ISO/IEC 27001:2022 (Information Security Management Systems) Pre-Audit Gap Report

Generated: 2026-06-24T23:07:45.451Z

Cover: Scope Attestation

Report ID
aws_20260624_160745
Generated at
2026-06-24T23:07:45.451Z
Assessment type
Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
Scanner
NSAuditor AI EE v0.31.3 (CE v0.2.15)
Scan window
(not provided) → (not provided)
Targets in scope
aws
Targets explicitly excluded
None
Framework
ISO/IEC 27001:2022 (Information Security Management Systems) (version 2022)
Report integrity
SHA-256 in companion .sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
Trusted timestamp (RFC 3161)
Not configured. SHA-256 provides integrity only. For non-repudiation, configure complianceTsaUrl.
TSA policy OID
N/A — TSA itself is not configured.
TSA cert chain bundling
N/A — TSA itself is not configured.
Clock advisory
ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)

This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.

Executive Summary

ISO/IEC 27001:2022 Statement of Applicability — Operator Pairing Required

ISO/IEC 27001:2022 requires operator to produce a Statement of Applicability (SoA) per Clause 6.1.3.d — the central ISMS artifact enumerating every Annex A control with inclusion/exclusion decision + justification + implementation status. Stage 1 certification body assessors review the SoA FIRST — before any technical evidence. This report produces SUBSTRATE for INCLUDED controls; the SoA inclusion/exclusion decisions are operator-side per Clause 6.1.3.d. This report is INPUT to your SoA, NOT a substitute. For each control marked covered/partial: operator's SoA should show the control as Included with implementation status = Implemented (or In progress for partial) + a reference to this report as documentation evidence. For each Annex A control NOT in this report: operator's SoA must address it independently (Included with operator-side substrate, Excluded with justification, etc.). Pair with ISO-aware GRC platform's SoA-management surface (Drata ISO 27001, Vanta ISO 27001, AuditBoard, OneTrust ISMS) — the engine produces evidence that threads through the operator's SoA, not around it. 2013-edition SoAs are stale (transition deadline passed October 31, 2025); operators migrating from 2013 must re-author the SoA against the 2022 Annex A (35 unchanged + 23 renamed + 57 merged-into-24 + 11 NEW = 93 controls)

The per-Annex-A-code findings below evidence the technical configuration state of in-scope controls. They do NOT replace the operator's Statement of Applicability (SoA) per Clause 6.1.3.d — the central ISMS artifact enumerating every Annex A control with inclusion/exclusion + justification + implementation status. Stage 1 assessors review the SoA FIRST.

SoA pairing pattern per control:

2013-edition transition (deadline October 31, 2025 passed): All active ISO 27001 certificates must now be 2022 edition. 93 Annex A controls reorganized from 2013's 114 across 4 themes: A.5 Organizational (37) + A.6 People (8) + A.7 Physical (14) + A.8 Technological (34). 35 unchanged + 23 renamed + 57 merged-into-24 + 11 NEW.

11 NEW 2022 controls: A.5.7 Threat intelligence · A.5.23 Cloud services · A.5.30 ICT readiness for BC · A.7.4 Physical security monitoring · A.8.9 Configuration management · A.8.10 Information deletion · A.8.11 Data masking · A.8.12 DLP · A.8.16 Monitoring activities · A.8.23 Web filtering · A.8.28 Secure coding. Each must be explicitly addressed in the operator's SoA — silent omission is a freshness-signal failure.

5-attribute taxonomy (NEW in 2022): controlType (preventive/detective/corrective) · informationSecurityProperties (C/I/A) · cybersecurityConcepts (identify/protect/detect/respond/recover — 5 categories, NOT 6 like NIST CSF 2.0) · operationalCapabilities (15 named) · securityDomains (4 named: Governance_and_ecosystem, Protection, Defence, Resilience). Pair with ISO-aware GRC platform (Drata ISO 27001, Vanta ISO 27001, AuditBoard, OneTrust ISMS, Secureframe ISO 27001).

ISO/IEC 27001:2022 ISMS Management-System Clauses 4-10 — Out of Scope

ISO/IEC 27001:2022 certification requires BOTH (1) Annex A control implementation (93 controls — engine produces substrate per this report) AND (2) ISMS management-system Clauses 4-10 (operator-side processes — OOS-by-design for any infrastructure scanner). This report evidences (1) only. For (2), pair with your GRC platform: Clause 4 (Context — ISMS Manual); Clause 5 (Leadership — board-approved Information Security Policy); Clause 6 (Planning — risk-assessment methodology + risk register + risk-treatment plan + Statement of Applicability per Clause 6.1.3.d); Clause 7 (Support — HR competence records + LMS awareness training + document-control system); Clause 8 (Operation — risk-assessment + risk-treatment execution records); Clause 9 (Performance Evaluation — internal audit program per Clause 9.2 [MANDATORY] + management review minutes per Clause 9.3 [MANDATORY]); Clause 10 (Improvement — corrective-action records + continual-improvement log). ABSENCE of any of these 7 operator-side artifacts = auto-fail Major Nonconformity at Stage 2: (a) No Information Security Policy per Clause 5.2; (b) No risk assessment process per Clause 6.1.2; (c) No risk treatment plan per Clause 6.1.3; (d) No Statement of Applicability per Clause 6.1.3.d; (e) No internal audit program per Clause 9.2; (f) No management review per Clause 9.3; (g) No documented information per Clause 7.5. These 7 classes account for the majority of first-time Stage 2 failures — verify operator-side artifacts BEFORE scheduling Stage 2 audit with the accredited certification body (BSI / DNV / BVQI / Schellman / Coalfire / A-LIGN / etc.)

ISO/IEC 27001:2022 certification requires BOTH dimensions:

  1. Annex A control implementation (93 controls) — engine produces substrate per this report.
  2. ISMS management-system Clauses 4-10 — operator-side processes; OOS-by-design for any infrastructure scanner.

This report evidences (1) only. For (2), pair with your GRC platform.

Per-Clause OOS framing + operator-side pairings:

The 7 Major Nonconformity classes (any one = auto-fail Stage 2):

  1. No Information Security Policy (Clause 5.2)
  2. No risk assessment process (Clause 6.1.2)
  3. No risk treatment plan (Clause 6.1.3)
  4. No Statement of Applicability (Clause 6.1.3.d)
  5. No internal audit program (Clause 9.2)
  6. No management review (Clause 9.3)
  7. No documented information (Clause 7.5)

These 7 classes account for the majority of first-time Stage 2 failures. Verify operator-side artifacts BEFORE scheduling Stage 2 audit with your accredited certification body (BSI / DNV / BVQI / Schellman / Coalfire / A-LIGN / TÜV / SGS / etc.).

Certification-cycle cadence (Stage 1 → Stage 2 → surveillance → recertification):

ISO/IEC 27001:2022 — Major vs Minor Nonconformity Triage (Annex A findings)

Distinct from the 7 systemic Clause-absence Major NCs above, this triages the Annex A control findings in this report per ISO/IEC 17021-1. The engine triages candidates on finding severity; your accredited lead auditor makes the final Major / Minor / OFI determination.

GradeDefinition (ISO/IEC 17021-1)Engine triage ruleCount this scan
Major NCTotal/systemic failure of an applicable control; absence of a required control. Blocks/suspends certification.Failing control with ≥1 HIGH/CRITICAL violation18
Minor NCIsolated lapse not breaking the control's intent; correctable within the cycle.Failing control with only MEDIUM/LOW violations4
OFIOpportunity for Improvement — not a nonconformity.INFO / substrate-only findings(advisory)

Candidate Major NCs (18) — resolve BEFORE Stage 2 / surveillance:

Escalation rule: a Minor NC left unresolved across two surveillance cycles, or a cluster of related Minor NCs in one control area, is commonly escalated to a Major NC. A single Major NC at Stage 2 blocks initial certification until corrective action + verification; at surveillance it can suspend the certificate. Pair every candidate NC with root-cause analysis + corrective-action plan per Clause 10.1.

ISO/IEC 27001:2022 — Cloud-Provider Certificate Inheritance Matrix

Per Clause 4.3 ISMS scope + Annex A.5.23 Information security for use of cloud services + A.5.19-A.5.22 supplier relationships, the Customer documents the Certificate inheritance from each cloud provider in the Statement of Applicability. The matrix below aggregates the per-control cloudProviderAttestation field for the 16 in-scope Annex A controls covered or partially covered by this scan. Each Provider operates under their own ISO/IEC 17021-1 accredited certification body — the Customer inherits the infrastructure-tier substrate indicated and remains responsible for application-tier + IAM-tier + data-handling controls on top of that substrate.

Provider Certificate currency (as of 2026-Q1): AWS ISO/IEC 27001:2022 Certificate (Amazon Web Services, Inc.) · Microsoft Azure ISO/IEC 27001:2022 Certificate (Microsoft Corporation) · Google Cloud Platform ISO/IEC 27001:2022 Certificate (Google LLC). Cloud-provider Certificates are reissued on the provider's own 3-year cycle with annual surveillance — re-pull the current Certificate at every EE release cycle + every annual surveillance.

Annex A codeControlAWS substrateAzure substrateGCP substrate
A.5.15Access controlcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.5.16Identity managementcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.5.17Authentication informationcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.5.18Access rightscurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.5.23Information security for use of cloud servicescurrent as of 2026-Q1) — shared responsibility model substratecurrent as of 2026-Q1) — shared responsibility model substratecurrent as of 2026-Q1) — shared responsibility model substrate
A.8.2Privileged access rightscurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.3Information access restrictioncurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.5Secure authenticationcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.9Configuration managementcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.13Information backupcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.15Loggingcurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.16Monitoring activitiescurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.20Networks securitycurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.21Security of network servicescurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.22Segregation of networkscurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1
A.8.24Use of cryptographycurrent as of 2026-Q1current as of 2026-Q1current as of 2026-Q1

Theme A.7 Physical (14 controls — entirely OOS): Beyond the controls in the matrix above, ALL 14 Annex A.7 Physical controls are entirely inheritable from cloud-provider's ISO 27001:2022 Certificate via shared-responsibility model. On-premises operators must evidence operator-side facility-access systems + CCTV (Verkada, Avigilon for A.7.4 NEW 2022 Physical security monitoring) + facility-security operational records. The Customer's SoA documents A.7.* exclusions with justification "operator uses [AWS / Azure / GCP] shared-responsibility model; [Provider]'s ISO 27001:2022 Certificate covers physical perimeter".

Operator-side ISO discipline (NOT engine-evidenced): Per Clause 5.2 Information Security Policy + Clause 6.1.3 Risk Treatment Plan + Clause 6.1.3.d Statement of Applicability, the Customer documents the cloud-provider Certificate inheritance as part of the SoA per-control justification. The engine evidences which substrate the inherited Certificate covers; the Customer maintains the SoA documenting the inheritance + supplier-relationship records per A.5.19-A.5.22. Pair with ISO-aware GRC (Drata ISO 27001 / Vanta ISO 27001 / AuditBoard / OneTrust ISMS / Secureframe ISO 27001) for the SoA-management + supplier-records workflow.

Failing Controls

A.5.3 — Segregation of duties FAIL

Category: A.5 Organizational · Violations: 4
⚠️ Coverage caveat: A.5.3 partial — engine surfaces IAM separation-of-duties violations (shadow admins, transitive privilege escalation paths, dual-role conflicts) but operator-side org-chart + role-conflict-matrix (which roles MUST be segregated per operator's risk treatment) is the SoA-discipline dimension. Pair engine substrate with operator's role-conflict matrix.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.5.3 substrate — shadow admins violate segregation-of-duties boundaries; auditor-canonical class. Engine evidences observed IAM permission topology; operator's SoA inclusion of A.5.3 + role-conflict matrix is the operator-side completion.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
A.5.3 substrate — shadow admins violate segregation-of-duties boundaries; auditor-canonical class. Engine evidences observed IAM permission topology; operator's SoA inclusion of A.5.3 + role-conflict matrix is the operator-side completion.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.5.3 substrate — shadow admins violate segregation-of-duties boundaries; auditor-canonical class. Engine evidences observed IAM permission topology; operator's SoA inclusion of A.5.3 + role-conflict matrix is the operator-side completion.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
A.5.3 substrate — shadow admins violate segregation-of-duties boundaries; auditor-canonical class. Engine evidences observed IAM permission topology; operator's SoA inclusion of A.5.3 + role-conflict matrix is the operator-side completion.

A.5.13 — Labelling of information FAIL

Category: A.5 Organizational · Violations: 5
⚠️ Coverage caveat: A.5.13 partial — engine surfaces tag-based labelling substrate (S3 object tags, KMS key tags, IAM resource tags carrying classification metadata) but the labelling SCHEME (operator's data classification taxonomy per A.5.12) is operator-side. Pair with operator's data classification scheme.
Access logging not enabled – audit trail gap
Source: aws-s3-auditor
A.5.13 substrate — S3 bucket enumeration surfaces resources eligible for classification-tag inspection. Operator's SoA inclusion of A.5.13 + classification scheme per A.5.12 completes the labelling-implementation dimension.
Access logging not enabled – audit trail gap
Source: aws-s3-auditor
A.5.13 substrate — S3 bucket enumeration surfaces resources eligible for classification-tag inspection. Operator's SoA inclusion of A.5.13 + classification scheme per A.5.12 completes the labelling-implementation dimension.
Access logging not enabled – audit trail gap
Source: aws-s3-auditor
A.5.13 substrate — S3 bucket enumeration surfaces resources eligible for classification-tag inspection. Operator's SoA inclusion of A.5.13 + classification scheme per A.5.12 completes the labelling-implementation dimension.
Access logging not enabled – audit trail gap
Source: aws-s3-auditor
A.5.13 substrate — S3 bucket enumeration surfaces resources eligible for classification-tag inspection. Operator's SoA inclusion of A.5.13 + classification scheme per A.5.12 completes the labelling-implementation dimension.
Access logging not enabled – audit trail gap
Source: aws-s3-auditor
A.5.13 substrate — S3 bucket enumeration surfaces resources eligible for classification-tag inspection. Operator's SoA inclusion of A.5.13 + classification scheme per A.5.12 completes the labelling-implementation dimension.

A.5.15 — Access control FAIL

Category: A.5 Organizational · Violations: 2
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.5.15 substrate — privileged-account access without MFA violates the access-control rules dimension for high-privilege identities.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.5.15 substrate — privileged-account access without MFA violates the access-control rules dimension for high-privilege identities.

A.5.17 — Authentication information FAIL

Category: A.5 Organizational · Violations: 3
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.5.17 substrate — authentication-information allocation requires MFA per identity. No-MFA condition violates the allocation-management process baseline.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.5.17 substrate — authentication-information allocation requires MFA per identity. No-MFA condition violates the allocation-management process baseline.
Secrets Manager secret 'nw-db-credentials' has rotation DISABLED. Long-lived credentials accumulate compromise risk over time; AWS-recommended baseline is enabled rotation with a Lambda rotation function. CC6.1 access-control boundary risk on the credential layer (the credential is the access boundary; without rotation it becomes a single-point-of-failure if leaked). Enable rotation via secretsmanager:RotateSecret + AWSCURRENT/AWSPENDING staging labels.
Source: aws-secrets-auditor
A.5.17 substrate — Secrets Manager surfaces authentication-information storage; rotation cadence + access control on secrets are A.5.17 dimensions.

A.5.18 — Access rights FAIL

Category: A.5 Organizational · Violations: 7
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.5.18 substrate — access rights review requires detecting unintended privilege expansion. Shadow admin paths surface access-right configurations that bypass intended access-control rules.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
A.5.18 substrate — access rights review requires detecting unintended privilege expansion. Shadow admin paths surface access-right configurations that bypass intended access-control rules.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.5.18 substrate — access rights review requires detecting unintended privilege expansion. Shadow admin paths surface access-right configurations that bypass intended access-control rules.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
A.5.18 substrate — access rights review requires detecting unintended privilege expansion. Shadow admin paths surface access-right configurations that bypass intended access-control rules.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
A.5.18 substrate — effective-decrypt permissions surface principals with implicit data-access rights through KMS that exceed documented access-control rules. Direct A.5.18 review dimension.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
A.5.18 substrate — effective-decrypt permissions surface principals with implicit data-access rights through KMS that exceed documented access-control rules. Direct A.5.18 review dimension.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
A.5.18 substrate — effective-decrypt permissions surface principals with implicit data-access rights through KMS that exceed documented access-control rules. Direct A.5.18 review dimension.

A.5.23 — Information security for use of cloud services FAIL

Category: A.5 Organizational · Violations: 3
Bucket policy grants public access
Source: aws-s3-auditor
A.5.23 — a public bucket POLICY is the other confirmed-public vector (internet-wide read, same as a public ACL); routed alongside the ACL/object-ACL anchor for cross-framework agreement. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
A.5.23 NEW 2022 — managed cloud-storage service. Engine substrate surfaces S3 usage; operator's SoA + cloud-service procedures complete the dimension.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
A.5.23 NEW 2022 — managed cloud-storage service. Engine substrate surfaces S3 usage; operator's SoA + cloud-service procedures complete the dimension.

A.5.28 — Collection of evidence FAIL

Category: A.5 Organizational · Violations: 1
⚠️ Coverage caveat: A.5.28 partial — engine produces CloudTrail-based audit-log substrate suitable as forensic evidence input. Operator-side chain-of-custody discipline (evidence-preservation procedures, forensic-tool integration, legal-hold workflow) is operator-side and pairs with IR platform.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
A.5.28 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.

A.5.33 — Protection of records FAIL

Category: A.5 Organizational · Violations: 1
⚠️ Coverage caveat: A.5.33 partial — engine surfaces S3 Object Lock WORM substrate (immutability via Compliance/Governance retention modes) + lifecycle policies as records-protection substrate. Operator-side records-retention schedule + legal-hold workflow is OOS.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
A.5.33 substrate — S3 lifecycle policy surfaces the records-retention configuration. SoA inclusion + retention schedule complete the operator-side dimension.

A.8.2 — Privileged access rights FAIL

Category: A.8 Technological · Violations: 6
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.8.2 substrate — shadow admins represent unmanaged privileged access (rights effectively-admin but not documented as such). Direct A.8.2 violation.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
A.8.2 substrate — full-admin privilege allocation must be tightly restricted + managed per A.8.2. Detected full-admin principals surface privileged-access management gaps.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
A.8.2 substrate — shadow admins represent unmanaged privileged access (rights effectively-admin but not documented as such). Direct A.8.2 violation.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.8.2 substrate — shadow admins represent unmanaged privileged access (rights effectively-admin but not documented as such). Direct A.8.2 violation.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
A.8.2 substrate — full-admin privilege allocation must be tightly restricted + managed per A.8.2. Detected full-admin principals surface privileged-access management gaps.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
A.8.2 substrate — shadow admins represent unmanaged privileged access (rights effectively-admin but not documented as such). Direct A.8.2 violation.

A.8.3 — Information access restriction FAIL

Category: A.8 Technological · Violations: 8
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.8.3 substrate — wildcard resource grants violate access-restriction discipline; principal can access more information than topic-specific policy intends.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
A.8.3 substrate — wildcard resource grants violate access-restriction discipline; principal can access more information than topic-specific policy intends.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
A.8.3 substrate — wildcard resource grants violate access-restriction discipline; principal can access more information than topic-specific policy intends.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
A.8.3 substrate — wildcard resource grants violate access-restriction discipline; principal can access more information than topic-specific policy intends.
Bucket policy grants public access
Source: aws-s3-auditor
A.8.3 — a public bucket POLICY bypasses the information-access-restriction baseline just like a public ACL (the other confirmed-public vector); routed alongside the ACL/object-ACL anchor. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
A.8.3 substrate — public S3 bucket bypasses information-access-restriction baseline. Direct A.8.3 violation.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
A.8.3 substrate — public S3 bucket bypasses information-access-restriction baseline. Direct A.8.3 violation.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
A.8.3 — Principal:* on sensitive KMS actions (Decrypt / GenerateDataKey* / ReEncrypt* / CreateGrant / PutKeyPolicy) grants any authenticated AWS principal confidentiality-boundary-crossing access to the key — an access-restriction failure. Anchored on the `C1.1 confidentiality-boundary risk` trailer (HIGH/MEDIUM tiers) so it does NOT match the demoted AWS-managed-CMK-template INFO emission (by-design service-scoped, no operator gap). Inherits soc2 C1.1.

A.8.5 — Secure authentication FAIL

Category: A.8 Technological · Violations: 2
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.8.5 substrate — MFA absence violates secure-authentication baseline for privileged identities. Direct A.8.5 implementation evidence.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
A.8.5 substrate — MFA absence violates secure-authentication baseline for privileged identities. Direct A.8.5 implementation evidence.

A.8.6 — Capacity management FAIL

Category: A.8 Technological · Violations: 14
⚠️ Coverage caveat: A.8.6 partial — engine surfaces CloudWatch capacity-metric substrate (CPU/memory/IOPS metrics on EC2/RDS/Lambda). Operator-side capacity-planning process + future-demand forecasting is OOS.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
A.8.6 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
CloudWatch alarm missing: Unauthorized API calls (CIS AWS Foundations Benchmark cis-3.1). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Management Console sign-in without MFA (CIS AWS Foundations Benchmark cis-3.2). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Root account usage (CIS AWS Foundations Benchmark cis-3.3). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: IAM policy changes (CIS AWS Foundations Benchmark cis-3.4). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Management Console authentication failures (CIS AWS Foundations Benchmark cis-3.6). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Disabling or scheduled deletion of customer-created CMKs (CIS AWS Foundations Benchmark cis-3.7). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: S3 bucket policy changes (CIS AWS Foundations Benchmark cis-3.8). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: AWS Config configuration changes (CIS AWS Foundations Benchmark cis-3.9). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Security group changes (CIS AWS Foundations Benchmark cis-3.10). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Network ACL changes (CIS AWS Foundations Benchmark cis-3.11). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Network gateway changes (CIS AWS Foundations Benchmark cis-3.12). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: Route table changes (CIS AWS Foundations Benchmark cis-3.13). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.
CloudWatch alarm missing: VPC changes (CIS AWS Foundations Benchmark cis-3.14). SOC 2 CC7.2 expects active monitoring for this event class; CC7.3 expects routing to incident response. Evidence method: metric-filter-pattern-v2 (auditor-canonical — direct logs:DescribeMetricFilters per CloudTrail LogGroup).
Source: aws-cloudtrail-auditor
A.8.6 substrate — CloudWatch capacity metrics availability is the technical substrate for capacity-management monitoring. Operator's capacity-planning process completes the SoA-implementation dimension.

A.8.7 — Protection against malware FAIL

Category: A.8 Technological · Violations: 34
⚠️ Coverage caveat: A.8.7 partial — engine surfaces GuardDuty malware-protection findings (for EBS volumes, Lambda functions). Endpoint anti-malware (operator-side EDR — CrowdStrike / SentinelOne / Microsoft Defender) is OOS for infrastructure scanning. User-awareness dimension (A.8.7 second sentence) is operator-side LMS-driven.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.7 substrate — GuardDuty malware-protection findings on EBS volumes + Lambda functions provide cloud-tier anti-malware substrate. Pair with operator's endpoint EDR + LMS for complete A.8.7 coverage.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.7 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

A.8.10 — Information deletion FAIL

Category: A.8 Technological · Violations: 1
⚠️ Coverage caveat: A.8.10 partial — engine surfaces S3 lifecycle deletion policies + KMS key-deletion scheduling as deletion-substrate. Operator-side data-disposal records + per-data-class retention schedule is operator-side and required for full A.8.10 coverage.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
A.8.10 NEW 2022 substrate — S3 lifecycle expiration rules surface the information-deletion configuration. Operator's data-retention schedule pairs with the substrate.

A.8.12 — Data leakage prevention FAIL

Category: A.8 Technological · Violations: 3
⚠️ Coverage caveat: A.8.12 partial — engine surfaces Macie classification + DLP-config substrate (S3 public-access, exposed-endpoint findings as leak-risk substrate). Endpoint-tier DLP (Proofpoint, Forcepoint) is OOS for infrastructure scanning.
Bucket policy grants public access
Source: aws-s3-auditor
A.8.12 — a public bucket POLICY is the other confirmed-public leak vector (internet-wide read, same as a public ACL); routed alongside the ACL/object-ACL anchor. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
A.8.12 NEW 2022 substrate — public S3 buckets surface leak-risk substrate (sensitive information potentially accessible without authentication). Direct A.8.12 implementation evidence.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
A.8.12 NEW 2022 substrate — public S3 buckets surface leak-risk substrate (sensitive information potentially accessible without authentication). Direct A.8.12 implementation evidence.

A.8.14 — Redundancy of information processing facilities FAIL

Category: A.8 Technological · Violations: 1
⚠️ Coverage caveat: A.8.14 partial — engine surfaces multi-AZ + multi-region configuration substrate (RDS Multi-AZ, S3 cross-region replication, Lambda multi-AZ deployment). Operator-side availability-target documentation + failover-test cadence is OOS.
RDS DB instance 'northwind-orders-db' is configured single-AZ (MultiAZ=false). A1.2 availability gap: an AZ outage, instance failure, or maintenance event would render the database unavailable until manual recovery. Enable Multi-AZ via rds:ModifyDBInstance for production-tier workloads.
Source: aws-rds-auditor
A.8.14 substrate — RDS Multi-AZ deployment surfaces information-processing-facility redundancy. Single-AZ RDS in availability-critical scope violates A.8.14.

A.8.15 — Logging FAIL

Category: A.8 Technological · Violations: 1
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
A.8.15 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.

A.8.16 — Monitoring activities FAIL

Category: A.8 Technological · Violations: 34
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
A.8.16 NEW 2022 substrate — GuardDuty anomaly detection + threat intelligence surfaces the network/system monitoring dimension. Operator's SIEM correlation (Splunk, Sumo Logic) completes the evaluation-into-incident dimension.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
A.8.16 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

A.8.20 — Networks security FAIL

Category: A.8 Technological · Violations: 3
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.20 (Networks security) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.20 (Networks security) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.20 (Networks security) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.

A.8.21 — Security of network services FAIL

Category: A.8 Technological · Violations: 1
Lambda function 'nw-checkout-fn' has a public Function URL with AuthType: NONE — exposes the function to public internet without authentication. CC6.1 violation; SOC 2 institutional CRITICAL (parallel to API Gateway NONE-authorizer class). Set AuthType to AWS_IAM (uses SigV4) or front with API Gateway authorizer.
Source: aws-lambda-auditor
A.8.21 (Security of network services) — a Lambda Function URL with AuthType: NONE is a public, unauthenticated internet entry-point — the direct analog of a NONE-auth API Gateway method. Routed here for cross-source parity with the API Gateway public-entry anchor. Inherits soc2 CC6.1. Plugin 1080.

A.8.22 — Segregation of networks FAIL

Category: A.8 Technological · Violations: 3
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.22 (Segregation of networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.22 (Segregation of networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
A.8.22 (Segregation of networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.

A.8.24 — Use of cryptography FAIL

Category: A.8 Technological · Violations: 28
DynamoDB table 'northwind-inventory' uses KMS encryption but the returned KMSMasterKeyArn is a :key/UUID form, not an alias — cannot determine AWS-managed vs customer-managed from the SSE response alone. Verify via 'aws kms describe-key --key-id arn:aws:kms:us-east-1:123456789012:key/0a1b2c3d-4e5f-4a1b-8c2d-000000000007' and check KeyManager (AWS = AWS-managed; CUSTOMER = customer-managed-CMK / PASS). EE-RT.3 v1 added automated kms:DescribeKey cross-reference; if this finding still emits, KMS SDK was unavailable OR caller did not provide kmsClient OR kms:DescribeKey returned AccessDenied / NotFoundException.
Source: aws-dynamodb-auditor
A.8.24 key-management dimension (P2 key-custody doctrine 2026-06-22) — DynamoDB (KMS key unclassifiable — always-encrypted custody gap) data IS encrypted at rest but under a provider-managed/unclassifiable key (no customer rotation / revocation / crypto-shred). A.8.24 "Use of cryptography, including cryptographic key management" is the home; the data IS unreadable so the encryption-PRESENCE controls (nist PR.DS-01 / pci 3.5.1 / cis 3.11 / gdpr Art.32(1)(a)) are SATISFIED and intentionally NOT routed. Inherits soc2.json. Severity unchanged (LOW/INFO/MEDIUM observation).
DynamoDB table 'northwind-sessions' uses AWS-owned default encryption (no SSEDescription or SSEType=AES256). Customer has no key custody; AWS-owned keys cannot be disabled, audited, or rotated by the customer. Auditors require KMS-CMK (customer-managed key) for audit-store tables (C1.1 key-custody requirement).
Source: aws-dynamodb-auditor
A.8.24 key-management dimension (P2 key-custody doctrine 2026-06-22) — DynamoDB (AWS-owned default key) data IS encrypted at rest but under a provider-managed/unclassifiable key (no customer rotation / revocation / crypto-shred). A.8.24 "Use of cryptography, including cryptographic key management" is the home; the data IS unreadable so the encryption-PRESENCE controls (nist PR.DS-01 / pci 3.5.1 / cis 3.11 / gdpr Art.32(1)(a)) are SATISFIED and intentionally NOT routed. Inherits soc2.json. Severity unchanged (LOW/INFO/MEDIUM observation).
Customer-managed KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' has automatic key rotation DISABLED. CC6.3 expects cryptographic credential rotation cadence; AWS recommends enabling annual automatic rotation for customer-managed symmetric encryption keys. Enable via kms:EnableKeyRotation, or document the manual rotation procedure for auditor walkthrough.
Source: aws-kms-auditor
A.8.24 substrate — KMS key configuration (rotation, key-policy, deletion-pending state) is the cryptography-use + key-management dimension. Direct A.8.24 implementation evidence.
RDS DB instance 'northwind-analytics-cluster' uses AWS-managed KMS key (arn:aws:kms:us-east-1:123456789012:key/0a1b2c3d-4e5f-4a1b-8c2d-000000000002) — promoted from UNVERIFIABLE LOW via kms:DescribeKey cross-reference (KeyManager=AWS). C1.1 confidentiality is in effect but key custody lives in the AWS-managed key pool rather than the customer's KMS keyring — not customer-rotatable / not customer-revocable. Prefer customer-managed CMK via snapshot-restore-with-KmsKeyId for production-tier databases.
Source: aws-rds-auditor
A.8.24 key-management dimension (P2 key-custody doctrine 2026-06-22) — RDS (AWS-managed KMS key, promoted) data IS encrypted at rest but under a provider-managed/unclassifiable key (no customer rotation / revocation / crypto-shred). A.8.24 "Use of cryptography, including cryptographic key management" is the home; the data IS unreadable so the encryption-PRESENCE controls (nist PR.DS-01 / pci 3.5.1 / cis 3.11 / gdpr Art.32(1)(a)) are SATISFIED and intentionally NOT routed. Inherits soc2.json. Severity unchanged (LOW/INFO/MEDIUM observation).
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.
Source: aws-rds-auditor
A.8.24 (Use of cryptography) — an RDS DB instance with StorageEncrypted=false leaves its underlying storage, automated snapshots, and read-replicas UNENCRYPTED at rest: a direct cryptography-use gap. At-rest fleet-sweep parity (2026-06-22) — RDS storage-encryption already routed to the at-rest set in 5/7 frameworks (soc2 C1.1 / hipaa 164.312(a)(2)(iv) / nist PR.DS-01 / pci 3.5.1 / cis 3.11) but omitted iso A.8.24; this closes the RDS at-rest/iso asymmetry (the deliberate deferral from the apigw-cache fold). Inherits from soc2.json C1.1. Plugin 1140 rds-storage-unencrypted.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).
Source: aws-sqs-sns-auditor
A.8.24 (Use of cryptography) — SQS encryption-at-rest DISABLED leaves message bodies unencrypted at rest. At-rest fleet-sweep parity 2026-06-22. Inherits soc2.json C1.1. Plugin 1150.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/sqs-encrypted-queue' uses AWS-managed KMS key (alias/aws/sqs). C1.1 confidentiality is in effect but key custody lives in the AWS-managed key pool — not customer-rotatable / not customer-revocable. For production-tier confidential workloads, prefer customer-managed CMK.
Source: aws-sqs-sns-auditor
A.8.24 key-management dimension (P2 key-custody doctrine 2026-06-22) — SQS (AWS-managed KMS key) data IS encrypted at rest but under a provider-managed/unclassifiable key (no customer rotation / revocation / crypto-shred). A.8.24 "Use of cryptography, including cryptographic key management" is the home; the data IS unreadable so the encryption-PRESENCE controls (nist PR.DS-01 / pci 3.5.1 / cis 3.11 / gdpr Art.32(1)(a)) are SATISFIED and intentionally NOT routed. Inherits soc2.json. Severity unchanged (LOW/INFO/MEDIUM observation).
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.
Source: aws-sqs-sns-auditor
A.8.24 (Use of cryptography) — SNS encryption-at-rest DISABLED leaves published message bodies unencrypted at rest. Inherits soc2.json C1.1. Plugin 1150.
SNS topic 'arn:aws:sns:us-east-1:123456789012:sns-encrypted-topic' uses AWS-managed KMS key (alias/aws/sns). C1.1 confidentiality is in effect but key custody is AWS-managed — not customer-rotatable / not customer-revocable. For production-tier confidential topics, prefer customer-managed CMK.
Source: aws-sqs-sns-auditor
A.8.24 key-management dimension (P2 key-custody doctrine 2026-06-22) — SNS (AWS-managed KMS key) data IS encrypted at rest but under a provider-managed/unclassifiable key (no customer rotation / revocation / crypto-shred). A.8.24 "Use of cryptography, including cryptographic key management" is the home; the data IS unreadable so the encryption-PRESENCE controls (nist PR.DS-01 / pci 3.5.1 / cis 3.11 / gdpr Art.32(1)(a)) are SATISFIED and intentionally NOT routed. Inherits soc2.json. Severity unchanged (LOW/INFO/MEDIUM observation).
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).
Source: aws-ec2-instance-auditor
A.8.24 (Use of cryptography) — an EBS volume with Encrypted=false stores data unencrypted at rest: a direct cryptography-use gap. At-rest fleet-sweep parity 2026-06-22 (EBS block storage is the RDS analog → A.8.24 only, NOT A.5.34/PII-document). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
A.8.24 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking cryptography-use gap). Inherits soc2.json C1.1. Plugin 1210.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.
Source: aws-elasticache-redis-auditor
A.8.24 (Use of cryptography) — ElastiCache Redis with at-rest encryption DISABLED leaves cache data unencrypted at rest: a direct cryptography-use gap. iso A.8.24 only (cache = data store, the EBS/RDS analog, NOT an S3 PII-document → no A.5.34). Inherits soc2.json C1.1. Plugin 1180.

Passing Controls (Within Scope)

Partial Coverage

Out of Scope

Control IDsTitleReason
A.5.1, A.5.2, A.5.4, A.5.5, A.5.6, A.5.10, A.5.11, A.5.12, A.5.31, A.5.32, A.5.35, A.5.37Theme A.5 Organizational — policy / governance / legal-register OOS (12)These 12 Annex A controls are operator-side ISMS policy + governance + legal-register dimensions: A.5.1 board-approved Information Security Policy (Clause 5.2 dependency), A.5.2 organizational roles/responsibilities (RACI matrix), A.5.4 management responsibilities (process), A.5.5 contact with authorities (regulator-relationship), A.5.6 contact with special interest groups (membership records), A.5.10 acceptable use policy (operator AUP), A.5.11 return of assets (HR offboarding), A.5.12 information classification scheme (operator data taxonomy), A.5.31 legal/statutory/regulatory/contractual requirements (operator legal register; cross-reference A.5.34 PII + ISO 27701 PIMS), A.5.32 intellectual property rights (operator legal program), A.5.35 independent review of information security (Clause 9.2 internal audit dependency — MANDATORY), A.5.37 documented operating procedures (operator runbook documentation). Engine produces no substrate for these dimensions. Pair with GRC platform documentation surface (AuditBoard / OneTrust / Drata / Vanta / Secureframe ISMS-documentation modules) for SoA pairing. ABSENCE of A.5.35 = auto-fail Major Nonconformity at every Stage 2 + every annual surveillance per Clause 9.2 internal audit mandatoriness.
A.5.8Theme A.5 Organizational — SDLC governance OOS (1)A.5.8 (Information security in project management) is SDLC governance — embedding information security into the project-management lifecycle. Operator-side process discipline; engine produces no substrate. Pair with operator's SDLC governance + project-management framework (Jira PMO templates, Asana, Monday.com).
A.5.19, A.5.20, A.5.21Theme A.5 Organizational — TPRM OOS (3)These 3 Annex A controls are Third-Party Risk Management (TPRM) program dimensions: A.5.19 information security in supplier relationships (operator vendor program), A.5.20 information security within supplier agreements (operator contracts with security riders), A.5.21 managing information security in the ICT supply chain (operator software/hardware supply-chain risk program). Operator-side TPRM is OOS for infrastructure scanning. Pair with TPRM platform (Drata Vendor Management, OneTrust TPRM, Whistic, Vanta Vendor Management). Note: A.5.22 (monitoring, review and change management of supplier services) is partial-covered above via cross-account VPC endpoint substrate.
A.5.24, A.5.25, A.5.26, A.5.27, A.5.29Theme A.5 Organizational — Incident response + business continuity (operator-side) OOS (5)These 5 Annex A controls are operator-side IR + BCP runbook execution evidence streams: A.5.24 incident management planning and preparation, A.5.25 assessment and decision on events, A.5.26 response to information security incidents, A.5.27 learning from information security incidents, A.5.29 information security during disruption. Pair with operator IR platform (TheHive, IBM Resilient, Cortex XSOAR, Splunk SOAR) + BCP program (Veeam, Cohesity, Datto). Engine produces pre-incident detection substrate (GuardDuty findings, CloudTrail audit logs) but cannot evidence IR-runbook execution or BCP-cadence operating effectiveness. This OOS framing parallels HIPAA §164.308(a)(6) Security Incident Procedures and NIST CSF Respond-function-entire + Recover-function-partial.
A.5.7, A.5.30Theme A.5 Organizational — NEW 2022 process-driven OOS (2)Two of the 11 NEW 2022 controls are process-driven and OOS for infrastructure scanners: A.5.7 Threat intelligence (operator-side TIP integration — pair with Recorded Future, Mandiant, ThreatConnect, Anomali; engine produces CVE substrate via intelligence_engine but cannot evidence the operator-side TIP-into-defensive-actions process) + A.5.30 ICT readiness for business continuity (operator-side BCP testing cadence — pair with Veeam, Cohesity, Datto for backup-recovery cadence + structured BCP testing schedule). Both NEW controls require explicit operator-side pairings; silent omission would be a freshness-signal failure per Skill #18 Class I.
A.6.1, A.6.2, A.6.3, A.6.4, A.6.5, A.6.6, A.6.7, A.6.8Theme A.6 People — entire (8)All 8 Annex A.6 People controls are workforce-lifecycle dimensions: A.6.1 screening (HR pre-employment background checks), A.6.2 terms and conditions of employment (HR contracts), A.6.3 information security awareness/education/training (LMS — KnowBe4, Proofpoint, SANS Security Awareness), A.6.4 disciplinary process (HR disciplinary records), A.6.5 responsibilities after termination (HR offboarding), A.6.6 confidentiality or non-disclosure agreements (legal NDA execution records), A.6.7 remote working (operator remote-work policy + endpoint-management via Intune, JAMF, Kandji), A.6.8 information security event reporting (operator incident-reporting channel). Entirely OOS for infrastructure scanning — pair with HR system + LMS + endpoint-management platform. Theme A.6 OOS-entirely framing parallels NIST CSF PR.AT (Awareness/Training) + HIPAA §164.308(a)(5) Security Awareness and Training.
A.7.1, A.7.2, A.7.3, A.7.4, A.7.5, A.7.6, A.7.7, A.7.8, A.7.9, A.7.10, A.7.11, A.7.12, A.7.13, A.7.14Theme A.7 Physical — entire (14)All 14 Annex A.7 Physical controls are facility-tier dimensions: A.7.1 physical security perimeters, A.7.2 physical entry, A.7.3 securing offices/rooms/facilities, A.7.4 physical security monitoring (NEW 2022 — facility CCTV/IDS), A.7.5 protecting against physical and environmental threats, A.7.6 working in secure areas, A.7.7 clear desk and clear screen, A.7.8 equipment siting and protection, A.7.9 security of assets off-premises, A.7.10 storage media, A.7.11 supporting utilities (power, HVAC), A.7.12 cabling security, A.7.13 equipment maintenance, A.7.14 secure disposal or re-use of equipment. For cloud-hosted operators: ENTIRELY inheritable from cloud-provider's ISO 27001:2022 Certificate via shared-responsibility model (AWS / Azure / GCP all certified as of 2026-Q1). For on-premises operators: pair with facility-access systems (Brivo, S2 Security, Genetec), facility CCTV (Verkada, Avigilon), and operator's physical-security operational records. Theme A.7 OOS-entirely framing parallels HIPAA §164.310 Physical Safeguards (entirely OOS for cloud-hosted operators) + PCI DSS Req 9 (OOS-entirely).
A.8.1, A.8.18, A.8.19Theme A.8 Technological — Endpoint-management OOS (3)These 3 Annex A.8 controls are endpoint-management dimensions: A.8.1 user endpoint devices (operator endpoint-management — Intune, JAMF, Kandji, Workspace ONE), A.8.18 use of privileged utility programs (operator limits sudo/runas via endpoint-management policy + EDR), A.8.19 installation of software on operational systems (operator application allowlisting via Microsoft AppLocker, JAMF restrictions, CrowdStrike Falcon Identity Protection). Pair with operator's endpoint-management platform; engine produces no endpoint-tier substrate.
A.8.4, A.8.11Theme A.8 Technological — SCM access + application-tier data masking OOS (2)A.8.4 (Access to source code) is operator-side SCM access controls — pair with GitHub Enterprise/GitLab/Bitbucket access governance + branch-protection rules + secret-scanning. A.8.11 (Data masking) is NEW 2022 — application-tier tokenization / data masking, OOS for infrastructure scanning. Pair with Hashicorp Vault, Skyflow, Very Good Security (VGS), Privacera, or in-application tokenization layer.
A.8.23Theme A.8 Technological — NEW 2022 web filtering OOS (1)A.8.23 (Web filtering) is NEW 2022 — operator-side Secure Web Gateway (SWG). Pair with Cloudflare Gateway, Zscaler Internet Access, Netskope SWG, or equivalent secure-web-proxy. Infrastructure scanning produces no SWG substrate.
A.8.17, A.8.25, A.8.26, A.8.27, A.8.28, A.8.29, A.8.30, A.8.31, A.8.32, A.8.33, A.8.34Theme A.8 Technological — SDLC + secure-development governance + clock-sync + env-separation OOS (11)These 11 Annex A.8 controls span SDLC governance + operator-side cloud configuration dimensions not evidenced by infrastructure scanning: A.8.17 Clock synchronization (cloud-tier NTP is typically auto-managed by the cloud provider; operator documents the approved time source per workload tier) + A.8.25 secure development life cycle (operator SDLC documentation) + A.8.26 application security requirements (operator threat-modeling + requirements process) + A.8.27 secure system architecture and engineering principles (operator architecture-review process) + A.8.28 secure coding (NEW 2022 — operator SAST/IAST via Semgrep, Snyk Code, GitHub Advanced Security, Sonatype, Checkmarx, Veracode) + A.8.29 security testing in development and acceptance (operator DAST + penetration-test cadence) + A.8.30 outsourced development (operator TPRM applied to development vendors) + A.8.31 Separation of development, test and production environments (operator-side environment-management documentation + per-environment access-control matrix) + A.8.32 change management (operator change-management process — pair with CodePipeline substrate for partial deployment-pipeline evidence) + A.8.33 test information (operator data-management for test environments) + A.8.34 protection of information systems during audit testing (operator audit-window coordination). Operator pairs with NTP-source documentation (A.8.17), dev/test/prod environment-management documentation (A.8.31), and SDLC + SAST/DAST/IAST/SCA + change-management platforms (A.8.25-A.8.34).

Appendix A — Cloud Bucket Exposure Attestation

Buckets with finding(s): 14 violation event(s) across 0 unique bucket(s).

Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].

Appendix B — Accepted Risks & False Positives

No suppressions in this scan.