SOC2 Compliance Report

Generated October 13, 2025 at 4:49 PM | Account: 1234567890
Automated Check Score: 33%
Total Controls: 49
Passed: 13
Failed: 26

Important: Automated Technical Checks Only

This report shows 41 automated technical checks out of 49 total controls. The 31.7% score represents automated infrastructure checks only.

Automated Checks (41 controls)

  • Infrastructure configurations
  • Access control policies
  • Encryption settings
  • Network security rules
  • Logging and monitoring

Manual Documentation Required (8 controls)

  • Organizational policies
  • Training records
  • Incident response plans
  • Third-party assessments
  • Business processes

Full compliance requires:

THIS TOOL DOES NOT PROVIDE CERTIFICATION. Formal assessment by a qualified auditor is required.

Executive Summary

Your AWS environment requires immediate attention with a compliance score of 33.3%. Out of 49 controls evaluated, 13 passed and 26 failed. Immediate action is required on 5 critical issues to achieve compliance.

Top Priority Actions

1. URGENT: Fix 5 CRITICAL issues immediately - these WILL fail your audit
2. CRITICAL: Enable MFA for root/admin accounts TODAY - auditors check this first
3. MEDIUM: Enable encryption on all storage - best practice
4. HIGH: Close management ports from internet - major security finding
5. HIGH: Rotate access keys/credentials older than 90 days - compliance requirement

Control Details

Failed Controls (26)

1. [CC1.1] Organizational Governance
FAIL
Issue: AWS Organizations not enabled - no centralized governance
$ Enable AWS Organizations and implement Service Control Policies
Evidence Collection Guide
  1. Go to AWS Organizations
  2. Screenshot the organization structure
  3. Document SCPs in place
2. [CC1.2] Board Oversight
FAIL
Issue: Insufficient role segregation for proper oversight
$ Create separate admin, operator, and audit roles
3. [CC1.4] Commitment to Competence
FAIL
Issue: Only 0% of users have MFA enabled
$ Enforce MFA for all IAM users
4. [CC2.2] Internal Communication
FAIL
Issue: No SNS topics configured - no security alerting mechanism
$ Create SNS topics for security alerts and operational notifications
Evidence Collection Guide
  1. Go to SNS Console
  2. Create topics for SecurityAlerts, OperationalAlerts
  3. Configure subscriptions
5. [CC3.1] Risk Assessment Process
FAIL
Issue: AWS Security Hub not enabled - no centralized security objectives
$ Enable Security Hub to centralize security standards and objectives
Evidence Collection Guide
  1. Go to Security Hub
  2. Enable with security standards
  3. Document compliance scores
6. [CC3.2] Risk Identification
FAIL
Issue: GuardDuty not enabled - no automated threat detection
$ Enable GuardDuty for continuous threat monitoring
Evidence Collection Guide
  1. Go to GuardDuty
  2. Enable for all regions
  3. Configure threat intel feeds
7. [CC3.3] Risk Analysis
FAIL
Issue: No automated fraud detection mechanisms in place
$ Enable GuardDuty with IAM finding types
8. [CC4.1] Monitoring Activities
FAIL
Issue: AWS Config not enabled - no continuous compliance monitoring
$ Enable AWS Config to track configuration changes
Evidence Collection Guide
  1. Go to AWS Config
  2. Set up configuration recorder
  3. Enable compliance rules
9. [CC4.1] Monitoring Activities
FAIL
Issue: No CloudWatch alarms configured
$ Set up CloudWatch alarms for critical metrics
10. [CC4.2] Evaluation of Deficiencies
FAIL
Issue: No Config Rules configured for compliance checking
$ Deploy Config Rules for compliance requirements
11. [CC5.1] Control Activities
FAIL
Issue: No AWS Backup plans configured - data at risk
$ Create backup plans for critical resources
Evidence Collection Guide
  1. Go to AWS Backup
  2. Create backup plan
  3. Assign resources
12. [CC5.2] Technology Controls
FAIL
Issue: No KMS keys configured - using default encryption only
$ Create customer-managed KMS keys for sensitive data
13. [CC6.1] Logical and Physical Access Controls
FAIL
Issue: CRITICAL: 1 security group with admin ports open to the internet
$ Restrict SSH/RDP/database ports to specific IPs only
Evidence Collection Guide
  1. Go to EC2 → Security Groups
  2. Review inbound rules
  3. Remove 0.0.0.0/0 from ports 22, 3389, 3306
14. [CC6.3] Encryption at Rest
FAIL
Issue: 1 VPC but no VPC endpoints - traffic to AWS services goes over the public internet
$ Create VPC endpoints for AWS services (S3, DynamoDB, etc.)
Evidence Collection Guide
  1. Go to VPC → Endpoints
  2. Create endpoints for S3, DynamoDB
  3. Associate the endpoints with the VPC route tables
15. [CC6.6] Authentication Controls
FAIL
Issue: No CloudTrail configured - cannot detect unauthorized access
$ Enable CloudTrail for all regions
16. [CC6.7] Password Policy
FAIL
Issue: No password policy configured
$ Configure strong IAM password policy
17. [CC6.8] Access Key Rotation
FAIL
Issue: Only 0% of S3 buckets have versioning enabled
$ Enable versioning on all S3 buckets
18. [CC7.1] Security Monitoring and Logging
FAIL
Issue: No CloudTrail configured
$ Enable CloudTrail for comprehensive logging
19. [CC7.3] Security Event Analysis
FAIL
Issue: No patch groups configured in Systems Manager
$ Configure SSM Patch Manager for automated security patching
20. [A1.2] Backup and Recovery
FAIL
Issue: 1 bucket lacks versioning (needed for data recovery) | Required for PCI DSS 10.5.5 (secure audit trails)
$ Enable versioning on: auditkit-test-public-1759976302
Evidence Collection Guide
  1. Open S3 Console
  2. Click bucket 'auditkit-test-public-1759976302'
  3. Go to 'Properties' tab
  4. Screenshot 'Bucket Versioning' showing 'Enabled'
21. [CC6.7] Password Policy
FAIL
Issue: No password policy configured | Violates PCI DSS 8.2.3-8.2.5 (password requirements)
$ Run: aws iam update-account-password-policy (see the PDF for the required parameters)
Evidence Collection Guide
  1. Go to IAM → Account settings
  2. Screenshot 'Password policy' section
  3. Must show all requirements enabled
  4. PCI DSS requires a minimum of 7 characters; we recommend 14+
22. [CC6.1] Logical and Physical Access Controls
FAIL
Issue: 1 security group has critical ports open to 0.0.0.0/0: sg-0ab56571076bcff37 (port 22/SSH open to the world!) | Violates PCI DSS 1.2.1 (firewall config)
$ Close open ports on SG sg-0ab56571076bcff37. Run: aws ec2 revoke-security-group-ingress
Evidence Collection Guide
  1. Go to EC2 → Security Groups
  2. Click on the flagged security group
  3. Go to 'Inbound rules' tab
  4. Screenshot showing NO rules with Source '0.0.0.0/0' for ports 22, 3389, or databases
  5. Critical: SSH/RDP must never be open to the internet
  6. For PCI DSS: Document business justification for any public access
23. [CC7.1] Security Monitoring and Logging
FAIL
Issue: CRITICAL: NO CloudTrail configured! Zero audit logging | Violates PCI DSS 10.1 (implement audit trails) & HIPAA 164.312(b)
$ aws cloudtrail create-trail --name audit-trail --s3-bucket-name YOUR_BUCKET --is-multi-region-trail && aws cloudtrail start-logging --name audit-trail
Evidence Collection Guide
  1. Go to CloudTrail Console
  2. Click 'Create trail'
  3. Enable for all regions
  4. Screenshot showing trail is in 'Logging' status
  5. This is MANDATORY for SOC2, PCI, and HIPAA!
24. [CC7.1] Security Monitoring and Logging
FAIL
Issue: AWS Config NOT enabled! Cannot track configuration changes!
$ Enable AWS Config to record all resource configurations
Evidence Collection Guide
  1. Go to AWS Config Console
  2. Click 'Get started'
  3. Enable recording for all resources
  4. Screenshot showing 'Recorder is ON'
25. [CC7.2] Incident Detection and Response
FAIL
Issue: GuardDuty NOT enabled - missing threat detection!
$ Enable GuardDuty for automated threat detection
Evidence Collection Guide
  1. Go to GuardDuty Console
  2. Click 'Get Started'
  3. Enable GuardDuty
  4. Screenshot showing 'GuardDuty is ENABLED'
26. [CC7.1] Security Monitoring and Logging
FAIL
Issue: CRITICAL: No VPC Flow Logs enabled - can't track network traffic!
$ Enable VPC Flow Logs immediately
Evidence Collection Guide
  1. Go to VPC Console
  2. Select your VPC
  3. Go to 'Flow logs' tab
  4. Screenshot showing flow logs enabled

Passed Controls (13)

1. [CC2.3] External Communication
PASS
No cross-account access detected - good isolation
2. [CC6.4] Security Control
PASS
All S3 buckets properly restrict public access
3. [CC6.5] Security Control
PASS
No inactive users with old credentials detected
4. [CC9.2] Vendor Management
PASS
All S3 buckets have encryption enabled
5. [CC6.2] Network Security
PASS
All 1 S3 buckets block public access (1 bucket found) | Meets SOC2 CC6.2, PCI DSS 1.2.1, HIPAA 164.312(a)(1)
6. [CC6.3] Encryption at Rest
PASS
All 1 S3 buckets have encryption enabled (1 bucket found) | Meets SOC2 CC6.3, PCI DSS 3.4, HIPAA 164.312(a)(2)(iv)
7. [CC7.1] Security Monitoring and Logging
PASS
S3 logging check placeholder | Required for PCI DSS 10.2 (implement audit trails)
8. [CC6.6] Authentication Controls
PASS
Root account has MFA enabled | Meets SOC2 CC6.6, PCI DSS 8.3.1, HIPAA 164.312(a)(2)(i)
9. [CC6.8] Access Key Rotation
PASS
All access keys rotated within 90 days | Meets SOC2 CC6.8, PCI DSS 8.2.4, HIPAA 164.308(a)(4)(ii)(B)
10. [CC6.7] Password Policy
PASS
No unused credentials found | Meets PCI DSS 8.1.4 (remove inactive accounts within 90 days)
11. [CC6.3] Encryption at Rest
PASS
All 0 EBS volumes are encrypted (no volumes found) | Meets SOC2 CC6.3, PCI DSS 3.4, HIPAA 164.312(a)(2)(iv)
12. [CC6.1] Logical and Physical Access Controls
PASS
0/0 instances properly use private IPs (no instances found) | Meets PCI DSS 1.3.1 network segmentation
13. [CC7.2] Incident Detection and Response
PASS
All AMIs are recent and likely patched | Meets PCI DSS 6.2 patch management

Manual Review Required (8)

1. [CC1.5] Accountability
MANUAL
Documentation Required: No explicit deny policies found
2. [CC3.2] Risk Identification
MANUAL
Documentation Required: Inspector v2 status checked - manual review required
3. [CC3.4] Risk Management
MANUAL
Documentation Required: Verify change management process includes risk assessment
4. [CC5.3] Policy Implementation
MANUAL
Documentation Required: Verify security policies are documented and enforced
5. [CC6.2] Network Security
MANUAL
Documentation Required: 2 users created in last 30 days - verify approval process
6. [CC7.2] Incident Detection and Response
MANUAL
Documentation Required: No automated anomaly detection functions found
7. [CC7.4] Performance Monitoring
MANUAL
Documentation Required: Verify incident response procedures are documented
8. [CC8.1] Change Management Process
MANUAL
Documentation Required: No custom AMIs found - consider creating golden images