
Compliance Frameworks

Guardian Pro continuously assesses your AWS infrastructure against industry-standard compliance frameworks. The Frameworks settings page lets you choose which frameworks are relevant to your organisation, enabling targeted compliance monitoring, scoring, and reporting.

Accessing Framework Settings

Navigate to Settings > Frameworks from the left sidebar. You need the org:read permission to view framework subscriptions and org:write to modify them.

Available Frameworks

Guardian Pro supports four compliance frameworks out of the box:

CIS AWS Foundations Benchmark (v5.0)

The CIS AWS Foundations Benchmark is published by the Center for Internet Security and provides a set of security configuration best practices for AWS. It is one of the most widely adopted cloud security benchmarks globally.

  • Focus: Security configuration and hardening.
  • Use case: Organisations that need a recognised security baseline for their AWS environment.
  • Controls: Covers identity and access management, logging, monitoring, networking, and storage.

Tip: The CIS AWS Foundations Benchmark is the most commonly subscribed framework and is a strong starting point for any organisation focused on cloud security.

SOC 2

SOC 2 (System and Organisation Controls 2) is a compliance framework designed for service organisations that store customer data in the cloud. It is based on the AICPA Trust Services Criteria.

  • Focus: Security, availability, processing integrity, confidentiality, and privacy.
  • Use case: SaaS providers, technology companies, and any organisation that needs to demonstrate trust and security to customers and partners.
  • Controls: Maps to Guardian Pro checks across access control, encryption, monitoring, incident response, and data protection.

GDPR

GDPR (General Data Protection Regulation) is the European Union's data protection regulation. Guardian Pro maps relevant infrastructure checks to GDPR requirements related to data security and privacy.

  • Focus: Data protection, encryption, access control, and audit logging.
  • Use case: Organisations that process personal data of EU residents.
  • Controls: Maps to checks for encryption at rest and in transit, access logging, data retention, and security monitoring.

Info: Guardian Pro's GDPR framework maps technical infrastructure controls to GDPR requirements. GDPR compliance also involves organisational and procedural measures (data processing agreements, privacy policies, etc.) that are outside the scope of infrastructure scanning.

AWS Well-Architected Framework

The AWS Well-Architected Framework provides a set of best practices across six pillars for building secure, high-performing, resilient, and efficient cloud architectures.

  • Focus: Operational excellence, security, reliability, performance efficiency, cost optimisation, and sustainability.
  • Use case: Organisations that want to align their AWS architecture with AWS's own recommended practices.
  • Controls: Covers a broad range of checks across all Guardian Pro modules, from security hardening to cost optimisation.

Subscribing to Frameworks

To subscribe to a compliance framework:

  1. Navigate to Settings > Frameworks.
  2. You will see a card for each available framework with a description and the number of controls.
  3. Click the Subscribe toggle for each framework you want to enable.
  4. Click Save.

Once subscribed, Guardian Pro begins scoring your environment against the framework's controls at the next scan. Historical data from previous scans is also evaluated, so you will see an initial score immediately.

Framework Limits by Subscription Tier

Tier         Framework limit
Starter      1 framework
Business     All 4 frameworks
Enterprise   All 4 frameworks + custom control mappings

Note: If you are on the Starter tier and want to switch frameworks, unsubscribe from your current framework before subscribing to a different one. Your historical compliance data for the previous framework is retained.

Unsubscribing from a Framework

To unsubscribe from a framework:

  1. Navigate to Settings > Frameworks.
  2. Click the Subscribe toggle to turn it off for the framework you want to remove.
  3. Confirm the action.
  4. Click Save.

When you unsubscribe:

  • The framework no longer appears on the Compliance Dashboard.
  • Compliance scores for that framework are no longer calculated.
  • Historical compliance data is preserved and will be available if you re-subscribe later.
  • Findings related to that framework's controls remain visible in the Action Centre (they are still valid security or best-practice findings regardless of framework mapping).

Understanding Controls

Each framework consists of controls: specific requirements that are evaluated by mapping each one to one or more Guardian Pro checks. For example:

  • CIS control "Ensure CloudTrail is enabled in all regions" maps to the Guardian Pro check that verifies CloudTrail configuration.
  • SOC 2 control for encryption at rest maps to multiple Guardian Pro checks across RDS, S3, EBS, and other storage services.

A control can be in one of three states:

Status           Description
Pass             All checks mapped to this control are passing across your environment.
Fail             One or more checks mapped to this control have active findings.
Not Applicable   The checks for this control could not be evaluated (for example, the service is excluded from scanning, or the resource type does not exist in your environment).

Your framework compliance score is calculated as the percentage of applicable controls that are passing; controls in the Not Applicable state are not counted in either the numerator or the denominator.

Compliance Reporting

For each subscribed framework, you can generate compliance reports from the Compliance Dashboard:

Report format   Description                                              Availability
On-screen       Interactive control-by-control breakdown                 All tiers
PDF             Formatted compliance report for sharing with auditors    Business and Enterprise
CSV             Raw control data for custom analysis                     Business and Enterprise
JSON            Machine-readable format for integration with GRC tools   Business and Enterprise

Tip: Schedule regular compliance reports on the Enterprise tier. Automated reports can be delivered via email or webhook, supporting your audit and reporting cadence. See Notifications for delivery configuration.

Control Exceptions

In some cases, a failing control may not be relevant to your environment, or you may have compensating controls in place that Guardian Pro cannot detect. You can create exceptions for specific controls:

  1. Navigate to the Compliance Dashboard.
  2. Find the failing control.
  3. Click Create Exception.
  4. Provide a justification explaining why this control is not applicable or is mitigated.
  5. Optionally, attach evidence (documents, screenshots, or links).
  6. Set an expiry date for the exception (or leave it open-ended).

Excepted controls are excluded from score calculations and clearly marked in reports.

Caution: Use exceptions sparingly. Over-reliance on exceptions can mask genuine compliance gaps. Regularly review active exceptions to ensure they are still valid.

Evidence Management

For controls that require documentation beyond automated checks, you can attach evidence directly to controls:

  1. Navigate to the control in the Compliance Dashboard.
  2. Click Add Evidence.
  3. Upload a document or provide a link.
  4. Add a description of the evidence.

Evidence is stored securely and included in compliance reports when generated.

Impact of Scan Preferences

Your Scan Preferences directly impact compliance scoring. If you exclude a service or region from scanning, any controls that depend on checks for that service or region will be marked as Not Applicable.

Guardian Pro displays a warning on the Frameworks settings page if your current scan preferences would cause controls in a subscribed framework to become unevaluable.
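The following is an added worked example (not Guardian Pro's own code) that ties together the control states, the score formula, control exceptions with expiry dates, and the effect of excluding a service or region from scanning. It assumes, as described above, that a control becomes Not Applicable as soon as any of its mapped checks depends on an excluded service or region, that an exception with no expiry date is open-ended, and that excepted controls drop out of the score entirely. All control identifiers and check results are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Check:
    service: str          # AWS service the check inspects
    region: str           # region of the inspected resources
    active_findings: int  # open findings for this check

def control_status(checks, excluded_services, excluded_regions):
    """Pass / Fail / Not Applicable for one control, per the status table above."""
    if any(c.service in excluded_services or c.region in excluded_regions for c in checks):
        return "Not Applicable"  # a mapped check cannot be evaluated (assumption: any one suffices)
    if any(c.active_findings > 0 for c in checks):
        return "Fail"            # at least one mapped check has active findings
    return "Pass"

def compliance_score(controls, excluded_services, excluded_regions, exceptions, today):
    """controls: {control_id: [Check, ...]}; exceptions: [(control_id, expiry date or None)].
    Returns (score, statuses): score is the % of applicable, non-excepted controls that pass."""
    active = {cid for cid, expiry in exceptions if expiry is None or expiry >= today}
    statuses, passing, applicable = {}, 0, 0
    for control_id, checks in controls.items():
        if control_id in active:
            statuses[control_id] = "Excepted"   # excepted controls leave the score entirely
            continue
        status = control_status(checks, excluded_services, excluded_regions)
        statuses[control_id] = status
        if status != "Not Applicable":
            applicable += 1
            passing += int(status == "Pass")
    score = round(100 * passing / applicable, 1) if applicable else None
    return score, statuses

# Constructed sample data, not real Guardian Pro scan output.
CONTROLS = {
    "cloudtrail-all-regions": [Check("cloudtrail", "us-east-1", 0), Check("cloudtrail", "eu-west-1", 0)],
    "root-access-keys": [Check("iam", "global", 2)],
    "sg-no-open-ssh": [Check("ec2", "ap-southeast-2", 1)],     # region excluded below
    "soc2-encryption-at-rest": [Check("rds", "us-east-1", 1), Check("s3", "us-east-1", 0),
                                Check("ebs", "us-east-1", 0)],
    "gdpr-kms-key-rotation": [Check("kms", "us-east-1", 1)],
}
EXCEPTIONS = [("soc2-encryption-at-rest", None),            # open-ended exception
              ("gdpr-kms-key-rotation", date(2024, 1, 31))]  # expired before "today"

def sample_score():
    """Scan preferences exclude the ap-southeast-2 region; 'today' is 2024-06-01."""
    return compliance_score(CONTROLS, set(), {"ap-southeast-2"}, EXCEPTIONS, date(2024, 6, 1))
```

With this data only three controls are applicable and not excepted (two Fail, one Pass), so the score is 33.3; re-including ap-southeast-2 in the scan would turn the Not Applicable control into a Fail and lower the score further.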

Next Steps