InfraAudit’s compliance engine evaluates your infrastructure against a library of controls from industry-standard frameworks. Each control is a rule that checks a specific attribute of a specific resource type. When a control check fails, InfraAudit links the failure directly to the resources that caused it.

Supported frameworks

Framework                          ID            Version
CIS AWS Foundations Benchmark      cis-aws       v2.0
CIS GCP Foundations Benchmark      cis-gcp       v2.0
CIS Azure Foundations Benchmark    cis-azure     v2.0
SOC 2 Type II                      soc2
NIST SP 800-53                     nist-800-53   Rev 5
PCI-DSS                            pci-dss       v3.2.1
HIPAA Security Rule                hipaa

How a control works

Each control defines what to check and how to interpret the result:
{
  "id": "cis-aws-2.1.1",
  "framework": "cis-aws",
  "category": "Storage",
  "title": "Ensure all S3 buckets employ encryption-at-rest",
  "description": "S3 Managed Encryption (SSE-S3) or AWS KMS encryption must be enabled for all S3 buckets.",
  "severity": "high",
  "resource_types": ["s3_bucket"],
  "check": "s3_bucket.encryption.enabled == true"
}
The check expression is evaluated against each resource’s latest configuration snapshot. If it returns false, the control fails for that resource.

How an assessment runs

When an assessment runs (on schedule or triggered manually):
  1. InfraAudit fetches all active resources of the types required by each enabled control.
  2. It evaluates each control’s check expression against the resource’s cached configuration.
  3. It stores pass/fail results with a link to the specific resource.
  4. It calculates a compliance score: passed_controls / total_controls.
No live cloud API calls are made during an assessment — all evaluation runs against cached configuration data, so assessments are fast regardless of account size.
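
A minimal sketch of the evaluation loop described above, added here as an illustration and not InfraAudit's own code. It assumes check expressions have only the `<type>.<path> == <literal>` form shown on this page; the second control and all snapshots are constructed, and treating a missing attribute as a failure is an assumption of the sketch.

```python
import json

# The first control is the page's example; the second control and all snapshots are constructed.
CONTROLS = [
    {"id": "cis-aws-2.1.1", "resource_types": ["s3_bucket"],
     "check": "s3_bucket.encryption.enabled == true"},
    {"id": "example-logging-1", "resource_types": ["s3_bucket"],  # hypothetical control
     "check": "s3_bucket.logging.enabled == true"},
]
SNAPSHOTS = [  # constructed cached configuration snapshots
    {"id": "bucket-a", "type": "s3_bucket",
     "config": {"encryption": {"enabled": True}, "logging": {"enabled": True}}},
    {"id": "bucket-b", "type": "s3_bucket",
     "config": {"encryption": {"enabled": False}, "logging": {"enabled": True}}},
    {"id": "bucket-c", "type": "s3_bucket",  # no encryption block recorded at all
     "config": {"logging": {"enabled": True}}},
]
MISSING = object()  # sentinel: attribute absent from the snapshot

def lookup(config, path):
    """Walk a dotted path through nested dicts; return MISSING if any key is absent."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def evaluate(check, resource):
    """Evaluate '<type>.<dotted.path> == <JSON literal>' against one snapshot."""
    left, sep, right = check.partition("==")
    if not sep:
        raise ValueError(f"unsupported check expression: {check!r}")
    _rtype, *path = left.strip().split(".")  # first segment names the resource type
    expected = json.loads(right.strip())
    actual = lookup(resource["config"], path)
    # Fail closed: a missing attribute or a type mismatch (1 vs true) is not a pass.
    return actual is not MISSING and type(actual) is type(expected) and actual == expected

def run_assessment(controls, snapshots):
    """Return per-control results with failing resource IDs, plus the compliance score."""
    results = {}
    for control in controls:
        targets = [r for r in snapshots if r["type"] in control["resource_types"]]
        failed = [r["id"] for r in targets if not evaluate(control["check"], r)]
        results[control["id"]] = {"status": "fail" if failed else "pass",
                                  "failed_resources": failed}
    passed = sum(1 for r in results.values() if r["status"] == "pass")
    score = passed / len(results) if results else 0.0  # passed_controls / total_controls
    return results, score
```

One bucket without encryption is enough to fail the control, so the score reflects failing controls rather than the number of affected resources; the per-resource list is what shows the scope.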

Control-to-resource mapping

Failed controls link directly to the resources that caused the failure. For large accounts, a single failing control might affect many resources. The assessment detail view shows:
  • Control title and description
  • Pass/fail status
  • For failures: the list of resources that failed, with a link to each resource’s detail page

Compliance scores

InfraAudit calculates scores at several levels:
  • Per-control score — pass or fail for each control
  • Per-framework score — percentage of controls passing within a framework
  • Per-provider score — percentage of controls passing for each connected cloud account
  • Aggregate score — weighted average across all connected providers
  • By-category breakdown — scores grouped by category (IAM, logging, storage, networking, etc.)

Remediation guidance

Each control includes built-in remediation guidance. For controls with automated remediation support, InfraAudit can create a remediation action directly from the compliance finding — see Remediation workflow.

Export for auditors

Export assessment results as a PDF or CSV to provide evidence for compliance audits:
# Export as PDF (suitable for audit evidence)
infraudit compliance export \
  --assessment <assessment-id> \
  --format pdf \
  --output report.pdf

# Export as CSV (for import into audit management tools)
infraudit compliance export \
  --assessment <assessment-id> \
  --format csv \
  --output results.csv
The PDF report includes the control list, pass/fail status, resource mapping, and a score summary.

Custom controls

Custom controls are not yet supported through the UI. Contact support to request a custom compliance framework for your account.