AWS security scanner with CIS v8 → ISO 27001 → DPDPA Rules 2025 triple mapping. Every misconfiguration mapped to the exact Rule 6 clause it violates — with score impact per fix.
CIS 3.1 — Ensure S3 bucket ACLs are not used
CIS Controls v8 are the gold standard for cloud security configuration baselines.
A.8.5 — Secure authentication
ISO 27001 is the international standard your enterprise clients and auditors expect.
Rule 6(1)(a) — Encryption of personal data
The exact legal obligation that each finding violates under India's data protection law.
Read-only STS AssumeRole — no access keys ever stored. IAM SecurityAudit managed policy. Works with any AWS account in any region.
S3 (public access + encryption), CloudTrail (multi-region logging), RDS (encryption at rest), IAM (password policy, MFA, key rotation), CloudWatch (alarm coverage). All checks run in parallel and typically complete in under 60 seconds.
Every finding shows three badges: CIS v8 control number, ISO 27001:2022 clause, and the DPDPA Rules 2025 section violated. Evidence for auditors, not just noise.
Fix S3 public access → +8 pts. Enable CloudTrail → +12 pts. Every finding shows the exact score delta so you always know which fix delivers the highest compliance return.
Findings rated INFO / LOW / MEDIUM / HIGH / CRITICAL. CRITICAL findings trigger immediate in-app drift alerts. Filter by severity to focus on what matters most.
GitHub Actions triggers scans daily at 1am IST across all connected accounts. Compliance score recalculates automatically — no manual trigger needed.
Cloud Security Mapping is available on Business and Enterprise plans. Business: 1 AWS account. Enterprise: unlimited accounts.
The scanner requires a read-only IAM role with AWS's SecurityAudit managed policy (arn:aws:iam::aws:policy/SecurityAudit). This gives read access to security configuration metadata — it cannot read S3 object contents, database data, or any personal data. We use STS AssumeRole with an External ID for security — no access keys are stored in DPDPA Shield. You create the role in your AWS console and provide only the Role ARN.
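The cross-account role setup described above, as an added example that is not DPDPA Shield's own code: it builds the role's trust policy (single trusted scanner account plus a required External ID) and checks a policy for the two mistakes that would undermine it. The scanner account ID and External ID are placeholders; only the SecurityAudit policy ARN comes from the page.

```python
import json

# Placeholder values: the scanner vendor's AWS account id and the External ID
# it issues during setup. Neither is real; substitute what the product shows you.
SCANNER_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "placeholder-external-id"
SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # from the page


def _as_list(value):
    """Normalise IAM fields that may be a string, a list, or absent."""
    return value if isinstance(value, list) else [] if value is None else [value]


def build_trust_policy(scanner_account_id: str, external_id: str) -> dict:
    """Trust policy for the read-only audit role: only the scanner's account may
    call sts:AssumeRole on it, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_problems(policy: dict) -> list:
    """Reasons a trust policy is unsafe for a third-party scanner role.
    An empty list means both checks passed."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if any("*" in p for p in principals):
            problems.append("principal is not a single trusted account")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
    return problems


if __name__ == "__main__":
    policy = build_trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))          # paste this as the role's trust policy
    print("attach:", SECURITY_AUDIT_POLICY_ARN)  # then attach the read-only managed policy
    print("problems:", trust_policy_problems(policy))
```

After creating the role with this trust policy and attaching SecurityAudit, only the Role ARN needs to be shared; the scanner never holds long-lived keys for your account.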
The primary obligation is DPDPA Rule 6(1): Security Safeguards. Rule 6(1)(a) requires encryption of personal data in transit and at rest — directly mapped to RDS encryption and S3 encryption findings. Rule 6(1)(b) requires access control — mapped to IAM policy findings. Rule 6(1)(c) covers monitoring and logging — mapped to CloudTrail and CloudWatch findings. Each finding in the dashboard shows the exact rule clause it violates.
Phase 1 (current): S3 (public access blocking, default encryption), CloudTrail (multi-region logging enabled, log file validation), RDS (encryption at rest on all instances), IAM (password policy strength, MFA on root, access key rotation), CloudWatch (billing alarm, root account activity alarm). GCP and Azure support is on the roadmap for a future phase.
Each finding has a scoreImpact value (e.g., +12) that represents the compliance score points you gain by resolving it. The impact is calculated from the control weight, severity, and the number of active findings in that category. The total score improvement shown when you filter by severity tells you the maximum compliance score improvement available from fixing those issues.
Business plan: 1 connected AWS account. Enterprise plan: unlimited accounts. Each account has its own connection, scanning schedule, and findings list. The compliance score aggregates findings across all connected accounts.
Business plan includes 1 AWS account, daily scans, and full CIS → ISO → DPDPA mapping. No access keys stored.