AWS CSPM Coverage Matrix

Current live AWS posture coverage, without the guesswork.

This page is the source of truth for the current Posturio scan engine. The public AWS guide library is intentionally broader than the live scanner today, so use this matrix when you need exact shipped coverage, read-only setup scope, and proof pages before you compare products.

Current live scan engine

  • Implemented checks: 19
  • Coverage domains: IAM, Logging, Data Protection, Network
  • Read-only permissions: 23 AWS actions including STS
  • Product scope: AWS-only posture and proof workflow

Current checks

Shipped scan coverage in the live engine today

IAM

  • Root account MFA enabled
  • Root access keys absent
  • IAM account password policy
  • IAM users have MFA
  • Access keys rotated within 90 days

Logging

  • CloudTrail enabled
  • CloudTrail multi-region trail enabled
  • AWS Config recorder enabled
  • GuardDuty enabled
  • Security Hub enabled

Data protection

  • KMS key rotation enabled
  • S3 public access block enabled
  • S3 buckets not publicly accessible
  • S3 default encryption enabled
  • RDS instances are not publicly accessible
  • RDS storage encrypted
  • RDS automated backups enabled
  • RDS deletion protection enabled

Network

  • Security groups restrict risky ports

Evidence collection

  • IAM account summary, password policy, users, MFA devices, access keys
  • CloudTrail trail definitions and logging state
  • AWS Config recorder state, GuardDuty detector state, and Security Hub enablement
  • KMS key rotation state, S3 bucket public access/default encryption, and RDS posture baselines
  • Security group ingress rules by region
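
The five IAM checks listed under "Current checks" can be evaluated entirely from the read-only evidence named above (account summary, password policy, users, MFA devices, access keys). The following Python evaluator is an added illustration of that pattern, not Posturio's code: it runs the checks over a constructed evidence document whose field names mirror the IAM API responses (iam:GetAccountSummary, iam:GetAccountPasswordPolicy, iam:ListUsers, iam:ListMFADevices, iam:ListAccessKeys). The sample values, the helper names, and the password-policy thresholds are this example's own assumptions; in live use the evidence would be fetched with the equivalent read-only API calls and the thresholds would follow the scanner's documented policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE_DAYS = 90  # matches the "Access keys rotated within 90 days" check

# Password-policy minimums used by this example. Assumed values, not the
# scanner's documented thresholds.
MIN_PASSWORD_LENGTH = 14
MIN_REUSE_PREVENTION = 24
REQUIRED_CLASSES = ("RequireSymbols", "RequireNumbers",
                    "RequireUppercaseCharacters", "RequireLowercaseCharacters")

NOW = datetime(2026, 3, 23, tzinfo=timezone.utc)

# Constructed sample evidence. Field names follow the IAM API; every value
# (user names, key ids, dates) is made up for this example.
SAMPLE_EVIDENCE = {
    "account_summary": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": False,
                        "RequireNumbers": True, "RequireUppercaseCharacters": True,
                        "RequireLowercaseCharacters": True, "PasswordReusePrevention": 24},
    "users": [
        {"UserName": "alice", "password_enabled": True,
         "mfa_devices": ["arn:aws:iam::123456789012:mfa/alice"],
         "access_keys": [{"AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",
                          "CreateDate": NOW - timedelta(days=30)}]},
        {"UserName": "bob", "password_enabled": True, "mfa_devices": [],
         "access_keys": [{"AccessKeyId": "AKIAEXAMPLEBOB000002", "Status": "Active",
                          "CreateDate": NOW - timedelta(days=120)}]},
        # Service user: no console password, so the MFA check does not apply;
        # its old key is Inactive, so the rotation check ignores it.
        {"UserName": "svc-ci", "password_enabled": False, "mfa_devices": [],
         "access_keys": [{"AccessKeyId": "AKIAEXAMPLESVCCI0003", "Status": "Inactive",
                          "CreateDate": NOW - timedelta(days=200)}]},
    ],
}


@dataclass(frozen=True)
class Finding:
    check: str
    status: str   # "PASS" or "FAIL"
    detail: str


def check_root_mfa(evidence):
    enabled = evidence["account_summary"].get("AccountMFAEnabled", 0) == 1
    return Finding("Root account MFA enabled", "PASS" if enabled else "FAIL",
                   "AccountMFAEnabled=%s" % int(enabled))


def check_root_keys_absent(evidence):
    present = evidence["account_summary"].get("AccountAccessKeysPresent", 0)
    return Finding("Root access keys absent", "FAIL" if present else "PASS",
                   "AccountAccessKeysPresent=%s" % present)


def check_password_policy(evidence):
    # GetAccountPasswordPolicy raises NoSuchEntity when no policy exists;
    # the collector is assumed to store that as None.
    policy = evidence.get("password_policy")
    if policy is None:
        return Finding("IAM account password policy", "FAIL", "no account password policy is set")
    problems = []
    if policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
        problems.append("MinimumPasswordLength<%d" % MIN_PASSWORD_LENGTH)
    problems += [flag for flag in REQUIRED_CLASSES if not policy.get(flag, False)]
    if policy.get("PasswordReusePrevention", 0) < MIN_REUSE_PREVENTION:
        problems.append("PasswordReusePrevention<%d" % MIN_REUSE_PREVENTION)
    return Finding("IAM account password policy", "FAIL" if problems else "PASS",
                   ", ".join(problems) or "policy meets all minimums")


def check_users_have_mfa(evidence):
    # Only users with a console password are expected to carry an MFA device.
    missing = [u["UserName"] for u in evidence["users"]
               if u.get("password_enabled") and not u.get("mfa_devices")]
    return Finding("IAM users have MFA", "FAIL" if missing else "PASS",
                   "users without MFA: " + ", ".join(missing) if missing else "all console users have MFA")


def check_key_rotation(evidence, now=NOW):
    stale = []
    for user in evidence["users"]:
        for key in user.get("access_keys", []):
            if key["Status"] != "Active":
                continue  # inactive keys cannot be used; they are a hygiene issue, not rotation
            age = (now - key["CreateDate"]).days
            if age > KEY_MAX_AGE_DAYS:
                stale.append("%s/%s (%dd)" % (user["UserName"], key["AccessKeyId"], age))
    return Finding("Access keys rotated within 90 days", "FAIL" if stale else "PASS",
                   "stale active keys: " + ", ".join(stale) if stale else "all active keys within limit")


def run_iam_checks(evidence, now=NOW):
    return [check_root_mfa(evidence), check_root_keys_absent(evidence),
            check_password_policy(evidence), check_users_have_mfa(evidence),
            check_key_rotation(evidence, now)]


def summarize(findings):
    """Map check name to PASS/FAIL, the shape a score or top-findings view needs."""
    return {f.check: f.status for f in findings}


if __name__ == "__main__":
    for f in run_iam_checks(SAMPLE_EVIDENCE):
        print("%-4s %s: %s" % (f.status, f.check, f.detail))
```

Each check consumes only data that the listed read-only actions return, so the evaluator never needs write permissions; the edge cases worth noting are an account with no password policy at all (reported as a failure rather than an error) and users or keys that are out of scope for a given check (no console password, inactive keys), which are skipped explicitly rather than silently.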

Output model

  • Free preview with score and top findings
  • Sample report and PDF/evidence export path
  • Readiness snapshot add-on
  • Recurring coverage on continuous plans

Shipped service pages

Coverage drilldowns now map to live product scope.

AWS Config monitoring

Buyer-facing proof page for Config recorder coverage and setup validation.

GuardDuty monitoring

Connect managed threat detection coverage to the live scan engine and proof workflow.

Security Hub monitoring

Use Security Hub baseline coverage to explain incident-readiness fit before rollout.

AWS KMS key rotation

Review current key-rotation coverage alongside encryption and evidence expectations.

AWS RDS public access

Connect public database exposure to the shipped RDS baseline checks now in the scanner.

AWS security review

Move from proof pages into a practical scan-to-report review workflow for buyers and operators.

Important distinction

The guide library is broader than the current live scanner.

Posturio publishes a wide AWS guide library because teams researching AWS posture and remediation need issue-specific guidance before every check is fully implemented in the live scan engine. Use this page for current product scope, and treat the broader guide library as research and roadmap context rather than proof of implemented scanner parity.

Planned expansion areas

Next AWS posture categories being prioritized

IAM depth

Admin users and roles, wildcard permissions, IAM Access Analyzer, alternate contacts, and credential report follow-up.

Logging and native services

CloudTrail log validation, deeper AWS Config coverage, Security Hub control detail, and GuardDuty detector detail.

Operator workflows

Ownership, explicit exceptions, more granular security-group findings, and broader service-level coverage depth.

Best fit

Where Posturio fits best today

  • AWS-only teams that want a lighter scan-to-report motion
  • Engineering leaders preparing for customer trust or security review pressure
  • Teams that want read-only setup and clear proof pages before buying
  • Buyers who want a shipped coverage changelog instead of vague platform promises

Last updated: March 23, 2026