How control evidence is generated
Cloudryption links cloud findings and configurations to security control evidence through business-relevant context:
| Finding | Example resource | Finding Type | Evidence Link | Related Identities | Business Context | Decision Impact | Recommended Action |
|---|---|---|---|---|---|---|---|
| Public S3 bucket | prod-backups-2024 | Misconfiguration | AccessControl-001 | S3-admin-role (5 users) | Contains customer data backups (PII) | Blocks compliance attestation for data residency | Add bucket policy to restrict public access |
| Over-privileged IAM role | Lambda-automation-prod | Permission gap | AccessControl-002 | Assumed by 3 Lambda functions | Production workload, non-critical | Enables lateral movement to data tier | Scope permissions to specific resources |
| Unencrypted RDS instance | app-database-prod | Control gap | Encryption-001 | RDS-access-role | Stores application state (medium sensitivity) | Fails encryption-at-rest control requirement | Enable encryption with AWS KMS |
| Missing MFA on IAM user | engineering-admin (shared account) | Control gap | AuthN-001 | Engineer team (12 people) | Admin access to production AWS account | Increases incident response time if compromised | Enforce MFA for all console users |
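The table shows the output of the mapping; the script below is an added illustration of how such evidence records can be produced. It is not Cloudryption's code, and the inventory records, field names (`public_access_block`, `storage_encrypted`, `mfa_enabled`, and so on) and the `Check`/`Evidence` structures are assumptions chosen for the example. Each check evaluates one resource type against one control and emits an evidence record for every applicable resource, passing or failing, so attestation can cite passes as well as findings; the control identifiers and business context strings are the ones from the table above.

```python
"""Generate control-evidence records from a constructed cloud inventory.

Added example, not Cloudryption's code. The inventory below is constructed
sample data; the record fields are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed sample inventory (field names assumed for this example).
INVENTORY = [
    {"type": "s3_bucket", "name": "prod-backups-2024", "public_access_block": False,
     "policy_allows_public": True, "identities": ["S3-admin-role (5 users)"],
     "context": "Contains customer data backups (PII)"},
    {"type": "s3_bucket", "name": "logs-archive-2024", "public_access_block": True,
     "policy_allows_public": False, "identities": ["logging-role"],
     "context": "Access logs (low sensitivity)"},
    {"type": "iam_role", "name": "Lambda-automation-prod", "actions": ["s3:*", "dynamodb:*"],
     "resources": ["*"], "identities": ["Assumed by 3 Lambda functions"],
     "context": "Production workload, non-critical"},
    {"type": "rds_instance", "name": "app-database-prod", "storage_encrypted": False,
     "identities": ["RDS-access-role"], "context": "Stores application state (medium sensitivity)"},
    {"type": "iam_user", "name": "engineering-admin", "console_access": True, "mfa_enabled": False,
     "identities": ["Engineer team (12 people)"], "context": "Admin access to production AWS account"},
]


@dataclass
class Evidence:
    control_id: str
    resource: str
    status: str              # "pass" or "fail"
    finding_type: str        # "none" when the control passes
    related_identities: list
    business_context: str
    decision_impact: str
    recommended_action: str


@dataclass
class Check:
    control_id: str
    resource_type: str
    finding_type: str
    decision_impact: str
    recommended_action: str
    passes: Callable[[dict], bool]   # True when the resource satisfies the control


# Predicates: each one encodes the condition the control requires.
def bucket_is_private(r: dict) -> bool:
    return r["public_access_block"] and not r["policy_allows_public"]


def role_is_scoped(r: dict) -> bool:
    # Wildcard actions or a wildcard resource mean the role is over-privileged.
    return not any(a.endswith("*") for a in r["actions"]) and "*" not in r["resources"]


def storage_encrypted(r: dict) -> bool:
    return r["storage_encrypted"]


def mfa_enforced(r: dict) -> bool:
    # Only console users need MFA; API-only users are out of scope for this check.
    return (not r["console_access"]) or r["mfa_enabled"]


CHECKS = [
    Check("AccessControl-001", "s3_bucket", "Misconfiguration",
          "Blocks compliance attestation for data residency",
          "Add bucket policy to restrict public access", bucket_is_private),
    Check("AccessControl-002", "iam_role", "Permission gap",
          "Enables lateral movement to data tier",
          "Scope permissions to specific resources", role_is_scoped),
    Check("Encryption-001", "rds_instance", "Control gap",
          "Fails encryption-at-rest control requirement",
          "Enable encryption with AWS KMS", storage_encrypted),
    Check("AuthN-001", "iam_user", "Control gap",
          "Increases incident response time if compromised",
          "Enforce MFA for all console users", mfa_enforced),
]


def generate_evidence(inventory: list, checks: list = CHECKS) -> list:
    """Run every applicable check against every resource; one record per pair."""
    evidence = []
    for res in inventory:
        for chk in checks:
            if chk.resource_type != res["type"]:
                continue
            ok = chk.passes(res)
            evidence.append(Evidence(
                control_id=chk.control_id, resource=res["name"],
                status="pass" if ok else "fail",
                finding_type="none" if ok else chk.finding_type,
                related_identities=list(res["identities"]),
                business_context=res["context"],
                decision_impact="none" if ok else chk.decision_impact,
                recommended_action="none" if ok else chk.recommended_action))
    return evidence


def findings(inventory: list) -> list:
    """Only the failing records, i.e. the rows that appear in the table above."""
    return [e for e in generate_evidence(inventory) if e.status == "fail"]


def attestation_blockers(evidence: list) -> list:
    """Controls with at least one failing resource, sorted for a stable report."""
    return sorted({e.control_id for e in evidence if e.status == "fail"})


if __name__ == "__main__":
    for e in findings(INVENTORY):
        print(f"{e.control_id:18} {e.resource:24} {e.finding_type:18} -> {e.recommended_action}")
    print("Blocked controls:", attestation_blockers(generate_evidence(INVENTORY)))
```

Keeping pass records alongside failures is deliberate: a compliant bucket such as the constructed `logs-archive-2024` still produces an `AccessControl-001` record with status `pass`, which is what an auditor needs to see for the control as a whole, whereas the findings list alone only shows what is broken.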
Important limitations
Control evidence is derived from cloud metadata, configuration, identity relationships, and supplied business context. Its accuracy therefore depends on:
- The accuracy of the cloud configuration data and of the business context supplied
- Third-party controls and authorization, which are not visible in cloud metadata
- Application-layer encryption and access controls, which are outside the cloud scope
- The accuracy of the compliance framework mapping
- Review with stakeholders to validate the compliance relevance of each finding
Ready to generate control evidence?
Start with a pilot to explore control evidence in your environment.