{
  "artifact_type": "illustrative-cloud-control-scan",
  "title": "Illustrative Cloud Control Scan artifact",
  "source_note": "Illustrative example based on the current Vishcore scanner report shape. The example is sanitized, client-safe, and not presented as a client endorsement.",
  "boundaries": {
    "read_only": "Discovery uses read-only cloud configuration and metadata APIs. It does not create, change, delete, or remediate resources, and it does not read secret values.",
    "audit": "This is not an audit opinion, compliance certification, or guarantee that an environment will meet SOC 2 requirements."
  },
  "counts": {
    "evaluated_controls": 147,
    "ok": 79,
    "observed_gaps": 39,
    "blocked_or_explicit_approval": 6,
    "not_observed": 23
  },
  "gap_triage": {
    "confirmed_fix": 18,
    "owner_context_needed": 21,
    "permission_limited_or_blocked": 6
  },
  "remediation_queue": [
    {
      "priority": "P1",
      "control": "S3 public-access guardrails",
      "action": "Enable or confirm account-level and bucket-level Block Public Access where the owner confirms public access is not intended.",
      "evidence_after_fix": "Follow-up scan shows S3 public access controls OK and references redacted API evidence hashes."
    },
    {
      "priority": "P1",
      "control": "Root and IAM access hygiene",
      "action": "Confirm root MFA and rotate or retire stale active IAM access keys.",
      "evidence_after_fix": "Follow-up scan shows root MFA OK and stale key findings cleared or documented as exceptions."
    },
    {
      "priority": "P1",
      "control": "Default security group posture",
      "action": "Remove broad ingress and egress rules from default security groups unless a documented exception exists.",
      "evidence_after_fix": "Follow-up scan shows default security groups closed or owner-approved exceptions attached."
    },
    {
      "priority": "P2",
      "control": "Security Hub and Inspector enablement",
      "action": "Decide whether the account joins vulnerability and security-finding workflows before enabling services.",
      "evidence_after_fix": "Follow-up scan records service posture and remaining owner decisions."
    },
    {
      "priority": "P2",
      "control": "Load balancer logging, alarms, and WAF",
      "action": "Enable logging and alerting for production-facing load balancers; decide WAF scope for public endpoints.",
      "evidence_after_fix": "Follow-up scan shows logging, alarm, and WAF posture by service-safe aliases."
    }
  ],
  "owner_context_worksheet": [
    {
      "control": "S3 bucket policy may allow public access",
      "owner_input_needed": "Which buckets are intended to be public, and which should be private?",
      "decision_options": ["Fix", "Approved public asset", "Accepted exception", "Needs investigation"]
    },
    {
      "control": "SSH ingress appears open to the world",
      "owner_input_needed": "What administration path is approved for this account?",
      "decision_options": ["Fix", "Temporary exception", "Replace access path", "Needs investigation"]
    },
    {
      "control": "Security Hub enablement decision",
      "owner_input_needed": "Should this account join centralized security monitoring?",
      "decision_options": ["Enable", "Defer", "Out of scope", "Cost or workflow review"]
    },
    {
      "control": "Security Hub standards decision",
      "owner_input_needed": "Which standards are expected, and who owns triage?",
      "decision_options": ["Enable selected standards", "Defer", "Out of scope", "Needs standards scoping"]
    },
    {
      "control": "Inspector EC2 coverage decision",
      "owner_input_needed": "Are EC2 instances in scope, and is Inspector cost/workflow approved?",
      "decision_options": ["Enable", "Defer", "No EC2 scope", "Needs investigation"]
    },
    {
      "control": "Inspector Lambda coverage decision",
      "owner_input_needed": "Are Lambda workloads in scope, and who reviews vulnerability findings?",
      "decision_options": ["Enable", "Defer", "No Lambda scope", "Needs investigation"]
    },
    {
      "control": "Load balancer access logging decision",
      "owner_input_needed": "Which load balancers are production-facing and subject to retention requirements?",
      "decision_options": ["Enable logs", "Approved exception", "Non-production", "Needs retention decision"]
    },
    {
      "control": "Load balancer alerting decision",
      "owner_input_needed": "Who owns alert review, and are matching monitors already active?",
      "decision_options": ["Add alarms", "Map existing monitoring", "Approved exception", "Needs owner routing"]
    },
    {
      "control": "Public load balancer WAF decision",
      "owner_input_needed": "Which public endpoints need WAF, and who accepts exceptions?",
      "decision_options": ["Attach WAF", "Accepted exception", "Out of scope", "Needs app-owner review"]
    },
    {
      "control": "Managed credential rotation decision",
      "owner_input_needed": "Which stored credentials are production credentials, and can dependent systems tolerate rotation?",
      "decision_options": ["Enable rotation", "Migration plan", "Accepted exception", "Needs dependency review"]
    },
    {
      "control": "Managed credential KMS decision",
      "owner_input_needed": "Do credential stores require customer-managed keys, or are AWS-managed keys acceptable?",
      "decision_options": ["Use customer-managed key", "Accept AWS-managed key", "Document exception", "Needs data-boundary decision"]
    },
    {
      "control": "ECS Container Insights decision",
      "owner_input_needed": "Are ECS services production-like, and does current monitoring provide matching evidence?",
      "decision_options": ["Enable", "Map existing monitoring", "Non-production", "Needs monitoring-owner input"]
    }
  ],
  "evidence_after_remediation": [
    "Before scan: original scan-result.json and client-safe report.",
    "Approved remediation: Terraform plan, pull request, or manual change ticket outside scanner execution.",
    "After scan: new scan-result.json, evidence diff, and evidence packet for client or auditor handoff."
  ]
}
