Early access — AWS · SOC 2

Know what your SOC 2 auditor will ask about your AWS. And the exact fix.

Connect a read-only role in 15 minutes. Umber Cloud scans your AWS, translates every finding into plain English, hands you the exact command that fixes it — and turns your passing controls into dated, auditor-ready evidence.

Get my free scan See a real finding

Free scan, real report, no card. Read-only access — revoke anytime by deleting one IAM role.

umber-cloud — scan
$ umber scan --profile production
Umber Cloud scan — 10 checks, agentless, read-only
 
[PASS] UC-001 S3 public access · CC6.1, CC6.6
[FAIL] UC-002 Security group open to internet · CC6.6
sg-0a1b2c3d 'api-servers': port 22 open to 0.0.0.0/0
Risk: anyone on the internet can attempt SSH logins to your API servers
Fix: aws ec2 revoke-security-group-ingress --group-id sg-0a1b2c3d ...
[PASS] UC-003 Root account MFA · CC6.1
[PASS] UC-005 CloudTrail multi-region logging · CC7.2
 
Evidence exported: evidence-2026-07-02.md — 9 controls EFFECTIVE, 1 EXCEPTION
$
The problem

The audit is coming. Your scanner speaks robot.

You closed an enterprise deal — congratulations, now they want your SOC 2. Free tools dump 300 raw findings and walk away. You don't need more findings. You need answers.

Raw findings aren't answers

"S3 bucket ACL grants READ to AllUsers" means nothing at 11pm before a customer security review. "Your database backups are reachable from the public internet" does.

Auditors want evidence, not screenshots

SOC 2 isn't about being perfect — it's about proving your controls work over time. Ad-hoc screenshots the night before don't cut it. Dated, repeated scan records do.

Nobody tells you the fix

Detection without remediation is homework. Every Umber Cloud finding ships with the exact AWS CLI command or Terraform snippet — copy, paste, fixed, re-scan, green.

Three outputs, every finding

This is a real finding. Redacted, not staged.

Every check emits three things: what we detected, what it means for your business, and exactly what to type to fix it.

HIGH sg-0•••••••• 'api-servers' · us-east-1 UC-002 · CIS 5.2 · SOC 2 CC6.6
1Detection
Inbound port 22 (SSH) open to 0.0.0.0/0 Source: every IPv4 address on the internet
2Plain-English risk

Anyone on the internet can attempt to log in to the servers behind this rule. SSH ports are scanned constantly and brute-forced within hours of appearing online.

3The fix
aws ec2 \ revoke-security-group-ingress \ --group-id sg-0•••••••• \ --protocol tcp --port 22 \ --cidr 0.0.0.0/0
How it works

Fifteen minutes to your first evidence file.

No agents to install, no sidecars, no traffic mirroring. One read-only IAM role that you can revoke by deleting it.

01

Connect read-only

Create one IAM role with AWS's own SecurityAudit policy and an external ID. We can read configurations — never your data, and we can never change anything.

✓ ~15 minutes, guided
02

Scan & translate

Agentless checks aligned to the CIS AWS Foundations Benchmark run against your account. Every finding arrives in plain English with its severity and its exact fix.

✓ First results in minutes
03

Export evidence

Findings map to SOC 2 Trust Services Criteria. Passing controls become dated EFFECTIVE records; scans over time become the Type 2 story your auditor samples.

✓ CSV + Markdown, auditor-ready
Coverage

The checks that decide your audit.

Quality over noise: we skip the findings founders do on purpose (like ports 80/443 for your website) and focus on what auditors and attackers actually look at.

UC-001S3 buckets exposed to the public internetCC6.1 · CC6.6LIVE
UC-002Security groups open to the world (SSH, RDP, databases)CC6.6LIVE
UC-003Root account without MFA / root access keysCC6.1LIVE
UC-004IAM policies granting full admin (*:*)CC6.1 · CC6.3LIVE
UC-005CloudTrail disabled or not multi-regionCC7.2LIVE
UC-006Access keys older than 90 daysCC6.1LIVE
UC-007Unencrypted EBS volumesCC6.7LIVE
UC-008Publicly shared RDS snapshotsCC6.1 · CC6.6LIVE
UC-009EC2 instances allowing IMDSv1CC6.6LIVE
UC-010Over-privileged Lambda execution rolesCC6.3LIVE
UC-020AI agents & Bedrock roles with god-mode credentialsCC6.3LIVE
UC-021Bots & automations running on never-expiring keysCC6.1LIVE
UC-022OpenAI/Anthropic API keys sitting in plaintext configCC6.1LIVE

Deploying AI agents? We're the only scanner that audits your agents' blast radius — what your AI can actually do in AWS if a prompt injection lands.

Pricing

Less than an hour of your consultant's time.

A SOC 2 readiness consultant runs $200+ an hour. A failed customer security review costs the deal.

Founding customer
$99/mo

per AWS account · early access

Start with a free scan

Early-access pricing locked in for life. Cancel anytime.

Free scan

Get your AWS audit-readiness score. Free.

Leave your email and you'll get the 15-minute read-only setup guide. We run the full 13-check scan and send back your score (0–100) and a PDF evidence report — the same deliverable paying customers get, once, on us. No card, no commitment, and you keep the report.