See where your AWS or GCP environment stands against SOC 2 — before an auditor ever looks. Connect a read-only scanner role in minutes and get a clear report of misconfigurations and gaps emailed straight to you.
Over-permissive roles, missing MFA, stale keys, root usage.
Unencrypted volumes, public buckets, exposed snapshots.
Open security groups, public databases, unrestricted ingress.
CloudTrail / audit logs, config recording, alerting gaps.
Your report maps every finding to the SOC 2 Trust Services Criteria, so you know exactly what to fix — and why it matters.
Root account usage, missing MFA, over-permissive IAM policies, unused credentials, and stale access keys.
Unencrypted disks, databases, and snapshots; missing TLS enforcement; and unmanaged encryption keys.
Public storage buckets, internet-facing databases, wide-open security groups, and exposed admin ports.
Disabled CloudTrail / audit logs, missing config recorders, and gaps in retention that auditors will catch.
No alerting on privileged actions, absent guardrails, and blind spots in threat detection coverage.
Every finding is tied to a Trust Services Criterion with a severity rating and a plain-English fix.
Verify it's you, connect a read-only scanner role, and we'll email your results. The whole thing takes about five minutes.
We send your report and scan status here, so we need to confirm it's really you. We'll email a 6-digit code.
Use a company email — personal domains (gmail, outlook) aren't eligible for the free scan.
We won't share your info with anyone. Ever.
Pick your provider. We'll walk you through creating a scoped, read-only role for it — you stay in full control.
Connect via an IAM role (cross-account)
Grant a role to our service account
Create a read-only IAM role that IronFort's scanner account can assume. It takes about 5 minutes in the AWS Console — the full walkthrough (including the complete reader policy) is in the IronFort guide.
Download the full AWS setup guide (PDF) • goironfort.comIn the AWS Console, open IAM → Policies → Create policy, switch to the JSON tab, and paste IronFort's read-only reader policy. Name it IronFortScannerReadOnlyPolicy. The complete policy JSON is in the PDF guide above.
Go to IAM → Roles → Create role. Choose AWS account → Another AWS account and enter IronFort's scanner account ID. Check Require external ID and paste the External ID from your IronFort contact. Attach IronFortScannerReadOnlyPolicy, then name the role IronFortScannerRole.
Open the IronFortScannerRole role and copy its ARN from the top of the details page.
For reference, this is the trust relationship on the role — it locks access to IronFort's scanner account and your External ID:
# Trust relationship on IronFortScannerRole
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::683342011539:root" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": { "sts:ExternalId": "sb-7f3a9c2e-4b1d-48aa" }
}
}]
}
We've connected to your AWS environment and kicked off the scan. Your report will land in the inbox above — usually within 15 minutes.
Read-only scanner role verified just now.
Checking IAM, encryption, network & logging controls.
A SOC 2-mapped findings report, ~15 min. No call needed.
A scan should never be a risk. Here's exactly how we keep your environment protected.
We use AWS/GCP's own audit-viewer roles. We can look at configuration — never change, delete, or move anything.
A unique External ID ties the role to your scan alone. No one else can assume it, not even us on another account.
We read security metadata — settings and policies, not the contents of your buckets, databases, or files.
Delete the role or IAM binding whenever you like — before or after your report. One command and it's gone.
Practical guides to help you understand, prepare for, and accelerate your SOC 2 audit.
Everything founders ask before they connect an environment.
The scan report can surface sensitive details about your environment, so we confirm you actually control the inbox before anything runs. It also stops random bots from spinning up scans. It's a single 6-digit code — no password to create.
Yes. On AWS you attach a custom read-only reader policy (IronFortScannerReadOnlyPolicy) — no create, modify, or delete permissions, and no access to secret values or KMS decryption. On GCP you grant read-only roles like Viewer, Security Reviewer, and Cloud Asset Viewer. None of them allow changing your environment.
It's a shared secret that ties the role to your specific scan. It prevents the "confused deputy" problem — even if someone knew our account ID, they couldn't trick us into assuming your role without it.
Most scans finish in about 15 minutes. Larger, multi-account environments can take a bit longer. Either way, the report is emailed to you — no need to wait on the page.
Absolutely, and we encourage it once you have your report. Delete the IronFortScannerRole (AWS) or remove the service account's IAM binding (GCP) and our access is gone immediately.
Yes — no cost, no credit card, no obligation. It's how we show you where you stand. If you want help fixing what we find, that's where our done-for-you SOC 2 service comes in. Book a call anytime.
Run the free read-only scan, or talk to our CISSP-certified team about taking SOC 2 completely off your plate.