Compliance
cloud-audit includes a built-in compliance engine that maps scan findings to the controls of specific compliance frameworks. Each control is rated PASS, FAIL, PARTIAL or NOT_ASSESSED, with evidence statements and per-control remediation.
Supported Frameworks
| Framework | Status | Controls | Automated controls |
|---|---|---|---|
| CIS AWS v3.0 | Available | 62 | 55 (89%) |
| SOC 2 Type II | Planned | 64 | - |
| ISO 27001:2022 | Planned | 93 | - |
| BSI C5:2020 | Planned | 121 | - |
| HIPAA | Planned | 36 | - |
| NIS2 | Planned | ~40 | - |
How It Works
- cloud-audit runs all 80 checks against your AWS account
- The compliance engine maps each finding to the framework controls it provides evidence for
- Each control gets a status: PASS, FAIL, PARTIAL, or NOT_ASSESSED (no automated check mapped, or the mapped checks did not run)
- Evidence statements are generated per control from the mapped check results
- A readiness score summarises your compliance posture
Compliance Output
The compliance report includes:
- Readiness score - percentage of assessed controls (NOT_ASSESSED excluded) that PASS
- Per-control status - PASS/FAIL/PARTIAL with evidence statements
- Attack chain violations - which attack chains violate which controls
- Remediation per control - AWS CLI + Terraform code grouped by control
- Manual review items - controls that no automated check can verify and that require human review
Compliance is not certification
cloud-audit generates evidence and readiness assessments. This does not constitute formal compliance certification. Work with a qualified auditor for formal assessments.
Architecture
Compliance mappings are stored as JSON files in src/cloud_audit/compliance/frameworks/. Each file maps cloud-audit check IDs to framework controls, together with evidence templates and remediation context for each control.
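To make the mapping and roll-up concrete, here is an added example of a small engine of the kind described under How It Works and Architecture. It is not cloud-audit's own code: the JSON schema, the check IDs, the findings and the aggregation rule (every evaluated check passes gives PASS, every one fails gives FAIL, mixed gives PARTIAL, nothing evaluated gives NOT_ASSESSED) are assumptions made for illustration, not the project's real file format or logic.

```python
"""Toy compliance engine. Added example, not cloud-audit's own code; schema,
check IDs and aggregation rule are assumptions made for illustration."""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PASS, FAIL, PARTIAL, NOT_ASSESSED = "PASS", "FAIL", "PARTIAL", "NOT_ASSESSED"

# Constructed sample mapping file (hypothetical schema, hypothetical check IDs).
FRAMEWORK_JSON = r"""
{
  "framework": "CIS AWS v3.0 (constructed excerpt)",
  "controls": [
    {"id": "1.4", "title": "No root user access key exists",
     "checks": ["iam_root_access_keys"],
     "evidence": "{passed}/{total} root access-key checks passed; failing: {failing}",
     "remediation": "Delete the root access key (IAM console > Security credentials)"},
    {"id": "1.10", "title": "MFA enabled for all IAM users with a console password",
     "checks": ["iam_user_mfa_enabled", "iam_password_policy_strength"],
     "evidence": "{passed}/{total} MFA-related checks passed; failing: {failing}",
     "remediation": "Enable an MFA device for every console user (aws iam enable-mfa-device)"},
    {"id": "3.1", "title": "CloudTrail enabled in all regions",
     "checks": ["cloudtrail_multi_region"],
     "evidence": "{passed}/{total} CloudTrail checks passed; failing: {failing}",
     "remediation": "aws cloudtrail update-trail --name <TRAIL> --is-multi-region-trail"},
    {"id": "2.1.1", "title": "S3 buckets require SSL",
     "checks": ["s3_bucket_ssl_only"],
     "evidence": "{passed}/{total} S3 checks passed; failing: {failing}",
     "remediation": "Attach a bucket policy denying aws:SecureTransport=false"},
    {"id": "1.1", "title": "Current contact details maintained",
     "checks": [], "evidence": "Verify in the AWS console (manual)", "remediation": ""}
  ]
}
"""

# Constructed scan findings (check ID -> result). s3_bucket_ssl_only never ran.
FINDINGS: Dict[str, str] = {
    "iam_root_access_keys": PASS,
    "iam_user_mfa_enabled": FAIL,
    "iam_password_policy_strength": PASS,
    "cloudtrail_multi_region": FAIL,
}


@dataclass
class ControlResult:
    control_id: str
    title: str
    status: str
    evidence: str
    failing_checks: List[str] = field(default_factory=list)
    remediation: Optional[str] = None


def assess_control(control: dict, findings: Dict[str, str]) -> ControlResult:
    """Roll the results of the checks mapped to one control up into one status."""
    checks = control.get("checks", [])
    evaluated = {c: findings[c] for c in checks if c in findings}
    if not evaluated:
        # Manual control, or mapped checks absent from the scan: no evidence,
        # so never call it PASS; report it as NOT_ASSESSED instead.
        reason = "no automated check mapped" if not checks else "mapped checks did not run"
        return ControlResult(control["id"], control["title"], NOT_ASSESSED,
                             "Not assessed: " + reason)
    failing = sorted(c for c, r in evaluated.items() if r != PASS)
    if not failing:
        status = PASS
    elif len(failing) == len(evaluated):
        status = FAIL
    else:
        status = PARTIAL
    evidence = control["evidence"].format(
        passed=len(evaluated) - len(failing), total=len(evaluated),
        failing=", ".join(failing) or "none")
    remediation = control.get("remediation") if status != PASS else None
    return ControlResult(control["id"], control["title"], status, evidence,
                         failing, remediation or None)


def assess_framework(framework: dict, findings: Dict[str, str]) -> dict:
    """Build the report: readiness, per-control results, remediation, manual items."""
    results = [assess_control(c, findings) for c in framework["controls"]]
    assessed = [r for r in results if r.status != NOT_ASSESSED]
    passed = sum(r.status == PASS for r in assessed)
    # Readiness counts only assessed controls, and PARTIAL does not count as passing.
    readiness = round(100.0 * passed / len(assessed), 1) if assessed else 0.0
    return {
        "framework": framework["framework"],
        "readiness": readiness,
        "results": results,
        "remediation_by_control": {r.control_id: r.remediation
                                   for r in results if r.status in (FAIL, PARTIAL)},
        "manual_review": [r.control_id for r in results if r.status == NOT_ASSESSED],
    }


REPORT = assess_framework(json.loads(FRAMEWORK_JSON), FINDINGS)

if __name__ == "__main__":
    print(f"{REPORT['framework']}: readiness {REPORT['readiness']}%")
    for r in REPORT["results"]:
        print(f"  {r.control_id:6} {r.status:13} {r.evidence}")
    print("Manual review:", REPORT["manual_review"])
```

With the constructed findings, control 1.4 passes, 1.10 is PARTIAL (one of two checks failing), 3.1 fails, 2.1.1 is NOT_ASSESSED because its check never ran, and 1.1 is NOT_ASSESSED because it has no automated check; readiness is 1 of 3 assessed controls, 33.3%. The design point worth keeping from this toy is that a control with no evidence is reported as NOT_ASSESSED rather than silently passing, and that it is excluded from the readiness denominator so the score cannot be inflated by unmapped controls.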
Community contributions of new framework mappings are welcome. See Contributing.