Compliance Center

Turn AWS security findings into control-level evidence.

Map each IAM finding to the control areas in the frameworks you report on, with a full evidence chain — technical assessment and finding-to-control mapping, not certification.

[Screenshot] The Compliance Center: framework tabs (HIPAA, SOC 2, PCI DSS, CIS, NIST, ISO 27001), an automated control score, passed/failed/partial counts, and a control-level breakdown in a controls table.

Technical assessment, not certification

Securitain provides automated AWS technical-control assessment and finding-to-control mapping with archived evidence. It does not calculate a framework compliance percentage, perform a full framework assessment, or issue certification. Any attestation output is an Assessment Report or Self-Attestation Draft and does not constitute certification or legal compliance advice.

Framework-aware findings

One finding, many frameworks

A single IAM finding — say, an admin user without MFA — often touches several frameworks at once. Securitain maps it to every affected control area, so fixing it advances all of them and you can prioritize by cross-framework impact.

Finding: Admin IAM user without MFA

Maps to:
HIPAA — access control
SOC 2 — logical access
PCI DSS — restrict access
CIS AWS — MFA

Control-level justification

Every mapping shows its work

Justification drawer. For each mapping it shows:
The check Securitain used
Expected vs observed configuration
Affected account and resource (ARN)
Evidence timestamp from the scan
The related finding
Any missing permissions that limited the check
Remediation guidance
How much it contributes to the score

Score is not coverage

Two distinct measures, never conflated

A good score on a narrow set of checks is not the same as broad coverage. Securitain shows both, separately.

Automated Technical Control Score

A severity-weighted result of the automated AWS technical checks in this scan. It tells you how the checks Securitain ran turned out — it is not a framework compliance percentage.

Assessment Coverage

How much of the relevant control area Securitain could actually evaluate, given the role's permissions and current scope. It tells you how much of the picture the score reflects.

About the legacy 37%: any single percentage you may have seen is an IAM-finding severity index — a measure of IAM finding severity in a scan. It is not a HIPAA, SOC 2, PCI, or ISO compliance percentage and should never be read as one.

Scoring language

The terms we use, defined

Automated Technical Control Score: A severity-weighted view of the automated AWS technical-control checks Securitain ran in this scan. Not a framework compliance percentage.
Assessment Coverage: How much of the relevant control area Securitain could evaluate automatically, given the role's permissions and current scope.
Manual Evidence Required: Controls that depend on policy, process, or human review and cannot be evidenced by an automated AWS scan.
Not Assessed: Control areas outside Securitain's current automated scope, or not reachable by the connected role.
Exception Approved: A finding your team has formally accepted, with a recorded reason, so it is reflected accurately in reporting.

Evidence chain

Traceable from scan to report

Every step preserves the scan ID, ARN, and timestamp — so an auditor can follow any claim back to the exact observation.

1. Scan runs against your read-only role
2. AWS configuration is observed
3. A finding is generated with evidence
4. Finding maps to affected control areas
5. Remediation status is tracked
6. Everything appears in the report

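The three ideas above (one finding feeding several frameworks, score kept separate from coverage, and an evidence chain that preserves scan ID, ARN and timestamp on every row) fit in a few dozen lines. The following is an added example, not Securitain's code: the check IDs, control-area labels, severity weights, IAM action names in the missing-permission fields, account ID, ARNs and scan IDs are all assumptions constructed for illustration, and the two sample scans are made up so that a narrow scan scores 100 while reaching a quarter of one framework's in-scope areas.

```python
from dataclasses import dataclass

# Severity weights are an assumption for this example; the page only says the
# score is "severity-weighted" without giving the weights.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
STATUS_CREDIT = {"pass": 1.0, "partial": 0.5, "fail": 0.0}   # "not_assessed" earns no entry

# Constructed check -> control-area table. Check IDs and control-area labels are
# illustrative, not Securitain's real mapping or any framework's official wording.
CHECK_TO_CONTROLS = {
    "iam.admin_user_mfa": [("HIPAA", "access control"), ("SOC 2", "logical access"),
                           ("PCI DSS", "restrict access"), ("CIS AWS", "MFA")],
    "iam.root_access_keys": [("CIS AWS", "root account"), ("SOC 2", "logical access")],
    "iam.password_policy": [("CIS AWS", "password policy"), ("PCI DSS", "restrict access")],
    "iam.access_key_rotation": [("CIS AWS", "credential rotation"),
                                ("SOC 2", "credential management")],
}


@dataclass(frozen=True)
class CheckResult:
    """One automated check from one scan, carrying its own evidence fields."""
    check_id: str
    severity: str
    status: str                       # pass | fail | partial | not_assessed
    scan_id: str
    resource_arn: str
    observed_at: str                  # evidence timestamp from the scan (ISO-8601, UTC)
    expected: str = ""
    observed: str = ""
    missing_permissions: tuple = ()   # why a check could not be completed, if so


def map_to_controls(result, framework=None):
    """Expand one check result into control-level evidence rows. Every row keeps
    scan_id, resource_arn and observed_at, so a control-level claim in a report
    can be followed back to the exact observation."""
    rows = []
    for fw, area in CHECK_TO_CONTROLS[result.check_id]:
        if framework is not None and fw != framework:
            continue
        rows.append({
            "framework": fw, "control_area": area, "check_id": result.check_id,
            "status": result.status, "scan_id": result.scan_id,
            "resource_arn": result.resource_arn, "observed_at": result.observed_at,
            "expected": result.expected, "observed": result.observed,
            "missing_permissions": list(result.missing_permissions),
        })
    return rows


def technical_control_score(results):
    """Severity-weighted share of credit over the checks that were actually
    assessed. Not-assessed checks are absent from numerator and denominator
    alike, which is exactly why this number says nothing about coverage."""
    earned = possible = 0.0
    for r in results:
        if r.status not in STATUS_CREDIT:
            continue
        weight = SEVERITY_WEIGHT[r.severity]
        possible += weight
        earned += weight * STATUS_CREDIT[r.status]
    return round(100 * earned / possible) if possible else None


def assessment_coverage(results, framework):
    """Share of the framework's in-scope control areas (per the mapping table)
    that at least one assessed check reached."""
    in_scope = {area for areas in CHECK_TO_CONTROLS.values()
                for fw, area in areas if fw == framework}
    reached = {row["control_area"] for r in results if r.status in STATUS_CREDIT
               for row in map_to_controls(r, framework)}
    return round(100 * len(reached & in_scope) / len(in_scope)) if in_scope else None


def framework_view(results, framework):
    """What a framework tab should show: score and coverage side by side, plus
    every control row, including the ones whose check was not assessed."""
    rows = [row for r in results for row in map_to_controls(r, framework)]
    return {"framework": framework, "score": technical_control_score(results),
            "coverage": assessment_coverage(results, framework), "controls": rows}


# Constructed sample scans: account ID, ARNs, scan IDs and timestamps are placeholders.
USER = "arn:aws:iam::123456789012:user/admin-alice"
ROOT = "arn:aws:iam::123456789012:root"
T1, T2 = "2024-05-01T10:00:00Z", "2024-05-02T10:00:00Z"
NOT_RUN = dict(status="not_assessed", scan_id="scan-0001", resource_arn=ROOT, observed_at=T1)

# Narrow scan: only the MFA check ran; the other three were blocked by missing
# permissions (recorded on the row), so one passing check is all the score sees.
NARROW_SCAN = [
    CheckResult("iam.admin_user_mfa", "high", "pass", "scan-0001", USER, T1,
                "MFA enabled", "MFA enabled"),
    CheckResult("iam.root_access_keys", "critical", **NOT_RUN,
                missing_permissions=("iam:GetAccountSummary",)),
    CheckResult("iam.password_policy", "medium", **NOT_RUN,
                missing_permissions=("iam:GetAccountPasswordPolicy",)),
    CheckResult("iam.access_key_rotation", "medium", **NOT_RUN,
                missing_permissions=("iam:GetCredentialReport",)),
]

# Broad scan: all four checks ran; one failed and one was only partly satisfied.
BROAD_SCAN = [
    CheckResult("iam.admin_user_mfa", "high", "fail", "scan-0002", USER, T2,
                "MFA enabled", "no MFA device"),
    CheckResult("iam.root_access_keys", "critical", "pass", "scan-0002", ROOT, T2,
                "no root access keys", "no root access keys"),
    CheckResult("iam.password_policy", "medium", "partial", "scan-0002", ROOT, T2,
                "length >= 14 and rotation set", "length >= 14, no rotation"),
    CheckResult("iam.access_key_rotation", "medium", "pass", "scan-0002", USER, T2,
                "keys younger than 90 days", "keys 31 days old"),
]

if __name__ == "__main__":
    for name, scan in (("narrow", NARROW_SCAN), ("broad", BROAD_SCAN)):
        view = framework_view(scan, "CIS AWS")
        print(f"{name} scan, CIS AWS: score={view['score']} coverage={view['coverage']}")
```

Run as a script, the narrow scan reports a score of 100 with 25 percent coverage of the CIS AWS areas in the table, while the broad scan reports 66 with full coverage; the same narrow scan shows 50 percent coverage for SOC 2 and 100 for HIPAA, because coverage is computed per framework against the areas in scope for that framework. The not-assessed rows still appear in the view with their missing permissions, which is what lets a reader see why the score reflects only part of the picture.
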
Audit-prep workflow

Automation and human review, kept apart

Securitain automates:
Automated technical checks
Per-scan evidence archive
Finding-to-control mapping
Remediation status tracking

Your program completes:
Human review & sign-off
Policy & process documentation
Management assertions
Independent auditor examination

Reports & attestation

Honest report artifacts

Securitain produces an Assessment Report and a Self-Attestation Draft you and your auditor can build on. There is no one-click attestation and no certification — formal attestation is performed by independent auditors.

Artifacts: Assessment Report, Self-Attestation Draft. Export formats: PDF / Markdown / CSV / JSON.

Turn IAM findings into audit evidence

Connect a read-only role and see how your IAM findings map to control areas across every framework you report on — with evidence preserved on every scan.