NNSEC

[ PLATFORM // AWS ]

Security for AWS.
Built for builders.

Read-only cross-account assessment across IAM, S3, VPC, GuardDuty, Security Hub, and Config — normalized to OCSF and scored without write access to your estate.

  • 40+ APIs assessed
  • <15m Connector deploy
  • 800+ Findings / scan

Full coverage
aws://posture.scan — account 884210 · READ-ONLY
  • IAM · 12 users without MFA
  • S3 · bucket logs-prod public ACL
  • SG · 0.0.0.0/0:22 on i-0a8f…
  • GD · 3 GuardDuty highs open
IAM · VPC · S3
[ DOMAINS // COVERAGE ]

What we assess in AWS.

Platform-native domains — not a generic cloud checklist pasted from another provider.

IAM & identity

Credential report, excessive policies, MFA gaps, privilege paths.

S3 & data

Public ACLs, bucket policies, encryption, Macie classifications.

Network

Security groups, NACLs, exposed admin ports, VPC flow gaps.

Logging

CloudTrail coverage, log integrity, centralized storage.

Detections

GuardDuty, Security Hub, Inspector2 findings unified.

Compliance

Config rules mapped to SOC 2 and CIS AWS Foundations.

KMS & secrets

Key rotation, cross-account grants, Secrets Manager exposure.

Organizations

SCP drift, OU inheritance, delegated admin misconfigs.

[ RUNBOOK // ONBOARDING ]

Onboarding preview from checklist.

Steps align with NNSEC_Onboarding_Checklist; the full runbook is generated after the discovery wizard.

  1. External ID + role: Deploy CloudFormation template with read-only managed policy.
  2. Validate assume-role: NNSEC connector tests STS from isolated account.
  3. Scope accounts: Pick org units; exclude sandboxes via tag.
  4. Baseline scan: First full ingest to tenant S3 prefix, KMS encrypted.
  5. Dashboard live: Risk categories: IAM, Network, Data, Logging, Compliance, Vuln.
  6. Monthly cadence: Scheduled Lambda + executive PDF from live findings.

[ TOOLING // OSS ]

Tools we deploy and integrate.

Open-source and native cloud APIs — no proprietary agent required unless noted for on-prem.

CloudTrail
GuardDuty
Security Hub
Config
Inspector2
Macie
IAM Access Analyzer
Prowler-style checks

Connector · AssumeRole with external ID per NorthSec AI architecture §2.1 — cross-account read-only.

[ COMPLIANCE // MAP ]

Framework mapping for AWS.

Evidence exports attach findings to auditor-friendly control IDs.

CIS AWS 1.5

CIS · SOC 2 CC6

PCI DSS 1.3

PCI · network segmentation

NIST CSF PR.AC

Identity · access

[ TIERS ]

Connector included by tier

foundation · $3,500
growth · $5,000
scale · $8,000
enterprise · $12,000

Customer story

412 IAM findings closed

Multi-account fintech reduced public S3 and stale keys in 60 days.

Fintech

FAQ

Read-only: List/Get/Describe across assessed services. No Create/Delete/Update.

Connect AWS to NorthSec AI

Full coverage · read-only · per-tenant KMS