Replace 40-80 hours of manual evidence collection per audit. Prove compliance posture to any auditor, anytime.
Metadata-Only. Agentless. Read-Only. Audit-Ready.
“I managed 290+ AWS accounts and $80M in annual AWS spend. Every audit cycle, my team spent weeks taking screenshots, exporting configs, and pasting them into spreadsheets. The evidence was stale the moment we collected it. I built Cloud Evidence because I needed it — and because every cloud team I talked to had the same problem.”
John Gamble, Founder — Former Principal Cloud Architect
Compliance evidence is scattered across consoles, screenshots, and stale spreadsheets. We fix that.
Our agentless scanner reads configuration metadata through a read-only IAM role. We never see your data.
Deploy a read-only IAM role via CloudFormation. 2 minutes. Each tenant gets a cryptographically unique External ID. No agents, no software to install.
Our engine scans IAM, S3, VPC, CloudTrail, RDS, KMS, EKS, Route53, and more — across every enabled region. One scan maps to all 8 compliance frameworks.
Every scan result is SHA-256 hashed at collection time. Export a signed evidence package your auditor can verify independently. No trust required — just math.
Every scan automatically maps your AWS configuration to all supported compliance and risk frameworks. No extra setup.
43 controls: Trust Service Criteria for service organizations. The standard for B2B SaaS.
190 controls: Federal security controls. Required for FedRAMP. The most comprehensive framework.
30 controls: Security Rule safeguards for protected health information (PHI).
123 controls: Payment card data security. Required if you process, store, or transmit cardholder data.
6 safeguards: Financial data protection under the Gramm-Leach-Bliley Act.
64 controls: AWS Foundations Benchmark. The prescriptive security baseline for AWS accounts.
93 controls: International information security standard. Required for many enterprise customers.
8 categories: Detect misconfigurations from AI coding tools. The framework auditors don't have yet.
Cursor, Copilot, Amazon Q, and other AI coding tools are deploying infrastructure faster than security teams can review it. Every AI-generated Terraform module, CDK stack, and CloudFormation template changes your compliance posture. We detect the drift.
AI defaults to AdministratorAccess and Action:* to avoid errors. We detect every wildcard policy.
AI-generated S3 buckets, RDS instances, and security groups often lack public access blocks. We catch it.
AI skips encryption because it adds complexity. We verify every storage bucket, database, and volume.
AI opens SSH to 0.0.0.0/0 for convenience. We detect every overly permissive security group rule.
“We don't scan your code or intercept AI output. We scan the actual deployed state of your AWS infrastructure. Whether a human or an AI deployed it, a misconfigured security group is a misconfigured security group.”
8 risk categories. 30+ checks. Runs on every scan alongside your compliance frameworks.
One read-only IAM role gives us visibility across your entire AWS footprint. Here's what we check.
MFA, password policy, credential rotation, admin detection, inline policies, access keys
Encryption, public access, versioning, bucket policies, secure transport
Security groups, NACLs, flow logs, open SSH/RDP, unrestricted ingress
Multi-region, log validation, data events, S3/Lambda event selectors
Key rotation, key policies, deletion protection
Encryption, public access, backups, multi-AZ, deletion protection, IAM auth
Endpoint access, logging, secrets encryption, cluster version
All 14 CIS metric filters, alarm actions, SNS targets
DNSSEC signing status on public hosted zones
Rotation enabled, rotation schedule, last rotation date
Recorder active in each region, resource coverage
SCP policies, org trail, account structure
Connect your AWS account. Get your first compliance report in minutes. No credit card required.