Understanding Controls
Controls are the building blocks of compliance. Each compliance framework defines a set of controls -- specific requirements or best practices that your infrastructure should meet. Guardian Pro evaluates these controls automatically by mapping them to its automated checks, giving you a clear picture of which requirements your environment satisfies and where gaps exist.
What Is a Control?
A control is a single, specific requirement from a compliance framework. For example:
- CIS 1.5: "Ensure MFA is enabled for the root user account"
- SOC 2 CC6.1: "Logical access security measures to protect against unauthorised access"
- GDPR Article 32: "Implement appropriate encryption of personal data"
- Well-Architected REL-2: "Design your workload to withstand component failures"
Each control represents a discrete aspect of compliance that can be evaluated independently.
How Controls Are Evaluated
Guardian Pro maps one or more automated checks to each control. The control's status is determined by the combined results of all its mapped checks:
Control Statuses
| Status | Icon | Meaning | Effect on Score |
|---|---|---|---|
| PASS | Green check | Every mapped check is passing across all evaluated resources | Counts as a passing control |
| FAIL | Red cross | At least one mapped check has found an issue on one or more resources | Counts as a failing control |
| NOT APPLICABLE | Grey dash | The control targets services or configurations not present in your environment | Excluded from score calculation |
A control passes only when all of its mapped checks pass across all resources. If even a single resource fails a single check, the entire control is marked as FAIL. This strict evaluation ensures that your compliance score reflects your actual posture with no blind spots.
Multi-Check Controls
Many controls map to more than one automated check. For example, a control requiring "comprehensive logging" might map to checks for CloudTrail, VPC flow logs, and S3 access logging. All three checks must pass for the control to pass.
When a multi-check control fails, the control detail view shows exactly which checks are failing and which are passing, so you can focus your remediation efforts on the specific gaps.
Resource-Level Evaluation
Each check evaluates every relevant resource in your environment. A check for "S3 bucket encryption" examines every S3 bucket across all accounts. If 99 out of 100 buckets are encrypted but one is not, the check fails, and any control that includes that check also fails.
The control detail view shows the affected resources, making it easy to identify exactly what needs to be fixed.
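To make these evaluation rules concrete, here is an added example in Python (not Guardian Pro's own code) that applies them to constructed data: a check with no resources to evaluate is NOT APPLICABLE, a control fails if any mapped check fails on any resource, NOT APPLICABLE controls are left out of the score, and per-account results are pooled so that one non-compliant resource in one account fails the control for the whole organisation (the rule given later under Controls Across Multiple Accounts). All check ids, control ids, resource names and account ids are placeholders.

```python
"""Added example, not Guardian Pro's code: a toy evaluator for the control rules
described on this page. Check ids, control ids, resource names and account ids
are all constructed placeholders."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Status(str, Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    NOT_APPLICABLE = "NOT APPLICABLE"


@dataclass
class CheckResult:
    check_id: str
    # resource id -> True if compliant; an empty dict means the check found
    # nothing to evaluate (the service is not in use in this environment)
    resources: Dict[str, bool] = field(default_factory=dict)


@dataclass
class Control:
    control_id: str
    framework: str
    check_ids: List[str]


def check_status(result: CheckResult) -> Status:
    """A check passes only if every evaluated resource is compliant."""
    if not result.resources:
        return Status.NOT_APPLICABLE
    return Status.PASS if all(result.resources.values()) else Status.FAIL


def control_status(control: Control, results: Dict[str, CheckResult]) -> Status:
    """Strict combination: one failing check anywhere fails the whole control."""
    statuses = [check_status(results[c]) for c in control.check_ids]
    applicable = [s for s in statuses if s is not Status.NOT_APPLICABLE]
    if not applicable:
        return Status.NOT_APPLICABLE
    return Status.FAIL if Status.FAIL in applicable else Status.PASS


def failing_resources(control: Control, results: Dict[str, CheckResult]) -> List[Tuple[str, str]]:
    """Affected resources for the detail view: (resource, failing check) pairs."""
    return sorted(
        (rid, cid)
        for cid in control.check_ids
        for rid, ok in results[cid].resources.items()
        if not ok
    )


def compliance_score(controls: Iterable[Control], results: Dict[str, CheckResult]) -> float:
    """Percentage of applicable controls that pass; NOT APPLICABLE is excluded."""
    statuses = [control_status(c, results) for c in controls]
    scored = [s for s in statuses if s is not Status.NOT_APPLICABLE]
    if not scored:
        return 100.0  # convention chosen here: nothing applicable, nothing failing
    return round(100.0 * scored.count(Status.PASS) / len(scored), 1)


def merge_accounts(per_account: Dict[str, Dict[str, CheckResult]]) -> Dict[str, CheckResult]:
    """Organisation-level view: pool every account's resources per check, so a
    single non-compliant resource in one account fails the check for the org."""
    merged: Dict[str, CheckResult] = {}
    for account, results in per_account.items():
        for cid, result in results.items():
            pooled = merged.setdefault(cid, CheckResult(cid))
            for rid, ok in result.resources.items():
                pooled.resources[f"{account}/{rid}"] = ok
    return merged


# Constructed sample data: two accounts, one bucket unencrypted, RDS not in use.
def _account(bucket_enc: Dict[str, bool]) -> Dict[str, CheckResult]:
    return {
        "cloudtrail_enabled": CheckResult("cloudtrail_enabled", {"trail-main": True}),
        "vpc_flow_logs": CheckResult("vpc_flow_logs", {"vpc-a": True, "vpc-b": True}),
        "s3_access_logging": CheckResult("s3_access_logging", {b: True for b in bucket_enc}),
        "s3_bucket_encryption": CheckResult("s3_bucket_encryption", bucket_enc),
        "rds_encryption": CheckResult("rds_encryption", {}),  # no RDS instances at all
    }


ACCOUNT_RESULTS = {
    "111111111111": _account({"bucket-a": True, "bucket-b": False}),  # placeholder ids
    "222222222222": _account({"bucket-c": True}),
}

CONTROLS = {c.control_id: c for c in [
    Control("LOG-1", "Example framework", ["cloudtrail_enabled", "vpc_flow_logs", "s3_access_logging"]),
    Control("ENC-1", "Example framework", ["s3_bucket_encryption"]),
    Control("RDS-1", "Example framework", ["rds_encryption"]),
]}

if __name__ == "__main__":
    org = merge_accounts(ACCOUNT_RESULTS)
    for cid, control in CONTROLS.items():
        print(cid, control_status(control, org).value, failing_resources(control, org))
    print("organisation score:", compliance_score(CONTROLS.values(), org))
    for account, results in ACCOUNT_RESULTS.items():
        print(account, "score:", compliance_score(CONTROLS.values(), results))
```

Running it shows the two rules that surprise people most: ENC-1 fails at organisation level because of one bucket in one account even though the other account is fully compliant, and RDS-1 neither helps nor hurts the score because no RDS resources exist.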
Viewing Controls
The Controls List
The Compliance Dashboard includes a controls list that shows every control across your subscribed frameworks. For each control, you can see:
- Control ID -- The framework-specific identifier (e.g., CIS 1.5, SOC 2 CC6.1)
- Title -- A human-readable description of the requirement
- Framework -- Which framework defines this control
- Status -- PASS, FAIL, or NOT APPLICABLE
- Severity -- The impact level (Critical, High, Medium, Low)
- Exception badge -- Indicates if an exception has been created for this control
Filtering Controls
You can filter the controls list to focus on what matters most:
| Filter | Options |
|---|---|
| Status | PASS, FAIL, NOT APPLICABLE |
| Framework | CIS AWS Foundations Benchmark, SOC 2, GDPR, Well-Architected |
| Severity | Critical, High, Medium, Low |
| Service | Filter by AWS service (IAM, S3, EC2, RDS, etc.) |
To quickly find your highest-priority compliance gaps, filter by Status: FAIL and Severity: Critical to see the most impactful failures first.
Grouping Controls
Controls can be grouped in several ways to suit your workflow:
- By framework -- See all controls for a specific framework together
- By service -- Group controls by the AWS service they evaluate (useful for assigning remediation by team)
- By status -- Group all passing, failing, and not-applicable controls together
Control Detail View
Clicking on a control opens a detailed view showing:
Summary
- The control's full title and description
- The framework and section it belongs to
- Current status and severity
- When it was last evaluated
Mapped Checks
A list of all automated checks that map to this control, showing:
- Check name and description
- Pass/fail status for each check individually
- Number of resources evaluated and number of resources failing
Affected Resources
For failing controls, a list of the specific resources that are causing the failure:
- Resource ID and name
- AWS account and region
- The specific check that the resource is failing
Exception and Evidence
Navigating from Controls to Remediation
One of Guardian Pro's most valuable features is the seamless link between compliance failures and remediation:
- View a failing control in the Compliance Dashboard.
- Click "View in Action Centre" to navigate to the Action Centre with findings pre-filtered to show only the issues relevant to this control.
- Remediate the findings using the Action Centre's remediation capabilities -- either automated one-click fixes or step-by-step manual guidance.
- Re-scan to verify the fix. The next scan re-evaluates the control, and if all checks now pass, the control status updates to PASS.
Remediating a finding does not instantly update the control status. The control is re-evaluated during the next scan. You can trigger a scan manually from the Dashboard to see updated results sooner.
Controls Across Multiple Accounts
In multi-account environments, a control is evaluated across all accounts in your organisation:
- The control's overall status reflects results from all accounts
- A control that passes in 9 accounts but fails in 1 account is still marked as FAIL at the organisation level
- You can filter the controls list by account to see per-account compliance status
This ensures that your compliance score reflects your entire organisation's posture, not just a single account.
Controls Shared Across Frameworks
Many automated checks are relevant to multiple frameworks. For example, a check for "S3 bucket encryption" might be mapped to controls in CIS, SOC 2, GDPR, and Well-Architected simultaneously.
This means that fixing a single check can improve your compliance score across multiple frameworks at once. Guardian Pro highlights these shared checks, helping you prioritise remediations that have the broadest compliance impact.
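As an added example (not Guardian Pro's code), the Python below ranks failing checks by how many controls, and across how many frameworks, would flip to PASS if that check alone were fixed, and separately lists controls the check contributes to but which would still be blocked by another failing check. The control ids, the check-to-control mapping and the check results are constructed placeholders.

```python
"""Added example, not Guardian Pro's code: rank failing checks by their
cross-framework remediation impact. Control ids, mappings and check results
are constructed placeholders."""
from typing import Dict, List, Tuple

# control id -> (framework, mapped check ids); constructed for illustration
CONTROL_MAP: Dict[str, Tuple[str, List[str]]] = {
    "CIS example-1": ("CIS", ["s3_bucket_encryption"]),
    "SOC 2 example-1": ("SOC 2", ["s3_bucket_encryption", "s3_public_access_block"]),
    "GDPR example-1": ("GDPR", ["s3_bucket_encryption", "rds_encryption"]),
    "WA example-1": ("Well-Architected", ["s3_bucket_encryption"]),
    "CIS example-2": ("CIS", ["cloudtrail_enabled"]),
    "SOC 2 example-2": ("SOC 2", ["cloudtrail_enabled", "vpc_flow_logs"]),
}

# check id -> currently passing?; constructed scan outcome
CHECK_OK: Dict[str, bool] = {
    "s3_bucket_encryption": False,
    "s3_public_access_block": True,
    "rds_encryption": True,
    "cloudtrail_enabled": False,
    "vpc_flow_logs": False,
}


def remediation_impact(control_map, check_ok) -> Dict[str, Dict[str, List[str]]]:
    """For each failing check: controls that pass once it is fixed ('unlocks'),
    the distinct frameworks those controls belong to, and controls that would
    still fail because another mapped check is also failing ('partial')."""
    impact = {}
    for check_id, ok in check_ok.items():
        if ok:
            continue
        unlocks, partial = [], []
        for control_id, (framework, checks) in control_map.items():
            if check_id not in checks:
                continue
            others_pass = all(check_ok[c] for c in checks if c != check_id)
            (unlocks if others_pass else partial).append((control_id, framework))
        impact[check_id] = {
            "unlocks": sorted(c for c, _ in unlocks),
            "frameworks": sorted({f for _, f in unlocks}),
            "partial": sorted(c for c, _ in partial),
        }
    return impact


def prioritised(impact) -> List[str]:
    """Broadest compliance impact first: frameworks, then controls, then name."""
    return sorted(
        impact,
        key=lambda c: (-len(impact[c]["frameworks"]), -len(impact[c]["unlocks"]), c),
    )


if __name__ == "__main__":
    result = remediation_impact(CONTROL_MAP, CHECK_OK)
    for check in prioritised(result):
        print(check, result[check])
```

With this data the S3 encryption check comes out on top because fixing it alone turns four controls in four frameworks green, while fixing CloudTrail alone clears only one control and leaves "SOC 2 example-2" failing until VPC flow logs are also addressed.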
Frequently Asked Questions
Why is a control marked NOT APPLICABLE?
A control is marked NOT APPLICABLE when the services or resources it evaluates are not present in your environment. For example, if you do not use Amazon RDS, controls related to RDS security will be marked as NOT APPLICABLE.
NOT APPLICABLE controls are excluded from your compliance score calculation.
A control was PASS but is now FAIL. What happened?
This can occur when:
- New resources were added that do not meet the control's requirements
- An existing resource's configuration was changed
- A previously remediated resource reverted to a non-compliant state
Check the control detail view to see which resources and checks are now failing.
Can I hide controls that do not apply to us?
Use exceptions to mark controls as accepted deviations. Excepted controls are tracked separately and do not affect your compliance score.