CIS AWS Foundations

Evidence the identity controls in the CIS AWS Foundations Benchmark.

Securitain assesses the IAM, credential, MFA, and root-account control areas of the CIS AWS Foundations Benchmark and produces repeatable evidence for each scan.

Technical evidence support, not certification. Securitain does not certify CIS AWS Foundations Benchmark compliance. It assesses the benchmark’s identity and credential control areas and maps findings to them as supporting technical evidence.

Why it matters

The problem teams bring to CIS AWS Foundations

The CIS AWS Foundations Benchmark gives teams a concrete baseline for securing an AWS account, and its identity and credential recommendations are among the most impactful. Checking them by hand across accounts is tedious and easy to let drift. Securitain assesses these IAM control areas on demand and on a schedule, so you can see where you stand and evidence it.

What Securitain evaluates today

AWS access controls, assessed read-only

MFA on console users and privileged identities
Root-account usage and access-key presence
Access-key rotation, age, and inactivity
IAM password and credential hygiene signals
Least-privilege and wildcard-permission gaps
Permission boundaries and policy attachment patterns
Finding evidence and remediation guidance

Example findings

From observation to evidence

Root account has active access keys: Account ID, credential report observation, scan timestamp
Console user without MFA: User ARN, MFA status, login profile presence
Access key older than rotation threshold: Key ID, age, last-used date
Wildcard action in attached policy: Identity ARN, policy statement, effective permission

In the Compliance Center

How CIS AWS Foundations results appear

Each finding maps to the relevant CIS AWS Foundations control areas, with a justification drawer showing the check used, expected vs observed configuration, the affected account and ARN, an evidence timestamp, and remediation guidance. Securitain describes control areas rather than asserting authoritative control IDs.

1. Finding generated with evidence
2. Mapped to CIS AWS Foundations control areas
3. Justification drawer with observed config
4. Remediation guidance attached
5. Included in the assessment report

Shared responsibility

What stays manual and organizational

Securitain supports

  • Repeatable evidence for IAM and credential control areas
  • MFA, root-usage, and key-rotation findings with remediation
  • Least-privilege findings across accounts
  • Mapping of IAM findings to CIS control areas

Your program completes

  • Logging, monitoring, and networking benchmark sections
  • Storage and database configuration controls
  • Organizational interpretation of benchmark profiles
  • Independent assessment and sign-off

Next phase

Planned — not current coverage

Coverage of non-IAM benchmark sections (logging, networking, storage)
Benchmark profile-level scoring
Automated evidence packages beyond IAM scope

CIS AWS Foundations FAQ

Common questions

Does Securitain certify CIS compliance?

No. Securitain assesses the identity and credential control areas of the benchmark and maps findings to them; it does not certify benchmark compliance.

Does it cover the whole benchmark?

It focuses on the IAM, credential, MFA, and root-account control areas today. Logging, monitoring, networking, and storage sections are on the roadmap or remain manual.

Are exact control IDs published as authoritative?

No. Securitain describes control areas rather than asserting authoritative control IDs, to avoid implying coverage it does not guarantee.

Strengthen your CIS AWS Foundations access controls

Connect a read-only role and see how your AWS IAM findings support your CIS AWS Foundations evidence — with mapping, justification, and remediation guidance on every scan.