{
  "schema_version": 1,
  "checks": [
    {
      "id": "s3.public_access_block",
      "label": "S3 public access posture",
      "namespace": "s3",
      "key": "public_access_block",
      "status": "ok",
      "note": "0 buckets exposed"
    },
    {
      "id": "iam.root_mfa_enabled",
      "label": "Root MFA and IAM control basics",
      "namespace": "iam",
      "key": "root_mfa_enabled",
      "status": "ok",
      "note": "MFA present"
    },
    {
      "id": "cloudtrail.multi_region_logging",
      "label": "CloudTrail multi-region logging and validation",
      "namespace": "cloudtrail",
      "key": "multi_region_logging",
      "status": "gap",
      "note": "validation off",
      "detail": "no multi-region trail with log-file validation"
    },
    {
      "id": "rds.encryption_at_rest",
      "label": "RDS encryption and backup posture",
      "namespace": "rds",
      "key": "encryption_at_rest",
      "status": "ok",
      "note": "3/3 encrypted"
    },
    {
      "id": "ec2.sg_open_ingress",
      "label": "Security group open ingress on sensitive ports",
      "namespace": "ec2",
      "key": "sg_open_ingress",
      "status": "gap",
      "note": "tcp/22 open",
      "detail": "security-group:1 allows 0.0.0.0/0 on tcp/22"
    }
  ]
}