PCI DSS v4.0.1 (Payment Card Industry Data Security Standard) Pre-Audit Gap Report

Generated: 2026-06-24T23:07:45.355Z

Cover: Scope Attestation

Report ID: aws_20260624_160745
Generated at: 2026-06-24T23:07:45.355Z
Assessment type: Point-in-time (Type-I-friendly). NOT a Type-II operating-effectiveness assertion.
Scanner: NSAuditor AI EE v0.31.3 (CE v0.2.15)
Scan window: (not provided) → (not provided)
Targets in scope: aws
Targets explicitly excluded: None
Framework: PCI DSS v4.0.1 (Payment Card Industry Data Security Standard) (version 4.0.1)
Report integrity: SHA-256 in companion .sha256 sidecar — verify: shasum -a 256 -c <file>.sha256
Trusted timestamp (RFC 3161): Not configured. SHA-256 provides integrity only. For non-repudiation, configure complianceTsaUrl.
TSA policy OID: N/A — TSA itself is not configured.
TSA cert chain bundling: N/A — TSA itself is not configured.
Clock advisory: ℹ️ local_clock (Active NTP-drift probing deferred to EE-SOC2.8 (v0.3.1). Local-clock advisory only.)

This attestation page is required by SOC 2 auditors as proof-of-scope. Without it, reports are routinely rejected for ambiguous coverage.

Executive Summary

PCI DSS v4.0.1 QSA Enforcement-Priority — Ranked View

Per the audit-pci-dss-qsa-perspective skill + the card-brand AOC program enforcement model (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC), the four categories below drive card-brand audit-priority — and consequently the card-brand-fine + processor-account-termination enforcement actions that flow from non-compliance findings. Findings below are aggregated from the per-control sections; same evidence, ranked by QSA-priority alignment.

Cat 1 — Externally-facing CDE with weak auth (34)

Cat 2 — Unpatched CDE infrastructure (0)

No findings matched the Cat 2 keyword set (CVE / outdated / vulnerable-version / missing-patch / EOL / deprecated-runtime). Low risk against Req 6.3.3 + Req 6.4.1.

Cat 3 — Pen-test + segmentation-validation substrate (17 substrate findings)

The engine evidences the substrate for Req 11 (vulnerability scanning + pen-test methodology). Each finding below is part of the QSA's "did pen-test happen after each segmentation change?" inquiry surface:

Cat 4 — Critical-control-failure detection substrate (38 substrate findings)

The engine evidences the substrate for Req 10 (audit-log generation + retention + NTP-sync — which feed Req 10.7 critical-control-failure detection). Each finding below is part of the QSA's "would a critical-control failure be detected and acted upon?" inquiry surface:

QSA-enforcement note: This view rebases the per-control findings against the card-brand AOC program audit-priority lens. It is not a replacement for the per-control matrix below — QSAs will still walk control-by-control + cross-reference your CDE Data Flow Diagram per Req 1.2.4 + your TPSP Responsibility Matrix per Req 12.8.5. The intent is to lead the report with the signals most-aligned with card-brand enforcement priorities so leadership sees the AOC-renewal-risk surface immediately. Pair with operator's Targeted Risk Analysis per Req 12.3.1 + Customized Approach Documentation per Req 12.3.2 (if applicable) for the full RoC narrative.

PCI DSS v4.0.1 Cardholder Data Scope — Operator Attestation Required

PCI DSS v4.0.1 requires operator attestation of WHICH storage, transmission, and processing systems hold Cardholder Data (CHD). The engine CANNOT determine CHD scope from infrastructure scanning — Reqs 3 (protect stored CHD), 4 (TLS-for-CHD), 5 (anti-malware on CDE systems), 9 (physical access to CDE), and 12 (governance over CDE scope) all gate on CHD scope. Pair this report with the operator-maintained CDE data-flow diagram (DFD per Req 1.2.4 + Req 12.5.1) + a PCI-aware GRC platform (Drata PCI, Vanta PCI, AuditBoard PCI module) for the CHD-attestation dimension. The substrate evidence in this report applies to in-scope CDE systems only — the operator confirms which findings touch the CDE.

Customized Approach Objectives (CAOs) per Req 12.3.2 — the engine evidences the Defined-Approach configuration substrate. EE 0.11.1 ships CAO text per Appendix D populated on every customized-eligible sub-requirement entry (the per-control display surfaces the CAO); verify against the official PCI SSC publication before QSA RoC submission. If the operator implements a Customized Approach, the QSA cross-references the operator's Customized Approach Documentation per Req 12.3.2 against the displayed CAO.

The per-sub-requirement findings below evidence the technical configuration state of in-scope infrastructure. They do NOT evidence which systems are in the Cardholder Data Environment (CDE) — that is an operator attestation gated by the CDE data-flow diagram per Req 1.2.4 + Req 12.5.1.

Reqs 3, 4, 5, 9, 12 framing:

Customized Approach Objectives (CAOs): NEW in v4.0 — engine evidences the Defined-Approach configuration substrate. EE 0.11.1 ships CAO text per PCI DSS v4.0.1 Appendix D populated on every customized-eligible sub-requirement entry (customizedApproachObjective: "<text>"); the per-control display below surfaces the CAO. CAO text is transcribed from PCI SSC Appendix D — verify against the official PCI DSS v4.0.1 publication before final QSA RoC submission. Customized Approach implementations require operator-maintained Customized Approach Documentation per Req 12.3.2; the QSA cross-references that document against the displayed CAO — engine does not validate Customized Approach implementations.

Card-brand AOC enforcement priority: Card-brand AOC programs (Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC) are the actual enforcement mechanism. QSA-priority categories: externally-facing CDE with weak auth (Reqs 1 + 8); unpatched CDE infrastructure (Req 6.3.3); segmentation-change-triggered pen-test missing (Req 11.4.2); critical-control-failure undetected (Req 10.7). See Req 10.4.x log review + Req 12.10.x Incident Response Plan execution + card-brand AOC breach-notification clock — engine produces substrate adverse-events (GuardDuty findings, IAM privesc paths); operator-side IR program handles response + card-brand notification per Visa CISP / Mastercard SDP / Amex DSOP / Discover DISC.

Preventive-control discipline (controlType:'preventive'): Reqs 1, 2, 7, 8, 10 sub-requirements are largely preventive controls — the engine evidences the configuration substrate enabling prevention (e.g., MFA-required-policy enabled, SG ingress restricted, KMS encryption applied), NOT the prevention having been exercised. Per-control schema field controlType (preventive / detective / hybrid) carries this classification. A QSA inquiry "show me both (a) the preventive configuration active across period AND (b) zero policy-bypass events" requires pairing this report's configuration-substrate evidence with operator-side audit-log review evidence (CloudTrail event sampling, SIEM-acknowledgment logs). The engine surfaces (a); operator-side workflow closes (b). Per-control caveat surface deferred to EE 0.11.1+ density expansion.

PCI DSS v4.0.1 Req 12.8.5 — Cloud-Provider TPSP Shared Responsibility Matrix

Per Req 12.8.5, the Customer maintains a written agreement with each Third-Party Service Provider (TPSP) defining the shared-responsibility split for each PCI DSS sub-requirement. The matrix below aggregates the per-control cloudProviderAttestation field for the 28 in-scope sub-requirements covered or partially covered by this scan. Each Provider operates under their own annually-reissued PCI DSS Service Provider AOC v4.0; the Customer inherits the infrastructure substrate indicated and remains responsible for application-tier + IAM-tier + CHD-handling controls on top of that substrate.

Provider AOC currency (as of 2026-05-23): AWS PCI DSS Service Provider AOC v4.0 (Amazon Web Services, Inc.) · Microsoft Azure PCI DSS v4.0 AOC (Microsoft Corporation) · Google Cloud Platform PCI DSS v4.0 AOC (Google LLC). Cloud-provider AOCs are reissued annually; stale references must be revisited at every EE release cycle. The substrate-area in parentheses describes which technical layer the Provider's AOC covers, NOT the full attestation text.

Sub-req | Control | AWS substrate | Azure substrate | GCP substrate
1.2.1 | Configuration standards for NSC rulesets are defined, implem… | infrastructure-tier network isolation | infrastructure-tier network isolation | infrastructure-tier network isolation
1.2.5 | All services, protocols, and ports allowed are identified, a… | port/protocol baseline | port/protocol baseline | port/protocol baseline
1.3.1 | Inbound traffic to the CDE is restricted | network-tier isolation | network-tier isolation | network-tier isolation
1.4.1 | Network security controls are implemented between trusted an… | VPC isolation | VNet isolation | VPC isolation
2.2.1 | Configuration standards are developed, implemented, and main… | hypervisor + host-OS baseline | hypervisor + host-OS baseline | hypervisor + host-OS baseline
2.2.2 | Vendor default accounts are managed | root-account discipline | root-account discipline | root-account discipline
2.2.4 | Only necessary services, protocols, daemons, and functions a… | hypervisor-tier daemon discipline | hypervisor-tier daemon discipline | hypervisor-tier daemon discipline
2.2.6 | System security parameters are configured to prevent misuse | KMS HSM substrate | Key Vault HSM substrate | Cloud KMS substrate
3.5.1 | PAN is rendered unreadable anywhere it is stored | KMS/HSM substrate | Key Vault HSM substrate | Cloud KMS substrate
4.2.1 | Strong cryptography and security protocols safeguard CHD dur… | TLS termination substrate | TLS termination substrate | TLS termination substrate
4.2.1.1 | Inventory of trusted keys and certificates used to protect P… | ACM + KMS substrate | Key Vault Certificates substrate | Certificate Manager substrate
6.3.1 | Security vulnerabilities are identified and managed | vuln-scanning substrate | Defender for Cloud substrate | Security Command Center substrate
6.3.3 | Security vulnerabilities in bespoke and custom software and … | Inspector substrate | Defender for Cloud substrate | Security Command Center substrate
6.4.1 | Public-facing web applications are protected | WAF substrate | Application Gateway WAF substrate | Cloud Armor substrate
7.2.1 | An access control model is defined | IAM substrate | Azure AD/Entra ID substrate | Cloud IAM substrate
7.2.2 | Access is assigned to users based on job classification and … | IAM least-privilege substrate | RBAC least-privilege substrate | Cloud IAM least-privilege substrate
7.2.4 | All user accounts and related access privileges are reviewed… | access-review substrate | Access Reviews substrate | IAM Recommender substrate
8.2.1 | All users are assigned a unique ID before access is granted | IAM unique-identity substrate | Entra ID substrate | Cloud Identity substrate
8.2.6 | Inactive user accounts are removed or disabled within 90 day… | IAM dormancy substrate | Entra ID dormancy substrate | IAM dormancy substrate
8.3.1 | All user access to system components for users and administr… | IAM authentication substrate | Entra ID authentication substrate | Cloud Identity authentication substrate
8.4.1 | MFA is implemented for all non-console access to the CDE for… | IAM MFA substrate | Conditional Access MFA substrate | 2-Step Verification substrate
8.5.1 | MFA systems are implemented as follows: not susceptible to r… | FIDO2/WebAuthn substrate | FIDO2 + phishing-resistant MFA substrate | Titan Security Key substrate
10.2.1 | Audit logs are enabled and active for all system components … | CloudTrail substrate | Activity Log + Diagnostic Settings substrate | Cloud Audit Logs substrate
10.4.1 | Audit logs are reviewed at least once daily for all in-scope… | GuardDuty substrate | Sentinel substrate | Security Command Center substrate
10.5.1 | Retain audit log history for at least 12 months with at leas… | CloudTrail + S3 lifecycle substrate | Log Analytics + Storage Account substrate | Cloud Logging + GCS lifecycle substrate
10.6.1 | Time-synchronization technology is used and kept current | Amazon Time Sync substrate | host-level NTP substrate | Google internal NTP substrate
11.3.1 | Internal vulnerability scans are performed via authenticated… | Inspector2 substrate | Defender for Cloud substrate | Security Command Center substrate
11.4.1 | External and internal penetration testing methodology is def… | network-tier pen-test; customer-tier operator-side | network-tier pen-test; customer-tier operator-side | network-tier pen-test; customer-tier operator-side

Operator-side TPSP discipline (NOT engine-evidenced — Defined-only per Appendix E): Req 12.8.5 itself is on the Defined-only enumeration — the QSA requires a written Customer↔TPSP agreement enumerating PCI DSS responsibility allocation per sub-requirement. The engine evidences which substrate the inherited AOC covers; the Customer maintains the written agreement evidencing the allocation. Pair with PCI-aware GRC (Drata PCI / Vanta PCI / AuditBoard PCI / OneTrust GRC / ServiceNow IRM) for the agreement-management workflow.

Failing Controls

1.2.1 — Configuration standards for NSC rulesets are defined, implemented, and maintained FAIL CDE-conditional

Category: Build and Maintain a Secure Network and Systems · Network Security Controls · Violations: 3
CAO (Appendix D): NSCs are configured and operated to enforce security policies and provide protection against compromise.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.2.1 (NSC configuration standards) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.2.1 (NSC configuration standards) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.2.1 (NSC configuration standards) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.

1.3.1 — Inbound traffic to the CDE is restricted FAIL CDE-only

Category: Build and Maintain a Secure Network and Systems · Network Security Controls · Violations: 3
CAO (Appendix D): Network traffic to the CDE is restricted to that which is necessary.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.3.1 (inbound CDE traffic restricted to necessary) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.3.1 (inbound CDE traffic restricted to necessary) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.3.1 (inbound CDE traffic restricted to necessary) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.

1.4.1 — Network security controls are implemented between trusted and untrusted networks FAIL Always-in-scope

Category: Build and Maintain a Secure Network and Systems · Network Security Controls · Violations: 3
CAO (Appendix D): Unauthorized network traffic between trusted and untrusted networks is detected and prevented.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [5432 PostgreSQL]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.4.1 (NSCs between trusted and untrusted networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [22 SSH]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.4.1 (NSCs between trusted and untrusted networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.
Security Group 'sg-0abcdef0100000012' (name='nw-web-sg', vpc='vpc-0abcdef0100000010') permits tcp ingress from 0.0.0.0/0 to restricted port(s) [6379 Redis]. CC6.6 perimeter CRITICAL: management/data-tier ports MUST NOT be reachable from the public internet. Remediate by restricting the CIDR source to the operator's bastion / VPN / VPC CIDR.
Source: aws-ec2-sg-perimeter-auditor
Req 1.4.1 (NSCs between trusted and untrusted networks) -- AWS Security Group (plugin 1170) permits public 0.0.0.0/0 ingress to a restricted management/data-tier port (SSH/RDP/SQL/Redis/Mongo/SMB/etc.). Same perimeter exposure as the Azure NSG mapping; added for cross-cloud parity so the AWS path is not a silent false-clean (EE 0.16.5 anchor-drift fix). Plugin 1170 emits CRITICAL when the SG is attached. Configuration-state substrate; pair with the operator network/CDE data-flow diagram.

2.2.1 — Configuration standards are developed, implemented, and maintained covering all system components FAIL Always-in-scope

Category: Build and Maintain a Secure Network and Systems · Apply Secure Configurations · Violations: 2
CAO (Appendix D): System components cannot be compromised by exploitation of an industry-known weakness due to inadequate configuration.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
Req 2.2.1 -- CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)
Source: aws-cloudtrail-auditor
Req 2.2.1 — CloudTrail multi-region capture is the cross-region configuration-state substrate. Single-region trails miss configuration changes in other regions; Req 2.2.1 maintenance baseline fails.

2.2.2 — Vendor default accounts are managed FAIL Always-in-scope

Category: Build and Maintain a Secure Network and Systems · Apply Secure Configurations · Violations: 6
CAO (Appendix D): System components cannot be compromised by use of vendor default accounts and passwords.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 2.2.2 — SHADOW ADMIN paths are the unmanaged-default-privilege class; principals with administrator-equivalent access via indirect grants represent vendor-default-account management gaps. Pair with operator's documented administrator inventory.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Req 2.2.2 — IAM accounts without MFA represent unmanaged-vendor-default credential exposure. Critical for root + administrator principals.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
Req 2.2.2 — SHADOW ADMIN paths are the unmanaged-default-privilege class; principals with administrator-equivalent access via indirect grants represent vendor-default-account management gaps. Pair with operator's documented administrator inventory.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 2.2.2 — SHADOW ADMIN paths are the unmanaged-default-privilege class; principals with administrator-equivalent access via indirect grants represent vendor-default-account management gaps. Pair with operator's documented administrator inventory.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Req 2.2.2 — IAM accounts without MFA represent unmanaged-vendor-default credential exposure. Critical for root + administrator principals.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
Req 2.2.2 — SHADOW ADMIN paths are the unmanaged-default-privilege class; principals with administrator-equivalent access via indirect grants represent vendor-default-account management gaps. Pair with operator's documented administrator inventory.

2.2.6 — System security parameters are configured to prevent misuse FAIL CDE-conditional

Category: Build and Maintain a Secure Network and Systems · Apply Secure Configurations · Violations: 2
CAO (Appendix D): System components cannot be compromised as a result of incorrect security parameter configuration.
KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' policy grants Principal: AWS: "*" on 1 sensitive action(s) [kms:Decrypt] WITHOUT Condition (any authenticated AWS principal can perform these confidentiality-boundary-crossing actions). C1.1 confidentiality-boundary risk.
Source: aws-kms-auditor
Req 2.2.6 — Principal:* on sensitive KMS actions (Decrypt / GenerateDataKey* / ReEncrypt* / CreateGrant / PutKeyPolicy) is a misconfigured security parameter on a key that may protect CHD. Within-framework parity fold: the kms:* + cross-account siblings already route to 2.2.6; the wildcard-on-sensitive variant under-routed (cross-source parity adjudication). Anchored on the `C1.1 confidentiality-boundary risk` trailer so it excludes the demoted AWS-managed-CMK-template INFO. Inherits soc2 C1.1.
Secrets Manager secret 'nw-db-credentials' has rotation DISABLED. Long-lived credentials accumulate compromise risk over time; AWS-recommended baseline is enabled rotation with a Lambda rotation function. CC6.1 access-control boundary risk on the credential layer (the credential is the access boundary; without rotation it becomes a single-point-of-failure if leaked). Enable rotation via secretsmanager:RotateSecret + AWSCURRENT/AWSPENDING staging labels.
Source: aws-secrets-auditor
Req 2.2.6 — Secrets Manager rotation DISABLED = system security parameter (the secret) lacks rotation-based misuse prevention. Pair with Req 8.6.x secret-lifecycle.

3.5.1 — PAN is rendered unreadable anywhere it is stored FAIL CDE-only

Category: Protect Account Data · Protect Stored Account Data · Violations: 22
CAO (Appendix D): Cleartext PAN cannot be read from storage.
⚠️ Coverage caveat: Req 3.5.1 partial — engine evidences encryption-at-rest substrate (KMS/SSE on RDS / S3 / EBS / ElastiCache / SQS-SNS; DynamoDB is always-encrypted key-custody → C1.1, not 3.5.1), but cannot determine which storage holds PAN. CDE-scope attestation per Req 1.2.4 DFD + operator-maintained data-classification gates this finding's applicability. The engine surfaces the substrate; the operator confirms whether the encrypted storage actually holds CHD per their CDE scope.
RDS DB instance 'northwind-orders-db' has storage encryption DISABLED (StorageEncrypted=false). C1.1 confidentiality gap: underlying EBS volume, automated snapshots, and read-replicas all unencrypted; no crypto-shred capability. Storage encryption cannot be enabled in-place — requires snapshot + restore-to-new-instance with KmsKeyId set.
Source: aws-rds-auditor
Req 3.5.1 partial — substrate evidence that an RDS instance has no encryption-at-rest. If this instance holds CHD per operator's CDE scope attestation, this is a Req 3.5.1 fail. Engine surfaces substrate; CDE-scope determination operator-side.
SQS queue 'https://sqs.us-east-1.amazonaws.com/123456789012/nw-order-events' has encryption-at-rest DISABLED (SqsManagedSseEnabled=false AND no KmsMasterKeyId set). C1.1 confidentiality gap: queue message bodies are stored on Amazon's SQS service infrastructure in cleartext (subject to Amazon employee operational access per the AWS shared-responsibility model). Enable SqsManagedSseEnabled=true (AWS-managed) OR set KmsMasterKeyId to a customer-managed CMK alias (customer key custody).
Source: aws-sqs-sns-auditor
Req 3.5.1 — SQS message bodies stored unencrypted at rest render any PAN in them readable. If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1150.
SNS topic 'arn:aws:sns:us-east-1:123456789012:nw-notifications' has encryption-at-rest DISABLED (no KmsMasterKeyId set). C1.1 confidentiality gap: published messages are stored on Amazon's SNS service infrastructure in cleartext until delivery. SNS has no SQS-managed-SSE equivalent — the ONLY at-rest encryption mechanism is a customer-set KmsMasterKeyId. Enable via SetTopicAttributes KmsMasterKeyId=<alias/aws/sns or CMK alias>.
Source: aws-sqs-sns-auditor
Req 3.5.1 — SNS message bodies stored unencrypted at rest render any PAN in them readable. If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1150.
EC2 account default EBS encryption is DISABLED in ap-south-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-north-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-3 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-northeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ca-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in sa-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in ap-southeast-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in eu-central-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EBS volume 'vol-0abcdef0100000014' attached to instance 'i-0a1b2c3d4e5f60718' has encryption DISABLED (Encrypted=false). C1.1 confidentiality gap: volume data at rest is stored unencrypted; without encryption there is no crypto-shred capability on decommission. Remediate by recreating the volume from an encrypted snapshot (default EBS encryption recommended account-wide).
Source: aws-ec2-instance-auditor
Req 3.5.1 — an EBS volume with Encrypted=false renders stored PAN readable at the block-storage layer. If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-east-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-1 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
EC2 account default EBS encryption is DISABLED in us-west-2 (GetEbsEncryptionByDefault=false). C1.1 preventive gap: volumes/instances launched without an explicit Encrypted=true are created UNENCRYPTED, even if all current volumes are encrypted. Enable account-wide default EBS encryption (ec2:EnableEbsEncryptionByDefault) per region.
Source: aws-ec2-instance-auditor
Req 3.5.1 — account-default EBS encryption DISABLED means new volumes are created unencrypted (preventive at-rest gap). If the resource holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), this is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1210.
ElastiCache Redis cache-cluster 'nw-session-cache' has at-rest encryption DISABLED (AtRestEncryptionEnabled=false). C1.1 confidentiality gap: cache data persisted to EBS snapshots + cross-region replication backups stored unencrypted; no crypto-shred capability. At-rest encryption cannot be enabled in-place — requires snapshot-restore-to-new-cluster with KmsKeyId set + DR window for data migration.
Source: aws-elasticache-redis-auditor
Req 3.5.1 — unencrypted ElastiCache Redis at rest renders any stored PAN readable. If the cache holds CHD per the operator CDE Data Flow Diagram (Req 1.2.4 / 12.5.1), unencrypted cache data at rest is a Req 3.5.1 stored-PAN-unreadable gap; CDE-scope caveat applies. Plugin 1180.

4.2.1 — Strong cryptography and security protocols safeguard CHD during transmission · FAIL · CDE-conditional

Category: Protect Account Data · Protect Cardholder Data with Strong Cryptography During Transmission · Violations: 1
CAO (Appendix D): Cleartext PAN cannot be read or intercepted from any transmission over open, public networks.
ElastiCache Redis cache-cluster 'nw-session-cache' has transit encryption DISABLED (TransitEncryptionEnabled=false). C1.1 transit-encryption gap: client connections + inter-node replication flow over the network in cleartext. Redis client credentials (AUTH tokens) AND cache contents transit unprotected. Enable via in-place migration (Redis 7+ supports TransitEncryptionMode='preferred' for zero-downtime rollout); older engines require recreate-with-encryption + data migration.
Source: aws-elasticache-redis-auditor
Req 4.2.1 — ElastiCache Redis without TLS (transit encryption DISABLED) means any CHD held in the cache is unencrypted in transit. Pair with CDE scope.

4.2.1.1 — Inventory of trusted keys and certificates used to protect PAN during transmission is maintained · FAIL · CDE-only

Category: Protect Account Data · Protect Cardholder Data with Strong Cryptography During Transmission · Violations: 1
⚠️ Coverage caveat: Req 4.2.1.1 partial + Defined-only (per PCI DSS v4.0.1 Appendix E) — the engine evidences KMS key aliases + (where available) ACM certificate inventory substrate, but the formal inventory artifact tying each trusted key/certificate to its CHD-transmission use case is operator-maintained. Defined-only means no Customized Approach permitted; the inventory must be implemented as stated.
Customer-managed KMS key '0a1b2c3d-4e5f-4a1b-8c2d-000000000003' has automatic key rotation DISABLED. CC6.3 expects cryptographic credential rotation cadence; AWS recommends enabling annual automatic rotation for customer-managed symmetric encryption keys. Enable via kms:EnableKeyRotation, or document the manual rotation procedure for auditor walkthrough.
Source: aws-kms-auditor
Req 4.2.1.1 partial — Customer-managed KMS key with rotation DISABLED is a candidate trusted-key for CHD-transmission protection inventory IF operator declares it for that use. The trusted-key inventory artifact + use-case mapping per Req 4.2.1.1 is operator-side; rotation-cadence dimension is the substrate evidence the engine produces.

6.3.3 — Security vulnerabilities in bespoke and custom software and third-party software components are addressed · FAIL · CDE-conditional

Category: Maintain a Vulnerability Management Program · Develop and Maintain Secure Systems and Software · Violations: 17
CAO (Appendix D): System components cannot be compromised via the exploitation of a known vulnerability.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 6.3.3 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

7.2.1 — An access control model is defined · FAIL · Always-in-scope

Category: Implement Strong Access Control Measures · Restrict Access by Business Need to Know · Violations: 7
CAO (Appendix D): Access requirements are established according to job functions following the principles of least privilege and need-to-know.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 7.2.1 — SHADOW ADMIN paths violate least-privileges-required; the access-control model must constrain access per job function. Indirect admin grants via policy chains are the textbook Req 7.2.1 violation.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
Req 7.2.1 — SHADOW ADMIN paths violate least-privileges-required; the access-control model must constrain access per job function. Indirect admin grants via policy chains are the textbook Req 7.2.1 violation.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 7.2.1 — SHADOW ADMIN paths violate least-privileges-required; the access-control model must constrain access per job function. Indirect admin grants via policy chains are the textbook Req 7.2.1 violation.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
Req 7.2.1 — SHADOW ADMIN paths violate least-privileges-required; the access-control model must constrain access per job function. Indirect admin grants via policy chains are the textbook Req 7.2.1 violation.
Bucket policy grants public access
Source: aws-s3-auditor
Req 7.2.1 — a public bucket POLICY grants internet-wide read of a stored data resource with no access-control model, identical in effect to a public ACL (the other confirmed-public vector); routed alongside the ACL/object-ACL anchor. If the bucket holds CHD per operator CDE scope, Req 7.2.1 fail; CDE determination operator-side. Plugin 1020.
Object ACL grants public access (AllUsers) on 2 of 7 sampled objects – objects publicly accessible
Source: aws-s3-auditor
Req 7.2.1 — a publicly-accessible S3 bucket grants read of a stored data resource with NO access-control model (any unauthenticated internet user), the polar opposite of the least-privileges-required + need-to-know baseline; AWS analog of the azure-storage public-container → 7.2.1 mapping. If the bucket holds CHD per operator CDE scope, Req 7.2.1 fail; engine surfaces substrate, CDE determination operator-side. Plugin 1020.
Object ACL grants public access (AllUsers) on 1 of 1 sampled non-current versions – objects publicly accessible
Source: aws-s3-auditor
Req 7.2.1 — a publicly-accessible S3 bucket grants read of a stored data resource with NO access-control model (any unauthenticated internet user), the polar opposite of the least-privileges-required + need-to-know baseline; AWS analog of the azure-storage public-container → 7.2.1 mapping. If the bucket holds CHD per operator CDE scope, Req 7.2.1 fail; engine surfaces substrate, CDE determination operator-side. Plugin 1020.

7.2.2 — Access is assigned to users based on job classification and function · FAIL · Always-in-scope

Category: Implement Strong Access Control Measures · Restrict Access by Business Need to Know · Violations: 9
CAO (Appendix D): Access to system components and data is appropriately authorized and restricted based on job classification and function.
⚠️ Coverage caveat: Req 7.2.2 partial (EE 0.19.4 matrix-shift) — 7.2.2 assigns access by BOTH (a) job classification and function AND (b) least privileges necessary. The job-classification/function half is process/HR-gated: only the operator's role-to-job-function assignment matrix attests that granted access matches a role's legitimate need; an infrastructure scanner cannot determine intended job function, so 'covered' would be the QSA-detectable overclaim class (the PCI analog of HIPAA's 'Addressable as Required'). The engine evidences the LEAST-PRIVILEGE half via over-privilege DETECTION: plugin 1110 flags effective kms:Decrypt reachability (a decrypt-capability slice) and plugin 1030 flags shadow-admin / privilege-escalation / PassRole paths (access exceeding least privilege). Partial is the honest scope.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — a shadow-admin principal holds admin-equivalent access it was not explicitly granted, exceeding the least privileges necessary. Broad IAM over-privilege detection (plugin 1030). Pair with the operator's role/RBAC-to-job-function matrix to confirm the access is required by the principal's job classification.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — detected privilege-escalation paths mean a principal can acquire access beyond its assigned least privilege, the core 7.2.2 least-privilege failure. Over-privilege detection (plugin 1030). Remediate the escalation primitives + verify residual access against the operator's role/job-function matrix.
Shadow admin path: northwind-deploy → northwind-ci-role (role) [inline: northwind-ci-policy]
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — a shadow-admin principal holds admin-equivalent access it was not explicitly granted, exceeding the least privileges necessary. Broad IAM over-privilege detection (plugin 1030). Pair with the operator's role/RBAC-to-job-function matrix to confirm the access is required by the principal's job classification.
SHADOW ADMIN: User has full wildcard (*) permissions
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — a shadow-admin principal holds admin-equivalent access it was not explicitly granted, exceeding the least privileges necessary. Broad IAM over-privilege detection (plugin 1030). Pair with the operator's role/RBAC-to-job-function matrix to confirm the access is required by the principal's job classification.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — detected privilege-escalation paths mean a principal can acquire access beyond its assigned least privilege, the core 7.2.2 least-privilege failure. Over-privilege detection (plugin 1030). Remediate the escalation primitives + verify residual access against the operator's role/job-function matrix.
Shadow admin path: northwind-root → northwind-ci-role (role) [via policy: arn:aws:iam::aws:policy/AdministratorAccess, arn:aws:iam::aws:policy/AdministratorAccess-Amplify]
Source: aws-iam-deep-auditor
Req 7.2.2 (least-privilege half) — a shadow-admin principal holds admin-equivalent access it was not explicitly granted, exceeding the least privileges necessary. Broad IAM over-privilege detection (plugin 1030). Pair with the operator's role/RBAC-to-job-function matrix to confirm the access is required by the principal's job classification.
IAM principal 'northwind-deploy' (user) has effective kms:Decrypt on Resource:* via policy inline-user:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Req 7.2.2 — Effective kms:Decrypt on Resource:* violates least-privileges-necessary by granting broad decrypt capability. Pair with operator's job-function-based access matrix to verify the principal's role legitimately requires Resource:* decrypt.
IAM principal 'northwind-root' (user) has effective kms:Decrypt on Resource:* via policy attached-managed:AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Req 7.2.2 — Effective kms:Decrypt on Resource:* violates least-privileges-necessary by granting broad decrypt capability. Pair with operator's job-function-based access matrix to verify the principal's role legitimately requires Resource:* decrypt.
IAM principal 'northwind-ci-role' (role) has effective kms:Decrypt on Resource:* via policy inline-role:northwind-ci-policy (statement 0). Action(s): [*]; Resource(s): [*]. CC6.1 / C1.1 / CC6.3 risk: principal can decrypt EVERY KMS key whose key policy permits the principal — confidentiality blast-radius is account-wide for any wildcard-permissive key policy. Replace Resource:* with specific key ARN(s) bound to least-privilege. Evidence layer note (EE 0.9.1 B-CRIT-1/2 closure): this finding reflects the identity-policy GRANT — one of the layers required for effective decrypt; the others (KMS key policy + KMS grants) are now cross-referenced per the run-level kms-grant-decrypt-no-identity-grant emission and the HIGH→INFO downgrade contract when no key in the account trusts this principal. SCP / Permissions Boundary / Deny statements remain plugin 1030's domain and the scope-deferred block.
Source: aws-iam-effective-decrypt-auditor
Req 7.2.2 — Effective kms:Decrypt on Resource:* violates least-privileges-necessary by granting broad decrypt capability. Pair with operator's job-function-based access matrix to verify the principal's role legitimately requires Resource:* decrypt.

8.4.1 — MFA is implemented for all non-console access to the CDE for personnel with administrative access FAIL Always-in-scope

Category: Implement Strong Access Control Measures · Identify Users and Authenticate Access · Violations: 2
CAO (Appendix D): Administrative access to the CDE cannot be obtained by the use of a single authentication factor.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Req 8.4.1 — IAM principal without MFA configured. Cross-reference with operator's RBAC matrix to determine if the principal has administrative access (Req 8.4.1 trigger). For root accounts, this is always a Req 8.4.1 fail.
No MFA configured on active IAM user
Source: aws-iam-deep-auditor
Req 8.4.1 — IAM principal without MFA configured. Cross-reference with operator's RBAC matrix to determine if the principal has administrative access (Req 8.4.1 trigger). For root accounts, this is always a Req 8.4.1 fail.

8.5.1 — MFA systems are implemented as follows: not susceptible to replay attacks FAIL Always-in-scope

Category: Implement Strong Access Control Measures · Identify Users and Authenticate Access · Violations: 2
CAO (Appendix D): MFA systems are not susceptible to replay attacks, bypass, or other compromise that would allow access to the CDE without successfully completing MFA.
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Req 8.5.1 — Privilege escalation paths bypass MFA-required boundaries (the prevention-exercised dimension of MFA enforcement fails when escalation paths exist). Pair with operator-side MFA-factor-type evidence (phishing-resistant FIDO2/WebAuthn vs replayable virtual-MFA SMS).
Privilege escalation paths detected: iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:AttachUserPolicy, iam:AttachGroupPolicy, iam:AttachRolePolicy, iam:PutUserPolicy, iam:PutGroupPolicy, iam:PutRolePolicy, iam:CreateUser, iam:CreateRole, iam:CreateLoginProfile, iam:UpdateLoginProfile, iam:CreateAccessKey, iam:AddUserToGroup, iam:UpdateAssumeRolePolicy, iam:PutRolePermissionsBoundary, iam:DeleteRolePermissionsBoundary, iam:PutUserPermissionsBoundary, iam:DeleteUserPermissionsBoundary, iam:PassRole, sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity, sts:GetFederationToken, lambda:CreateFunction, lambda:InvokeFunction, lambda:UpdateFunctionCode, ec2:RunInstances, cloudformation:CreateStack, datapipeline:CreatePipeline, glue:CreateDevEndpoint, glue:UpdateDevEndpoint, kms:CreateGrant, kms:PutKeyPolicy, kms:ScheduleKeyDeletion
Source: aws-iam-deep-auditor
Req 8.5.1 — Privilege escalation paths bypass MFA-required boundaries (the prevention-exercised dimension of MFA enforcement fails when escalation paths exist). Pair with operator-side MFA-factor-type evidence (phishing-resistant FIDO2/WebAuthn vs replayable virtual-MFA SMS).

10.2.1 — Audit logs are enabled and active for all system components and CHD FAIL Always-in-scope

Category: Regularly Monitor and Test Networks · Log and Monitor All Access · Violations: 3
CAO (Appendix D): Records of all activities affecting system components and CHD are captured, and are available for activity reconstruction by either the entity or its authorized representatives.
EE-RT.1.2 multi-region-enumeration-incomplete: cloudtrail:DescribeTrails errored in 2 region(s) (me-south-1: TimeoutError, me-central-1: TimeoutError). Single-region trails homed in those regions are UNAUDITED — CloudTrail-derived evidence is PARTIAL. Re-run for full multi-region evidence; persistent errors warrant a network/endpoint/region-enablement check. This is an evidence gap, NOT a control pass.
Source: aws-cloudtrail-auditor
Req 10.2.1 — CloudTrail/CloudWatch evidence is INCOMPLETE: plugin 1040 aborted at its soft budget (scan-time-budget-exceeded) before finishing the audit, so this control's CloudTrail-derived evidence was not collected. Fails-closed (no silent PASS over an un-audited control surface) per the conservative-classifier principle and consistent with the 1020/1021/1025 evidence-gap convention. Resolve by raising CLOUD_PLUGIN_TIMEOUT_MS / NSA_CT_SOFT_BUDGET_MS or scoping to a single region (NSA_CT_MAX_REGIONS / multiRegionScan=false), then re-run. EE 0.16.5 false-clean fix.
Trail northwind-trail is not multi-region (IsMultiRegionTrail=false)
Source: aws-cloudtrail-auditor
Req 10.2.1 — CloudTrail multi-region absence breaks audit-log-enabled-for-all-system-components. Single-region trails miss CDE-resource activity in other regions.
RDS DB instance 'northwind-orders-db' (postgres) has pgAudit DISABLED (pgaudit.log parameter is '<empty>'). CC7.2 + CC7.3 monitoring gap: no database-level activity log is captured — DDL changes, privileged role changes, and DML on sensitive tables go unaudited. Configure via DescribeDBParameterGroup + ModifyDBParameterGroup: set pgaudit.log to a comma-separated subset of 'ddl,role,write' (read can be added selectively for compliance tables) and add 'pgaudit' to shared_preload_libraries.
Source: aws-rds-auditor
Req 10.2.1 — pgAudit absence on a PostgreSQL DB means DB-level access events are not captured. Direct Req 10.2.1 gap on the DB system component.

10.4.1 — Audit logs are reviewed at least once daily for all in-scope systems FAIL Always-in-scope

Category: Regularly Monitor and Test Networks · Log and Monitor All Access · Violations: 34
CAO (Appendix D): Potentially suspicious or anomalous activities are quickly identified to minimize impact.
AWS GuardDuty is NOT ENABLED in region 'ap-south-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-north-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-3' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-northeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ca-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'sa-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'ap-southeast-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'eu-central-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-east-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-1' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
AWS GuardDuty is NOT ENABLED in region 'us-west-2' (zero detectors returned by guardduty:ListDetectors). CC7.1 anomaly-detection substrate gap — the auditor has NO AWS-native threat-detection evidence stream for this region. GuardDuty would detect: account reconnaissance (suspicious console/API patterns), credential exfiltration (anomalous AssumeRole / GetSessionToken), cryptocurrency mining (anomalous CPU + outbound traffic patterns), malicious-IP communication (threat-intel CIDR matches), known-bad domain resolution, etc. Enable via guardduty:CreateDetector.
Source: aws-inspector-guardduty-auditor
Req 10.4.1 — GuardDuty NOT ENABLED = continuous-monitoring substrate absent. Operator must pair with daily-review evidence (SIEM acknowledgment logs, analyst review records) to close Req 10.4.1 — engine substrate alone evidences the SOURCE of daily-review-able events.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 10.4.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

10.5.1 — Retain audit log history for at least 12 months with at least the most recent 3 months immediately available FAIL Always-in-scope

Category: Regularly Monitor and Test Networks · Log and Monitor All Access · Violations: 1
CAO (Appendix D): Historical records of activity are available immediately to support incident response and are retained for at least 12 months.
⚠️ Coverage caveat: Req 10.5.1 partial — engine evidences CloudTrail retention configuration substrate via S3 lifecycle policies, but the 3-months-immediately-available dimension is a separate concern (logs may be in Glacier with restore delay). Engine surfaces total-retention substrate; immediately-available substrate is operator-side via S3 storage-class verification.
S3 bucket 'northwind-customer-pii' has NO lifecycle configuration. C1.2 disposal-cadence gap: confidential data accumulates indefinitely without an AWS-canonical disposal trail. Auditors expect a documented retention policy backed by a lifecycle rule with Expiration days; absence is a control gap unless the bucket is documented as "indefinite retention" (legal hold, audit-log substrate, etc.).
Source: aws-s3-lifecycle-replication-auditor
Req 10.5.1 partial — S3 bucket without lifecycle configuration means no automated retention discipline; audit-log buckets without lifecycle cannot enforce the ≥1-year retention dimension of Req 10.5.1. Engine surfaces substrate (lifecycle absence); operator confirms which buckets hold audit logs + adds lifecycle policies.

11.3.1 — Internal vulnerability scans are performed via authenticated testing at least once every three months FAIL CDE-conditional

Category: Regularly Monitor and Test Networks · Test Security of Systems and Networks Regularly · Violations: 17
CAO (Appendix D): The security posture of all system components is verified periodically using internal authenticated vulnerability scanning.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-south-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-north-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-3') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-northeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ca-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'sa-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'ap-southeast-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'eu-central-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-east-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-1') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.
EE-RT.1.2 multi-region-enumeration-incomplete: Inspector2 (region 'us-west-2') — BatchGetAccountStatus returned no account-status body. Conservative classifier emits LOW + evidenceGap. Auditor walkthrough required.
Source: aws-inspector-guardduty-auditor
PCI Req 11.3.1 evidence-gap LOW (class-O, EE 0.19.4 Phase R2). aws-inspector-guardduty-auditor emits multi-region / coverage evidence-gaps (Inspector2 BatchGetAccountStatus null-or-unknown-status, GuardDuty GetDetector / FindingPublishingFrequency unverifiable, alerting-destination incomplete, per-account failure / AccessDenied) that now lead with the shared MULTI_REGION_GAP_PREFIX and fail-close EXACTLY this source's native attested set rather than routing to zero controls (the pre-R2 class-O false-clean the 0.19.3 Desktop validation found on plugin 1200). Remediate: grant the missing read permission or resolve the unverifiable signal and re-run.

Passing Controls (Within Scope)

Partial Coverage

Out of Scope

Control IDs | Title | Reason

3.2.1, 3.3.1, 3.3.2, 3.3.3, 3.4.1, 3.6.1 | Req 3 — Stored Account Data (CHD-storage attestation required) | Req 3 controls (PAN classification per 3.2.1, Sensitive Authentication Data not retained per 3.3.1 + 3.3.2 + 3.3.3, PAN masking per 3.4.1, cryptographic key management per 3.6.1) require operator attestation of WHICH storage holds CHD + which SAD-handling pathways exist + which key-custody processes operate. The engine cannot determine this from infrastructure scanning. Pair NSAuditor with PCI-aware GRC (Drata PCI module, Vanta PCI, AuditBoard PCI) + operator CHD data-flow diagram (DFD per Req 1.2.4) + tokenization platform integration (Spreedly, Stripe Issuing, Braintree) for the Req 3 dimension. Reqs 3.2.1, 3.3.1, 3.3.2, 3.3.3 are Defined-only per Appendix E (no Customized Approach permitted).

5.2.1, 5.3.1, 5.4.1 | Req 5 — Anti-malware (endpoint EDR + anti-phishing) | Req 5 controls (anti-malware deployment 5.2.x, anti-malware mechanisms active + maintained + monitored 5.3.x, anti-phishing mechanisms 5.4.x — NEW in v4.0) require endpoint anti-malware/EDR + email-gateway phishing mechanisms operator-side. No infrastructure scanner produces EDR substrate. Pair NSAuditor with CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint (Req 5.2.x + Req 5.3.x) + an email-security gateway like Proofpoint, MS Defender for Office 365, Mimecast (Req 5.4.x). Parallel to NIST CSF PR.PS-05 (installation/execution of unauthorized software prevented — operator endpoint-management) OOS framing.

9.1.1, 9.2.1, 9.3.1, 9.4.1, 9.5.1 | Req 9 — Physical Access (facility-tier) | Req 9 controls (physical access processes 9.1.x, physical access controls 9.2.x, media storage + handling 9.4.x, point-of-interaction devices 9.5.x) are physical safeguards. Engine produces no facility-control substrate. Inherit cloud-provider's PCI DSS Service Provider AOC for the cloud-substrate portion (AWS / Azure / GCP physical security covered by their AOCs); operator-maintained for on-prem CDE + badge-system logs + visitor logs. Parallel to HIPAA §164.310 + NIST CSF PR.IR-02 (organization's technology assets protected from environmental threats — facilities) OOS framing.

10.7.1, 10.7.2 | Req 10 — Critical-security-control failure detection process | Req 10.7.x requires failure-detection of critical security controls (e.g., NSC, IDS/IPS, anti-malware, audit log mechanisms) within operator-defined timeframes + operator-defined response actions. This is operator-side SIEM + alert-pipeline + on-call runbook execution evidence — engine produces alert substrate (GuardDuty findings, Inspector findings) but not the process-execution evidence. Pair with operator SIEM (Splunk, Sumo Logic, Datadog) + on-call platform (PagerDuty, Opsgenie) + IR runbook archive. Parallel to NIST CSF DE.AE-03 + DE.AE-04 + DE.AE-06 OOS framing.

11.3.2, 11.4.2, 11.5.1, 11.5.2, 11.6.1 | Req 11 — Pen-test cadence + ASV scans + IDS/IPS + page-change-detection | Req 11.3.2 (external vulnerability scans by PCI SSC-Approved Scanning Vendor (ASV) ≥ quarterly) is Defined-only per Appendix E — operator must contract a PCI SSC-listed ASV; engine produces internal-scan substrate (Req 11.3.1 covered) but cannot replace the ASV-attested external scan. Req 11.4.2 (pen-test after significant segmentation change) is process-driven; engine surfaces segmentation-change substrate (delta detection) but the cadence-triggered pen-test is operator-side. Req 11.5.1 (IDS/IPS at perimeter + critical points) requires operator-side IDS/IPS deployment (Suricata, Snort, AWS Network Firewall, Palo Alto) — engine surfaces network-substrate but not IDS/IPS configuration. Req 11.5.2 + 11.6.1 (page-change + tamper-detection on payment pages — the Magecart attack class — NEW v4.0) require operator-side WAF/CSP/RASP (Cloudflare, Akamai, Imperva for WAF; CSP for inline-script integrity; RASP for runtime change detection). Reqs 11.3.2, 11.5.2, 11.6.1 are Defined-only per Appendix E.

8.2.5, 12.1.1, 12.2.1, 12.3.1, 12.3.2, 12.4.1, 12.5.1, 12.6.1, 12.7.1, 12.8.1, 12.8.5, 12.9.1, 12.10.1, 12.10.2, 12.10.4, 4.2.2, 6.2.1, 6.5.1 | Req 12 — Information Security Program (governance entire) + Req 8.2.5 immediate-revocation + Req 4.2.2 + Req 6.2/6.5 dev/change governance | Req 12 is policy / governance / risk-assessment / IR-program / TPRM / security-awareness training entire — Req 12.1.x policy library, Req 12.2.x acceptable use, Req 12.3.x Targeted Risk Analysis (12.3.1 + 12.3.2 — both Defined-only per Appendix E), Req 12.4.x scope review, Req 12.5.x scope documentation, Req 12.6.x awareness training, Req 12.7.x personnel screening, Req 12.8.x TPSP management (12.8.5 TPSP Responsibility Matrix Defined-only per Appendix E), Req 12.9.x TPSP acknowledgment, Req 12.10.x IR plan execution + tabletop (12.10.4 IR personnel training Defined-only per Appendix E). Plus Req 8.2.5 (terminated user access immediately revoked — Defined-only per Appendix E; HRIS termination correlation operator-side; engine evidences stale-key state but cannot trigger the immediate-revocation clock without HRIS integration). Plus Req 4.2.2 (PAN never sent via end-user messaging unless secured — Defined-only per Appendix E; operator policy) + Req 6.2.x (bespoke software dev practices — operator SDLC governance) + Req 6.5.x (change management — operator change-management process). All operator-side; pair with PCI-aware GRC platform (Drata PCI, Vanta PCI, AuditBoard PCI module, OneTrust GRC) + IR platform + TPRM platform + HRIS for training records + HRIS for termination correlation (Req 8.2.5). Parallel to HIPAA §164.308 Administrative Safeguards entire + NIST CSF GV.* (Govern function ex GV.SC-04) + RS.* (Respond function entire) OOS framing.

Appendix A — Cloud Bucket Exposure Attestation

Buckets with finding(s): 3 violation event(s) across 0 unique bucket(s).

Per-bucket detail in JSON sidecar — report.controls[].violations filtered by source IN ["aws-s3-auditor", "gcp-cloud-storage-auditor", "azure-storage-auditor"].

Appendix B — Accepted Risks & False Positives

No suppressions in this scan.