CloudProof by BuriCloud

Frequently asked questions


# How does CloudProof scan my account?

You create a read-only IAM role (AWS-managed SecurityAudit + ViewOnlyAccess) that trusts our scanner. We assume it, read your configuration, and produce a report. Nothing is installed in your account, and we never have write or delete access.

# Can CloudProof change anything in my AWS account?

No. The role we assume grants read-only permissions only. We cannot create, modify, or delete any resource. You can revoke access at any time by deleting the CloudFormation stack / role.
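An added example (not CloudProof's template or code) of the check a practitioner should run once the stack has deployed: feed this Go program the role's trust-policy document and the attached and inline policy names, as returned by `aws iam get-role`, `aws iam list-attached-role-policies` and `aws iam list-role-policies`. It confirms that the role trusts only the scanner's AWS account, that the trust policy requires an `sts:ExternalId` condition (the standard guard against confused-deputy abuse of a third-party role; the FAQ does not say whether CloudProof's template sets one, so verify rather than assume), that only the two AWS-managed read-only policies named above are attached, and that no inline policy is present that could add write access. The scanner account ID, the ExternalId value and both sample documents are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ScannerAccount is a placeholder for the scanner's AWS account ID; take the
// real value from the CloudFormation template you deployed.
const ScannerAccount = "111111111111"

// AllowedManagedPolicies are the two AWS-managed read-only policies the FAQ
// says the role carries. Anything else attached is a finding.
var AllowedManagedPolicies = map[string]bool{
	"arn:aws:iam::aws:policy/SecurityAudit":               true,
	"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess": true,
}

type statement struct {
	Effect    string                    `json:"Effect"`
	Principal any                       `json:"Principal"` // "*" or {"AWS": "arn" | ["arn", ...]}
	Condition map[string]map[string]any `json:"Condition"`
}

type trustPolicy struct {
	Statement []statement `json:"Statement"`
}

// principalARNs flattens the Principal element into a list of strings.
// A bare "*" comes back as "*" and fails the account check below.
func principalARNs(p any) []string {
	switch v := p.(type) {
	case string:
		return []string{v}
	case map[string]any:
		switch aws := v["AWS"].(type) {
		case string:
			return []string{aws}
		case []any:
			var out []string
			for _, a := range aws {
				if s, ok := a.(string); ok {
					out = append(out, s)
				}
			}
			return out
		}
	}
	return nil
}

// accountOf extracts the account ID from an IAM ARN ("" if it is not one).
func accountOf(arn string) string {
	parts := strings.Split(arn, ":")
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return ""
	}
	return parts[4]
}

// AuditScannerRole returns every deviation from the role shape the FAQ
// describes; an empty result means the role is scoped as expected.
func AuditScannerRole(trustDoc []byte, attached, inline []string) []string {
	var problems []string
	var tp trustPolicy
	if err := json.Unmarshal(trustDoc, &tp); err != nil {
		return []string{"trust policy is not valid JSON: " + err.Error()}
	}
	if len(tp.Statement) == 0 {
		problems = append(problems, "trust policy has no statements")
	}
	for i, st := range tp.Statement {
		if st.Effect != "Allow" {
			continue
		}
		arns := principalARNs(st.Principal)
		if len(arns) == 0 {
			problems = append(problems, fmt.Sprintf("statement %d: no AWS principal", i))
		}
		for _, a := range arns {
			if accountOf(a) != ScannerAccount {
				problems = append(problems, fmt.Sprintf("statement %d: principal %q is not the scanner account", i, a))
			}
		}
		// ExternalId is the standard confused-deputy guard for third-party roles.
		if ext, _ := st.Condition["StringEquals"]["sts:ExternalId"].(string); ext == "" {
			problems = append(problems, fmt.Sprintf("statement %d: no sts:ExternalId condition", i))
		}
	}
	for _, p := range attached {
		if !AllowedManagedPolicies[p] {
			problems = append(problems, "unexpected managed policy attached: "+p)
		}
	}
	for _, p := range inline {
		problems = append(problems, "inline policy present (could grant write access): "+p)
	}
	return problems
}

// Constructed sample documents, not CloudProof's real template.
var GoodTrust = []byte(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Principal":{"AWS":"arn:aws:iam::111111111111:root"},"Action":"sts:AssumeRole",
  "Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}`)

var BadTrust = []byte(`{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Principal":"*","Action":"sts:AssumeRole"}]}`)

func main() {
	good := []string{"arn:aws:iam::aws:policy/SecurityAudit", "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"}
	fmt.Println("good role:", AuditScannerRole(GoodTrust, good, nil))
	bad := []string{"arn:aws:iam::aws:policy/SecurityAudit", "arn:aws:iam::aws:policy/AdministratorAccess"}
	fmt.Println("bad role: ", AuditScannerRole(BadTrust, bad, []string{"extra-perms"}))
}
```

Run it against the real documents with the account ID from the template you deployed; any non-empty result is something to fix before the scanner is allowed in. Deleting the stack, as the FAQ says, is the revocation path, but this check tells you what you granted in the first place.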

# Where is my data processed and stored?

The application and your report data run in eu-central-1 (Frankfurt). The cross-account role assumption goes through AWS STS, the global identity endpoint; it exchanges credentials and carries none of your configuration data. You choose which of your own regions to scan.

# How does the report integrity (tamper-evidence) feature work?

Every report is digitally signed when it is generated. The signature covers the full report contents, so if even one character changes afterwards, the signature no longer matches. Anyone, including your auditor or a customer, can confirm a report is genuine and unaltered by downloading its JSON version and pasting it into our public verifier at /verify. A valid result means the report is exactly as CloudProof produced it at scan time; it does not vouch for anything that has changed in your account since that scan ran.
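The FAQ does not publish the signature scheme or a public key, so what follows is an added illustration rather than CloudProof's code: a Go implementation of the pattern a JSON-report verifier needs. The signature is computed over a canonical form (sorted keys, compact encoding, `signature` field removed), so a pretty-printed or key-reordered copy of the same report still verifies while a one-character change to any finding does not. The Ed25519 key pair, the `signature` field name and the sample report are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// canonicalBytes renders the report as compact JSON with sorted keys and the
// "signature" field removed. Signing this form (rather than the file bytes)
// means pretty-printing or reordering keys does not break verification,
// while changing any value does.
func canonicalBytes(report map[string]any) ([]byte, error) {
	clean := make(map[string]any, len(report))
	for k, v := range report {
		if k != "signature" {
			clean[k] = v
		}
	}
	return json.Marshal(clean) // encoding/json sorts map keys
}

// SignReport embeds a base64 Ed25519 signature over the canonical form.
func SignReport(priv ed25519.PrivateKey, report map[string]any) error {
	msg, err := canonicalBytes(report)
	if err != nil {
		return err
	}
	report["signature"] = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, msg))
	return nil
}

// VerifyReportJSON is what a verifier does with pasted JSON: parse it, pull
// out the signature, rebuild the canonical form and check it against the key.
func VerifyReportJSON(pub ed25519.PublicKey, raw []byte) bool {
	var report map[string]any
	if err := json.Unmarshal(raw, &report); err != nil {
		return false
	}
	sigB64, ok := report["signature"].(string)
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	msg, err := canonicalBytes(report)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed sample report and verifies three variants:
// the original, a pretty-printed copy, and a copy with one finding flipped.
func Demo() (okOriginal, okPretty, okTampered bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	report := map[string]any{ // constructed sample, not a real CloudProof report
		"account_id":   "123456789012",
		"generated_at": "2024-01-01T00:00:00Z",
		"findings": []any{
			map[string]any{"check": "CIS 1.4", "status": "FAIL"},
			map[string]any{"check": "CIS 2.1.1", "status": "PASS"},
		},
	}
	if err = SignReport(priv, report); err != nil {
		return
	}
	signed, _ := json.Marshal(report)
	pretty, _ := json.MarshalIndent(report, "", "  ")
	tampered := bytes.Replace(signed, []byte(`"status":"FAIL"`), []byte(`"status":"PASS"`), 1)
	return VerifyReportJSON(pub, signed), VerifyReportJSON(pub, pretty), VerifyReportJSON(pub, tampered), nil
}

func main() {
	o, p, t, err := Demo()
	fmt.Println("original:", o, "pretty-printed:", p, "tampered:", t, "err:", err)
}
```

Verifying independently of a hosted /verify page requires the signer's public key; if you rely only on the producer's own verifier, you are trusting the same party that wrote the report, which is adequate for catching edits in transit but not for disputing the producer.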

# What are CIS, NIST, PCI-DSS, SOC 2…? Do I need them?

These are recognised security standards. You don't pick one: the same fixes to your AWS configuration raise your score across all of them, and CloudProof automatically maps every check to each framework it satisfies. No specific obligation yet? Start with CIS. Here's what CloudProof supports and who needs each.

Technical baselines — CloudProof checks these automatically from your AWS configuration:

  • CIS AWS Foundations Benchmark (Center for Internet Security) — a prescriptive, hands-on hardening baseline for AWS accounts. The universal starting point — good for everyone.
  • AWS Foundational Security Best Practices (FSBP) (Amazon Web Services) — AWS's own broad set of foundational controls, mapped to Security Hub. Any AWS workload.
  • PCI-DSS 4.0 (PCI Security Standards Council) — mandatory controls for handling cardholder data. Required if you store, process, or transmit payment-card data.
  • NIST SP 800-53 Rev. 5 (U.S. NIST) — the federal control catalog that many other frameworks map onto. U.S. federal systems/contractors and regulated enterprises.

Organizational & audited standards — CloudProof evidences the technical controls; the policy/process parts you attest:
  • SOC 2 (AICPA Trust Services Criteria) — security/availability/confidentiality assurance audited by a CPA firm. B2B SaaS whose customers demand it. CloudProof automates the CC6 (access) & CC7 (monitoring) technical controls.
  • HIPAA Security Rule (U.S. HHS) — safeguards for health data (PHI/ePHI). Anyone handling U.S. health data. Sign a BAA with AWS; encryption/access/audit controls are checked here.
  • ISO/IEC 27001:2022 (ISO/IEC) — a certifiable Information Security Management System. International & enterprise B2B sales. CloudProof supports the Annex A technical controls.
  • ISO/IEC 27017 (ISO/IEC) — a cloud-specific extension of ISO 27001. Once you hold or pursue ISO 27001 in the cloud.
  • GDPR (European Union) — EU regulation on processing personal data (not a certification). Anyone processing EU/EEA personal data. The Article 32 technical measures are auditable; the rest is legal/process.
  • CCPA (State of California) — California consumer-privacy rights. For-profits handling California residents' data. Its “reasonable security” maps to the same AWS controls.
  • NIST Cybersecurity Framework 2.0 (U.S. NIST) — a voluntary, risk-based way to organise a security program (Govern · Identify · Protect · Detect · Respond · Recover). For a maturity view rather than a pass/fail audit.

# Which framework do I actually need?

Short version: you don't pick a framework because you want one — a customer or a deal makes you. So start from who you sell to, not from the list.

  • Right now, regardless of anything — CIS. It's a free, practical AWS hardening baseline and it makes every later audit easier. CloudProof scans it by default, so just fix what fails. If you do nothing else, do this.
  • Selling software to other (US) businesses? → SOC 2 (Type II). It's what their security questionnaires ask for. It's a report by a CPA firm over a 3–12 month window — pursue it when a deal needs it, not before.
  • Selling to EU / international / large enterprise? → ISO 27001. The global certification equivalent; heavier (a formal ISMS). Choose it over SOC 2 when customers specifically ask, or you're enterprise/EU-focused.
  • Handle credit-card data? → PCI-DSS (required, not optional).
  • Handle US health data? → HIPAA (required).
  • Have EU users? → GDPR applies by law — but it's mostly legal/process, not a certificate.

Bottom line for most companies: CIS now, then SOC 2 (or ISO 27001) once a real deal demands it. One — maybe two — driven by customers, not collected.

Worth knowing: a framework is roughly half AWS-technical (encryption, IAM, logging, public exposure — what CloudProof checks and evidences) and half policies/process plus an auditor (what you attest and a CPA/assessor signs off). CloudProof gets the technical half done fast and gives you the evidence; the process half is on you.

# What does “attestation” mean — and what's the difference between a SOC 2 report and an ISO certificate?

The word gets used two ways; here's both, in plain English.

1. Your attestation (inside CloudProof). Some audit requirements aren't about your AWS settings — they're about having the right policies and habits (e.g. “do you review who has access at least once a year?”, “do you have an incident-response plan?”). A scan can't detect those, so you answer a short set of yes/no questions — that's your self-attestation, and it fills the non-technical half of your score. Frameworks like ISO 27001 and SOC 2 are mostly this kind of requirement, which is why their attested half stays empty until you answer.

2. The auditor's deliverable (what you actually hand a customer). When you're ready, an outside professional reviews you and produces the thing your customer wants. It comes in two shapes:

  • An attestation report — e.g. SOC 2. A licensed CPA firm examines your controls and writes a formal opinion (they “attest”) on whether they're designed and operating effectively, usually over a 3–12 month window (a Type II report). You hand the customer the report — often 30–80 pages. There's no “SOC 2 certified” badge; their security team reads it.
  • A certification — e.g. ISO 27001. An accredited body audits your security-management system and issues a certificate (valid ~3 years, with annual check-ins). This one you can display as a badge.
Where CloudProof fits: we get you ready — the technical half scanned and evidenced, the policy half captured as your self-attestation, and an organized package to hand over. We don't issue the SOC 2 report or the ISO certificate ourselves (only a CPA firm or certification body can) — we get you to the door prepared, so that final step is faster and cheaper.

# When does the daily scan run? (Is it midnight UTC?)

No, it's not pinned to midnight UTC. Daily scans run automatically roughly every 24 hours, measured from each account's own last scan. Our scheduler wakes up every hour and re-scans any account once a full day has passed since it last ran, so your scans land at about the same time each day (within about an hour), tracking whenever your previous scan happened.

By plan: Pro / Single: daily (about every 24h); Enterprise: continuous (about every 4h); Free: manual only (runs when you click Run scan). You can trigger an extra scan manually at any time; because the timer is measured from the last scan, a manual run also moves when the next automatic one lands. Every scan covers all enabled regions of the account.
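An added simulation (not CloudProof's scheduler) of the rule described above: wake hourly and re-scan an account once a full day has passed since its last scan. It shows the one edge case such a scheduler has to handle: if the recorded scan start lags the tick by a few seconds, a strict 24-hour comparison misses the next day's tick and the scan creeps one hour later every day, whereas a few minutes of slack keeps it at the same hour. The start lag, the slack value and the 10:30 UTC first scan are constructed inputs; the FAQ does not say how CloudProof handles this internally.

```go
package main

import (
	"fmt"
	"time"
)

const (
	ScanInterval = 24 * time.Hour // "a full day since it last ran"
	Tick         = time.Hour      // the scheduler wakes hourly
)

// Due reports whether an account is due at a scheduler wake-up. slack lets a
// scan that started seconds after its tick still count as "a full day later"
// at the next day's same tick; without it the schedule creeps one tick per day.
func Due(lastScan, now time.Time, slack time.Duration) bool {
	return now.Sub(lastScan) >= ScanInterval-slack
}

// Simulate runs the hourly scheduler for the given number of days after a
// scan at first (e.g. a manual run) and returns the start time of each
// automatic scan. startLag models the gap between the tick and the recorded
// scan start (queueing, cold start).
func Simulate(first time.Time, days int, startLag, slack time.Duration) []time.Time {
	lastScan := first
	var scans []time.Time
	end := first.Add(time.Duration(days) * 24 * time.Hour)
	for tick := first.Truncate(Tick).Add(Tick); tick.Before(end); tick = tick.Add(Tick) {
		if Due(lastScan, tick, slack) {
			lastScan = tick.Add(startLag)
			scans = append(scans, lastScan)
		}
	}
	return scans
}

// ScanHours lists the UTC hour of each scan, which makes drift obvious.
func ScanHours(scans []time.Time) []int {
	hours := make([]int, len(scans))
	for i, s := range scans {
		hours[i] = s.UTC().Hour()
	}
	return hours
}

func main() {
	// Constructed input: a manual scan at 10:30 UTC, then six days of hourly ticks.
	first := time.Date(2024, 3, 1, 10, 30, 0, 0, time.UTC)
	fmt.Println("strict 24h:   ", ScanHours(Simulate(first, 6, 5*time.Second, 0)))
	fmt.Println("5 min slack:  ", ScanHours(Simulate(first, 6, 5*time.Second, 5*time.Minute)))
}
```

The slack must stay well under one tick; anything close to an hour would let a scan fire a tick early and shift the schedule the other way.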

# How many AWS accounts can I connect?

It depends on your plan — Free/Single: 1 account, Pro: up to 15, Enterprise: unlimited (and whole-Organization connect). Your dashboard and billing page show how many you've used of your limit.

# I'm air-gapped / can't grant a role. Any other way?

Yes. Run our CLI inside your environment: it reads your configuration with the credentials you give it and writes a report file, which you then upload via the API (agent mode). Nothing needs to reach into your account; the only connection toward us is the outbound upload of that report.