
# Cloud Audits

## Overview

Nullify continuously audits your cloud infrastructure to detect security weaknesses and misconfigurations. It understands the business context of each workload—what data it processes, who accesses it, and where it runs—then validates whether infrastructure issues pose a real risk through active testing and analysis. This context-driven approach separates genuine security issues from harmless configuration variations.

## How It Works

1. **Cloud Resource Inventory**: Nullify's context engine scans your cloud accounts
2. **Event Trigger**: When an account scan completes, Cloud Audits automatically runs in response to the account-scan-completed event
3. **Infrastructure Analysis**: All resources are evaluated for security weaknesses and misconfigurations
4. **Workload Context**: Nullify correlates resources to the applications they support, understanding business criticality and data sensitivity
5. **Risk Validation**: Active testing and analysis determine whether each finding represents a genuine risk or a benign configuration
6. **Notification & Remediation**: Real risks flow into Jira, Slack, and GitHub with ownership mapping and remediation guidance

Cloud Audits are **event-driven**: a scan runs whenever an account inventory completes rather than on a fixed daily or weekly cron, so findings stay in step with changes to your infrastructure.

## Supported Cloud Providers

Nullify audits **AWS, GCP, Azure, and Kubernetes** with multi-account scanning. Coverage spans the core resource categories of each provider, including:

* **Storage & data**: object storage buckets, block volumes and snapshots, managed databases
* **Compute & network**: instances, security groups, load balancers, public exposure
* **Identity & access**: users, roles, policies, key management, password requirements
* **Logging & audit**: audit trails, log integrity, monitoring configuration
* **Kubernetes**: workload, RBAC, and cluster configuration checks

See the connector guides for setup: [AWS](/connectors/aws.md), [GCP](/connectors/gcp.md).

## Security Rules

Nullify ships managed rulesets per provider mapped to compliance frameworks: roughly **385 AWS rules**, **151 GCP rules**, and **109 Azure rules**, plus a dedicated **Kubernetes ruleset**. Rules are grouped by category rather than enumerated individually:

### Storage & Encryption

Detects publicly accessible storage buckets, validates server-side and at-rest encryption, prevents public snapshot exposure, and enforces managed-database encryption.

### Network Security

Identifies public-facing compute, security groups exposing sensitive ports (e.g. SSH/RDP) to the internet, overly permissive default network rules, and publicly accessible databases.
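To make the security-group rule in this category concrete, here is an added example (not Nullify's own rule code) that evaluates a constructed AWS `describe-security-groups`-style structure and reports any ingress rule that opens SSH (22) or RDP (3389) to the whole IPv4 or IPv6 internet. The `exposed_sensitive_ports` function and the sample group are assumptions for illustration.

```python
# Added illustration of a "sensitive port exposed to the internet" check.
# Not Nullify's rule code; the input shape mirrors the AWS
# describe-security-groups JSON (IpPermissions / IpRanges / Ipv6Ranges).
import ipaddress

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}


def _is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm: dict) -> tuple:
    """Return (from, to); an IpProtocol of "-1" means all traffic, every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def exposed_sensitive_ports(security_group: dict) -> list:
    """One finding per sensitive TCP port reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("-1", "tcp"):
            continue  # UDP/ICMP rules cannot expose SSH or RDP
        lo, hi = _port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if not _is_world_open(cidr):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"group": security_group["GroupId"],
                                     "port": port, "service": name, "source": cidr})
    return findings


# Constructed sample: SSH open to the world, RDP limited to a documentation range.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

if __name__ == "__main__":
    for finding in exposed_sensitive_ports(SAMPLE_SG):
        print(finding)
```

A rule with `IpProtocol: "-1"` (all traffic) from `0.0.0.0/0` is flagged for both ports, since it implicitly covers them.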

### Identity & Access

Flags root/break-glass access keys, weak password and key-rotation policies, and overly broad IAM permissions.

### Logging & Compliance

Ensures audit logging is enabled, validates log file integrity, and checks monitoring coverage.

### Backup & Recovery

Verifies adequate backup retention and recovery configuration on managed data stores.

## Code-to-Cloud Mapping

Nullify correlates cloud resources back to source code and business context:

* **Repository Links**: Maps resources to the repos that deployed them
* **Ownership Inference**: Uses CODEOWNERS and service metadata to assign findings
* **Workload Context**: Understands what data each resource processes and which applications depend on it
* **Business Impact**: Evaluates risk within the context of data sensitivity, customer exposure, and service criticality

## Compliance Mapping

Every finding includes compliance framework mapping:

* **CIS Foundations Benchmarks** (per provider)
* **PCI-DSS**
* **HIPAA** (select controls)
* **SOC2** (select controls)

## Configuration

Configure cloud access during [Onboarding](/getting-started/getting-started.md#4-integrate-cloud-aws-setup). Setup is provider-specific — connect each AWS, GCP, or Azure account (and any Kubernetes clusters) with a least-privilege role or service account. See the connector guides for step-by-step instructions: [AWS](/connectors/aws.md), [GCP](/connectors/gcp.md).

