Cloud Audits

Overview

Nullify continuously audits your cloud infrastructure to detect security weaknesses and misconfigurations. It understands the business context of each workload—what data it processes, who accesses it, and where it runs—then validates whether infrastructure issues pose a real risk through active testing and analysis. This context-driven approach separates genuine security issues from harmless configuration variations.

How It Works

  1. Cloud Resource Inventory: Nullify's context engine periodically scans your cloud accounts (configurable frequency)

  2. Event Trigger: When an inventory scan completes, Cloud Audits runs automatically

  3. Infrastructure Analysis: All resources are evaluated for security weaknesses and misconfigurations

  4. Workload Context: Nullify correlates resources to the applications they support, understanding business criticality and data sensitivity

  5. Risk Validation: Active testing and analysis determine whether each finding represents a genuine risk or a benign configuration

  6. Notification & Remediation: Real risks flow into Jira, Slack, and GitHub with ownership mapping and remediation guidance

The scan frequency is configurable: daily, weekly, or on demand.

Supported Cloud Providers

AWS is currently supported, with multi-account scanning, across the following services:

  • S3 (buckets, access controls, encryption)

  • EC2 (instances, security groups, network exposure)

  • IAM (users, roles, policies, password requirements)

  • RDS (databases, public accessibility, encryption, backups)

  • EBS (volumes, snapshots, encryption)

  • CloudTrail (logging, log validation)

Security Rules

Nullify evaluates 15 AWS security rules mapped to compliance frameworks:

Storage & Encryption

  • S3 Bucket Public Access: Detects publicly accessible buckets (CIS 2.1.5, PCI-DSS 1.2.1)

  • S3 Encryption: Validates that server-side encryption is enabled (CIS 2.1.1, HIPAA 164.312)

  • EBS Encryption: Ensures volumes are encrypted at rest (CIS 2.2.1, PCI-DSS 3.4)

  • EBS Snapshot Public Access: Detects snapshots shared publicly (CIS 2.2.2)

  • RDS Encryption: Validates database encryption at rest (CIS 2.3.1, HIPAA 164.312)

Network Security

  • EC2 Public IP: Identifies instances with public IP addresses (CIS 5.1)

  • Security Group SSH Access: Detects SSH (port 22) open to 0.0.0.0/0 (CIS 5.2, PCI-DSS 1.2)

  • Security Group RDP Access: Detects RDP (port 3389) open to 0.0.0.0/0 (CIS 5.2)

  • Default Security Group: Checks that each VPC's default security group carries no ingress or egress rules (CIS 5.3)

  • RDS Public Access: Detects publicly accessible database instances (CIS 2.3.1, PCI-DSS 1.2.1)

Identity & Access

  • IAM Root Access Keys: Detects root account access keys (CIS 1.4, PCI-DSS 7.2.1)

  • IAM Password Policy: Validates password complexity requirements (CIS 1.8)

Logging & Compliance

  • CloudTrail Enabled: Ensures CloudTrail logging is active (CIS 3.1, SOC2 CC7.2, HIPAA 164.312)

  • CloudTrail Log Validation: Validates that log file integrity validation is enabled (CIS 3.2, PCI-DSS 10.5.2)

Backup & Recovery

  • RDS Backup Retention: Ensures automated backup retention meets the required minimum period (CIS 2.3.2, PCI-DSS 9.5)
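The rule descriptions above are what the product reports. The following is an added, illustrative implementation of four of them (the SSH/RDP security group rules, the default security group rule, S3 Block Public Access, and the two CloudTrail rules); it is not Nullify's code. It evaluates constructed inventory records whose field names follow the AWS API responses a real check would read (describe-security-groups, get-public-access-block, describe-trails and get-trail-status). Resource IDs, bucket names and the trail name are made up. Note that the security group check treats ::/0 as any-source as well as 0.0.0.0/0, since an IPv6 rule exposes the port just the same.

```python
"""Illustrative checks for four of the rules listed above (added example,
not Nullify's engine). Input records mirror the shape of the AWS API
responses the real checks would read."""
import ipaddress

ADMIN_PORTS = {"ssh": 22, "rdp": 3389}


def _is_any_source(cidr: str) -> bool:
    """0.0.0.0/0 or ::/0: a prefix length of 0 means every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _permission_covers_port(perm: dict, port: int) -> bool:
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def sg_admin_port_open_to_world(sg: dict, port: int) -> bool:
    """Security Group SSH/RDP Access: `port` reachable from 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        if not _permission_covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(_is_any_source(c) for c in cidrs):
            return True
    return False


def default_sg_restricts_all(sg: dict) -> bool:
    """Default Security Group: the VPC default SG must carry no ingress or egress
    rules. As AWS creates it, it allows all traffic from itself and all egress."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def s3_public_access_blocked(cfg: dict) -> bool:
    """S3 Bucket Public Access: all four Block Public Access settings must be on."""
    return all(cfg.get(k) is True for k in
               ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets"))


def cloudtrail_status(trails: list) -> dict:
    """CloudTrail Enabled / Log Validation: at least one multi-region trail that is
    logging, and that trail has log file validation turned on."""
    active = [t for t in trails if t.get("IsMultiRegionTrail") and t.get("IsLogging")]
    return {"enabled": bool(active),
            "log_validation": any(t.get("LogFileValidationEnabled") for t in active)}


def evaluate(inventory: dict) -> list:
    """Run every check over an inventory snapshot; returns sorted (rule, resource) pairs."""
    findings = []
    for sg in inventory["security_groups"]:
        for name, port in ADMIN_PORTS.items():
            if sg_admin_port_open_to_world(sg, port):
                findings.append((f"sg_{name}_open_to_world", sg["GroupId"]))
        if sg["GroupName"] == "default" and not default_sg_restricts_all(sg):
            findings.append(("default_sg_allows_traffic", sg["GroupId"]))
    for bucket, cfg in inventory["s3_public_access_block"].items():
        if not s3_public_access_blocked(cfg):
            findings.append(("s3_public_access_not_blocked", bucket))
    trail = cloudtrail_status(inventory["cloudtrail"])
    if not trail["enabled"]:
        findings.append(("cloudtrail_not_enabled", "account"))
    elif not trail["log_validation"]:
        findings.append(("cloudtrail_log_validation_disabled", "account"))
    return sorted(findings)


# Constructed sample snapshot (not real account data).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissionsEgress": [{"IpProtocol": "-1"}],
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
        {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissionsEgress": [{"IpProtocol": "-1"}],
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
        # Default SG as AWS creates it: self-referencing ingress plus open egress.
        {"GroupId": "sg-0c3", "GroupName": "default", "IpPermissionsEgress": [{"IpProtocol": "-1"}],
         "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                            "UserIdGroupPairs": [{"GroupId": "sg-0c3"}]}]},
    ],
    "s3_public_access_block": {
        "orders-prod": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "marketing-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    },
    # IsMultiRegionTrail/LogFileValidationEnabled come from describe-trails,
    # IsLogging from get-trail-status; merged into one record here for brevity.
    "cloudtrail": [{"Name": "org-trail", "IsMultiRegionTrail": True,
                    "IsLogging": True, "LogFileValidationEnabled": False}],
}

if __name__ == "__main__":
    for rule, resource in evaluate(SAMPLE_INVENTORY):
        print(f"{rule:40} {resource}")
```

Run against the constructed snapshot, the web group is flagged for SSH but not for its HTTPS rule, the bastion's RDP rule is not flagged because its source is a single /24, the default group fails because it still carries its self-referencing ingress and open egress, and the trail is flagged only for missing log file validation. Against a real account the same functions would be fed the output of the corresponding describe/get calls.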

Code-to-Cloud Mapping

Nullify correlates cloud resources back to source code and business context:

  • Repository Links: Maps resources to the repos that deployed them

  • Ownership Inference: Uses CODEOWNERS and service metadata to assign findings

  • Workload Context: Understands what data each resource processes and which applications depend on it

  • Business Impact: Evaluates risk within the context of data sensitivity, customer exposure, and service criticality
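The ownership inference described above relies on two pieces of data: a link from a cloud resource to the infrastructure-as-code file that defines it, and the repository's CODEOWNERS file. The following is an added example (not Nullify's code) showing the CODEOWNERS half of that: it parses a constructed CODEOWNERS file with GitHub's last-match-wins semantics and assigns owners to constructed resources whose source-file paths are assumed to have been recorded by the deploy pipeline. The glob matcher is a simplified one (no character classes or negation) and the team handles, ARNs and paths are made up.

```python
"""Ownership inference from CODEOWNERS (added example, not Nullify's code).
Resources are linked to the infrastructure-as-code file that defines them
(that link is assumed to come from the deploy pipeline); the file path is
then matched against CODEOWNERS with last-match-wins semantics."""
import re


def _glob_to_regex(pat: str) -> "re.Pattern":
    """Translate a CODEOWNERS/gitignore-style glob: '*' does not cross '/',
    '**' does. Simplified: no character classes or negation."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pat[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")


def _compile(pattern: str) -> "re.Pattern":
    anchored = pattern.startswith("/")       # leading '/' pins the pattern to the repo root
    pat = pattern.lstrip("/")
    if pat.endswith("/"):                    # trailing '/' means everything under that directory
        pat += "**"
    if not anchored:                         # otherwise the pattern may match at any depth
        pat = "**/" + pat
    return _glob_to_regex(pat)


def parse_codeowners(text: str) -> list:
    """Return [(compiled_pattern, raw_pattern, [owners]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((_compile(pattern), pattern, owners))
    return rules


def owners_for(path: str, rules: list) -> list:
    """The last matching rule wins, as in GitHub's CODEOWNERS evaluation."""
    owners = []
    for regex, _pattern, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners


def assign_owners(resources: dict, codeowners_text: str) -> dict:
    """Map each resource ID to the owners of the IaC file that defines it."""
    rules = parse_codeowners(codeowners_text)
    return {rid: owners_for(path, rules) for rid, path in resources.items()}


# Constructed CODEOWNERS and resource -> source-file links (not a real repository).
CODEOWNERS = """\
# fall-through owner for anything not claimed below
*                    @acme/platform
*.tf                 @acme/infra
/infra/aws/rds/      @acme/data-eng
/infra/aws/s3.tf     @acme/infra @acme/security
"""

RESOURCES = {
    "arn:aws:rds:us-east-1:123456789012:db:orders-prod": "infra/aws/rds/orders.tf",
    "arn:aws:s3:::marketing-assets": "infra/aws/s3.tf",
    "sg-0a1": "infra/aws/network/web_sg.tf",
    "i-0abc1234": "deploy/ami.json",
}

if __name__ == "__main__":
    for rid, owners in assign_owners(RESOURCES, CODEOWNERS).items():
        print(f"{rid:55} -> {', '.join(owners) or '(unowned)'}")
```

The ordering matters: because the RDS rule comes after the generic `*.tf` rule, the RDS instance is routed to the data team rather than the infrastructure team, and a resource deployed from a non-Terraform file falls through to the repository's default owner. A path that matches no rule yields an empty owner list, which is the case a triage workflow has to handle explicitly rather than silently dropping the finding.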

Compliance Mapping

Every finding includes compliance framework mapping:

  • CIS AWS Foundations Benchmark 1.4.0

  • PCI-DSS 3.2.1

  • HIPAA (select controls)

  • SOC2 (select controls)

Configuration

Configure cloud access during Onboarding:

  • Add the AWS account IDs to scan

  • Deploy the least-privilege IAM cross-account role

  • Specify the S3 bucket used for inventory storage

  • Configure the KMS key that encrypts the inventory
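The cross-account role is the one piece of this configuration where a small mistake has a large blast radius. The following is an added example (not Nullify's published role or policy; onboarding supplies the authoritative versions) of what a least-privilege cross-account role for a scanner looks like, and of the two trust-policy mistakes worth checking for before deploying: trusting every AWS account, and omitting the sts:ExternalId condition that prevents a confused-deputy attack, where a third party tricks the scanning service into assuming your role on their behalf. The scanner account ID, ExternalId, bucket name and KMS key ARN are placeholders, and the read-only action list is an assumption shaped around the services listed on this page.

```python
"""Cross-account role for a scanner (added example, not Nullify's published role).
The trust policy pins the caller to one account and requires an ExternalId so a
third party cannot make the scanner assume the role on its behalf (confused deputy).
Account ID, ExternalId, bucket and key ARN are placeholders supplied by onboarding."""
import json

SCANNER_ACCOUNT = "111122223333"                    # placeholder: the scanning vendor's account
EXTERNAL_ID = "replace-with-value-from-onboarding"  # placeholder: vendor-issued, treat as a secret
INVENTORY_BUCKET = "example-cloud-inventory"        # placeholder
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
               "00000000-0000-0000-0000-000000000000")  # placeholder


def build_trust_policy(scanner_account: str, external_id: str) -> dict:
    """Hardened trust policy: one principal account, one action, ExternalId required."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{scanner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permissions_policy(inventory_bucket: str, kms_key_arn: str) -> dict:
    """Read-only inventory actions for the services listed on this page, plus write
    access limited to the inventory bucket and its key. Assumed shape, not the vendor's."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadInventory", "Effect": "Allow", "Resource": "*",
             "Action": ["ec2:Describe*", "rds:Describe*", "iam:Get*", "iam:List*",
                        "iam:GenerateCredentialReport", "cloudtrail:DescribeTrails",
                        "cloudtrail:GetTrailStatus", "s3:ListAllMyBuckets",
                        "s3:GetBucketLocation", "s3:GetBucketPublicAccessBlock",
                        "s3:GetEncryptionConfiguration", "s3:GetBucketAcl",
                        "s3:GetBucketPolicyStatus"]},
            {"Sid": "WriteInventoryObjects", "Effect": "Allow",
             "Action": ["s3:PutObject"], "Resource": f"arn:aws:s3:::{inventory_bucket}/*"},
            {"Sid": "EncryptInventory", "Effect": "Allow",
             "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": kms_key_arn},
        ],
    }


def trust_policy_problems(policy: dict) -> list:
    """Flag the mistakes that turn a cross-account role into an open door."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = aws if isinstance(aws, list) else [aws]
        if "*" in aws:
            problems.append("principal '*' lets any AWS account assume the role")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if any(a != "sts:AssumeRole" for a in actions):
            problems.append(f"trust policy grants actions other than sts:AssumeRole: {actions}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
    return problems


# A trust policy as often pasted from a quick-start: right account, but no ExternalId.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{SCANNER_ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print("weak:    ", trust_policy_problems(WEAK_TRUST_POLICY))
    print("hardened:", trust_policy_problems(build_trust_policy(SCANNER_ACCOUNT, EXTERNAL_ID)))
    print(json.dumps(build_permissions_policy(INVENTORY_BUCKET, KMS_KEY_ARN), indent=2))
```

The same `trust_policy_problems` check can be pointed at any role's trust document pulled with `aws iam get-role`, which makes it a useful pre-flight before granting a vendor access. Note that the permissions policy keeps write access off every resource except the inventory bucket prefix and the one KMS key, so even a compromised scanner credential cannot modify the audited resources.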
