Complete Audit & Compliance Matrix

280+ Automated Security Checks

Full transparency — every check, every compliance control, every AWS API call. AWS security checks plus Microsoft 365 coverage. 100% read-only. Zero agents. Seven frameworks.

At a glance: 280+ security checks, 51 critical controls, 7 frameworks, 40 manual controls, 0 agents needed.

Frameworks covered: CIS v3.0 ✓, SOC 2 ✓, ISO 27001 ✓, PCI-DSS v4 ✓, HIPAA ✓, GDPR ✓, NIS2 ✓ (new)
⚠ Automated vs Manual Controls
Automated checks verify AWS infrastructure configuration via read-only API calls. Each framework also contains process and policy controls that cannot be verified via API — staff training, privacy notices, DPIAs, vendor contracts, physical security. These are shown in an orange Company Responsibility section under each framework.
Frameworks (automated checks per framework): CIS AWS Foundations v3.0 (60), SOC 2 Type II (29), ISO 27001:2022 (40), PCI-DSS v4.0 (34), HIPAA Security Rule (31), GDPR (EU) 2016/679 (29), NIS2 Directive 2022 (17, new)
CIS AWS Foundations v3.0
Applies to: universal — every AWS account
The CIS AWS Foundations Benchmark is the industry-standard baseline for AWS security. Auditors for SOC 2, ISO 27001, and PCI-DSS all reference CIS as the starting point.
60 automated checks, 3 manual controls
1. Identity & Access Management
Severity breakdown: 4 Critical, 12 High, 5 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
1.1 | Root account MFA enabled | Root account without MFA can be taken over with just a password | iam:GetAccountSummary | CRITICAL | ✓ AUTO
1.2 | Root account has no access keys | Root access keys provide unrestricted programmatic access to everything | iam:GetAccountSummary | CRITICAL | ✓ AUTO
1.3 | Security alternate contact configured | Without a security contact, AWS cannot reach the right team during incidents | account:GetAlternateContact | HIGH | ✓ AUTO
1.4 | IAM password policy — 14+ char minimum | Short passwords are brute-forceable in hours | iam:GetAccountPasswordPolicy | HIGH | ✓ AUTO
1.5 | IAM password policy — complexity required | Simple passwords are guessable or found in breach databases | iam:GetAccountPasswordPolicy | HIGH | ✓ AUTO
1.6 | Root uses hardware MFA (not virtual) | Virtual MFA can be compromised if the phone is stolen or cloned | iam:GenerateCredentialReport | MEDIUM | ✓ AUTO
1.7 | Password policy — expiry ≤ 90 days | Long-lived passwords remain valid after staff departures | iam:GetAccountPasswordPolicy | MEDIUM | ✓ AUTO
1.8 | MFA on all console IAM users | Console access without MFA is compromised by password alone | iam:ListMFADevices | CRITICAL | ✓ AUTO
1.9 | No active access keys older than 90 days | Old keys are often forgotten and never rotated — high leak risk | iam:ListAccessKeys | HIGH | ✓ AUTO
1.10 | Unused credentials disabled after 45 days | Dormant accounts are prime targets for credential stuffing | iam:GenerateCredentialReport | HIGH | ✓ AUTO
1.11 | No root access keys active | Root keys = unrestricted API access to the entire account | iam:GetAccountSummary | CRITICAL | ✓ AUTO
1.12 | IAM Access Analyzer enabled | Without Analyzer, external resource sharing goes undetected | accessanalyzer:ListAnalyzers | HIGH | ✓ AUTO
1.13 | No admin-attached policies on users | Admin users can do anything — violates least privilege | iam:ListAttachedUserPolicies | HIGH | ✓ AUTO
1.14 | No wildcard Action:* in custom policies | Wildcard policies grant far more access than intended | iam:GetPolicyVersion | HIGH | ✓ AUTO
1.15 | IAM support role exists for incidents | Without a support role, teams use root/admin to contact AWS Support | iam:ListRoles | MEDIUM | ✓ AUTO
1.16 | EC2 instances use IAM roles, not user keys | Hardcoded user keys on instances can leak via metadata or logs | ec2:DescribeInstances | HIGH | ✓ AUTO
1.17 | No expired SSL certs in IAM store | Expired certs attached to ELBs cause silent TLS failures | iam:ListServerCertificates | HIGH | ✓ AUTO
1.18 | Access Analyzer in ALL regions | Unmonitored regions have undetected external access | accessanalyzer:ListAnalyzers (multi-region) | HIGH | ✓ AUTO
1.19 | No IAM user access keys on EC2 instances | User keys on instances can be exfiltrated via SSRF attacks | ec2:DescribeInstances | HIGH | ✓ AUTO
1.20 | Credential report — no never-used keys | Never-used keys are forgotten credentials waiting to be compromised | iam:GenerateCredentialReport | MEDIUM | ✓ AUTO
1.21 | No inline IAM policies on users | Inline policies bypass centralized policy management | iam:ListUserPolicies | MEDIUM | ✓ AUTO
2. Storage
Severity breakdown: 7 Critical, 3 High, 3 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
2.1.1 | S3 account-level public access block | Account-level block prevents any bucket from being made public | s3control:GetPublicAccessBlock | CRITICAL | ✓ AUTO
2.1.2 | S3 per-bucket public access block | Without a per-bucket block, ACLs or policies can expose data | s3:GetPublicAccessBlock | CRITICAL | ✓ AUTO
2.1.3 | S3 MFA delete on versioned buckets | Without MFA delete, a compromised admin can destroy all versions | s3:GetBucketVersioning | MEDIUM | ✓ AUTO
2.1.4 | S3 SSL/TLS enforced (deny HTTP) | HTTP transfers expose data in transit to interception | s3:GetBucketPolicy | HIGH | ✓ AUTO
2.1.5 | S3 bucket access logging enabled | Without logging, unauthorized access is undetectable | s3:GetBucketLogging | MEDIUM | ✓ AUTO
2.2.1 | EBS default encryption enabled | New volumes without explicit encryption = compliance gap | ec2:GetEbsEncryptionByDefault | HIGH | ✓ AUTO
2.3.1 | RDS storage encryption enabled | Unencrypted databases fail all compliance frameworks | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
2.3.2 | RDS not publicly accessible | Public RDS is directly attackable from the internet | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
2.3.3 | No public RDS snapshots | Public snapshots expose the entire database to anyone | rds:DescribeDBSnapshotAttributes | CRITICAL | ✓ AUTO
2.4.1 | ECR repositories not public | Public container images may contain secrets or proprietary code | ecr-public:DescribeRepositories | CRITICAL | ✓ AUTO
2.5.1 | ECS task definitions — no plaintext secrets | Plaintext secrets in task definitions are visible to anyone with describe access | ecs:DescribeTaskDefinitions | CRITICAL | ✓ AUTO
2.6.1 | EKS cluster endpoint not public | A public K8s API allows anyone to attempt authentication | eks:DescribeCluster | HIGH | ✓ AUTO
3.1/3.2 | S3 KMS CMK encryption (not just AES256) | AES256 uses AWS-managed keys with no customer audit trail | s3:GetBucketEncryption | MEDIUM | ✓ AUTO
3. Logging
Severity breakdown: 2 Critical, 4 High, 14 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
3.1 | CloudTrail enabled and logging | Without CloudTrail, there is no record of who did what in your account | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
3.2 | CloudTrail log file validation enabled | Without validation, logs can be tampered with to hide attacker tracks | cloudtrail:DescribeTrails | MEDIUM | ✓ AUTO
3.3 | CloudTrail S3 bucket has access logging | Logging on the log bucket detects tampering with the audit trail | s3:GetBucketLogging | MEDIUM | ✓ AUTO
3.4 | CloudTrail logs encrypted with KMS | Unencrypted logs are readable by anyone with S3 access | cloudtrail:DescribeTrails | MEDIUM | ✓ AUTO
3.5 | AWS Config enabled and recording | Without Config, resource changes cannot be tracked over time | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
3.6 | CloudTrail S3 bucket not public | A public CloudTrail bucket exposes all API activity to the internet | s3:GetBucketAcl | CRITICAL | ✓ AUTO
3.7 | KMS CMK rotation enabled | Without rotation, a compromised key provides indefinite access | kms:GetKeyRotationStatus | MEDIUM | ✓ AUTO
3.8 | VPC Flow Logs enabled | Without flow logs, network attacks go undetected | ec2:DescribeFlowLogs | HIGH | ✓ AUTO
3.9 | CW alarm — unauthorized API calls | Probing attacks go undetected without unauthorized API alerting | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.10 | CW alarm — console login without MFA | No-MFA logins may indicate compromised credentials | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.11 | CW alarm — root account usage | Any root usage should trigger immediate investigation | logs:DescribeMetricFilters | HIGH | ✓ AUTO
3.12 | CW alarm — IAM policy changes | Undetected IAM changes = undetected privilege escalation | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.13 | CW alarm — CloudTrail config changes | Attackers disable CloudTrail to operate undetected | logs:DescribeMetricFilters | HIGH | ✓ AUTO
3.14 | CW alarm — console auth failures | Brute-force attacks go undetected without failure alerting | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.15 | CW alarm — NACL changes | NACL changes can open the network to attacks undetected | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.16 | CW alarm — network gateway changes | Gateway changes can expose private network segments | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.17 | CW alarm — route table changes | Route changes can redirect traffic to attacker-controlled endpoints | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.18 | CW alarm — VPC changes | VPC changes can expose private subnets | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.19 | CW alarm — Organizations changes | Unauthorized account creation goes undetected | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
3.20 | CW alarm — security group changes | SG changes can open ports to the internet undetected | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
4. Networking
Severity breakdown: 2 Critical, 2 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
4.1 | No SSH open to 0.0.0.0/0 | Open SSH allows brute-force from any attacker worldwide | ec2:DescribeSecurityGroups | CRITICAL | ✓ AUTO
4.2 | No RDP open to 0.0.0.0/0 | Open RDP is the #1 ransomware attack vector | ec2:DescribeSecurityGroups | CRITICAL | ✓ AUTO
4.3 | Default SG restricts all inbound/outbound | Resources in the default SG become exposed if misconfigured | ec2:DescribeSecurityGroups | HIGH | ✓ AUTO
4.4 | NACLs not allowing unrestricted inbound | Permissive NACLs negate security group restrictions | ec2:DescribeNetworkAcls | HIGH | ✓ AUTO
4.5 | No resources in default VPC | Default VPCs have permissive settings unsuitable for production | ec2:DescribeVpcs | MEDIUM | ✓ AUTO
5. Encryption
Severity breakdown: 1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
5.1 | KMS pending deletion check | Deleted KMS keys make encrypted data permanently unrecoverable | kms:ListKeys | HIGH | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
1.3 | Security questions registered with AWS support | Account-level operational step — verify manually in the AWS console under Account Settings.
1.6 | Hardware MFA device (YubiKey/FIDO2) for root | The scanner detects virtual vs hardware MFA; procuring a hardware token is an organisational purchase.
1.17 | IAM support role is properly staffed | Role existence is verified; ensuring staff know when/how to use it is a process control.
SOC 2 Type II
Applies to: SaaS companies, tech startups handling customer data
SOC 2 Type II is required by most enterprise customers before signing contracts. A LeapScan audit provides technical evidence for the CC6 (Logical Access), CC7 (Monitoring), and CC9 (Risk) trust service criteria.
29 automated checks, 7 manual controls
CC6 — Logical and Physical Access Controls
Severity breakdown: 5 Critical, 5 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
CC6.1 | MFA enforced on all console users | CC6.1 requires logical access security — MFA is the primary control | iam:ListMFADevices | CRITICAL | ✓ AUTO
CC6.1 | Strong password policy configured | CC6.1: passwords must meet complexity requirements | iam:GetAccountPasswordPolicy | HIGH | ✓ AUTO
CC6.1 | Root account secured (MFA + no keys) | CC6.1: the most privileged account must have the strongest controls | iam:GetAccountSummary | CRITICAL | ✓ AUTO
CC6.2 | IAM Permission Boundaries in use | CC6.2: technical control ensuring provisioning stays within authorized scope | iam:ListPolicies | MEDIUM | ✓ AUTO
CC6.3 | Unused credentials disabled ≥45 days | CC6.3: access must be removed promptly when no longer needed | iam:GenerateCredentialReport | HIGH | ✓ AUTO
CC6.6 | Security groups restrict SSH/RDP from internet | CC6.6: network security controls restrict unauthorized access | ec2:DescribeSecurityGroups | CRITICAL | ✓ AUTO
CC6.6 | S3 SSL/TLS enforced | CC6.6: encryption in transit required for all data transmission | s3:GetBucketPolicy | HIGH | ✓ AUTO
CC6.7 | EBS volumes encrypted at rest | CC6.7: encryption at rest required for all stored data | ec2:DescribeVolumes | HIGH | ✓ AUTO
CC6.7 | RDS encrypted at rest | CC6.7: database encryption is a core SOC 2 requirement | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
CC6.7 | S3 default encryption enabled | CC6.7: object storage must be encrypted at rest | s3:GetBucketEncryption | HIGH | ✓ AUTO
CC6.8 | GuardDuty threat detection enabled | CC6.8: malicious software and threat detection required | guardduty:ListDetectors | CRITICAL | ✓ AUTO
CC7 — System Operations & Monitoring
Severity breakdown: 2 Critical, 3 High, 2 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
CC7.1 | AWS Config recording enabled | CC7.1: system monitoring requires tracking configuration changes | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
CC7.1 | Security Hub enabled | CC7.1: centralized security finding aggregation | securityhub:DescribeHub | HIGH | ✓ AUTO
CC7.2 | CloudTrail logging all API activity | CC7.2: security events must be monitored and logged | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
CC7.2 | CW alarm — console auth failures | CC7.2: authentication failures indicate potential attacks | logs:DescribeMetricFilters | MEDIUM | ✓ AUTO
CC7.3 | GuardDuty active (ML threat detection) | CC7.3: security incidents must be evaluated and responded to | guardduty:ListDetectors | CRITICAL | ✓ AUTO
CC7.4 | SSM Automation IR runbooks exist | CC7.4: incident response procedures must be documented and testable | ssm:ListDocuments | MEDIUM | ✓ AUTO
CC7.5 | RDS automated backups enabled | CC7.5: systems must be recoverable after security incidents | rds:DescribeDBInstances | HIGH | ✓ AUTO
CC8 — Change Management
Severity breakdown: 1 Critical, 1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
CC8.1 | AWS Config tracks resource changes | CC8.1: all infrastructure changes must be tracked and auditable | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
CC8.1 | CloudTrail records all API changes | CC8.1: change management requires a complete audit trail | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
CC9 — Risk Mitigation
Severity breakdown: 2 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
CC9.1 | Security Hub compliance standards active | CC9.1: a formal risk assessment process requires continuous evaluation | securityhub:GetEnabledStandards | MEDIUM | ✓ AUTO
CC9.2 | AWS Organizations governance configured | CC9.2: vendor risk management requires organizational governance | organizations:DescribeOrganization | MEDIUM | ✓ AUTO
A — Availability
Severity breakdown: 1 High, 2 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
A1.1 | RDS Multi-AZ enabled | A1.1: systems must be available per committed SLA — Multi-AZ provides failover | rds:DescribeDBInstances | MEDIUM | ✓ AUTO
A1.2 | RDS automated backups ≥ 7 days | A1.2: backup procedures must be in place for recovery | rds:DescribeDBInstances | HIGH | ✓ AUTO
A1.3 | RDS manual snapshots exist (restore test) | A1.3: recovery must be tested — manual snapshots are the evidence | rds:DescribeDBSnapshots | MEDIUM | ✓ AUTO
PI / C — Privacy & Confidentiality
Severity breakdown: 3 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
PI1.1 | Amazon Macie enabled for PII discovery | PI1.1: PII must be identified and classified before it can be protected | macie2:GetMacieSession | HIGH | ✓ AUTO
PI1.2 | Macie findings reviewed (active PII policy) | PI1.2: PII collection and use must be governed by a policy | macie2:GetFindingStatistics | MEDIUM | ✓ AUTO
C1.1 | Macie active for confidential data | C1.1: confidential information must be identified | macie2:GetMacieSession | HIGH | ✓ AUTO
C1.2 | S3 encryption protects confidential data | C1.2: confidential data must be protected in storage | s3:GetBucketEncryption | HIGH | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
CC6.2 | Formal new-hire access provisioning process documented | Requires HR process documentation, approval workflows, and onboarding checklists — not AWS config.
CC6.4 | Physical data centre access controls | AWS manages physical security under shared responsibility. The customer must document the BAA and shared model in their ISMS.
CC7.4 | Incident response plan tested and documented | The scanner checks for SSM runbooks as a proxy; a full IR plan requires tabletop exercises, escalation paths, and documentation.
CC9.1 | Formal annual risk assessment process | Security Hub provides continuous signals; a formal risk assessment also requires business context, risk appetite statements, and sign-off.
CC9.2 | Vendor risk management programme | AWS Organizations governance is checked; each third-party SaaS vendor requires an individual risk assessment and contract review.
A1.3 | Recovery testing performed and documented | Manual snapshots prove backup existence; a formal restore test requires documented RTO/RPO validation and sign-off.
PI1.2 | PII collection policy documented and published | Macie detects PII in S3; a compliant collection policy requires privacy notices, consent mechanisms, and legal review.
ISO 27001:2022
Applies to: enterprises and companies selling to European customers
ISO 27001:2022 is the international standard for information security management. LeapScan maps AWS infrastructure findings to Annex A technical controls, providing evidence for your ISMS implementation.
40 automated checks, 9 manual controls
A.5 — Organizational Controls
Severity breakdown: 2 Critical, 8 High, 5 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
A.5.1 | Config Conformance Packs = policy evidence | A.5.1: information security policies must be defined and implemented | config:DescribeConformancePacks | MEDIUM | ✓ AUTO
A.5.2 | Security IAM roles exist (CISO, Audit) | A.5.2: roles and responsibilities must be defined and assigned | iam:ListRoles | MEDIUM | ✓ AUTO
A.5.14 | S3 SSL/TLS enforced in transit | A.5.14: information transfer must use secure channels | s3:GetBucketPolicy | HIGH | ✓ AUTO
A.5.15 | Least privilege — no wildcard policies | A.5.15: access control policy must restrict to the minimum required | iam:GetPolicyVersion | HIGH | ✓ AUTO
A.5.16 | Unused users disabled (identity management) | A.5.16: identity lifecycle management requires removal of unused access | iam:GenerateCredentialReport | HIGH | ✓ AUTO
A.5.17 | Strong password policy enforced | A.5.17: authentication information must be strong and protected | iam:GetAccountPasswordPolicy | HIGH | ✓ AUTO
A.5.18 | No admin users (access rights control) | A.5.18: access rights must be based on least privilege | iam:ListAttachedUserPolicies | HIGH | ✓ AUTO
A.5.23 | S3 account-level public access block | A.5.23: cloud service security requires blocking public exposure | s3control:GetPublicAccessBlock | CRITICAL | ✓ AUTO
A.5.25 | GuardDuty threat assessment active | A.5.25: information security events must be assessed and classified | guardduty:ListDetectors | HIGH | ✓ AUTO
A.5.26 | Security Hub for incident response | A.5.26: response to incidents must be coordinated and tracked | securityhub:DescribeHub | HIGH | ✓ AUTO
A.5.28 | CloudTrail for forensic evidence | A.5.28: evidence collection requires complete audit logs | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
A.5.30 | RDS Multi-AZ for ICT continuity | A.5.30: ICT readiness for business continuity | rds:DescribeDBInstances | MEDIUM | ✓ AUTO
A.5.31 | Active Config rules as compliance evidence | A.5.31: legal and regulatory requirements must be identified and addressed | config:DescribeConfigRules | MEDIUM | ✓ AUTO
A.5.33 | S3 versioning for record protection | A.5.33: records must be protected from loss, destruction, and falsification | s3:GetBucketVersioning | MEDIUM | ✓ AUTO
A.5.36 | Config rules enforce security policies | A.5.36: compliance with policies must be regularly reviewed | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
A.6 — People Controls
Severity breakdown: 1 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
A.6.3 | MFA adoption as training signal | A.6.3: security awareness and training required for all staff | iam:GenerateCredentialReport | MEDIUM | ✓ AUTO
A.6.7 | VPN/SSM for remote access (no open SSH) | A.6.7: remote working requires secure access controls | ec2:DescribeClientVpnEndpoints | HIGH | ✓ AUTO
A.7 — Physical Controls
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
A.7.1 | Config rules as AWS shared responsibility | A.7.1: AWS manages physical security — Config rules document the shared responsibility | config:DescribeConfigurationRecorders | LOW | ✓ AUTO
A.8 — Technological Controls
Severity breakdown: 4 Critical, 12 High, 4 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
A.8.2 | No admin IAM users (privilege control) | A.8.2: privileged access rights must be restricted and monitored | iam:ListAttachedUserPolicies | HIGH | ✓ AUTO
A.8.3 | Security groups restrict network access | A.8.3: access restriction must be implemented in all systems | ec2:DescribeSecurityGroups | CRITICAL | ✓ AUTO
A.8.5 | MFA for secure authentication | A.8.5: secure authentication must use multi-factor mechanisms | iam:ListMFADevices | CRITICAL | ✓ AUTO
A.8.6 | No idle EC2 instances (capacity management) | A.8.6: capacity must be monitored to avoid waste and risk | cloudwatch:GetMetricStatistics | LOW | ✓ AUTO
A.8.7 | GuardDuty for malware protection | A.8.7: protection from malicious code required | guardduty:ListDetectors | HIGH | ✓ AUTO
A.8.8 | Inspector v2 for vulnerability management | A.8.8: technical vulnerabilities must be identified and managed | inspector2:BatchGetAccountStatus | HIGH | ✓ AUTO
A.8.9 | AWS Config for configuration management | A.8.9: configurations must be established, documented, and monitored | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
A.8.10 | S3 MFA delete for data deletion control | A.8.10: information deletion must be authorized and controlled | s3:GetBucketVersioning | MEDIUM | ✓ AUTO
A.8.12 | Macie for data leakage prevention | A.8.12: DLP measures must be applied to sensitive information | macie2:GetMacieSession | HIGH | ✓ AUTO
A.8.13 | RDS automated backups enabled | A.8.13: information backup copies must be maintained and tested | rds:DescribeDBInstances | HIGH | ✓ AUTO
A.8.14 | RDS Multi-AZ for redundancy | A.8.14: redundancy of information processing facilities | rds:DescribeDBInstances | MEDIUM | ✓ AUTO
A.8.15 | CloudWatch log groups KMS-encrypted | A.8.15: logs must be protected from unauthorized access and modification | logs:DescribeLogGroups | HIGH | ✓ AUTO
A.8.16 | GuardDuty for monitoring activities | A.8.16: monitoring activities must detect anomalous behavior | guardduty:ListDetectors | HIGH | ✓ AUTO
A.8.17 | CloudTrail timestamps (AWS NTP) | A.8.17: clock synchronization — AWS manages NTP, CloudTrail proves it | cloudtrail:DescribeTrails | LOW | ✓ AUTO
A.8.20 | VPC Flow Logs for network security | A.8.20: network security must include traffic monitoring | ec2:DescribeFlowLogs | HIGH | ✓ AUTO
A.8.21 | Security groups for network service security | A.8.21: network services must be secured and access controlled | ec2:DescribeSecurityGroups | HIGH | ✓ AUTO
A.8.22 | Custom VPC (not default VPC) | A.8.22: networks must be segregated based on data classification | ec2:DescribeVpcs | MEDIUM | ✓ AUTO
A.8.24 | KMS key rotation for cryptography | A.8.24: cryptographic keys must be managed, including rotation | kms:GetKeyRotationStatus | MEDIUM | ✓ AUTO
A.8.25 | CodeBuild — no plaintext secrets in CI/CD | A.8.25: secure development lifecycle requires protecting secrets in pipelines | codebuild:BatchGetProjects | CRITICAL | ✓ AUTO
A.8.28 | Lambda — no hardcoded secrets in env vars | A.8.28: secure coding requires no credentials in application code | lambda:GetFunction | CRITICAL | ✓ AUTO
A.8.29 | ECR image scanning on push | A.8.29: security testing must be integrated into development | ecr:DescribeRepositories | HIGH | ✓ AUTO
A.8.32 | AWS Config for change management | A.8.32: changes must be managed in a controlled manner | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
A.5.1 | Information security policies formally approved | Conformance Packs are a technical proxy; formal policies require board approval, version control, and annual review.
A.5.2 | CISO / DPO roles formally appointed | Security roles in IAM are checked; formal appointment requires employment contracts, job descriptions, and documented responsibilities.
A.5.31 | Legal and regulatory requirements register maintained | Config rules are a technical signal; a legal register requires input from legal counsel across all jurisdictions you operate in.
A.6.3 | Security awareness training completed by all staff | MFA adoption is used as a proxy; formal training requires a Learning Management System, completion records, and testing.
A.6.7 | Remote working policy formally documented | VPN/SSM controls are verified; a policy document requires HR involvement, acceptable use clauses, and equipment standards.
A.7.1 | Physical security perimeters documented | AWS manages DC physical security; your office perimeters, visitor logs, and clean-desk policies are your responsibility.
A.8.1 | Endpoint device management policy | SSM Fleet Manager is checked; BYOD policies, MDM deployment, and device encryption standards are organisational controls.
A.8.11 | Data masking procedures for sensitive data | Macie detects raw PII; tokenisation, pseudonymisation, and masking implementations must be built into your applications.
A.8.17 | Clock synchronisation policy documented | AWS manages NTP for all services; document this in your ISMS as a shared responsibility control with evidence from CloudTrail.
PCI-DSS v4.0
Applies to: FinTech, e-commerce, payments — anyone processing card data
PCI-DSS v4.0 is mandatory for anyone storing, processing, or transmitting cardholder data (CHD). Non-compliance can result in fines up to $100,000/month and loss of card processing rights.
34 automated checks, 6 manual controls
Requirement 1 — Network Security Controls
Severity breakdown: 2 Critical, 2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 1.1 | Security groups configured correctly | Req 1.1: network security controls must be installed and maintained | ec2:DescribeSecurityGroups | CRITICAL | ✓ AUTO
Req 1.2 | NACLs restrict inbound traffic | Req 1.2: network access controls must restrict unauthorized traffic | ec2:DescribeNetworkAcls | HIGH | ✓ AUTO
Req 1.3 | VPC Flow Logs for CHD traffic monitoring | Req 1.3: network access to the CHD environment must be restricted and logged | ec2:DescribeFlowLogs | HIGH | ✓ AUTO
Req 1.3.2 | No public S3 buckets with CHD | Req 1.3.2: cardholder data must not be publicly accessible | s3:GetBucketPolicy | CRITICAL | ✓ AUTO
Requirement 2 — Secure Configurations
Severity breakdown: 1 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 2.1 | Config Conformance Packs = secure config | Req 2.1: secure configuration processes must be defined | config:DescribeConformancePacks | MEDIUM | ✓ AUTO
Req 2.2 | Default SG restricts all traffic | Req 2.2: system components must be securely configured | ec2:DescribeSecurityGroups | HIGH | ✓ AUTO
Requirement 3 — Protect Stored Account Data
Severity breakdown: 2 Critical, 1 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 3.2 | S3 encryption for stored CHD | Req 3.2: stored account data must be protected | s3:GetBucketEncryption | CRITICAL | ✓ AUTO
Req 3.4 | RDS encryption for CHD storage | Req 3.4: PAN must be rendered unreadable anywhere it is stored | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
Req 3.5 | KMS key rotation for CHD encryption keys | Req 3.5: cryptographic keys used for CHD must be managed securely | kms:GetKeyRotationStatus | MEDIUM | ✓ AUTO
Req 3.7 | No KMS keys pending unintended deletion | Req 3.7: cryptographic key management must include a controlled lifecycle | kms:ListKeys | HIGH | ✓ AUTO
Requirement 4 — Cryptography in Transit
Severity breakdown: 1 Critical, 1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 4.2 | S3 HTTPS-only for CHD in transit | Req 4.2: strong cryptography must be used when transmitting CHD | s3:GetBucketPolicy | CRITICAL | ✓ AUTO
Req 4.2.1 | API Gateway enforces TLS 1.2 | Req 4.2.1: only trusted keys and certificates must be accepted | apigateway:GetDomainNames | HIGH | ✓ AUTO
Requirement 5 — Malware Protection
Severity breakdown: 2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 5.2 | GuardDuty ML-based threat detection | Req 5.2: malicious software must be detected and protected against | guardduty:ListDetectors | HIGH | ✓ AUTO
Req 5.3 | Inspector v2 continuous CVE scanning | Req 5.3: anti-malware mechanisms must be active and monitored | inspector2:BatchGetAccountStatus | HIGH | ✓ AUTO
Requirement 6 — Secure Systems & Applications
Severity breakdown: 1 Critical, 2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 6.2 | CodeBuild — no secrets in CI/CD env vars | Req 6.2: bespoke and custom software must be protected from attacks | codebuild:BatchGetProjects | CRITICAL | ✓ AUTO
Req 6.3 | ECR image scanning for CVEs | Req 6.3: security vulnerabilities must be identified and addressed | ecr:DescribeRepositories | HIGH | ✓ AUTO
Req 6.4 | WAF on ALBs serving CHD | Req 6.4: web-facing applications must be protected against attacks | wafv2:GetWebACLForResource | HIGH | ✓ AUTO
Requirement 7 — Access Control
Severity breakdown: 2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 7.1 | No admin users (least privilege) | Req 7.1: access to system components must be limited to least privilege | iam:ListAttachedUserPolicies | HIGH | ✓ AUTO
Req 7.2 | No wildcard IAM policies | Req 7.2: access must be assigned based on business need-to-know | iam:GetPolicyVersion | HIGH | ✓ AUTO
Requirement 8 — Identity & Authentication
Severity breakdown: 2 Critical, 3 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 8.2 | No unused IAM users > 45 days | Req 8.2: all user IDs must be unique and access must be managed | iam:GenerateCredentialReport | HIGH | ✓ AUTO
Req 8.3 | MFA for all IAM users | Req 8.3: strong authentication required for all user accounts | iam:ListMFADevices | CRITICAL | ✓ AUTO
Req 8.4 | MFA on root and all console users | Req 8.4: MFA required for access to CDE environments | iam:ListMFADevices | CRITICAL | ✓ AUTO
Req 8.5 | No never-used access keys | Req 8.5: system/application accounts must be managed as user accounts | iam:GenerateCredentialReport | HIGH | ✓ AUTO
Req 8.6 | Service accounts have no console access | Req 8.6: interactive use of system accounts must be prevented | iam:GetLoginProfile | HIGH | ✓ AUTO
Requirement 10 — Audit Logs
Severity breakdown: 2 Critical, 2 High, 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 10.1 | CloudTrail enabled and logging | Req 10.1: audit logs must be implemented to detect, deter, and minimize impact | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
Req 10.2 | CloudTrail captures all required events | Req 10.2: audit log events must include all required event types | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
Req 10.3 | CloudTrail S3 bucket not public | Req 10.3: audit logs must be protected from destruction and modification | s3:GetBucketAcl | HIGH | ✓ AUTO
Req 10.5 | CloudWatch log retention configured | Req 10.5: audit log history must be retained for at least 12 months | logs:DescribeLogGroups | MEDIUM | ✓ AUTO
Req 10.7 | GuardDuty detects control failures | Req 10.7: failures of security controls must be detected and reported | guardduty:ListDetectors | HIGH | ✓ AUTO
Requirement 11 — Testing & Detection
Severity breakdown: 2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 11.4 | GuardDuty for intrusion detection | Req 11.4: intrusion detection/prevention techniques must be used | guardduty:ListDetectors | HIGH | ✓ AUTO
Req 11.5 | AWS Config for change detection | Req 11.5: change detection mechanisms must alert on critical file changes | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
Requirement 12 — Security Policy
Severity breakdown: 3 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Req 12.1 | Config Conformance Pack = policy implementation | Req 12.1: overall information security policy must be established | config:DescribeConformancePacks | MEDIUM | ✓ AUTO
Req 12.3 | Security Hub continuous risk assessment | Req 12.3: targeted risk analysis must be performed for each requirement | securityhub:GetFindingAggregator | MEDIUM | ✓ AUTO
Req 12.10 | SSM IR runbooks for incident response | Req 12.10: incident response plan must be implemented and tested | ssm:ListDocuments | MEDIUM | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
Req 8.6 | Documented procedures for interactive system account use | Console access is blocked for service accounts; the procedure for emergency interactive access must be documented separately.
Req 10.6 | Time synchronisation policy documented | AWS handles NTP; document the shared responsibility model and reference AWS CloudTrail timestamps as evidence.
Req 11.3 | Annual penetration test by qualified tester | Inspector provides continuous CVE scanning; a formal pen test by a QSA or certified tester is required annually and cannot be automated.
Req 12.1 | Information security policy signed and published | Conformance Packs are a proxy; the actual policy document requires executive sign-off, annual review, and distribution to all staff.
Req 12.3 | Targeted risk analysis for each PCI requirement | Security Hub provides continuous assessment signals; a formal risk analysis requires documenting likelihood, impact, and mitigating controls per requirement.
Req 12.10 | Incident response plan tested annually | SSM runbooks are verified; the full IR plan requires tabletop exercises, communication trees, and forensic retention procedures.
🏥 HIPAA Security Rule
Healthcare companies, digital health, health-tech startups
The HIPAA Security Rule requires administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). LeapScan's HIPAA scan covers all automatable technical safeguards.
31 Automated · 7 manual
164.308 — Administrative Safeguards
1 Critical 5 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
164.308(a)(1) | GuardDuty for risk analysis | 164.308(a)(1): risk analysis must identify threats to ePHI confidentiality | guardduty:ListDetectors | CRITICAL | ✓ AUTO
164.308(a)(1) | AWS Config for risk management | 164.308(a)(1): risk management must reduce risks to ePHI to a reasonable level | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
164.308(a)(3) | No admin users — access authorization | 164.308(a)(3): workforce access authorization must be limited to the minimum necessary | iam:ListAttachedUserPolicies | HIGH | ✓ AUTO
164.308(a)(4) | Unused users disabled — access management | 164.308(a)(4): access must be terminated when no longer required | iam:GenerateCredentialReport | HIGH | ✓ AUTO
164.308(a)(5) | MFA adoption as training signal | 164.308(a)(5): all workforce members must receive security awareness training | iam:GenerateCredentialReport | MEDIUM | ✓ AUTO
164.308(a)(6) | GuardDuty for incident response | 164.308(a)(6): security incident procedures must identify and respond to incidents | guardduty:ListDetectors | HIGH | ✓ AUTO
164.308(a)(7) | RDS backup ≥ 7 days retention | 164.308(a)(7): contingency plan must include data backup and emergency operations | rds:DescribeDBInstances | HIGH | ✓ AUTO
164.308(a)(8) | Trusted Advisor for evaluation | 164.308(a)(8): periodic technical and non-technical evaluation required | support:DescribeTrustedAdvisorChecks | LOW | ✓ AUTO
164.310 — Physical Safeguards
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
164.310(a) | AWS Config rules = facility control evidence | 164.310(a): AWS manages the physical facility — Config rules document shared responsibility | config:DescribeConfigurationRecorders | LOW | ✓ AUTO
164.310(d) | EBS encryption for device/media control | 164.310(d): media controls must ensure ePHI is unreadable on decommissioned media | ec2:DescribeVolumes | HIGH | ✓ AUTO
164.312 — Technical Safeguards
2 Critical 5 High 4 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
164.312(a)(1) | No unused IAM users (unique ID) | 164.312(a)(1): unique user identification required for accessing ePHI | iam:GenerateCredentialReport | HIGH | ✓ AUTO
164.312(a)(2) | Break-glass emergency access role | 164.312(a)(2): emergency access procedure for ePHI when normal access is unavailable | iam:ListRoles | MEDIUM | ✓ AUTO
164.312(a)(2) | Cognito session token expiry ≤ 24h | 164.312(a)(2): automatic logoff must terminate sessions after inactivity | cognito-idp:DescribeUserPool | MEDIUM | ✓ AUTO
164.312(a)(2) | EBS encryption for PHI at rest | 164.312(a)(2): encryption/decryption of ePHI required as an addressable specification | ec2:DescribeVolumes | HIGH | ✓ AUTO
164.312(b) | CloudTrail for ePHI audit controls | 164.312(b): audit controls must track activity in systems containing ePHI | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
164.312(c)(1) | S3 versioning for PHI integrity | 164.312(c)(1): integrity controls must protect ePHI from improper alteration | s3:GetBucketVersioning | MEDIUM | ✓ AUTO
164.312(c)(1) | S3 Object Lock for PHI immutability | 164.312(c)(1): WORM storage prevents unauthorized modification of audit records | s3:GetObjectLockConfiguration | MEDIUM | ✓ AUTO
164.312(c)(2) | S3 SSL for PHI transmission integrity | 164.312(c)(2): transmission integrity requires detecting unauthorized modification | s3:GetBucketPolicy | HIGH | ✓ AUTO
164.312(d) | MFA for ePHI access authentication | 164.312(d): authentication must verify identity before granting ePHI access | iam:ListMFADevices | CRITICAL | ✓ AUTO
164.312(e)(1) | WAF on ALBs serving PHI | 164.312(e)(1): transmission security must protect ePHI over electronic networks | wafv2:GetWebACLForResource | HIGH | ✓ AUTO
164.312(e)(2) | S3 HTTPS-only for PHI in transit | 164.312(e)(2): encryption of ePHI in transit required as an addressable specification | s3:GetBucketPolicy | HIGH | ✓ AUTO
164.314 — Organizational Requirements
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
164.314(a) | AWS Organizations = BAA evidence | 164.314(a): Business Associate Agreements must be signed with all BAs, including AWS | organizations:DescribeOrganization | HIGH | ✓ AUTO
164.316 — Documentation
1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
164.316(a) | Config rules as policy implementation | 164.316(a): policies and procedures must be implemented and documented | config:DescribeConformancePacks | MEDIUM | ✓ AUTO
HIPAA+ — AWS Best Practices for PHI
2 Critical 5 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
HIPAA+ | Macie for PHI discovery in S3 | Best practice: identify all S3 buckets containing PHI before protecting them | macie2:GetMacieSession | HIGH | ✓ AUTO
HIPAA+ | Macie automated discovery enabled | Best practice: continuously scan for new PHI as data grows | macie2:GetAutomatedDiscoveryConfiguration | HIGH | ✓ AUTO
HIPAA+ | RDS encryption for PHI databases | Best practice: all databases holding ePHI must be encrypted at rest | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
HIPAA+ | S3 encryption for PHI storage | Best practice: all S3 buckets containing ePHI must be encrypted | s3:GetBucketEncryption | HIGH | ✓ AUTO
HIPAA+ | CloudWatch log groups KMS-encrypted | Best practice: audit logs containing PHI access records must be encrypted | logs:DescribeLogGroups | HIGH | ✓ AUTO
HIPAA+ | Lambda — no PHI in environment variables | Best practice: PHI must never appear in Lambda environment variables | lambda:GetFunction | CRITICAL | ✓ AUTO
HIPAA+ | RDS backup retention ≥ 7 days | Best practice: PHI recovery requires adequate backup retention | rds:DescribeDBInstances | HIGH | ✓ AUTO
HIPAA+ | S3 KMS CMK encryption for PHI | Best practice: a KMS CMK provides a customer-controlled key audit trail for PHI | s3:GetBucketEncryption | MEDIUM | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
164.308(a)(5) | Security awareness training for all workforce members | MFA adoption is a proxy; HIPAA requires documented training records, completion tracking, and periodic refreshes for all staff with PHI access.
164.310(a) | Facility access controls for PHI locations | AWS handles data centre physical security; your own offices, server rooms, and workstations with PHI access require documented physical controls.
164.310(d) | Device and media controls policy | EBS encryption is verified; a full media controls policy covers hardware disposal, media sanitisation, portable device handling, and chain-of-custody procedures.
164.312(a)(2) | Emergency access procedure documented | Break-glass IAM role is verified; the procedure for when/how to use it, approvals required, and post-use auditing must be documented separately.
164.312(a)(2) | Automatic logoff policy communicated to users | Cognito token expiry is configured; users must be informed of the policy and it must appear in your workforce training materials.
164.314(a) | BAA signed with all Business Associates | AWS BAA via Organizations is verified; every third-party vendor who touches PHI (cloud tools, contractors, analytics) requires their own signed BAA.
164.316(a) | Policies and procedures documentation retained 6 years | Config Conformance Packs are a proxy; HIPAA requires retaining actual policy documents for a minimum of 6 years from creation or last effective date.
🇪🇺 GDPR (EU) 2016/679
Any company with EU/UK customers or processing EU personal data
GDPR applies to any organisation handling EU personal data, regardless of location. Non-compliance fines reach €20M or 4% of global annual turnover. LeapScan covers all automatable technical controls under Art.5, Art.25, Art.32, and Art.33.
29 Automated · 8 manual
Art.5 — Data Principles (Technical Controls)
2 Critical 1 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.5(1)(e) | S3 lifecycle policies — storage limitation | Data must not be kept longer than necessary. No lifecycle rule = indefinite retention. | s3:GetBucketLifecycleConfiguration | HIGH | ✓ AUTO
Art.5(1)(e) | S3 Glacier/archive expiry rules | Archived data without expiry violates the storage limitation principle. | s3:GetBucketLifecycleConfiguration | MEDIUM | ✓ AUTO
Art.5(1)(f) | S3 encryption — confidentiality of personal data | Art.5(1)(f): personal data must be processed with appropriate security, including encryption. | s3:GetBucketEncryption | CRITICAL | ✓ AUTO
Art.5(1)(f) | RDS encryption — database confidentiality | Unencrypted databases holding personal data violate the Art.5(1)(f) confidentiality requirement. | rds:DescribeDBInstances | CRITICAL | ✓ AUTO
Art.25 — Privacy by Design & Default
2 Critical 1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.25(1) | Least privilege IAM — data minimisation by design | Art.25 requires limiting access to personal data to what is strictly necessary. | iam:GetPolicyVersion | HIGH | ✓ AUTO
Art.25(2) | S3 account public access block — private by default | Art.25(2): default settings must not allow more data access than necessary. | s3control:GetPublicAccessBlock | CRITICAL | ✓ AUTO
Art.25(2) | No public S3 buckets — private by default | Personal data must not be publicly accessible without explicit consent and purpose. | s3:GetPublicAccessBlock | CRITICAL | ✓ AUTO
Art.28 — Processor Obligations
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.28 | AWS BAA / DPA evidence via Organizations | Art.28: data processing with sub-processors (AWS) requires a signed DPA/BAA. | organizations:DescribeOrganization | HIGH | ✓ AUTO
Art.30 — Records of Processing Activities
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.30 | AWS Config full recording — processing records | Art.30: records of processing must be maintained. Config provides the technical record of all resource configurations. | config:DescribeConfigurationRecorders | HIGH | ✓ AUTO
Art.32 — Security of Processing
1 Critical 5 High 3 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.32(1)(a) | EBS encryption — pseudonymisation/encryption | Art.32: appropriate technical measures must include encryption of personal data. | ec2:DescribeVolumes | HIGH | ✓ AUTO
Art.32(1)(a) | S3 KMS CMK — key-controlled encryption | A KMS CMK provides customer-controlled encryption keys with an audit trail for personal data. | s3:GetBucketEncryption | MEDIUM | ✓ AUTO
Art.32(1)(b) | GuardDuty — confidentiality & integrity monitoring | Art.32(1)(b): ability to ensure ongoing confidentiality and integrity of processing systems. | guardduty:ListDetectors | HIGH | ✓ AUTO
Art.32(1)(b) | RDS Multi-AZ — resilience of processing | Art.32(1)(b): ability to ensure resilience of processing systems and services. | rds:DescribeDBInstances | MEDIUM | ✓ AUTO
Art.32(1)(c) | RDS backup retention — restore after incident | Art.32(1)(c): ability to restore availability of personal data after an incident. | rds:DescribeDBInstances | HIGH | ✓ AUTO
Art.32(1)(d) | Inspector v2 — regular security testing | Art.32(1)(d): process to regularly test and evaluate the effectiveness of security measures. | inspector2:BatchGetAccountStatus | HIGH | ✓ AUTO
Art.32(1)(d) | Security Hub standards — ongoing evaluation | Art.32(1)(d): Security Hub provides continuous technical evaluation of security controls. | securityhub:GetEnabledStandards | MEDIUM | ✓ AUTO
Art.32(4) | MFA enforcement — authorised access only | Art.32(4): personal data must only be processed on the instructions of the controller — MFA ensures only authorised persons access systems. | iam:ListMFADevices | CRITICAL | ✓ AUTO
Art.32 | S3 object-level CloudTrail logging | Art.32/33: knowing who accessed personal data objects is essential for security and breach response. | cloudtrail:GetEventSelectors | HIGH | ✓ AUTO
Art.33 — Breach Notification (72-hour window)
2 Critical 1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.33 | GuardDuty — breach detection capability | Art.33 requires detecting breaches to meet the 72-hour notification window. GuardDuty provides ML-based detection. | guardduty:ListDetectors | CRITICAL | ✓ AUTO
Art.33 | CloudTrail — audit trail for breach investigation | Art.33: breach notification requires knowing what data was accessed. CloudTrail is the forensic record. | cloudtrail:DescribeTrails | CRITICAL | ✓ AUTO
Art.33 | VPC Flow Logs — network breach evidence | Art.33: network-level breach evidence requires VPC Flow Logs to establish the scope of a breach. | ec2:DescribeFlowLogs | HIGH | ✓ AUTO
GDPR+ — Data Residency & Transfer Controls
3 High 5 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
GDPR+ | S3 Cross-Region Replication — data residency check | Replication to non-EU regions may constitute an unlawful international data transfer without SCCs. | s3:GetBucketReplication | MEDIUM | ✓ AUTO
GDPR+ | CloudTrail log region — audit trail location | Audit logs stored outside the EU may themselves constitute a data transfer requiring documentation. | s3:GetBucketLocation | MEDIUM | ✓ AUTO
GDPR+ | RDS instance regions — database data residency | RDS instances in non-EU regions storing EU personal data require a documented transfer mechanism. | rds:DescribeDBInstances | MEDIUM | ✓ AUTO
GDPR+ | Macie — PII discovery and classification | You cannot protect personal data you cannot find. Macie identifies where PII is stored across S3. | macie2:GetMacieSession | HIGH | ✓ AUTO
GDPR+ | Macie automated discovery — ongoing PII monitoring | Continuous PII scanning ensures new personal data is identified and classified as it is uploaded. | macie2:GetAutomatedDiscoveryConfiguration | HIGH | ✓ AUTO
GDPR+ | VPC S3 endpoint — personal data in private network | Personal data traffic to S3 should stay within the AWS network and not traverse the public internet. | ec2:DescribeVpcEndpoints | MEDIUM | ✓ AUTO
GDPR+ | CloudWatch logs KMS-encrypted — audit log protection | Log groups containing personal data access records must be encrypted for GDPR Art.32 compliance. | logs:DescribeLogGroups | HIGH | ✓ AUTO
GDPR+ | Cognito advanced security — identity protection | Compromised user identities = compromised personal data. Advanced security prevents account takeovers. | cognito-idp:DescribeUserPool | MEDIUM | ✓ AUTO
⚠ Company Responsibility — Cannot Be Automated
The controls below cannot be verified via AWS API. They require organisational policies, human processes, or legal documentation. These remain the sole responsibility of the account owner. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
Art.5(1)(b) | Purpose limitation — data only used for stated purpose | Not automatable via AWS API. Requires data flow mapping, privacy notices, and legal basis documentation for each processing activity.
Art.13/14 | Privacy notices provided to data subjects | Not automatable. Requires legal drafting of privacy notices, layered notices for different audiences, and delivery mechanisms in your product.
Art.17 | Right to erasure procedures implemented | KMS key deletion is a partial technical control. Full erasure requires application-layer deletion workflows, backup purging procedures, and documented response SLAs.
Art.30 | Full Records of Processing Activities (RoPA) | Config recording is a technical proxy. A complete RoPA also requires listing processing purposes, data categories, retention periods, and third-country transfers — a legal/operational document.
Art.35 | Data Protection Impact Assessment (DPIA) for high-risk processing | Inspector/Security Hub are checked as technical proxies. A DPIA is a formal documented assessment requiring DPO involvement and risk consultation.
Art.37 | DPO appointed where required | Not automatable. Organisations meeting GDPR Art.37 criteria must formally appoint a DPO, register them with the supervisory authority, and publish contact details.
Art.46 | Transfer mechanisms for international data transfers (SCCs etc.) | Data residency checks flag non-EU regions. The actual transfer mechanism (SCCs, adequacy decision, BCRs) requires legal review and contractual implementation.
Art.83 | GDPR fines avoidance — organisational accountability | Technical controls reduce risk but do not guarantee compliance. Accountability requires a full GDPR compliance programme including training, DPIAs, RoPA, and supervisory authority registration.
🔐 NIS2 Directive (EU) 2022/2555
Essential & important entities operating in the EU
NIS2 applies to essential and important entities providing critical services in the EU. Binding cybersecurity risk management measures are required under Art.21. Non-compliance fines reach €10M or 2% of global annual turnover. LeapScan covers all automatable technical controls under Art.21(2).
17 Automated · 5 manual
Art.21(2)(a) — Risk Analysis & Network Security
1 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(a) | WAF Web ACLs & Shield Advanced — perimeter protection | No WAF = application-layer attacks reach services unchecked. No Shield = no DDoS protection for critical public endpoints. | wafv2:ListWebACLs | MEDIUM | ✓ AUTO
Art.21(2)(a) | Security groups — unrestricted inbound access (0.0.0.0/0) | Open admin ports exposed to the internet invite credential attacks and lateral movement across the network. | ec2:DescribeSecurityGroups | HIGH | ✓ AUTO
Art.21(2)(b) — Incident Handling & Notification Readiness
3 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(b) | EventBridge security event routing rules | No security event rules = no automated detection pipeline. Art.23 requires CSIRT notification within 24 hours — impossible without automated alerting. | events:ListRules | HIGH | ✓ AUTO
Art.21(2)(b) | GuardDuty threat detection in all regions | GuardDuty disabled = compromised credentials, crypto mining, and exfiltration go undetected — breaches go unreported to the CSIRT. | guardduty:ListDetectors | HIGH | ✓ AUTO
Art.21(2)(b) | CloudTrail multi-region audit logging | Without CloudTrail there is no forensic trail of who did what — incident analysis and regulatory reporting to the NCA become impossible. | cloudtrail:DescribeTrails | HIGH | ✓ AUTO
Art.21(2)(b) | VPC Flow Logs — network traffic visibility | No flow logs = no network-level forensics. Post-incident analysis cannot identify lateral movement, exfiltration paths, or attack origin. | ec2:DescribeFlowLogs | MEDIUM | ✓ AUTO
Art.21(2)(c) — Business Continuity & Backup Management
1 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(c) | AWS Backup — centralised backup plans active | No backup plans = no recoverable state after ransomware or accidental deletion. No documented continuity programme for regulators. | backup:ListBackupPlans | HIGH | ✓ AUTO
Art.21(2)(c) | S3 versioning — data recovery capability | Without versioning, overwritten or deleted objects are permanently lost — ransomware on object stores leaves no recovery path. | s3:GetBucketVersioning | MEDIUM | ✓ AUTO
Art.21(2)(d) — Supply Chain Security
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(d) | ECR Enhanced Scanning — continuous container image CVE detection | Basic scanning only runs on push. New CVEs in already-deployed images from third-party suppliers go undetected until exploitation. | ecr:GetRegistryScanningConfiguration | HIGH | ✓ AUTO
Art.21(2)(e) — Vulnerability Management
1 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(e) | Inspector v2 — continuous vulnerability scanning (EC2, ECR, Lambda) | Without Inspector v2 there is no programme for identifying and remediating CVEs — a fundamental NIS2 security baseline requirement. | inspector2:BatchGetAccountStatus | HIGH | ✓ AUTO
Art.21(2)(f) — Effectiveness Evaluation & Posture Reporting
2 High
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(f) | Security Hub — compliance standards active | No Security Hub standards = no automated measurement of security posture. Cannot demonstrate continuous control effectiveness to a NIS2 auditor. | securityhub:GetEnabledStandards | HIGH | ✓ AUTO
Art.21(2)(f) | AWS Config — full resource recording active | Config disabled = no change history for any resource. Cannot prove configuration compliance at any point in time to a regulator. | configservice:DescribeConfigurationRecorders | HIGH | ✓ AUTO
Art.21(2)(g)/(i) — Cyber Hygiene & Access Control
1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(g) | CloudWatch log group retention ≥ 90 days | Logs deleted after 30 days cannot support forensic investigations or demonstrate hygiene practices to auditors after an incident. | logs:DescribeLogGroups | MEDIUM | ✓ AUTO
Art.21(2)(h) — Cryptographic Policy & Key Management
2 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(h) | KMS automatic key rotation — customer-managed keys | Static encryption keys that never rotate increase the blast radius if a key is ever exposed or exfiltrated via a long-term compromise. | kms:GetKeyRotationStatus | MEDIUM | ✓ AUTO
Art.21(2)(h) | EBS default encryption — encryption at rest | Unencrypted EBS volumes expose data at rest if a snapshot is shared or a volume is detached — violating NIS2 cryptographic requirements. | ec2:GetEbsEncryptionByDefault | MEDIUM | ✓ AUTO
Art.21(2)(j) — Multi-Factor Authentication
1 High 1 Medium
Control | What LeapScan Checks | Risk If Failed | AWS API | Severity | Status
Art.21(2)(j) | MFA adoption & SCP enforcement — IAM user coverage | Low MFA coverage = phished or leaked credentials grant direct console access. NIS2 mandates MFA for all network and information system access. | iam:GetAccountSummary | HIGH | ✓ AUTO
Art.21(2)(j) | IAM account password policy — minimum strength requirements | A weak password policy allows trivially guessable credentials — undermining MFA requirements and enabling account takeover without brute-force protections. | iam:GetAccountPasswordPolicy | MEDIUM | ✓ AUTO
⚠ Company Responsibility — Manual Controls
The 5 controls below require organisational evidence that cannot be verified via AWS API. LeapScan documents them in your audit report as a checklist for auditors.
Control | Requirement | Why Manual Evidence Is Required
Art.20 | Board-level governance & oversight | NIS2 Art.20 makes management bodies personally liable. Requires board approval of cybersecurity risk management measures and documented oversight — cannot be verified via AWS API.
Art.21(2)(g) | Cybersecurity training programme | Art.21(2)(g) requires basic cyber hygiene practices and cybersecurity training for all staff. Training records, completion rates, and course content must be documented for auditors.
Art.23 | Incident reporting procedure (CSIRT / NCA) | Art.23 requires early warning to the CSIRT within 24h, full notification within 72h, and a final report within 1 month. A documented runbook is required — AWS cannot enforce this process.
Art.21(2)(d) | Supplier due diligence & contracts | Art.21(2)(d) requires addressing security in supplier relationships. This means documented vendor risk assessments, contractual security clauses, and third-party audit rights — all organisational, not AWS-checkable.
Art.26 | Registration with competent authority | Art.26 requires essential and important entities to register with their national competent authority. This is an organisational and legal obligation — AWS configuration cannot evidence or substitute for this registration.
LeapScan
280+ Checks · 7 Frameworks · 100% Read-Only · support@leaptrix.com
New Coverage
🪟 Microsoft 365 Security Checks
10 automated checks covering your M365 tenant — identity, access, email security, and compliance controls.
# | Check | Category | Severity
M01 | MFA Enforcement Status | Identity & Access | CRITICAL
M02 | Admin Role Assignments | Identity & Access | CRITICAL
M03 | Conditional Access Policies | Identity & Access | HIGH
M04 | Guest User Access | Identity & Access | HIGH
M05 | Legacy Authentication Protocols | Identity & Access | CRITICAL
M06 | OAuth App Permissions | App Security | HIGH
M07 | External Sharing Settings | Data Protection | HIGH
M08 | Email Forwarding Rules | Email Security | CRITICAL
M09 | Mailbox Audit Logging | Logging & Monitoring | HIGH
M10 | Safe Links & Safe Attachments (Defender) | Email Security | HIGH