
AWS Integration User Guide

Last updated on Dec 29, 2025

Humadroid Compliance Platform


Overview

Humadroid's AWS integration automatically collects compliance evidence from your Amazon Web Services infrastructure. Once connected, it continuously monitors your AWS environment and gathers evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

  • Automated evidence collection - No more manual screenshots or exports

  • Compliance-focused collection - Evidence collected on schedule (weekly or monthly)

  • Auto-verification - Many evidence sources are automatically checked against compliance rules

  • Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model

  • Read-only access - Humadroid cannot modify your AWS resources

  • Cross-account role assumption - Secure AWS STS-based authentication

  • External ID protection - Prevents confused deputy attacks

  • Full audit trail - All API calls logged in your CloudTrail


Evidence Sources

The AWS integration collects 17 distinct evidence types across six categories:

Identity & Access Management

IAM Password Policy

  • Description: Verifies password complexity, length, expiration, and reuse requirements

  • Frequency: Monthly

  • Auto-Verify: Yes

IAM MFA Status

  • Description: Verifies multi-factor authentication is enabled for all users including root

  • Frequency: Monthly

  • Auto-Verify: Yes

IAM Access Keys

  • Description: Monitors access key rotation, usage patterns, and lifecycle

  • Frequency: Monthly

  • Auto-Verify: Yes

Logging & Monitoring

CloudTrail Configuration

  • Description: Verifies audit logging is enabled and properly configured

  • Frequency: Monthly

  • Auto-Verify: Yes

CloudTrail Events

  • Description: Audit trail of API calls and management events

  • Frequency: Monthly

  • Auto-Verify: No

CloudWatch Alarms

  • Description: System monitoring and alerting configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

VPC Flow Logs

  • Description: Network traffic logging configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

Security Services

GuardDuty Status

  • Description: Threat detection service status and configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

GuardDuty Findings

  • Description: Security threats and anomalies detected

  • Frequency: Weekly

  • Auto-Verify: No

Security Hub Status

  • Description: Consolidated security findings service status

  • Frequency: Monthly

  • Auto-Verify: Yes

AWS Config Status

  • Description: Configuration change tracking service status

  • Frequency: Monthly

  • Auto-Verify: Yes

Network Security

Security Groups

  • Description: Network security rules and firewall configuration

  • Frequency: Monthly

  • Auto-Verify: Yes

Network ACLs

  • Description: Network access control list rules

  • Frequency: Monthly

  • Auto-Verify: Yes

Encryption & Data Protection

S3 Bucket Encryption

  • Description: Verifies all S3 buckets have encryption enabled

  • Frequency: Monthly

  • Auto-Verify: Yes

S3 Public Access Block

  • Description: Verifies S3 buckets block public access

  • Frequency: Monthly

  • Auto-Verify: Yes

RDS Encryption

  • Description: Verifies RDS instances have encryption enabled

  • Frequency: Monthly

  • Auto-Verify: Yes

EBS Volume Encryption

  • Description: Verifies EBS volumes are encrypted

  • Frequency: Monthly

  • Auto-Verify: Yes

KMS Key Rotation

  • Description: Verifies KMS keys are configured for automatic rotation

  • Frequency: Monthly

  • Auto-Verify: Yes

Backup & Recovery

AWS Backup Jobs

  • Description: Backup execution and success monitoring

  • Frequency: Weekly

  • Auto-Verify: Yes

RDS Snapshots

  • Description: Database backup snapshots

  • Frequency: Monthly

  • Auto-Verify: Yes


SOC 2 Control Coverage

The AWS integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures to protect information assets

  • IAM Password Policy - Password complexity requirements are enforced

  • IAM MFA Status - Multi-factor authentication is enabled

  • IAM Access Keys - Access credentials are properly managed

  • S3 Encryption - Data at rest is encrypted

  • S3 Public Access Block - Data is not publicly exposed

  • RDS Encryption - Databases are encrypted

  • EBS Volume Encryption - Storage volumes are encrypted

  • KMS Key Rotation - Encryption keys are properly rotated

CC6.2 - User Registration and Authorization

Prior to issuing system credentials and granting access, the entity registers and authorizes new users

  • IAM MFA Status - Complete inventory of IAM users with access details

  • IAM Access Keys - Access key creation and authorization records

CC6.3 - Removal of Access Rights

The entity removes credentials and disables system access when no longer required

  • CloudTrail Events - Access revocation events are logged

  • IAM Access Keys - Inactive or unused access keys identified

CC6.6 - Logical Access Security Measures

The entity implements controls to prevent or detect and act upon unauthorized logical access

  • Security Groups - Firewall rules restrict access appropriately

  • Network ACLs - Network-level access controls are in place

  • VPC Flow Logs - Network traffic is monitored

  • GuardDuty Status - Threat detection is active

  • GuardDuty Findings - Security threats are identified and tracked

CC6.7 - Data Transmission Controls

The entity restricts transmission and movement of data

  • S3 Encryption - Data is encrypted during storage and transfer

  • RDS Encryption - Database data is encrypted

CC7 - System Operations

CC7.1 - Security Monitoring

The entity monitors system components for anomalies and security events

  • GuardDuty Status - Threat detection service is active

  • Security Hub Status - Security monitoring is consolidated

  • CloudWatch Alarms - Alerts are configured for security events

CC7.2 - Security Event Logging

The entity identifies and logs security events

  • CloudTrail Configuration - Audit logging is properly configured

  • CloudTrail Events - Security events are recorded

  • VPC Flow Logs - Network activity is logged

CC7.3 - Security Incident Response

The entity evaluates security events and responds to identified incidents

  • GuardDuty Findings - Threats are detected and tracked

  • CloudWatch Alarms - Incident alerts are configured

CC8 - Change Management

CC8.1 - Change Management

The entity authorizes, documents, and controls infrastructure changes

  • CloudTrail Events - Infrastructure changes are logged

  • AWS Config Status - Configuration changes are tracked

A1 - Availability

A1.1 - System Availability

The entity maintains, monitors, and evaluates current processing capacity

  • Backup Jobs - Data can be recovered

  • RDS Snapshots - Database backups are maintained

  • CloudWatch Alarms - Availability monitoring is active

A1.2 - Recovery Procedures

The entity's recovery procedures support system recovery in accordance with recovery objectives

  • Backup Jobs - Backup procedures are executed successfully

  • RDS Snapshots - Point-in-time recovery is available


ISO 27001:2022 Control Coverage

The AWS integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented

  • IAM Password Policy - Password policies enforce access security

  • IAM MFA Status - Strong authentication is required

  • IAM Access Keys - Access credentials are managed

  • Security Groups - Network access is controlled

A.5.16 - Identity Management

The full life cycle of identities shall be managed

  • IAM MFA Status - Complete inventory of identities

  • IAM Access Keys - Access key lifecycle management

A.5.17 - Authentication Information

Allocation and management of authentication information shall be controlled

  • IAM Password Policy - Authentication requirements are enforced

  • IAM MFA Status - MFA is properly configured

  • IAM Access Keys - Credentials are properly managed

A.5.18 - Access Rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed

  • IAM Access Keys - Access key usage is reviewed

  • CloudTrail Events - Access changes are logged

A.5.23 - Cloud Services Security

Processes for acquisition, use, management and exit from cloud services shall be established

  • GuardDuty Status - Cloud threat detection is active

  • Security Hub Status - Cloud security posture is monitored

  • CloudTrail Configuration - Cloud activity is logged

A.8 - Technological Controls

A.8.1 - User Endpoint Devices

Information stored on, processed by or accessible via user endpoint devices shall be protected

  • EBS Volume Encryption - Storage attached to instances is encrypted

A.8.3 - Information Access Restriction

Access to information and other associated assets shall be restricted

  • S3 Public Access Block - Data is not publicly accessible

  • Security Groups - Network access is restricted

  • Network ACLs - Network-level access controls exist

A.8.9 - Configuration Management

Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed

  • AWS Config Status - Configuration changes are tracked

  • Security Groups - Security configurations are documented

A.8.10 - Information Deletion

Information stored shall be deleted when no longer required

  • S3 Encryption - S3 lifecycle and deletion policies

A.8.11 - Data Masking

Data masking shall be used in accordance with the organization's topic-specific policy

  • RDS Encryption - Database encryption protects sensitive data

A.8.12 - Data Leakage Prevention

Data leakage prevention measures shall be applied

  • S3 Public Access Block - Public exposure is prevented

  • GuardDuty Findings - Data exfiltration attempts are detected

  • VPC Flow Logs - Data transfers are monitored

A.8.13 - Information Backup

Backup copies of information, software and systems shall be maintained and regularly tested

  • Backup Jobs - Backups are executed regularly

  • RDS Snapshots - Database backups are maintained

A.8.14 - Redundancy

Information processing facilities shall be implemented with sufficient redundancy to meet availability requirements

  • RDS Encryption - Multi-AZ deployment status

  • Backup Jobs - Cross-region backup configuration

A.8.15 - Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed

  • CloudTrail Configuration - API activity is logged

  • VPC Flow Logs - Network activity is logged

  • CloudWatch Alarms - Logs are monitored for anomalies

A.8.16 - Monitoring Activities

Networks, systems and applications shall be monitored for anomalous behaviour

  • GuardDuty Status - Threat monitoring is active

  • GuardDuty Findings - Anomalies are detected and tracked

  • CloudWatch Alarms - System monitoring is configured

  • Security Hub Status - Security posture is monitored

A.8.20 - Networks Security

Networks and network devices shall be secured, managed and controlled

  • Security Groups - Network security rules are configured

  • Network ACLs - Network access controls are in place

  • VPC Flow Logs - Network traffic is monitored

A.8.24 - Use of Cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented

  • S3 Encryption - Object storage is encrypted

  • RDS Encryption - Databases are encrypted

  • EBS Volume Encryption - Block storage is encrypted

  • KMS Key Rotation - Encryption keys are rotated


Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

IAM Password Policy

  • Minimum password length: 14 characters

  • Require uppercase letters: Yes

  • Require lowercase letters: Yes

  • Require numbers: Yes

  • Require symbols: Yes

  • Maximum password age: 90 days

  • Password reuse prevention: 24 passwords

IAM MFA Status

  • All users have MFA: 100%

  • Root account has MFA: Required

IAM Access Keys

  • Maximum key age: 90 days

  • No unused keys: Required

CloudTrail

  • CloudTrail enabled: Required

  • Multi-region trail: Required

  • Log file validation: Required

  • Encryption enabled: Required

S3 Security

  • All buckets encrypted: Required

  • Default encryption enabled: Required

  • Public access blocked: Required

RDS Security

  • All instances encrypted: Required

  • Automated backups enabled: Required

  • Retention period: 7+ days

Network Security

  • No open SSH (0.0.0.0/0:22): Required

  • No open RDP (0.0.0.0/0:3389): Required

  • VPC Flow Logs enabled: Required

Security Services

  • GuardDuty enabled: Required

  • Security Hub enabled: Recommended

  • AWS Config enabled: Recommended
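Added example, not Humadroid's own code: three of the thresholds above (maximum access key age, no unused keys, and no SSH or RDP open to 0.0.0.0/0) evaluated over constructed sample data in the shapes the IAM and EC2 APIs listed under AWS Permissions Required return. It goes slightly beyond the stated rules by also catching port ranges and all-traffic (-1) rules that merely cover ports 22 or 3389.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90                      # "Maximum key age: 90 days"
BLOCKED_PORTS = {22: "SSH", 3389: "RDP"}   # "No open SSH (…:22)", "No open RDP (…:3389)"
NOW = datetime(2025, 12, 29, tzinfo=timezone.utc)   # constructed reference date

# Constructed samples (not real credentials or resources), in the shapes returned by
# iam:ListAccessKeys merged with iam:GetAccessKeyLastUsed, and by ec2:DescribeSecurityGroups.
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": NOW - timedelta(days=1)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10)},                  # no LastUsedDate: never used
]
SAMPLE_GROUPS = [{"GroupId": "sg-0example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}]


def check_access_keys(keys, now=NOW):
    """Return failure strings for active keys past the rotation age or never used."""
    failures = []
    for k in keys:
        if k["Status"] != "Active":           # disabled keys cannot authenticate
            continue
        age = (now - k["CreateDate"]).days
        if age > MAX_KEY_AGE_DAYS:
            failures.append(f"{k['AccessKeyId']}: {age} days old")
        if k.get("LastUsedDate") is None:
            failures.append(f"{k['AccessKeyId']}: never used")
    return failures


def check_security_groups(groups):
    """Return failure strings for ingress rules exposing SSH or RDP to 0.0.0.0/0."""
    failures = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            if perm["IpProtocol"] == "-1":          # all traffic: no port fields present
                lo, hi = 0, 65535
            elif perm["IpProtocol"] != "tcp":       # SSH and RDP are TCP services
                continue
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
            for port, name in BLOCKED_PORTS.items():
                if lo <= port <= hi:
                    failures.append(f"{g['GroupId']}: {name} open to 0.0.0.0/0")
    return failures
```

Run against the samples, the first key fails on age, the second on never having been used, and the 20-25 range is reported as SSH exposure while the RDP rule passes because it is limited to a private range.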


Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source

  • IAM Password Policy - CC6.1

  • IAM MFA Status - CC6.1, CC6.2

  • IAM Access Keys - CC6.1, CC6.2, CC6.3

  • CloudTrail Config - CC7.2

  • CloudTrail Events - CC6.3, CC7.2, CC8.1

  • CloudWatch Alarms - CC7.1, CC7.3, A1.1

  • VPC Flow Logs - CC6.6, CC7.2

  • GuardDuty Status - CC6.6, CC7.1

  • GuardDuty Findings - CC6.6, CC7.3

  • Security Hub - CC7.1

  • AWS Config - CC8.1

  • Security Groups - CC6.6

  • Network ACLs - CC6.6

  • S3 Encryption - CC6.1, CC6.7

  • S3 Public Access - CC6.1

  • RDS Encryption - CC6.1, CC6.7

  • EBS Encryption - CC6.1

  • KMS Key Rotation - CC6.1

  • Backup Jobs - A1.1, A1.2

  • RDS Snapshots - A1.1, A1.2

ISO 27001 Controls by Evidence Source

  • IAM Password Policy - A.5.15, A.5.17

  • IAM MFA Status - A.5.15, A.5.16, A.5.17

  • IAM Access Keys - A.5.15, A.5.16, A.5.17, A.5.18

  • CloudTrail Config - A.5.23, A.8.15

  • CloudTrail Events - A.5.18

  • CloudWatch Alarms - A.8.15, A.8.16

  • VPC Flow Logs - A.8.12, A.8.15, A.8.20

  • GuardDuty Status - A.5.23, A.8.16

  • GuardDuty Findings - A.8.12, A.8.16

  • Security Hub - A.5.23, A.8.16

  • AWS Config - A.8.9

  • Security Groups - A.5.15, A.8.3, A.8.9, A.8.20

  • Network ACLs - A.8.3, A.8.20

  • S3 Encryption - A.8.24

  • S3 Public Access - A.8.3, A.8.12

  • RDS Encryption - A.8.24

  • EBS Encryption - A.8.24

  • KMS Key Rotation - A.8.24

  • Backup Jobs - A.8.13

  • RDS Snapshots - A.8.13

Getting Started

To set up the AWS integration:

  1. Navigate to Settings > Integrations > AWS

  2. Click Connect AWS Account

  3. Follow the setup wizard to create an IAM role in your AWS account

  4. Paste the Role ARN and validate the connection

  5. Enable evidence sources for your compliance controls
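Added example, not Humadroid's own code or the wizard's output: the trust policy for the IAM role created in step 3, carrying the sts:ExternalId condition that the Security Model section relies on against confused-deputy abuse, plus a check that flags a trust policy which grants AssumeRole without that condition or to a principal other than the collector account. The collector account ID and external ID are constructed placeholders.

```python
import json

# Constructed values (assumptions, not from the Humadroid docs): the collector's AWS
# account id and the per-customer external ID the setup wizard would issue.
COLLECTOR_ACCOUNT = "111122223333"
EXTERNAL_ID = "hd-ext-0123456789abcdef"


def build_trust_policy(collector_account, external_id):
    """Trust policy for the cross-account role: only the collector account may assume
    it, and only while presenting the agreed external ID (confused-deputy defence)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{collector_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def trust_policy_findings(policy, collector_account):
    """Return why a trust policy is unsafe (empty list = passes): AssumeRole granted to
    a wildcard or foreign AWS principal, or granted without an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        arns = [arns] if isinstance(arns, str) else arns       # "*" or a bare account id
        for arn in arns:
            if arn != collector_account and f":{collector_account}:" not in arn:
                findings.append(f"statement {i}: principal {arn} is not the collector account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(f"statement {i}: AssumeRole allowed without sts:ExternalId")
    return findings


if __name__ == "__main__":
    safe = build_trust_policy(COLLECTOR_ACCOUNT, EXTERNAL_ID)
    weak = build_trust_policy(COLLECTOR_ACCOUNT, EXTERNAL_ID)
    del weak["Statement"][0]["Condition"]        # same role, but without the external ID
    print(json.dumps(safe, indent=2))
    print("safe:", trust_policy_findings(safe, COLLECTOR_ACCOUNT))   # []
    print("weak:", trust_policy_findings(weak, COLLECTOR_ACCOUNT))   # 1 finding
```

The check is meant for reviewing the role's trust relationship after the wizard creates it; the permissions policy attached to the role is covered by the list in the next section.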


AWS Permissions Required

The integration requires read-only permissions via the AWS-managed SecurityAudit policy plus the following additional permissions:

Core Permissions

iam:GetAccountPasswordPolicy
iam:ListUsers
iam:ListMFADevices
iam:ListAccessKeys
iam:GetAccessKeyLastUsed
cloudtrail:DescribeTrails
cloudtrail:GetTrailStatus
cloudtrail:LookupEvents
cloudwatch:DescribeAlarms
guardduty:ListDetectors
guardduty:GetDetector
guardduty:GetFindings
securityhub:GetEnabledStandards
securityhub:GetFindings
ec2:DescribeFlowLogs
ec2:DescribeVpcs
ec2:DescribeSecurityGroups
ec2:DescribeNetworkAcls
ec2:DescribeVolumes
s3:ListAllMyBuckets
s3:GetBucketEncryption
s3:GetBucketPublicAccessBlock
rds:DescribeDBInstances
rds:DescribeDBSnapshots
kms:ListKeys
kms:GetKeyRotationStatus
backup:ListBackupJobs
backup:ListBackupPlans
config:DescribeConfigurationRecorders
config:DescribeConfigurationRecorderStatus

Support

If you need help with your AWS integration: