NIST Cybersecurity Framework 2.0 (Core) Pre-Audit Gap Report

Generated: 2026-06-24T23:07:45.347Z

Cover: Scope Attestation

Report ID
aws_20260624_160745
Generated at
2026-06-24T23:07:45.347Z
Assessment type
Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
Scanner
NSAuditor AI EE v0.31.3 (CE v0.2.15)
Scan window
(not provided) → (not provided)
Targets in scope
aws
Targets explicitly excluded
None
Framework
NIST Cybersecurity Framework 2.0 (Core) (version 2.0)
Report integrity
SHA-256 in companion .sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
Trusted timestamp (RFC 3161)
Not configured. SHA-256 provides integrity only. For non-repudiation, configure complianceTsaUrl.
TSA policy OID
N/A — TSA itself is not configured.
TSA cert chain bundling
N/A — TSA itself is not configured.
Clock advisory
ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)

This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.

Executive Summary

NIST CSF 2.0 Implementation Tiers — Out of Scope

NIST CSF 2.0 Implementation Tiers (Partial / Risk-Informed / Repeatable / Adaptive) are organizational-maturity claims that infrastructure scanning CANNOT evidence — they describe the rigor of the operator's cybersecurity program at the program level, not the configuration state of individual controls. Pair this report with the operator's Tiering self-assessment OR a NIST-aware GRC platform (Tugboat Logic, Drata NIST CSF module, Vanta NIST CSF, AuditBoard) for the Tiers dimension.

The per-Subcategory findings below evidence the technical state of individual controls. They do NOT evidence the operator's overall NIST CSF 2.0 Implementation Tier (Partial → Risk-Informed → Repeatable → Adaptive), which describes the maturity of cybersecurity-risk-management practices across the enterprise. A Tier assertion requires governance / risk-management / supplier-relationship / training program evidence streams that infrastructure scanning cannot produce. Pair this report with the operator's Tier self-assessment OR a NIST-aware GRC platform for the Tier dimension.

Govern function: The Govern function (GV.OC / GV.RM / GV.RR / GV.PO / GV.OV / most of GV.SC) is OOS-by-design. The single substrate-evidence exception is GV.SC-04 (suppliers known) — see GV.OC + GV.RR + GV.PO — Govern function OOS for technical-control report (engine does not produce policy/strategy/oversight evidence).

Respond function: The Respond function is OOS-entirely. The engine produces the substrate adverse-event findings (DE.AE-02) that incident-response programs consume, but cannot evidence the IR-runbook execution itself — pair with operator's IR platform + runbook + tabletop-exercise log archive. See DE.AE-02 adverse-event analysis + RS function (Respond — entirely OOS as IR runbook execution) — engine produces the substrate adverse-events; operator-side IR runbook + SOAR platform handles the response.

Failing Controls

PR.AA-01 — Identities and credentials for authorized users, services, and hardware are managed by the organization FAIL

Category: Protect · Identity Management, Authentication, and Access Control · Violations: 2
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
PR.AA-01 requires authorized-user credential management. MFA on privileged accounts is the auditor-canonical identity-management control; absence violates PR.AA-01.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
PR.AA-01 requires authorized-user credential management. MFA on privileged accounts is the auditor-canonical identity-management control; absence violates PR.AA-01.

PR.AA-03 — Users, services, and hardware are authenticated FAIL

Category: Protect · Identity Management, Authentication, and Access Control · Violations: 2
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
PR.AA-03 requires user authentication; MFA absence violates the multi-factor authentication strength tier appropriate for privileged access.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
PR.AA-03 requires user authentication; MFA absence violates the multi-factor authentication strength tier appropriate for privileged access.

PR.AA-05 — Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties FAIL

Category: Protect · Identity Management, Authentication, and Access Control · Violations: 11
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
PR.AA-05 requires least-privilege; shadow admins bypass policy-defined boundaries through permission aggregation across attached/inline policies.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
PR.AA-05 — least-privilege requires no self-elevation paths. EE-RT.1.3 covers both classic + NotAction-encoded Allow privesc.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
PR.AA-05 requires least-privilege; shadow admins bypass policy-defined boundaries through permission aggregation across attached/inline policies.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
PR.AA-05 requires least-privilege; shadow admins bypass policy-defined boundaries through permission aggregation across attached/inline policies.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
PR.AA-05 — least-privilege requires no self-elevation paths. EE-RT.1.3 covers both classic + NotAction-encoded Allow privesc.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
PR.AA-05 requires least-privilege; shadow admins bypass policy-defined boundaries through permission aggregation across attached/inline policies.
Bucket policy grants public access
Source: aws-s3-auditor
PR.AA-05 — a public bucket POLICY grants internet-wide read just like a public ACL (the other confirmed-public vector); routed alongside the ACL/object-ACL anchor for cross-framework agreement. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
PR.AA-05 — a publicly-accessible S3 bucket (public bucket policy, bucket ACL, object ACL, or non-current object version granting AllUsers/AuthenticatedUsers) grants read to any internet principal with no least-privilege boundary; the AWS analog of the GCP allUsers + Azure broad-role least-privilege violations already mapped to this Subcategory. Plugin 1020.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
PR.AA-05 — a publicly-accessible S3 bucket (public bucket policy, bucket ACL, object ACL, or non-current object version granting AllUsers/AuthenticatedUsers) grants read to any internet principal with no least-privilege boundary; the AWS analog of the GCP allUsers + Azure broad-role least-privilege violations already mapped to this Subcategory. Plugin 1020.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
PR.AA-05 (least-privilege) — Principal:* on sensitive KMS actions is an unmanaged access authorization. PR.AA-05 is access-control-semantic (axis-agnostic), so this is clean even for the availability/integrity-action variants — it does NOT compound the Art.32(1)(b)-confidentiality facet over-claim (GDPR-KMS-1, deferred to the CIA-axis split). Anchored on the `C1.1 confidentiality-boundary risk` trailer so it excludes the demoted AWS-managed-CMK-template INFO. Inherits soc2 C1.1.
Lambda function 'nw-checkout-fn' has a public Function URL with AuthType: NONE — exposes the function to public internet without authentication. CC6.1 violation; SOC 2 institutional CRITICAL (parallel to API Gateway NONE-authorizer class). Set AuthType to AWS_IAM (uses SigV4) or front with API Gateway authorizer.
Source: aws-lambda-auditor
PR.AA-05 (access enforcement) — a Lambda Function URL with AuthType: NONE is a public, unauthenticated entry-point — the direct analog of a NONE-auth API Gateway method (which now routes here too, paired). Inherits soc2 CC6.1. Plugin 1080.

PR.DS-01 — The confidentiality, integrity, and availability of data-at-rest are protected FAIL

Category: Protect · Data Security · Violations: 29
Bucket policy grants public access
Source: aws-s3-auditor
PR.DS-01 — a public bucket POLICY exposes data-at-rest to any internet principal just like a public ACL (the other confirmed-public vector); routed alongside the ACL/object-ACL anchor. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
PR.DS-01 — a publicly-accessible S3 bucket exposes data-at-rest to any internet principal (read of stored object bytes), breaching the at-rest confidentiality outcome regardless of encryption; the AWS analog of the azure-storage anonymous-public-container PR.DS-01 mapping. Dual-mapped with PR.AA-05 (the least-privilege dimension). Plugin 1020.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
PR.DS-01 — a publicly-accessible S3 bucket exposes data-at-rest to any internet principal (read of stored object bytes), breaching the at-rest confidentiality outcome regardless of encryption; the AWS analog of the azure-storage anonymous-public-container PR.DS-01 mapping. Dual-mapped with PR.AA-05 (the least-privilege dimension). Plugin 1020.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
PR.DS-01 (data-at-rest protected) — Principal:* on sensitive KMS actions (Decrypt / GenerateDataKey* / ReEncrypt* / CreateGrant / PutKeyPolicy) exposes the CMK-protected data-at-rest to any authenticated AWS principal. Within-framework parity fold: the kms:* + cross-account siblings already route to PR.DS-01; the wildcard-on-sensitive variant under-routed (cross-source parity adjudication). Anchored on the `C1.1 confidentiality-boundary risk` trailer so it excludes the demoted AWS-managed-CMK-template INFO. Inherits soc2 C1.1.
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.
Source: aws-rds-auditor
PR.DS-01 confidentiality of data-at-rest requires encryption. RDS with StorageEncrypted=false stores DB data in cleartext at the EBS layer.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).
Source: aws-sqs-sns-auditor
PR.DS-01 — an SQS queue with encryption-at-rest DISABLED stores message bodies in cleartext at rest. At-rest fleet-sweep parity 2026-06-22. Plugin 1150.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.
Source: aws-sqs-sns-auditor
PR.DS-01 — an SNS topic with encryption-at-rest DISABLED stores published message bodies in cleartext at rest. At-rest fleet-sweep parity 2026-06-22. Plugin 1150.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
PR.DS-01 — confidentiality requires bounded decrypt access. Wildcard kms:Decrypt (after KMS-grant + key-policy cross-reference) undermines at-rest encryption confidentiality. Plugin 1110 (EE 0.9.1 ship-blocker closure).
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
PR.DS-01 — confidentiality requires bounded decrypt access. Wildcard kms:Decrypt (after KMS-grant + key-policy cross-reference) undermines at-rest encryption confidentiality. Plugin 1110 (EE 0.9.1 ship-blocker closure).
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
PR.DS-01 — confidentiality requires bounded decrypt access. Wildcard kms:Decrypt (after KMS-grant + key-policy cross-reference) undermines at-rest encryption confidentiality. Plugin 1110 (EE 0.9.1 ship-blocker closure).
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).
Source: aws-ec2-instance-auditor
PR.DS-01 (Data-at-rest is protected) — EBS volume Encrypted=false leaves block storage in cleartext at rest. At-rest fleet-sweep parity 2026-06-22. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
PR.DS-01 — account-default EBS encryption DISABLED; new volumes created unencrypted (forward-looking at-rest gap). Plugin 1210.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.
Source: aws-elasticache-redis-auditor
PR.DS-01 — ElastiCache Redis with AtRestEncryptionEnabled=false leaves cache data in cleartext at rest. At-rest fleet-sweep parity (reviewer fold) 2026-06-22. Plugin 1180.

PR.DS-02 — The confidentiality, integrity, and availability of data-in-transit are protected FAIL

Category: Protect · Data Security · Violations: 1
ElastiCache Redis cache-cluster 'nw-session-cache' has transit encryption DISABLED (TransitEncryptionEnabled=false). C1.1 transit-encryption gap: client connections + inter-node replication flow over the network in cleartext. Redis client credentials (AUTH tokens) AND cache contents transit unprotected. Enable via in-place migration (Redis 7+ supports TransitEncryptionMode='preferred' for zero-downtime rollout); older engines require recreate-with-encryption + data migration.
Source: aws-elasticache-redis-auditor
PR.DS-02 — ElastiCache without transit encryption transmits cached data (often holding session data, tokens, etc.) in cleartext.

PR.DS-10 — The confidentiality, integrity, and availability of data-in-use are protected FAIL

Category: Protect · Data Security · Violations: 3
⚠️ Coverage caveat: PR.DS-10 partial — the engine evidences confidentiality+integrity substrate (KMS-CMK key custody, IAM boundary, Object Lock immutability) but cannot evidence in-use protection mechanisms like memory encryption / confidential computing / TEE attestation that operate at the application or hypervisor tier.
Object Lock not configured
Source: aws-s3-auditor
PR.DS-10 partial — Object Lock provides COMPLIANCE-mode immutability that defends data integrity-in-use against destructive API calls; pairs with application-tier integrity-in-use controls.
Object Lock not configured
Source: aws-s3-auditor
PR.DS-10 partial — Object Lock provides COMPLIANCE-mode immutability that defends data integrity-in-use against destructive API calls; pairs with application-tier integrity-in-use controls.
Object Lock not configured
Source: aws-s3-auditor
PR.DS-10 partial — Object Lock provides COMPLIANCE-mode immutability that defends data integrity-in-use against destructive API calls; pairs with application-tier integrity-in-use controls.

PR.DS-11 — Backups of data are created, protected, maintained, and tested FAIL

Category: Protect · Data Security · Violations: 3
Versioning is disabled – data recovery at risk
Source: aws-s3-auditor
PR.DS-11 — S3 versioning disabled means no backup-creation discipline at the object layer (overwrites/deletes are irreversible).
Versioning is disabled – data recovery at risk
Source: aws-s3-auditor
PR.DS-11 — S3 versioning disabled means no backup-creation discipline at the object layer (overwrites/deletes are irreversible).
DynamoDB table 'northwind-sessions' has neither Point-in-Time Recovery (PITR) NOR deletion protection enabled — a single DeleteTable API call can vaporize the table AND no continuous backup exists to recover. Worst-case audit-the-auditor failure: the audit record itself is not survivable. Enable both (PI1 + C1.1).
Source: aws-dynamodb-auditor
PR.DS-11 worst case: neither PITR nor deletion-protection enabled — no path back to a known-good state after corruption. Plugin 060 emits CRITICAL.

PR.PS-04 — Log records are generated and made available for continuous monitoring FAIL

Category: Protect · Platform Security · Violations: 4
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
PR.PS-04 — CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)
Source: aws-cloudtrail-auditor
PR.PS-04 — CloudTrail trail that's not multi-region misses API calls in untracked regions; auditor-detectable continuous-monitoring gap.
Trail northwind-trail has log file validation disabled (LogFileValidationEnabled=false)
Source: aws-cloudtrail-auditor
PR.PS-04 — CloudTrail without log-file-validation cannot evidence log integrity (the auditor-canonical audit-the-auditor dimension).
RDS DB instance 'northwind-orders-db' (postgres) has pgAudit DISABLED (pgaudit.log parameter is '<empty>'). CC7.2 + CC7.3 monitoring gap: no database-level activity log is captured — DDL changes, privileged role changes, and DML on sensitive tables go unaudited. Configure via DescribeDBParameterGroup + ModifyDBParameterGroup: set pgaudit.log to a comma-separated subset of 'ddl,role,write' (read can be added selectively for compliance tables) and add 'pgaudit' to shared_preload_libraries.
Source: aws-rds-auditor
PR.PS-04 — pgAudit disabled on PostgreSQL RDS means no DB-statement audit log; continuous-monitoring gap on data-tier activity.

PR.PS-01 — Configuration management practices are established and applied FAIL

Category: Protect · Platform Security · Violations: 1
⚠️ Coverage caveat: PR.PS-01 partial — the engine evidences configuration-drift findings on managed services but does NOT evidence the operator-side configuration-management practice itself (baseline definition, drift-detection cadence, configuration-as-code adoption).
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
PR.PS-01 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.

PR.IR-01 — Networks and environments are protected from unauthorized logical access and usage FAIL

Category: Protect · Technology Infrastructure Resilience · Violations: 3
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
PR.IR-01 — public ingress to restricted ports (SSH/RDP/SMB/databases) is unauthorized network access to administrative or data-tier surfaces. Plugin 1170 emits HIGH.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
PR.IR-01 — public ingress to restricted ports (SSH/RDP/SMB/databases) is unauthorized network access to administrative or data-tier surfaces. Plugin 1170 emits HIGH.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
PR.IR-01 — public ingress to restricted ports (SSH/RDP/SMB/databases) is unauthorized network access to administrative or data-tier surfaces. Plugin 1170 emits HIGH.

PR.IR-03 — Mechanisms are implemented to achieve resilience requirements in normal and adverse situations FAIL

Category: Protect · Technology Infrastructure Resilience · Violations: 1
⚠️ Coverage caveat: PR.IR-03 partial — the engine evidences backup-substrate (PITR, deletion-protection, Object Lock, Air-Gapped Vault) but resilience-requirement DEFINITION (RTO, RPO targets per workload) and adverse-situation EXERCISE (DR tabletop, failover testing) are operator-side.
RDS DB instance 'northwind-orders-db' is configured single-AZ (MultiAZ=false). A1.2 availability gap: an AZ outage, instance failure, or maintenance event would render the database unavailable until manual recovery. Enable Multi-AZ via rds:ModifyDBInstance for production-tier workloads.
Source: aws-rds-auditor
PR.IR-03 partial — single-AZ RDS doesn't meet the auditor-canonical resilience baseline; the engine evidences the configuration substrate, while acceptance of the resilience requirement is operator-side (some workloads are acceptably single-AZ).

DE.CM-01 — Networks and network services are monitored to find potentially adverse events FAIL

Category: Detect · Continuous Monitoring · Violations: 36
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
DE.CM-01 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)
Source: aws-cloudtrail-auditor
DE.CM-01 — CloudTrail not multi-region misses events in untracked regions.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
DE.CM-01 — GuardDuty is the AWS-native continuous-network-monitoring service; absence in a region means no adverse-event detection there.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-01 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

DE.CM-09 — Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events FAIL

Category: Detect · Continuous Monitoring · Violations: 20
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
DE.CM-09 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail has log file validation disabled (LogFileValidationEnabled=false)
Source: aws-cloudtrail-auditor
DE.CM-09 — log-file-validation enables continuous-monitoring integrity; without it, monitoring output is unverifiable.
RDS DB instance 'northwind-orders-db' (postgres) has pgAudit DISABLED (pgaudit.log parameter is '<empty>'). CC7.2 + CC7.3 monitoring gap: no database-level activity log is captured — DDL changes, privileged role changes, and DML on sensitive tables go unaudited. Configure via DescribeDBParameterGroup + ModifyDBParameterGroup: set pgaudit.log to a comma-separated subset of 'ddl,role,write' (read can be added selectively for compliance tables) and add 'pgaudit' to shared_preload_libraries.
Source: aws-rds-auditor
DE.CM-09 — pgAudit disabled on PostgreSQL RDS means no per-statement runtime-environment monitoring of the data tier.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
DE.CM-09 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

DE.CM-03 — Personnel activity and technology usage are monitored to find potentially adverse events FAIL

Category: Detect · Continuous Monitoring · Violations: 1
⚠️ Coverage caveat: DE.CM-03 partial — CloudTrail / Azure Activity Log / GCP Cloud Audit Logs evidence the substrate for personnel-activity monitoring, but the analysis-and-alerting layer (SIEM rules, behavioral analytics) and the human-process layer (insider-threat program) are operator-side.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
DE.CM-03 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.

RC.RP-03 — The integrity of backups and other restoration assets is verified before using them for restoration FAIL

Category: Recover · Recovery Plan Execution · Violations: 3
Object Lock not configured
Source: aws-s3-auditor
RC.RP-03 — Object Lock COMPLIANCE-mode prevents tampering with backup objects, supporting integrity verification.
Object Lock not configured
Source: aws-s3-auditor
RC.RP-03 — Object Lock COMPLIANCE-mode prevents tampering with backup objects, supporting integrity verification.
Object Lock not configured
Source: aws-s3-auditor
RC.RP-03 — Object Lock COMPLIANCE-mode prevents tampering with backup objects, supporting integrity verification.

RC.RP-04 — Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms FAIL

Category: Recover · Recovery Plan Execution · Violations: 3
⚠️ Coverage caveat: RC.RP-04 partial — engine evidences the technical substrate for post-incident-operational-norms (backup integrity, Vault Lock, immutability), but the mission-function prioritization + risk-tolerance acceptance are operator-side.
Object Lock not configured
Source: aws-s3-auditor
RC.RP-04 partial — Object Lock substrate evidences post-incident-immutability anchor; mission-function prioritization is operator-side.
Object Lock not configured
Source: aws-s3-auditor
RC.RP-04 partial — Object Lock substrate evidences post-incident-immutability anchor; mission-function prioritization is operator-side.
Object Lock not configured
Source: aws-s3-auditor
RC.RP-04 partial — Object Lock substrate evidences post-incident-immutability anchor; mission-function prioritization is operator-side.

Passing Controls (Within Scope)

Partial Coverage

Out of Scope

Control IDs / Title / Reason

Control IDs: GV.OC-01, GV.OC-02, GV.OC-03, GV.OC-04, GV.OC-05, GV.RM-01, GV.RM-02, GV.RM-03, GV.RM-04, GV.RM-05, GV.RM-06, GV.RM-07, GV.RR-01, GV.RR-02, GV.RR-03, GV.RR-04, GV.PO-01, GV.PO-02, GV.OV-01, GV.OV-02, GV.OV-03, GV.SC-01, GV.SC-02, GV.SC-03, GV.SC-05, GV.SC-06, GV.SC-07, GV.SC-08, GV.SC-09, GV.SC-10
Title: Govern function (entire ex GV.SC-04)
Reason: The Govern function (Organizational Context, Risk Management Strategy, Roles/Responsibilities/Authorities, Policy, Oversight, Supply Chain Risk Management ex GV.SC-04) is the policy/strategy/governance dimension of NIST CSF 2.0. These are governance, executive-oversight, board-level, and policy-cycle evidence streams — they require board minutes, risk-register documents, signed policies, formal supplier-risk frameworks, and organizational-charter documentation, none of which infrastructure scanning can produce. Pair NSAuditor with a NIST-aware GRC platform (Tugboat Logic, Drata NIST CSF module, Vanta NIST CSF, AuditBoard) for Govern coverage. The single exception is GV.SC-04 (partial — substrate evidence on supplier-known dimension via VPC endpoints + cross-account trust). This OOS-by-design framing is parallel to HIPAA §164.308 + §164.310 (administrative + physical safeguards) and SOC 2 CC1.x + CC2.x + CC3.x + CC4.x + CC5.x (governance, communication, risk assessment, monitoring activities, control activities).

Control IDs: ID.AM-04, ID.AM-05, ID.AM-07, ID.AM-08, ID.RA-02, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, ID.RA-07, ID.RA-08, ID.RA-09, ID.RA-10, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04
Title: Identify function — Asset/Risk/Improvement dimensions OOS
Reason: The remaining Identify subcategories are process / supplier-relationship / strategic-improvement dimensions: external system inventories ID.AM-04 (operator vendor registry), criticality-based prioritization ID.AM-05 (operator BCP/DR planning), data-flow representations of third-party ID.AM-07 (operator TPRM), systems-and-data-managed-throughout-lifecycle ID.AM-08 (operator data governance program); threat intel ingestion ID.RA-02 (operator threat-intel platform), internal/external threats recorded ID.RA-03 (operator risk-register process), potential impacts/likelihoods used ID.RA-04 (operator quantitative risk methodology), threats/vulnerabilities/likelihoods/impacts used to understand inherent risk ID.RA-05 (operator risk-assessment methodology), risk responses chosen ID.RA-06 (operator risk-acceptance signoff), changes/exceptions managed ID.RA-07 (operator change-management process), vulnerability disclosures process ID.RA-08 (operator vuln-disclosure receipt-to-remediation lifecycle — engine produces the substrate findings but cannot evidence the process), critical suppliers risk-prioritized ID.RA-09 (operator TPRM program), and supplier authenticity validated ID.RA-10 (operator procurement process); continuous improvement of cybersecurity ID.IM-01..04 (operator continuous-improvement program). Pair with GRC platform + TPRM + risk-management platform.

Control IDs: PR.AA-02, PR.AA-04, PR.AA-06, PR.AT-01, PR.AT-02, PR.PS-03, PR.PS-05, PR.PS-06, PR.IR-02, PR.IR-04
Title: Protect function — Identity-proofing, Awareness/Training, Hardware-mgmt, Secure-dev OOS
Reason: PR.AA-02 (identities proofed and bound to credentials) requires identity-proofing workflow (operator HR + IAM administration); PR.AA-04 (identity assertions protected) is application-tier session-management (not addressable by infrastructure scan); PR.AA-06 (physical access to assets) is physical-safeguards (operator facilities); PR.AT-01 + PR.AT-02 (workforce awareness/training) is HR-training records (operator security-awareness program); PR.PS-03 (hardware maintained, replaced) is asset-lifecycle (operator endpoint-management + facility-asset disposal); PR.PS-05 (installation/execution of unauthorized software prevented) is application-allowlisting at OS/endpoint tier (operator endpoint-management); PR.PS-06 (secure software development practices) is SDLC governance (operator dev-process); PR.IR-02 (organization's technology assets protected from environmental threats) is facilities (operator data-center/cloud-provider attestations); PR.IR-04 (adequate resource capacity to ensure availability) is operations / capacity-planning (operator SRE function).

Control IDs: DE.CM-02, DE.CM-06, DE.AE-03, DE.AE-04, DE.AE-06, DE.AE-07, DE.AE-08
Title: Detect function — Physical-monitoring, SOC-analysis, IR-coordination OOS
Reason: DE.CM-02 (physical environment monitored) is facilities (operator data-center monitoring); DE.CM-06 (external service provider activities/services monitored) is TPRM (operator vendor-monitoring program); DE.AE-03 (information correlated from multiple sources) is SIEM/SOAR correlation (operator SOC platform); DE.AE-04 (estimated impact and scope of adverse events) is incident-impact analysis (operator IR runbook); DE.AE-06 (information on adverse events provided to authorized staff and tools) is IR coordination (operator IR platform); DE.AE-07 (cyber threat intelligence and other contextual information integrated into analysis) is threat-intel-platform integration (operator TIP); DE.AE-08 (incidents declared when adverse events meet defined incident criteria) is incident-declaration process (operator SOC / IR program).

Control IDs: RS.MA-01, RS.MA-02, RS.MA-03, RS.MA-04, RS.MA-05, RS.AN-03, RS.AN-06, RS.AN-07, RS.AN-08, RS.CO-02, RS.CO-03, RS.MI-01, RS.MI-02
Title: Respond function (entire)
Reason: The Respond function (Incident Management, Incident Analysis, Incident Response Reporting/Communication, Incident Mitigation) is entirely incident-response procedure — incident-management playbook execution (RS.MA-01..05), forensic analysis (RS.AN-03..08), stakeholder communication (RS.CO-02..03), and incident-mitigation containment/eradication actions (RS.MI-01..02). These are operator-side IR-runbook execution evidence streams (post-incident reports, IR-tool logs, tabletop-exercise results, communication records to regulators / customers / law enforcement) — infrastructure scanning produces inputs (the original adverse-event substrate) but cannot evidence the IR-runbook execution. Pair NSAuditor with operator's IR platform (TheHive, IBM Resilient, Demisto/Cortex XSOAR, Splunk SOAR) + IR runbook + tabletop-exercise log archive for Respond coverage. This OOS-entirely framing is parallel to HIPAA §164.308(a)(6) Security Incident Procedures and SOC 2 CC7.4 (Respond to Identified Incidents).

Control IDs: RC.RP-01, RC.RP-02, RC.RP-05, RC.RP-06, RC.CO-03, RC.CO-04
Title: Recover function — Recovery execution + communications OOS
Reason: RC.RP-01 (recovery portion of incident response plan executed) requires operator IR-runbook execution evidence; RC.RP-02 (recovery actions selected, scoped, prioritized, and performed) requires operator IR decision-records; RC.RP-05 (recovery declared when criteria met) requires operator-declaration process; RC.RP-06 (recovery actions communicated to internal stakeholders) requires operator communication-log; RC.CO-03 (recovery activities communicated to designated internal and external stakeholders) + RC.CO-04 (public updates managed by authorized organizational representatives) require operator communications program + designated spokespersons. Operator-side coverage; pair with IR platform + corporate communications program + crisis-management playbook.

Appendix A — Cloud Bucket Exposure Attestation

Buckets with finding(s): 17 violation event(s) across 0 unique bucket(s).

Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].

Appendix B — Accepted Risks & False Positives

No suppressions in this scan.