# Your First Compliance Audit
After discovering your infrastructure, run compliance audits to identify security gaps and policy violations.
## How Compliance Auditing Works
Infracast evaluates your infrastructure graph against compliance rules mapped to industry frameworks:
```text
+----------------+     +----------------+     +----------------+
|   Node Graph   | --> |  Audit Engine  | --> |    Findings    |
|  (167 nodes)   |     |  (776 rules)   |     |  (violations)  |
+----------------+     +----------------+     +----------------+
                               |
                               v
                       +----------------+
                       |   Framework    |
                       |    Mappings    |
                       | NIST, CIS, etc |
                       +----------------+
```
## Step 1: Enable Compliance Frameworks
### Navigate to Settings
- Click Settings in the left sidebar
- Select the Compliance Frameworks tab
### Enable Frameworks
Toggle on the frameworks relevant to your organization:
| Framework | Best For |
|---|---|
| NIST 800-53 | Federal agencies, government contractors |
| CMMC | Defense contractors (DoD supply chain) |
| FedRAMP | Cloud services for federal agencies |
| PCI-DSS | Organizations handling credit cards |
| SOC 2 | SaaS companies, service providers |
| HIPAA | Healthcare organizations |
| CIS Benchmarks | General security hardening |
| STIGs | DoD systems, high-security environments |
If you're unsure, start with CIS Benchmarks: they provide practical, actionable security guidance for AWS, Azure, and common platforms.
### Save Settings
Click Save to enable the selected frameworks.
## Step 2: View Findings
### Navigate to Findings
Click Findings in the left sidebar. You'll see compliance violations discovered in your infrastructure.
### Findings Overview
Each finding includes:
| Field | Description |
|---|---|
| Severity | CRITICAL, HIGH, MEDIUM, LOW, INFO |
| Risk Score | 0-100 calculated risk score |
| Framework | Which compliance framework (e.g., NIST 800-53) |
| Control | Specific control ID (e.g., AC-2) |
| Resource | Affected node (e.g., sg-legacy-open) |
| Description | What's wrong and why it matters |
### Example Finding
```text
+----------------------------------------------------------------
| [HIGH] Security Group Allows Unrestricted SSH
+----------------------------------------------------------------
| Framework:  CIS AWS Foundations v1.5
| Control:    5.2 - Ensure no security groups allow 0.0.0.0/0
| Resource:   aws:us-east-1:aws.ec2.security_group:sg-legacy
| Risk Score: 78
+----------------------------------------------------------------
| Description:
| Security group sg-legacy allows inbound SSH (port 22) from
| 0.0.0.0/0. This exposes the associated instances to brute
| force attacks from the entire internet.
|
| Remediation:
| Restrict the source IP range to known bastion hosts or VPN
| CIDR blocks. Consider using AWS Systems Manager Session
| Manager for SSH-less access.
+----------------------------------------------------------------
```
## Step 3: Prioritize by Risk
### Sort by Risk Score
The Risk Score (0-100) combines:
- Severity of the finding
- Exposure (internet-facing vs internal)
- Asset criticality (production vs dev)
- Exploitability
Sort by risk score to tackle highest-impact issues first.
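As an added illustration (not Infracast's own engine or rule code), here is a minimal audit pass in Python: one CIS-style rule evaluated over constructed security-group nodes, with a 0-100 risk score folded together from the four factors above. The node fields, the rule's port/CIDR check and the weights are assumptions for illustration.

```python
from dataclasses import dataclass
SEVERITY_POINTS = {"CRITICAL": 40, "HIGH": 30, "MEDIUM": 20, "LOW": 10, "INFO": 0}

@dataclass
class Node:
    node_id: str                   # e.g. "aws:us-east-1:aws.ec2.security_group:sg-legacy"
    ingress: list                  # (from_port, to_port, source_cidr) tuples (assumed shape)
    internet_facing: bool = False  # exposure factor
    environment: str = "dev"       # asset criticality: "prod" or "dev"

@dataclass
class Finding:
    severity: str
    framework: str
    control: str
    resource: str
    evidence: dict
    risk_score: int

def risk_score(severity, internet_facing, environment, exploitability):
    """Fold the four factors into 0-100; the weights are illustrative assumptions."""
    score = SEVERITY_POINTS[severity]
    score += 25 if internet_facing else 5
    score += 20 if environment == "prod" else 5
    score += int(15 * exploitability)  # exploitability in [0.0, 1.0]
    return min(score, 100)

def cis_5_2_unrestricted_ssh(node):
    """CIS AWS Foundations 5.2: no security group allows 0.0.0.0/0 to port 22."""
    hits = [r for r in node.ingress if r[0] <= 22 <= r[1] and r[2] == "0.0.0.0/0"]
    if not hits:
        return None
    return Finding("HIGH", "CIS AWS Foundations v1.5", "5.2", node.node_id,
                   {"ingress_rules": hits},
                   risk_score("HIGH", node.internet_facing, node.environment, 0.9))

RULES = [cis_5_2_unrestricted_ssh]

def audit(nodes):
    """Run every rule over every node; return findings, highest risk first."""
    findings = [f for n in nodes for rule in RULES if (f := rule(n)) is not None]
    return sorted(findings, key=lambda f: f.risk_score, reverse=True)

SAMPLE_NODES = [  # constructed sample graph: open legacy group and a bastion-only group
    Node("aws:us-east-1:aws.ec2.security_group:sg-legacy",
         [(22, 22, "0.0.0.0/0"), (443, 443, "0.0.0.0/0")], True, "prod"),
    Node("aws:us-east-1:aws.ec2.security_group:sg-bastion-only",
         [(22, 22, "10.0.100.0/24")], False, "prod"),
]
```

Only the open group produces a finding; the bastion-only group passes the rule even though it also exposes port 22, because its source is a private CIDR.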
### Filter by Severity
Use the severity filter to focus on specific levels:
- CRITICAL: fix immediately (data exposure, credential leak)
- HIGH: fix within 1 week (public-facing misconfigurations)
- MEDIUM: fix within 1 month (hardening gaps)
- LOW: fix when convenient (best practices)
## Step 4: Investigate a Finding
### Click to Expand
Click any finding to see:
- Full Description: detailed explanation
- Remediation Steps: how to fix it
- Evidence: node properties that triggered the finding
- Related Nodes: other affected resources
- Framework Mapping: which controls this violates
### View in Topology
Click View in Topology to see the resource in context:
- What VPC/subnet is it in?
- What's connected to it?
- Is it internet-exposed?
### Trace Path
For network-related findings, use Trace Path:
- Check if the misconfigured resource is actually reachable from the internet
- Identify chokepoints where you could add controls
- Validate that your network segmentation works
## Step 5: Remediate
### Direct Remediation
For IaC-managed resources, Infracast can generate fixes:
```hcl
resource "aws_security_group_rule" "ssh_restricted" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  # Changed from 0.0.0.0/0 to the bastion CIDR
  cidr_blocks       = ["10.0.100.0/24"]
  security_group_id = aws_security_group.legacy.id
}
```
### Create Ticket
Click Create Ticket to send the finding to Jira, ServiceNow, or your configured ticketing system.
### Mark as Accepted Risk
If you've reviewed the finding and decided to accept the risk:
- Click Accept Risk
- Provide justification
- Set review date (when to revisit)
Accepted risks don't count toward compliance percentages but remain visible for auditors.
## Step 6: Generate Reports
### Compliance Summary Report
Navigate to Reports and generate a summary:
| Report Type | Contents |
|---|---|
| Executive Summary | Overall compliance posture, trends, top risks |
| Framework Detail | Per-framework control status (NIST, CIS, etc.) |
| Finding Detail | Full list of findings with evidence |
| Remediation Plan | Prioritized fix list with effort estimates |
### Export Formats
- PDF: for executives and auditors
- CSV: for importing into GRC tools
- JSON: for API/automation integration
### Schedule Reports
Set up automated weekly or monthly reports:
- Click Schedule Report
- Select report type and format
- Choose recipients (email addresses)
- Set frequency (weekly, monthly)
## Understanding Compliance Scores
### Overall Score
The compliance score is calculated as:
Score = (Passing Controls / Total Applicable Controls) × 100
For example, if NIST 800-53 has 300 applicable controls and 240 pass:
Score = (240 / 300) × 100 = 80%
### By Framework
Each framework shows its own score:
| Framework | Passing | Applicable | Score |
|---|---|---|---|
| NIST 800-53 | 240 | 300 | 80% |
| CIS AWS | 42 | 50 | 84% |
| PCI-DSS | 180 | 200 | 90% |
### Trend Tracking
Infracast tracks your compliance score over time:
- Weekly trend charts
- Month-over-month improvement
- Regression alerts (score dropped)
## Continuous Monitoring
### Automatic Re-Evaluation
Every discovery run triggers compliance re-evaluation:
- Discovery finds new/changed resources
- Audit engine runs applicable rules
- New findings appear (or existing ones resolve)
- Compliance scores update
### Real-Time Alerts
Configure alerts for compliance events:
- New CRITICAL finding detected
- Compliance score drops below threshold
- Previously fixed issue regressed
### Integration with CI/CD
Block deployments that introduce compliance violations:
```yaml
- name: Check Compliance
  run: |
    set -euo pipefail
    # -f makes curl fail on HTTP errors so an API outage cannot yield an empty
    # SCORE that silently passes the gate; floor handles a fractional score
    SCORE=$(curl -sf -H "Authorization: Bearer $TOKEN" \
      "$API_URL/api/v1/tenants/$TENANT/compliance/score" | jq '.score | floor')
    if [ "$SCORE" -lt 80 ]; then
      echo "Compliance score $SCORE below threshold (80)"
      exit 1
    fi
```
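A complementary gate, added here as an example rather than Infracast's own code: it diffs the previous and current JSON findings exports so the pipeline also blocks on a new CRITICAL finding or on a previously resolved finding that has reopened (the regression case under Real-Time Alerts). The export field names and the sample records are constructed assumptions, not the product's real schema.

```python
import json

# Constructed sample exports (assumed schema: one record per finding with the
# fields shown on the Findings page plus a status of open/resolved/accepted).
PREVIOUS_EXPORT = """[
 {"severity":"HIGH","framework":"CIS AWS Foundations v1.5","control":"5.2",
  "resource":"aws:us-east-1:aws.ec2.security_group:sg-legacy","status":"resolved"},
 {"severity":"MEDIUM","framework":"NIST 800-53","control":"AC-2",
  "resource":"aws:iam:user:svc-deploy","status":"accepted"}
]"""
CURRENT_EXPORT = """[
 {"severity":"HIGH","framework":"CIS AWS Foundations v1.5","control":"5.2",
  "resource":"aws:us-east-1:aws.ec2.security_group:sg-legacy","status":"open"},
 {"severity":"MEDIUM","framework":"NIST 800-53","control":"AC-2",
  "resource":"aws:iam:user:svc-deploy","status":"accepted"},
 {"severity":"CRITICAL","framework":"NIST 800-53","control":"AC-2",
  "resource":"aws:iam:user:svc-admin","status":"open"}
]"""

def key(f):
    """Identity of a finding across runs: framework, control and resource."""
    return (f["framework"], f["control"], f["resource"])

def gate(previous_json, current_json, score, threshold=80):
    """Return (passed, reasons). Fails on a low score, a new CRITICAL finding,
    or a finding that was resolved in the previous run and is open again."""
    previous = {key(f): f for f in json.loads(previous_json)}
    reasons = []
    if score < threshold:
        reasons.append(f"compliance score {score} below threshold ({threshold})")
    for f in json.loads(current_json):
        if f["status"] != "open":
            continue  # accepted risks and resolved findings do not block
        old = previous.get(key(f))
        if old is None and f["severity"] == "CRITICAL":
            reasons.append(f"new CRITICAL finding: {f['control']} on {f['resource']}")
        elif old is not None and old["status"] == "resolved":
            reasons.append(f"regression: {f['control']} on {f['resource']} reopened")
    return (not reasons, reasons)
```

In a pipeline the previous export would be the artifact saved by the last successful run and the score the value the API step above already fetched.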
## What's Next?
- Compliance Deep Dives: detailed guides for each framework
- Set Up Integrations: connect Jira, Slack, ServiceNow
- Generate SSP: auto-generate System Security Plans