ComplyJet's AWS integration gives you always-on visibility across your entire cloud stack - compute, containers, storage, databases, networking, serverless, and identity. The moment you connect your AWS account, ComplyJet begins pulling configuration and runtime state directly from AWS APIs, mapping every signal to 20+ security and privacy frameworks including SOC 2, ISO 27001, HIPAA, and GDPR - and surfacing drift the instant it appears.
Whether you run a handful of EC2 instances and an RDS database or a full microservices architecture spanning EKS, Lambda, and dozens of S3 buckets, ComplyJet turns your entire AWS footprint into a single, always-current source of audit-ready evidence - built for the speed and budgets of SaaS startups.
How ComplyJet automates SOC 2 / ISO 27001 for AWS
Proving your AWS environment is secure used to mean screenshots, manual configuration reviews, and a scramble of spreadsheets every time an auditor asked a question. Most teams spend weeks just collecting evidence - and that evidence is already out of date by the time it's submitted.
1. Connect once
Grant ComplyJet a read-only cross-account IAM role using our one-click CloudFormation template - no root credentials, no ongoing maintenance, takes under 10 minutes.
2. Monitor continuously
ComplyJet polls your AWS environment around the clock, tracking configuration state across compute, storage, databases, identity, and networking in every region you use.
3. Collect evidence automatically
Every passing and failing check is timestamped and stored as audit evidence - no manual screenshots, no spreadsheets, no last-minute prep.
4. Get alerted on drift
The moment a misconfiguration appears - a bucket goes public, MFA is disabled, a backup lapses - ComplyJet flags it in real time so your team can remediate before it becomes an audit finding.
The result: your SOC 2 and ISO 27001 evidence is always current, your auditor gets a clean documented trail, and your engineers never have to stop shipping to prepare for a review.
AWS resources
What resources does ComplyJet sync from AWS?
ComplyJet pulls and monitors the following AWS services in real time.
Amazon EC2
Instances, security groups, network ACLs, metadata service settings, and CPU performance metrics for every instance in scope.
Amazon ECS
Service tasks, standalone tasks, network interfaces, and security group attachments on all running workloads.
Amazon EKS
Clusters, control plane logging configuration, API endpoint access settings, security group attachments, and IAM role policies for every cluster.
Amazon S3
Buckets, server-side encryption configuration, versioning status, and public access block settings on every bucket in scope.
Amazon RDS
Database instances, backup retention settings, encryption configuration, security group rules, and CloudWatch alarm coverage across all instances.
Amazon DynamoDB
Tables, server-side encryption status, and point-in-time recovery configuration for every table in scope.
Amazon DocumentDB
Clusters, encryption at rest configuration, backup retention settings, and performance alarm coverage for CPU, memory, and I/O.
Elastic Load Balancing (ALB / NLB / CLB)
Load balancer configuration, listener rules and redirect settings, and alarm coverage for latency, server errors, and unhealthy host count.
AWS Lambda
Functions and their associated error rate alarm configuration.
Amazon SQS
Queues and message age alarm configuration to surface processing backlogs.
AWS IAM
Users, roles, access keys and their age, policy attachment patterns, password policy, root account posture, and service role usage across the account.
AWS CloudTrail
Trail status, regional coverage, and log file integrity validation across all enabled regions.
Amazon GuardDuty
Detector status and finding notification configuration in every active region.
Continuous checks
What automated tests does ComplyJet run on AWS?
ComplyJet covers every critical security dimension of your AWS environment - identity, compute, containers, storage, databases, networking, and observability - continuously, with every result stored as audit evidence.
Identity & Access
IAM users, roles, root account, access keys
Admin accounts protected with multi-factor authentication: Verifies MFA is enforced on all IAM user accounts with console access.
Root account secured with multi-factor authentication: Confirms the root account has MFA enabled.
Root account not used for day-to-day operations: Checks that no active programmatic credentials exist on the root account.
Cloud access revoked on employee departure: Verifies no active IAM accounts are mapped to former employees.
Shared account use detected and flagged: Ensures every IAM account is linked to exactly one individual.
Programmatic credentials rotated within policy window: Checks that IAM access keys have been rotated within the required timeframe.
Permissions managed through roles, not direct user assignments: Flags any IAM user with policies attached directly rather than through groups or roles.
Non-human access uses dedicated service roles: Confirms service-to-service access is handled through IAM roles, not user accounts.
Account password complexity requirements enforced: Validates that a compliant IAM password policy is configured for the account.
Compute - EC2
Firewalls, metadata hardening, public access, monitoring
Network firewall attached to every compute instance: Verifies each EC2 instance has at least one security group or network ACL applied.
Instance metadata endpoint hardened against credential theft: Confirms IMDSv1 is disabled, requiring session-based metadata access only.
Public internet access limited to required ports: Checks that security groups and NACLs restrict inbound public traffic to only necessary ports.
Remote shell access blocked from public internet: Verifies SSH is not reachable from public IP ranges on any EC2 instance.
Compute CPU utilization monitored and alarmed: Confirms an alarm is active for CPU utilization on each instance.
Containers - ECS
Task firewalls, public port exposure
Network firewall attached to all container workloads: Verifies every ECS service task and standalone task has a security group or NACL on its network interface.
Container public exposure restricted to required ports: Checks that security groups on container task interfaces don't allow unnecessary public access.
Kubernetes - EKS
Control plane, API access, roles, network security
Kubernetes control plane activity logged: Verifies audit logging is enabled on every EKS cluster's control plane.
Kubernetes API server accessible only over private network: Confirms the cluster's public endpoint is disabled, enforcing private-only access.
Kubernetes private endpoint enabled: Verifies private endpoint access is active so internal workloads can reach the API server.
Kubernetes workload roles use least-privilege permissions: Checks that no IAM role associated with a cluster grants wildcard actions or resources.
Kubernetes cluster protected by network firewall: Confirms at least one security group is attached to each EKS cluster.
Storage - S3
Encryption, versioning, public access
Object storage encrypted at rest: Verifies server-side encryption is configured on every S3 bucket in scope.
Object version history preserved: Checks that versioning is enabled so objects can be recovered after deletion or overwrite.
Public object storage access blocked: Confirms S3 public access block settings are fully enabled at the bucket level.
Databases - RDS, DynamoDB, DocumentDB
Backups, encryption, public access, performance monitoring
Relational database automated backups enabled: Verifies backup retention is configured on every RDS instance.
Relational database not exposed to public internet: Checks security groups don't allow unrestricted public inbound access on database ports.
Relational database performance metrics monitored: Confirms alarms are active for CPU, memory, I/O, and storage on each database instance.
NoSQL tables encrypted at rest: Verifies server-side encryption is enabled on every DynamoDB table.
NoSQL point-in-time recovery enabled: Confirms PITR is active so tables can be restored to any point within the retention window.
Document database encrypted, backed up, and performance-monitored: Checks encryption, backup retention, and alarm coverage across document database clusters.
Load Balancing
Configuration, HTTPS enforcement, health monitoring
Traffic distributed through a managed load balancer: Verifies an active load balancer exists for each resource in the inventory.
HTTP traffic automatically redirected to HTTPS: Confirms the load balancer has a listener rule enforcing HTTPS-only traffic.
Load balancer health, latency, and errors monitored: Checks alarms are configured for unhealthy host count, response time, and error rates.
Audit & Threat Detection
Audit trail, log integrity, threat detection, alerting
API activity audit trail active across all regions: Verifies audit logging is enabled and capturing in every active region.
Audit log integrity verification enabled: Confirms log file validation is active so tampering can be detected.
Threat detection running across all regions: Verifies the threat detection service is enabled in every active region.
Threat findings routed to a notification channel: Confirms finding publication is configured so alerts are delivered in real time.
Serverless & Messaging
Lambda error rates, SQS queue health
Serverless function error rates monitored: Verifies an alarm is configured for error rates on each Lambda function.
Message queue processing delays alarmed: Checks that an alarm is active for message age on SQS queues to catch processing backlogs early.
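Each check above is a predicate over the configuration AWS returns for a resource, with the result recorded as timestamped evidence. As an added example (not ComplyJet code), four of them - IMDSv1 disabled, SSH not reachable from the internet, S3 public access block fully enabled, and CloudTrail multi-region with log file validation - are evaluated here over constructed records shaped like the describe_instances, describe_security_groups, get_public_access_block and describe_trails responses; the resource IDs and names are placeholders.

```python
from datetime import datetime, timezone

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def imds_hardened(instance):
    """IMDSv1 disabled: describe_instances reports HttpTokens == 'required'."""
    return instance.get("MetadataOptions", {}).get("HttpTokens") == "required"

def rule_exposes_port(rule, port):
    """True if one ingress rule opens `port` to a public IPv4 or IPv6 range."""
    ranges = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    ranges |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    if not ranges & PUBLIC_CIDRS:
        return False
    if rule.get("IpProtocol") == "-1":          # "all traffic" rule carries no ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def ssh_blocked_from_internet(sg):
    return not any(rule_exposes_port(r, 22) for r in sg.get("IpPermissions", []))

def public_access_fully_blocked(pab):
    """All four get_public_access_block settings must be true."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)

def trail_compliant(trail):
    """Trail spans every region and has log file integrity validation on."""
    return trail.get("IsMultiRegionTrail") is True and trail.get("LogFileValidationEnabled") is True

def evidence(check, resource, passed, observed_at=None):
    """One timestamped evidence record, the unit an auditor is shown."""
    observed_at = observed_at or datetime.now(timezone.utc)
    return {"check": check, "resource": resource,
            "result": "PASS" if passed else "FAIL", "observed_at": observed_at.isoformat()}

# Constructed samples shaped like the AWS API responses (placeholder IDs, not real resources).
INSTANCE = {"InstanceId": "i-0example", "MetadataOptions": {"HttpTokens": "optional"}}
SG = {"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
TRAIL = {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False}

def run_checks(instance=INSTANCE, sg=SG, pab=PAB, trail=TRAIL, now=None):
    return [evidence("imds_hardened", instance["InstanceId"], imds_hardened(instance), now),
            evidence("ssh_blocked", sg["GroupId"], ssh_blocked_from_internet(sg), now),
            evidence("s3_public_access_blocked", "example-bucket", public_access_fully_blocked(pab), now),
            evidence("cloudtrail_integrity", trail["Name"], trail_compliant(trail), now)]
```

Note that the second security-group rule fails the SSH check even though it never names port 22: the 0-1024 range over ::/0 covers it, which is why the check walks port ranges rather than matching the literal port.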
Setup
How to Integrate AWS with ComplyJet
Takes under 10 minutes. No code required - just a read-only IAM role.
1. Log in to ComplyJet and go to Integrations
Find AWS in the integrations list and click Connect.
2. Deploy the read-only IAM role
ComplyJet provides a one-click CloudFormation template that creates a cross-account IAM role with read-only permissions scoped to exactly the services we monitor. No root credentials required.
3. Enter your AWS Account ID and confirm the role ARN
ComplyJet validates the connection and confirms which regions are in scope.
4. ComplyJet begins syncing immediately
Your AWS resources appear in the inventory within minutes, automated tests start running, and evidence collection begins.
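Before deploying any vendor's cross-account role template, it is worth confirming two things yourself: that the trust policy is pinned to the vendor's account and requires an sts:ExternalId (so another party cannot trick the vendor into assuming your role), and that the permission policy really is read-only. This added example (not ComplyJet's template or code) does that review over a constructed CloudFormation template in JSON form; the role name, account ID, ExternalId and action list are placeholders.

```python
import re

# Constructed template (JSON form of CloudFormation) with placeholder values; not ComplyJet's template.
TEMPLATE = {"Resources": {"AuditRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},   # placeholder vendor account
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]},
    "Policies": [{"PolicyName": "ReadOnlyAudit", "PolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
        "Action": ["ec2:Describe*", "s3:GetBucketPublicAccessBlock", "s3:ListAllMyBuckets", "iam:Get*",
                   "iam:List*", "cloudtrail:DescribeTrails", "guardduty:ListDetectors"]}]}}]}}}}

# Read-only verbs; anything else, including "*" or "s3:*", is treated as a write grant.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z*]*$")

def as_list(x):
    return x if isinstance(x, list) else [x]

def trust_policy_issues(doc, expected_principal):
    """The trust policy must name exactly the expected account and require an ExternalId."""
    issues = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if as_list(st.get("Principal", {}).get("AWS", [])) != [expected_principal]:
            issues.append("principal not pinned to expected account")
        if not st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            issues.append("missing sts:ExternalId condition")
    return issues

def non_read_actions(doc):
    """Actions in Allow statements that are not Get/List/Describe."""
    return [a for st in doc["Statement"] if st.get("Effect") == "Allow"
            for a in as_list(st.get("Action", [])) if not READ_ONLY.match(a)]

def review_roles(template, expected_principal):
    """Collect issues for every IAM role in the template; an empty list means nothing blocked deployment."""
    issues = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res["Properties"]
        issues += [f"{name}: {i}" for i in trust_policy_issues(props["AssumeRolePolicyDocument"], expected_principal)]
        for pol in props.get("Policies", []):
            issues += [f"{name}: non-read action {a}" for a in non_read_actions(pol["PolicyDocument"])]
        if props.get("ManagedPolicyArns"):
            issues.append(f"{name}: managed policies attached, review them separately")
    return issues
```

Managed policies are only flagged, not inspected, because their contents live outside the template; fetch and review them before trusting the role.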
Need help connecting multiple AWS accounts or configuring AWS Organizations? Reach out to our support team.
Framework coverage
What Controls Are Automated Across SOC 2 / ISO 27001 / HIPAA
ComplyJet maps every AWS check to the relevant framework controls and maintains an always-current evidence record for your auditor.
SOC 2
Logical access, network security, monitoring, audit trail, availability
CC6.1
Logical access security - IAM MFA enforcement, unique account assignment, access revocation on termination, password policy, root account controls.
CC6.3
Access authorization - Role-based permission management, least-privilege service roles, prevention of direct policy attachments.
CC6.6
Network access restrictions - Security group enforcement, public port restrictions, SSH access controls, container network firewall coverage.
CC6.7
Encryption in transit - HTTPS enforcement on load balancers, TLS-only traffic handling.
CC6.8
Detection and prevention of unauthorized access - Threat detection coverage, security group configuration, public access blocks on storage.
CC7.1
System monitoring - Alarm coverage across compute, databases, load balancers, serverless, and messaging services.
CC7.2
Security event evaluation - Threat detection alert routing, audit trail logging across all regions.
CC8.1
Change management audit trail - API activity logging enabled with log integrity validation.
A1.2
Recovery and availability - Automated database backups, point-in-time recovery for NoSQL, object version preservation for storage.
ISO 27001
Access control, authentication, logging, network security, cryptography, backup
A.5.15
Access control - MFA enforcement, account uniqueness, access revocation on departure.
A.5.17
Authentication information - Password complexity policy, credential rotation, root account MFA.
A.5.18
Access rights management - Role-based access, least-privilege roles, no direct user policy attachments.
A.8.5
Secure authentication - MFA on all accounts, hardened root account posture.
A.8.6
Capacity management - Performance alarms for compute, database CPU, memory, I/O, and storage utilization.
A.8.15
Logging - API activity audit trail active across all regions with file integrity validation.
A.8.16
Monitoring activities - Threat detection enabled and alerting, alarm coverage across key services.
A.8.20
Network security - Security group and NACL controls, public port restrictions, container network firewall, SSH denial.
A.8.24
Use of cryptography - Encryption at rest for object storage and all database types; HTTPS enforced at the load balancer.
A.8.32
Information backup - Automated backups for relational and document databases, point-in-time recovery for NoSQL, object versioning for storage.
HIPAA
Access control, encryption, audit controls, integrity, transmission security
§164.312(a)(1)
Access control - IAM MFA, unique user identification, access revocation on termination.
§164.312(a)(2)(i)
Unique user identification - Each IAM account linked to one individual, shared accounts flagged.
§164.312(a)(2)(iv)
Encryption and decryption - Encryption at rest across all storage and database services.
§164.312(b)
Audit controls - API activity logging across all regions with tamper-evident log integrity checks.
§164.312(c)(2)
Integrity - Object versioning on storage, point-in-time recovery for databases.
§164.312(e)(2)(ii)
Transmission security - HTTPS enforced on load balancers, TLS-only traffic.