Auto Checks: AWS

Auto Checks is a feature that verifies technical configurations in your cloud environment against ISO 27001 requirements. These checks are run automatically and linked to your implementation steps within Kertos.

Feature Overview

Auto Checks for AWS enable automated detection of misconfigurations in your AWS cloud environment, mapped to ISO 27001:2022 controls and curated with auditor input. They help your organization continuously validate its compliance posture across key services such as IAM, CloudTrail and Access Analyzer.

How It Works

How do I activate Auto Checks for AWS in Kertos?
Steps to enable Auto Checks for AWS:

  • Go to Integrations Page
  • Click Setup on the AWS Integration card
  • Click Reconfigure
  • Toggle Auto Checks ON
  • Click Save
  • Start a discovery run by clicking Start Scan

Once completed, relevant Auto Checks for the AWS services in use will be linked automatically to controls and implementation steps.

What Are the AWS Auto Checks Based On?

The AWS Auto Checks are based on the CIS Amazon Web Services Foundations Benchmark v5.0.0 - 03-31-2025. This Benchmark is an industry-standard security guideline developed by the Center for Internet Security, which defines best-practice configurations to reduce risk in cloud environments.

In close collaboration with auditors, we curated a selection of the most relevant Auto Checks for compliance and security and aligned them with ISO 27001:2022 controls to provide clear audit evidence and actionable remediation guidance.

Which Auto Checks are available for AWS, and how are they mapped to ISO 27001:2022 controls?

Each Auto Check is mapped to a specific ISO 27001:2022 control, helping to demonstrate technical implementation of key requirements. Below is the full list of our supported AWS Auto Checks and their control mappings:

ISO Control ID | ISO Control Title | Auto Check Title
A.5.15 | Access Control | Ensure custom IAM policies do not allow overly permissive role assumption
A.5.15 | Access Control | Protect IAM service roles from confused deputy attacks using proper trust policies
A.5.17 | Authentication information | Avoid provisioning access keys during initial IAM user creation when console login is enabled
A.5.17 | Authentication information | Detect IAM users with multiple active access keys and enforce key rotation
A.5.18 | Access Rights | Confirm IAM Access Analyzer is enabled to monitor access permissions
A.5.24 | Information security incident management planning and preparation | Maintain accurate and up-to-date AWS account contact information
A.5.24 | Information security incident management planning and preparation | Register a valid security contact in the AWS account settings
A.8.2 | Privileged access rights | Ensure no IAM AWS-managed policies grant full administrative access
A.8.2 | Privileged access rights | Ensure customer-managed IAM policies do not grant full administrative access
A.8.2 | Privileged access rights | Prevent IAM identities from having inline policies with unrestricted access
A.8.2 | Privileged access rights | Block IAM inline policies that enable privilege escalation
A.8.2 | Privileged access rights | Prevent creation of IAM inline policies with full CloudTrail access
A.8.2 | Privileged access rights | Prevent creation of IAM inline policies with full KMS access
A.8.2 | Privileged access rights | Block customer-managed IAM policies that could lead to privilege escalation
A.8.2 | Privileged access rights | Avoid IAM policies granting unrestricted CloudTrail access
A.8.2 | Privileged access rights | Avoid IAM policies granting unrestricted KMS access
A.8.2 | Privileged access rights | Prevent IAM roles from assigning ReadOnlyAccess permissions to external AWS accounts
A.8.3 | Information access restriction | Prevent IAM roles from assigning ReadOnlyAccess permissions to external AWS accounts
A.8.5 | Secure authentication | Enforce MFA for the AWS root account
A.8.5 | Secure authentication | Ensure the root account does not have any active access keys
A.8.15 | Logging | Verify CloudTrail is logging management events across all AWS regions
A.8.15 | Logging | Configure a log metric filter and alarm for unauthorized API calls
A.8.16 | Monitoring activities | Confirm that Amazon GuardDuty is enabled for threat detection
A.8.16 | Monitoring activities | Configure a log metric filter and alarm for root account usage
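As an added illustration (not Kertos' own check code), the Python below applies the logic behind the A.8.2 checks in the table, full administrative access and unrestricted CloudTrail or KMS access in customer-managed policies, to IAM policy documents. The sample policies and all function names are constructed for this example; it generalises to any further service prefix added to SERVICE_CHECKS, and in practice the documents would come from `aws iam get-policy-version`.

```python
import json

# Services with their own "unrestricted access" Auto Check on this page; full admin "*"
# is handled separately. These names are this example's own, not Kertos' or AWS'.
SERVICE_CHECKS = ("cloudtrail", "kms")

def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unrestricted_services(policy_doc):
    """Return the set of unrestricted grants in one policy document: "*" for full
    admin (Action "*" on Resource "*") or a service prefix for "<service>:*" on
    Resource "*". IAM action names are case-insensitive, so compare lowercased.
    Statements carrying a Condition are still flagged (conservative: review them)."""
    if isinstance(policy_doc, str):  # also accept the document as a JSON string
        policy_doc = json.loads(policy_doc)
    found = set()
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to specific ARNs: not the pattern these checks target
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "*" in actions:
            found.add("*")
        found.update(svc for svc in SERVICE_CHECKS if f"{svc}:*" in actions)
    return found

SAMPLE_POLICIES = {  # constructed sample customer-managed policies, not data from a real account
    "AdminEverything": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "TrailOps": {"Statement": {"Effect": "Allow", "Action": ["CloudTrail:*", "s3:GetObject"], "Resource": ["*"]}},
    "ScopedKms": {"Statement": [{"Effect": "Allow", "Action": "kms:*",
                                 "Resource": "arn:aws:kms:eu-central-1:111122223333:key/example-key-id"}]},
    "DenyAll": {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]},
}

def audit(policies):
    """Map policy name -> sorted unrestricted grants, omitting clean policies."""
    findings = {}
    for name, doc in policies.items():
        hits = unrestricted_services(doc)
        if hits:
            findings[name] = sorted(hits)
    return findings
```

Running `audit(SAMPLE_POLICIES)` flags only AdminEverything (full admin) and TrailOps (unrestricted CloudTrail); the KMS policy scoped to one key ARN and the Deny statement are not reported.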

FAQs

Do I need to modify anything in AWS to activate Auto Checks?
No. If your integration is already configured with the right permissions, just enable Auto Checks in Kertos.

What AWS services are currently supported?
We currently support Auto Checks for the following AWS services:

  • IAM
  • CloudTrail
  • CloudWatch
  • GuardDuty
  • Access Analyzer

Can I disable Auto Checks for AWS?
Yes. Go to the AWS integration in Kertos, click Reconfigure, and toggle Auto Checks off.
