v2026.1

Compliance Center

Compliance Frameworks

The StackFlow Compliance Center checks your cloud infrastructure against industry compliance frameworks and custom organizational policies. Supported frameworks include CIS AWS Foundations Benchmark, SOC 2 Type II, PCI DSS, HIPAA, and NIST 800-53. Each framework is implemented as a set of policy checks that query your CMDB and live cloud configuration.

⚙️ Minimum Requirements
  • AWS Config: AWS Config enabled in all connected accounts with at least the managed rules: encrypted-volumes, iam-password-policy, s3-bucket-public-read-prohibited
  • IAM: StackFlowDiscoveryRole with config:GetComplianceDetailsByResource, config:DescribeConfigRules
  • DynamoDB: StackFlow_ComplianceScore table for tracking per-account compliance over time

Compliance Scoring

Each framework generates an overall compliance score (0-100%) calculated from the weighted average of individual check scores. Checks are weighted by severity: CRITICAL (weight 4), HIGH (weight 3), MEDIUM (weight 2), LOW (weight 1). The score dashboard shows trends over time and comparisons across accounts and frameworks.

| Score Range | Status | Action Required |
| --- | --- | --- |
| 90-100% | Compliant | Monitor and maintain |
| 75-89% | Mostly Compliant | Address HIGH findings |
| 50-74% | Partially Compliant | Immediate remediation plan required |
| Below 50% | Non-Compliant | Escalate to CISO, expedited remediation |
Security Findings: Critical compliance failures are published to the stackflow-security-findings SNS topic immediately upon detection. Ensure this topic has appropriate subscriptions for your security team's alerting system.
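The scoring rule above (severity-weighted average, then banding by the table) worked through in code. This is an added illustration, not StackFlow's own code: the check results are constructed sample data, and it assumes each check scores 1.0 when it passes and 0.0 when it fails, which the page does not state explicitly. It also shows why the weighting matters: two failures on CRITICAL checks pull the score down much further than two failures on HIGH and MEDIUM checks.

```python
"""Severity-weighted compliance scoring and status banding.

Added illustration for the Compliance Scoring section; this is not StackFlow
code. The check results below are constructed sample data. Assumption: each
check scores 1.0 when it passes and 0.0 when it fails; the page only states
that the framework score is the severity-weighted average of check scores.
"""
from dataclasses import dataclass

# Weights as documented: CRITICAL 4, HIGH 3, MEDIUM 2, LOW 1.
SEVERITY_WEIGHT = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass(frozen=True)
class CheckResult:
    check_id: str
    severity: str
    passed: bool


def framework_score(results):
    """Return the 0-100 score: sum(weight * check_score) / sum(weight)."""
    if not results:
        raise ValueError("cannot score a framework with no checks")
    weighted_total = sum(SEVERITY_WEIGHT[r.severity] for r in results)
    weighted_passed = sum(SEVERITY_WEIGHT[r.severity] for r in results if r.passed)
    return round(100.0 * weighted_passed / weighted_total, 2)


def status_for(score):
    """Map a score to the (status, action) band from the scoring table.

    Assumption: a fractional score falls into the band whose lower bound it
    meets (89.5 is 'Mostly Compliant'), since the table lists whole percentages.
    """
    if score >= 90:
        return ("Compliant", "Monitor and maintain")
    if score >= 75:
        return ("Mostly Compliant", "Address HIGH findings")
    if score >= 50:
        return ("Partially Compliant", "Immediate remediation plan required")
    return ("Non-Compliant", "Escalate to CISO, expedited remediation")


# Constructed sample: the five example checks named in the Policy Checks
# section, with the HIGH and MEDIUM checks failing. Weights sum to 16.
SAMPLE_RESULTS = [
    CheckResult("s3-sse-enabled", "CRITICAL", passed=True),
    CheckResult("iam-console-user-mfa", "HIGH", passed=False),
    CheckResult("sg-no-world-ssh", "CRITICAL", passed=True),
    CheckResult("rds-encryption-at-rest", "HIGH", passed=True),
    CheckResult("lambda-no-public-url", "MEDIUM", passed=False),
]

# Same number of failures, but on the two CRITICAL checks: the score drops
# from 68.75 to 50.0, which is the effect severity weighting is meant to have.
CRITICAL_FAILURES = [
    CheckResult("s3-sse-enabled", "CRITICAL", passed=False),
    CheckResult("iam-console-user-mfa", "HIGH", passed=True),
    CheckResult("sg-no-world-ssh", "CRITICAL", passed=False),
    CheckResult("rds-encryption-at-rest", "HIGH", passed=True),
    CheckResult("lambda-no-public-url", "MEDIUM", passed=True),
]

if __name__ == "__main__":
    for label, results in (("sample", SAMPLE_RESULTS), ("critical failures", CRITICAL_FAILURES)):
        score = framework_score(results)
        print(f"{label}: {score}% -> {status_for(score)}")
```

A per-account history of these scores is what the StackFlow_ComplianceScore table from the requirements list is for; the function above is the calculation that would feed it.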

Policy Checks

Policy checks run against live AWS API data and the StackFlow CMDB. Examples of checks: S3 buckets without server-side encryption (CRITICAL), IAM users with console access and no MFA (HIGH), security groups allowing 0.0.0.0/0 inbound on port 22 (CRITICAL), RDS instances without encryption at rest (HIGH), and Lambda functions with public URL access enabled (MEDIUM).
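The five example checks above, implemented over a configuration snapshot. This is an added illustration and not StackFlow code: the inventory is a constructed sample shaped like flattened CMDB or AWS describe-* output, and the check ids and field names are assumptions. The security-group check is the one worth reading closely: a rule that opens 0-65535 or uses protocol -1 (all traffic) also exposes port 22, so the check tests whether the range covers the port rather than whether it equals it. It also separates out CRITICAL findings, since those are what the page says go to the stackflow-security-findings topic immediately.

```python
"""Policy checks evaluated over a snapshot of cloud configuration.

Added illustration for the Policy Checks section; not StackFlow code. The
inventory is a constructed sample resembling flattened CMDB / AWS describe-*
data. Check ids and field names are assumptions.
"""


def _rule_opens_port(rule, port):
    """True if an ingress rule's port range includes `port`.

    Protocol "-1" means all traffic in the EC2 API, so it always matches; a
    0-65535 range is also caught, which a naive `from_port == 22` test misses.
    """
    if rule["protocol"] == "-1":
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def check_s3_encryption(inv):
    return [("s3-sse-enabled", "CRITICAL", b["name"])
            for b in inv["s3_buckets"] if not b["sse_enabled"]]


def check_iam_console_mfa(inv):
    # Only users who can log in to the console are in scope; API-only
    # principals with no MFA are not this check's concern.
    return [("iam-console-user-mfa", "HIGH", u["user"])
            for u in inv["iam_users"] if u["console_access"] and not u["mfa_enabled"]]


def check_sg_world_ssh(inv):
    findings = []
    for sg in inv["security_groups"]:
        if any(r["cidr"] == "0.0.0.0/0" and _rule_opens_port(r, 22) for r in sg["ingress"]):
            findings.append(("sg-no-world-ssh", "CRITICAL", sg["id"]))
    return findings


def check_rds_encryption(inv):
    return [("rds-encryption-at-rest", "HIGH", db["id"])
            for db in inv["rds_instances"] if not db["storage_encrypted"]]


def check_lambda_public_url(inv):
    # A function URL with auth type NONE is reachable without IAM authentication.
    return [("lambda-no-public-url", "MEDIUM", f["name"])
            for f in inv["lambda_functions"] if f.get("url_auth_type") == "NONE"]


CHECKS = [check_s3_encryption, check_iam_console_mfa, check_sg_world_ssh,
          check_rds_encryption, check_lambda_public_url]


def run_checks(inv):
    """Return all (check_id, severity, resource) findings, sorted for stable output."""
    findings = []
    for check in CHECKS:
        findings.extend(check(inv))
    return sorted(findings)


def critical_findings(findings):
    """The subset that the page says is published to SNS immediately."""
    return [f for f in findings if f[1] == "CRITICAL"]


# Constructed sample inventory. Each resource type has at least one compliant
# and one non-compliant entry, plus edge cases the checks should not flag.
SAMPLE_INVENTORY = {
    "s3_buckets": [
        {"name": "logs-archive", "sse_enabled": True},
        {"name": "legacy-uploads", "sse_enabled": False},
    ],
    "iam_users": [
        {"user": "alice", "console_access": True, "mfa_enabled": True},
        {"user": "bob", "console_access": True, "mfa_enabled": False},
        {"user": "svc-deploy", "console_access": False, "mfa_enabled": False},
    ],
    "security_groups": [
        {"id": "sg-0a", "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-0b", "ingress": [{"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0c", "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
    ],
    "rds_instances": [
        {"id": "db-prod", "storage_encrypted": True},
        {"id": "db-reporting", "storage_encrypted": False},
    ],
    "lambda_functions": [
        {"name": "fn-api", "url_auth_type": "AWS_IAM"},
        {"name": "fn-webhook", "url_auth_type": "NONE"},
        {"name": "fn-batch"},
    ],
}

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_INVENTORY):
        print(finding)
```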

Remediation Workflows

Each compliance finding links to a pre-built remediation workflow. For automated remediations (e.g., enabling S3 bucket encryption), the workflow can be executed directly from the finding. For manual remediations, the workflow generates a Change record with step-by-step instructions for the compliance team.

Compliance Reports

Generate compliance reports for auditors directly from Cloud Management → Compliance → Reports. Reports can be generated as PDF or CSV and include a point-in-time snapshot of all checks and findings. Historical reports are retained for 7 years in S3 for audit evidence retention. Reports are signed with a hash to prevent tampering.
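What "signed with a hash" has to look like for the snapshot to be tamper-evident, as an added illustration rather than StackFlow's own implementation. The page does not document the mechanism, so this assumes a keyed hash (HMAC-SHA256) over a canonical serialization of the report, with the key held outside the report store; the key and the report are constructed placeholders. A plain SHA-256 stored next to the report in the same bucket would not do the job, because anyone who can overwrite the report can recompute and overwrite the hash as well.

```python
"""Tamper-evident compliance report snapshots.

Added illustration for the Compliance Reports section; not StackFlow code.
Assumption: an HMAC-SHA256 over a canonical JSON form of the report, keyed
with a secret that lives outside the report store. The key below is a
constructed placeholder, as is the sample report.
"""
import copy
import hashlib
import hmac
import json

# Placeholder signing key for the example. In practice this would come from a
# secrets manager or KMS, never be written alongside the reports.
SAMPLE_KEY = b"example-signing-key-not-for-production"

# Constructed point-in-time snapshot in the shape of a report's data section.
SAMPLE_REPORT = {
    "framework": "CIS AWS Foundations Benchmark",
    "account_id": "111111111111",
    "generated_at": "2026-01-15T09:30:00Z",
    "score": 68.75,
    "findings": [
        {"check_id": "iam-console-user-mfa", "severity": "HIGH", "resource": "bob", "status": "FAIL"},
        {"check_id": "lambda-no-public-url", "severity": "MEDIUM", "resource": "fn-webhook", "status": "FAIL"},
    ],
}


def canonical_bytes(report):
    """Deterministic serialization so key order and whitespace cannot change the digest."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_report(report, key):
    """Wrap the report in an envelope carrying its keyed digest."""
    digest = hmac.new(key, canonical_bytes(report), hashlib.sha256).hexdigest()
    return {"report": report, "hmac_sha256": digest}


def verify_report(envelope, key):
    """Recompute the digest and compare in constant time; False means tampered or wrong key."""
    expected = hmac.new(key, canonical_bytes(envelope["report"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["hmac_sha256"])


def tampered_copy(envelope):
    """Simulate an after-the-fact edit: flip one finding to PASS, keep the old digest."""
    altered = copy.deepcopy(envelope)
    altered["report"]["findings"][0]["status"] = "PASS"
    return altered


if __name__ == "__main__":
    envelope = sign_report(SAMPLE_REPORT, SAMPLE_KEY)
    print("original verifies:", verify_report(envelope, SAMPLE_KEY))
    print("edited copy verifies:", verify_report(tampered_copy(envelope), SAMPLE_KEY))
```

Verification should run when a report is pulled for an audit, not only when it is written; the signature is only evidence if something checks it.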