The Manual Compliance Tax
Every quarter, teams preparing for SOC 2, PCI DSS, or HIPAA audits face the same experience: a frantic week of screenshots, CSV exports, and evidence gathering. Someone runs a script to list all IAM users. Someone else screenshots every Config compliance check. A third person pulls 90 days of CloudTrail logs for specific API calls. The auditor asks a follow-up question, and the process starts again.
This is expensive, error-prone, and doesn't have to happen this way. AWS provides the raw material for compliance evidence — CloudTrail logs, Config compliance data, Security Hub findings, access logs — and a set of tools to collect and organize it. Compliance automation means using those tools to continuously collect evidence, so that audit preparation is a matter of hours rather than weeks.
This guide covers how to automate compliance evidence collection and continuous control monitoring for the most common AWS compliance frameworks.
The Evidence Collection Problem
Compliance frameworks require evidence of two things: that controls are in place and that they're effective. For AWS environments, this breaks down into:
- Configuration evidence: Are resources configured correctly? (Encryption enabled, MFA enforced, logging active)
- Activity evidence: What actions were taken and by whom? (Access logs, API call history, change records)
- Continuous monitoring evidence: Are you detecting and responding to issues? (Alert configurations, incident tickets, response documentation)
AWS native tools produce all of this evidence continuously. The automation challenge is collecting it in a format that auditors can review.
AWS Security Hub as a Compliance Control Center
Security Hub provides a pre-built compliance framework implementation through its security standards. The AWS Foundational Security Best Practices (FSBP) standard maps to controls required by SOC 2, PCI DSS, HIPAA, and ISO 27001. Enable it for continuous, scored assessment:
```shell
# Enable Security Hub with the default standards (FSBP and CIS) switched on
aws securityhub enable-security-hub --enable-default-standards
# Auto-enabling of newly released controls is an account-level setting, so it is
# turned off with update-security-hub-configuration rather than enable-security-hub
aws securityhub update-security-hub-configuration --no-auto-enable-controls
```
Security Hub automatically evaluates controls and produces findings for each failing check. For audit evidence, export your compliance findings to S3 on a scheduled basis — this creates a time-stamped record of your control effectiveness over the audit period.
For SOC 2 specifically, Security Hub's controls map to the Trust Services Criteria. A control that's been "passing" in Security Hub for the entire audit period is strong evidence of a properly implemented control. For more on SOC 2, see our SOC 2 compliance guide.
AWS Config: Continuous Configuration Evidence
AWS Config provides two compliance-critical capabilities: a continuously updated record of resource configurations, and managed rules that evaluate compliance automatically.
Config as Audit Evidence
For any point in time during an audit period, Config can answer: what was the configuration of resource X? This is essential for demonstrating that encryption was enabled, logging was active, and public access was blocked — not just that it is now, but that it was during the audit period. Config's configuration history provides this retroactively.
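An added example (not from the original guide) of the point-in-time question above: given Config configuration history for one resource, it reports the configuration in effect at a chosen time and whether a check (here, EBS encryption) held for the whole audit window. The sample history is constructed but shaped like the `configurationItems` that boto3's `get_resource_config_history` returns.

```python
import json
from datetime import datetime

# Constructed sample history for one EBS volume: capture time plus the resource
# configuration as a JSON string, as boto3 returns it. The volume was created
# unencrypted and became encrypted on 2024-03-10.
SAMPLE_HISTORY = [
    {"configurationItemCaptureTime": datetime.fromisoformat("2024-01-05T10:00:00+00:00"),
     "configuration": json.dumps({"volumeId": "vol-0example", "encrypted": False})},
    {"configurationItemCaptureTime": datetime.fromisoformat("2024-03-10T15:30:00+00:00"),
     "configuration": json.dumps({"volumeId": "vol-0example", "encrypted": True})},
]


def _ts(value):
    """Accept a datetime (what boto3 returns) or an ISO 8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def config_at(history, when):
    """Configuration in effect at `when`: the latest item captured at or before it."""
    when = _ts(when)
    earlier = [i for i in history if i["configurationItemCaptureTime"] <= when]
    if not earlier:
        return None  # Config had not recorded the resource yet
    latest = max(earlier, key=lambda i: i["configurationItemCaptureTime"])
    return json.loads(latest["configuration"])


def compliant_throughout(history, start, end, check):
    """True only if `check` held at `start` and after every change up to `end`.
    No recorded configuration at `start` counts as a failure: there is no
    evidence for that part of the audit window."""
    start, end = _ts(start), _ts(end)
    initial = config_at(history, start)
    if initial is None or not check(initial):
        return False
    changes = [i for i in history if start < i["configurationItemCaptureTime"] <= end]
    return all(check(json.loads(i["configuration"])) for i in changes)


def encrypted(cfg):
    return cfg.get("encrypted") is True

# Fetching real history (assumed call shape, not exercised here). Omit earlierTime
# so the item in effect at the window start is included, not only the changes
# made inside the window:
#   boto3.client("config").get_resource_config_history(
#       resourceType="AWS::EC2::Volume", resourceId="vol-...", laterTime=end
#   )["configurationItems"]
```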
Conformance Packs for Framework Compliance
AWS provides pre-built conformance packs that implement controls for specific frameworks:
```shell
aws configservice put-conformance-pack \
  --conformance-pack-name "OperationalBestPracticesForPCI" \
  --template-s3-uri "s3://aws-configservice-us-east-1/conformance-packs/Operational-Best-Practices-for-PCI-DSS.yaml"
```
Available packs include PCI DSS, HIPAA, NIST CSF, SOC 2, and CIS Benchmarks. Each pack deploys a set of Config rules that map to framework controls. Compliance evidence is the conformance pack status report, exportable as CSV. See our conformance packs guide for detailed setup.
Automating Evidence Collection
A Lambda function on a weekly schedule can collect compliance evidence and store it in S3 for auditor review:
```python
import json
import os
from datetime import datetime, timezone

import boto3


def collect_compliance_evidence(event, context):
    # Date-stamped key so each weekly run becomes a distinct, time-stamped record
    timestamp = datetime.now(timezone.utc).strftime('%Y-%m-%d')
    s3 = boto3.client('s3')
    config = boto3.client('config')
    securityhub = boto3.client('securityhub')

    # Export Config compliance summary. The API is paginated (100 rules per
    # page), so iterate with a paginator rather than a single call.
    rules_summary = {}
    for page in config.get_paginator('describe_compliance_by_config_rule').paginate():
        for rule in page['ComplianceByConfigRules']:
            rules_summary[rule['ConfigRuleName']] = rule['Compliance']['ComplianceType']

    # Count open, failing Security Hub control findings. get_findings also
    # pages (100 per call), so len() of one response would undercount.
    # Only ACTIVE records are counted; archived findings are not current failures.
    failing = 0
    for page in securityhub.get_paginator('get_findings').paginate(
        Filters={
            'WorkflowStatus': [{'Value': 'NEW', 'Comparison': 'EQUALS'}],
            'ComplianceStatus': [{'Value': 'FAILED', 'Comparison': 'EQUALS'}],
            'RecordState': [{'Value': 'ACTIVE', 'Comparison': 'EQUALS'}],
        }
    ):
        failing += len(page['Findings'])

    evidence = {
        'timestamp': timestamp,
        'config_compliance': rules_summary,
        'security_hub_failing_controls': failing,
    }
    s3.put_object(
        Bucket=os.environ.get('EVIDENCE_BUCKET', 'my-compliance-evidence'),
        Key=f'weekly-reports/{timestamp}.json',
        Body=json.dumps(evidence, indent=2),
        ContentType='application/json',
    )
    return evidence
```
CloudTrail as Audit Evidence
CloudTrail provides the immutable record of who did what, when — essential for SOC 2 CC6, PCI DSS requirement 10, and HIPAA audit controls. Key CloudTrail configurations for compliance:
- Enable multi-region trail in every account
- Enable S3 data events for sensitive buckets
- Enable log file integrity validation (creates a tamper-evident hash chain)
- Store logs in a dedicated logging account with SCPs preventing deletion
For audit evidence, CloudTrail log file integrity validation lets you prove to auditors that logs haven't been modified. CloudTrail delivers signed digest files alongside the logs; validating the log files against those digests gives cryptographic proof of log integrity, and the validation output can be filed with the evidence package. See our log integrity guide.
IAM Evidence: Access Control Documentation
Compliance frameworks require evidence that access is restricted to those who need it (least privilege) and that access is reviewed periodically. Automate IAM credential reports:
```shell
# Report generation is asynchronous: if get-credential-report returns
# ReportInProgress, wait a few seconds and run it again.
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d > iam-credential-report.csv
```
Schedule this monthly and store in your compliance evidence bucket. The credential report shows all IAM users, their last login, key age, and MFA status — evidence of access control hygiene. See our access key rotation guide for key management practices.
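An added example (not from the original guide) that turns the credential report CSV into the access-control evidence listed above: MFA coverage, stale console passwords, and access keys past a rotation age. The report below is constructed with a subset of the real report's columns, and the 90-day thresholds are an assumed policy, not an AWS default.

```python
import csv
import io
from datetime import datetime

# Constructed credential report (real column names, subset of columns).
# Root has MFA; alice is healthy; bob has no MFA, an old key and an unused password.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-02-01T00:00:00+00:00,true,2024-06-01T08:00:00+00:00,2024-04-01T00:00:00+00:00,2024-07-01T00:00:00+00:00,true,true,2024-05-15T00:00:00+00:00,2024-06-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T00:00:00+00:00,true,2023-11-01T08:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,false,true,2022-01-01T00:00:00+00:00,2023-10-01T00:00:00+00:00,false,N/A,N/A
"""


def _age_days(value, now):
    """Days since an ISO timestamp; None for N/A, not_supported or no_information."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def summarize(report_csv, now_iso, max_key_age=90, max_idle=90):
    """Access-control evidence from a credential report (assumed 90-day thresholds)."""
    now = datetime.fromisoformat(now_iso)
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    findings = []
    root = next((r for r in rows if r["user"] == "<root_account>"), None)
    if root and root["mfa_active"] != "true":
        findings.append(("<root_account>", "root user has no MFA"))
    users = [r for r in rows if r["user"] != "<root_account>"]
    for r in users:
        console = r["password_enabled"] == "true"
        if console and r["mfa_active"] != "true":
            findings.append((r["user"], "console access without MFA"))
        idle = _age_days(r["password_last_used"], now)
        if console and idle is not None and idle > max_idle:
            findings.append((r["user"], f"password unused for {idle} days"))
        for k in ("1", "2"):  # each user can hold up to two access keys
            if r[f"access_key_{k}_active"] == "true":
                age = _age_days(r[f"access_key_{k}_last_rotated"], now)
                if age is not None and age > max_key_age:
                    findings.append((r["user"], f"access key {k} is {age} days old"))
    with_mfa = sum(1 for r in users if r["mfa_active"] == "true")
    coverage = round(100.0 * with_mfa / len(users), 1) if users else 100.0
    return {"users": len(users), "mfa_coverage_pct": coverage, "findings": findings}
```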
Compliance Dashboard: Real-Time Posture
Rather than collecting evidence only at audit time, build a continuous compliance dashboard:
- Security Hub compliance score by standard (FSBP, PCI, HIPAA)
- Config conformance pack compliance percentage
- GuardDuty findings count by severity (see findings guide)
- CloudTrail coverage (all regions enabled, integrity validation enabled)
- Encryption coverage (% of EBS volumes encrypted, % of RDS with encryption)
- MFA coverage (% of IAM users with MFA enabled)
Vigilare provides this view out of the box for AWS accounts it monitors, surfacing the key compliance metrics continuously rather than requiring point-in-time evidence collection.
Vendor Management and Third-Party Evidence
Compliance frameworks require not just evidence about your environment but evidence about your vendors. For AWS specifically:
- AWS publishes compliance reports (SOC 2, PCI AOC, HIPAA BAA) in AWS Artifact — download them annually for your compliance package
- Document which AWS services are in scope for each framework
- Review AWS's Shared Responsibility Model documentation for your specific services
FAQ
Can I achieve SOC 2 compliance using only AWS native tools?
Yes, for most controls. AWS native tools (CloudTrail, Config, Security Hub, GuardDuty) provide evidence for the majority of SOC 2 Trust Services Criteria. You'll still need non-AWS evidence for HR controls, physical security (handled by AWS), and organizational policies, but the infrastructure evidence is largely automatable with native tools.
How far back does Config keep configuration history?
By default, AWS Config retains configuration history for 7 years. For compliance purposes, the standard audit period (12 months for SOC 2, point-in-time for PCI) is well within this retention window.
Does Security Hub map to specific SOC 2 criteria?
Security Hub's FSBP standard doesn't explicitly map controls to SOC 2 criteria, but many controls correspond. AWS publishes a mapping document in the Security Hub documentation. Your auditor may want to review this mapping as part of the audit. Most SOC 2 audit firms have developed their own mappings for common AWS configurations.
Written by Viktor B.
Co-founder & CEO