Get the AWS half of your audit done - signed evidence your auditor accepts - in minutes.
Connect a read-only role. We scan your AWS against the controls behind SOC 2, ISO 27001 & PCI and hand you a signed, timestamped report your auditor (or your customer's security team) can verify as genuine. No agent, no write access - we hold only your scan results, not your data. Pay by card, no sales call.
From connect to evidence in three steps
CloudProof scans with read-only access - nothing is installed in your account and no data plane runs there.
Connect
Deploy a read-only IAM role with one CloudFormation template (or run our CLI for air-gapped accounts).
Scan
We evaluate 118 controls across your accounts and every region, mapped to the frameworks you care about.
Prove it
Get a signed, timestamped report (HTML/PDF/CSV/SARIF). Your auditor or customer confirms it's genuine and unedited at /verify - no "trust us." Track drift between audits.
Deep AWS posture - not another noisy dashboard
Built for the platform/security engineer to adopt, and the CISO or compliance lead to sign off.
Signed & verifiable evidence
Every report is cryptographically signed and timestamped. Anyone you send it to confirms it's genuine and unedited at /verify - the thing free scanners and raw JSON dumps can't hand your auditor.
Framework-mapped
One technical check satisfies many controls - CIS 3.1 is also PCI 10.2.1 and NIST AU-2. Plus attestation for the policy/process controls scanners ignore.
Remediation that ships
Every finding comes with AWS CLI, Terraform, CDK and Pulumi fixes - with cost impact and a rollback path.
Drift & history
Timestamped, archivable reports. See what regressed, what got fixed, and your posture trend over time.
Org-wide
Audit a single account or an entire AWS Organization with cross-account role assumption.
Air-gapped option
Regulated or isolated? Run the same engine as a signed, offline-licensed binary on-prem - no SaaS access required.
EU-hosted
Run in the EU with data residency that helps your own GDPR story.
The frameworks your auditor asks for
Technical controls auto-checked; organizational controls captured via attestation with evidence links.
Simple plans. Pick once, get back to work.
Start free for 7 days, then choose a plan. Most teams land on CloudProof Pro - full framework coverage (SOC 2, ISO 27001, HIPAA and more) at a price you can put on a card without a sign-off.
Free
- 1 AWS account How many AWS accounts you can connect and scan.
- CIS + AWS FSBP frameworks CIS + AWS FSBP are the universal AWS baselines; paid plans add SOC 2, ISO 27001, PCI, HIPAA, NIST and GDPR.
- Manual scans How often we re-scan. Manual = you click Run scan; Daily ≈ every 24h; Continuous ≈ every 4h.
- 7-day history How far back you can open past reports and the widest period an audit evidence pack can cover.
- Scans all your enabled regions Every scan checks regional resources across all the regions you've enabled — included on every plan.
- Report exports (PDF / CSV / SARIF) Download your report as PDF, CSV or SARIF. On Free, available during your 7-day trial.
- Audit evidence pack A signed, over-time record proving your controls held up across the period — what a SOC 2 Type II / ISO auditor samples. On Free, during the 7-day trial.
- Auditor share links Revocable, expiring read-only links to share a report or pack with your auditor — no account needed. On Free, during the 7-day trial.
- Drift alerts on new critical/high Get an email the moment a new critical or high-severity problem appears.
- Single sign-on (SSO) Your team signs in through your company identity provider (OIDC) instead of magic-link emails.
- Connect a whole AWS Organization Onboard every member account under your AWS Organization from a single connection.
- Custom frameworks Define your own control→check mappings to match an internal or industry-specific standard.
- Air-gapped licensed binary Run scans entirely inside your own network with a signed offline binary — nothing leaves your environment.
Single
- 1 AWS account How many AWS accounts you can connect and scan.
- All frameworks CIS + AWS FSBP are the universal AWS baselines; paid plans add SOC 2, ISO 27001, PCI, HIPAA, NIST and GDPR.
- Daily automated scans How often we re-scan. Manual = you click Run scan; Daily ≈ every 24h; Continuous ≈ every 4h.
- 1-year history How far back you can open past reports and the widest period an audit evidence pack can cover.
- Scans all your enabled regions Every scan checks regional resources across all the regions you've enabled — included on every plan.
- Report exports (PDF / CSV / SARIF) Download your report as PDF, CSV or SARIF. On Free, available during your 7-day trial.
- Audit evidence pack A signed, over-time record proving your controls held up across the period — what a SOC 2 Type II / ISO auditor samples. On Free, during the 7-day trial.
- Auditor share links Revocable, expiring read-only links to share a report or pack with your auditor — no account needed. On Free, during the 7-day trial.
- Drift alerts on new critical/high Get an email the moment a new critical or high-severity problem appears.
- Single sign-on (SSO) Your team signs in through your company identity provider (OIDC) instead of magic-link emails.
- Connect a whole AWS Organization Onboard every member account under your AWS Organization from a single connection.
- Custom frameworks Define your own control→check mappings to match an internal or industry-specific standard.
- Air-gapped licensed binary Run scans entirely inside your own network with a signed offline binary — nothing leaves your environment.
Cancel anytime · 14-day money-back
Pro
- Up to 15 AWS accounts How many AWS accounts you can connect and scan.
- All frameworks CIS + AWS FSBP are the universal AWS baselines; paid plans add SOC 2, ISO 27001, PCI, HIPAA, NIST and GDPR.
- Daily automated scans How often we re-scan. Manual = you click Run scan; Daily ≈ every 24h; Continuous ≈ every 4h.
- 1-year history How far back you can open past reports and the widest period an audit evidence pack can cover.
- Scans all your enabled regions Every scan checks regional resources across all the regions you've enabled — included on every plan.
- Report exports (PDF / CSV / SARIF) Download your report as PDF, CSV or SARIF. On Free, available during your 7-day trial.
- Audit evidence pack A signed, over-time record proving your controls held up across the period — what a SOC 2 Type II / ISO auditor samples. On Free, during the 7-day trial.
- Auditor share links Revocable, expiring read-only links to share a report or pack with your auditor — no account needed. On Free, during the 7-day trial.
- Drift alerts on new critical/high Get an email the moment a new critical or high-severity problem appears.
- Single sign-on (SSO) Your team signs in through your company identity provider (OIDC) instead of magic-link emails.
- Connect a whole AWS Organization Onboard every member account under your AWS Organization from a single connection.
- Custom frameworks Define your own control→check mappings to match an internal or industry-specific standard.
- Air-gapped licensed binary Run scans entirely inside your own network with a signed offline binary — nothing leaves your environment.
Cancel anytime · 14-day money-back
Unlimited
- Unlimited AWS accounts How many AWS accounts you can connect and scan.
- All frameworks CIS + AWS FSBP are the universal AWS baselines; paid plans add SOC 2, ISO 27001, PCI, HIPAA, NIST and GDPR.
- Continuous scans (~4h) How often we re-scan. Manual = you click Run scan; Daily ≈ every 24h; Continuous ≈ every 4h.
- 2+ year history How far back you can open past reports and the widest period an audit evidence pack can cover.
- Scans all your enabled regions Every scan checks regional resources across all the regions you've enabled — included on every plan.
- Report exports (PDF / CSV / SARIF) Download your report as PDF, CSV or SARIF. On Free, available during your 7-day trial.
- Audit evidence pack A signed, over-time record proving your controls held up across the period — what a SOC 2 Type II / ISO auditor samples. On Free, during the 7-day trial.
- Auditor share links Revocable, expiring read-only links to share a report or pack with your auditor — no account needed. On Free, during the 7-day trial.
- Drift alerts on new critical/high Get an email the moment a new critical or high-severity problem appears.
- Single sign-on (SSO) Your team signs in through your company identity provider (OIDC) instead of magic-link emails.
- Connect a whole AWS Organization Onboard every member account under your AWS Organization from a single connection.
- Custom frameworks Define your own control→check mappings to match an internal or industry-specific standard.
- Air-gapped licensed binary Run scans entirely inside your own network with a signed offline binary — nothing leaves your environment.
Cancel anytime · 14-day money-back
Why a subscription? A SOC 2 (Type II) audit checks your controls over a 3-12 month period - auditors want a continuous record, not a one-off scan. A paid plan keeps scanning and builds that timeline; you can't recreate it after the fact.
Pro covers up to 15 AWS accounts with drift history and alerts. Billed monthly or annually (save up to 17% annually). Also available via AWS Marketplace - pay on your existing AWS bill.