process (OOS-by-design)
Reason
Art. 32(2) requires the controller/processor to account, in assessing the appropriate level of security, for the risks presented by processing — in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This is an operator-side RISK-ASSESSMENT PROCESS, the GDPR analog of HIPAA §164.308(a)(1)(ii)(A) Risk Analysis and the most-cited dimension in DPA breach enforcement. The engine produces substrate (configuration state, vulnerability findings, IAM exposure) that INFORMS the assessment; it cannot perform it. Pair with the operator's DPIA process per Art. 35 where applicable + a privacy GRC platform (OneTrust / TrustArc / DataGrail). OOS-by-design.

Appendix A — Cloud Bucket Exposure Attestation

Buckets with finding(s): 3 violation event(s) across 0 unique bucket(s).

Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].

Appendix B — Accepted Risks & False Positives

No suppressions in this scan.