Free Cloud Environment Scan — SocBridge
Free — No Credit Card

Free Cloud Environment Scan

See where your AWS or GCP environment stands against SOC 2 — before an auditor ever looks. Connect a read-only scanner role in minutes and get a clear report of misconfigurations and gaps emailed straight to you.

Read-only access
Revoke anytime
Powered by IronFort

What the scan checks

Identity & Access (IAM)

Over-permissive roles, missing MFA, stale keys, root usage.

Encryption & Storage

Unencrypted volumes, public buckets, exposed snapshots.

Network Exposure

Open security groups, public databases, unrestricted ingress.

Logging & Monitoring

CloudTrail / audit logs, config recording, alerting gaps.

Scan engine powered by IronFort Compliance
100% read-only
Mapped to SOC 2 criteria
Results in ~15 minutes
Powered by IronFort

The gaps auditors flag most

Your report maps every finding to the SOC 2 Trust Services Criteria, so you know exactly what to fix — and why it matters.

Identity & Access

Root account usage, missing MFA, over-permissive IAM policies, unused credentials, and stale access keys.

Encryption at Rest & Transit

Unencrypted disks, databases, and snapshots; missing TLS enforcement; and unmanaged encryption keys.

Public Exposure

Public storage buckets, internet-facing databases, wide-open security groups, and exposed admin ports.

Logging & Audit Trails

Disabled CloudTrail / audit logs, missing config recorders, and gaps in retention that auditors will catch.

Monitoring & Alerting

No alerting on privileged actions, absent guardrails, and blind spots in threat detection coverage.

SOC 2 Control Mapping

Every finding is tied to a Trust Services Criterion with a severity rating and a plain-English fix.

Three steps to your report

Verify it's you, connect a read-only scanner role, and we'll email your results. The whole thing takes about five minutes.

1
Verify email
2
Choose cloud
3
Connect scanner
Done
Step 1 of 3

Verify your work email

We send your report and scan status here, so we need to confirm it's really you. We'll email a 6-digit code.

Use a company email — personal domains (gmail, outlook) aren't eligible for the free scan.

We won't share your info with anyone. Ever.

Step 2 of 3

Which cloud do you want scanned?

Pick your provider. We'll walk you through creating a scoped, read-only role for it — you stay in full control.

Amazon Web Services

Connect via an IAM role (cross-account)

Google Cloud

Grant a role to our service account

Step 3 of 3

Connect your scanner role

Change

Create a read-only IAM role that IronFort's scanner account can assume. It takes about 5 minutes in the AWS Console — the full walkthrough (including the complete reader policy) is in the IronFort guide.

Download the full AWS setup guide (PDF)  • goironfort.com
  1. Create the read-only reader policy

    In the AWS Console, open IAM → Policies → Create policy, switch to the JSON tab, and paste IronFort's read-only reader policy. Name it IronFortScannerReadOnlyPolicy. The complete policy JSON is in the PDF guide above.

  2. Create the IAM role for IronFort

    Go to IAM → Roles → Create role. Choose AWS account → Another AWS account and enter IronFort's scanner account ID. Check Require external ID and paste the External ID from your IronFort contact. Attach IronFortScannerReadOnlyPolicy, then name the role IronFortScannerRole.

    IronFort scanner AWS account: 683342011539
    External ID (from your IronFort contact): sb-7f3a9c2e-4b1d-48aa
  3. Copy the Role ARN back here

    Open the IronFortScannerRole role and copy its ARN from the top of the details page.

For reference, this is the trust relationship on the role — it locks access to IronFort's scanner account and your External ID:

# Trust relationship on IronFortScannerRole
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::683342011539:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": { "sts:ExternalId": "sb-7f3a9c2e-4b1d-48aa" }
    }
  }]
}
You stay in control. Access is strictly read-only, scoped to security metadata, and you can revoke it the moment your report arrives. We never see your customer data.

Your scan is running

We've connected to your AWS environment and kicked off the scan. Your report will land in the inbox above — usually within 15 minutes.

Connected

Read-only scanner role verified just now.

Scanning in progress

Checking IAM, encryption, network & logging controls.

Report emailed

A SOC 2-mapped findings report, ~15 min. No call needed.

Questions about your results? Book a call →
Scan powered by IronFort Compliance

Read-only. Scoped. Reversible.

A scan should never be a risk. Here's exactly how we keep your environment protected.

Read-Only

We use AWS/GCP's own audit-viewer roles. We can look at configuration — never change, delete, or move anything.

Locked To You

A unique External ID ties the role to your scan alone. No one else can assume it, not even us on another account.

No Customer Data

We read security metadata — settings and policies, not the contents of your buckets, databases, or files.

Revoke Anytime

Delete the role or IAM binding whenever you like — before or after your report. One command and it's gone.

Free Downloads

Free SOC 2 Resources

Practical guides to help you understand, prepare for, and accelerate your SOC 2 audit.

Questions about the free scan

Everything founders ask before they connect an environment.

Why do I have to verify my email first?

The scan report can surface sensitive details about your environment, so we confirm you actually control the inbox before anything runs. It also stops random bots from spinning up scans. It's a single 6-digit code — no password to create.

Is the access really read-only?

Yes. On AWS you attach a custom read-only reader policy (IronFortScannerReadOnlyPolicy) — no create, modify, or delete permissions, and no access to secret values or KMS decryption. On GCP you grant read-only roles like Viewer, Security Reviewer, and Cloud Asset Viewer. None of them allow changing your environment.

What is the External ID for?

It's a shared secret that ties the role to your specific scan. It prevents the "confused deputy" problem — even if someone knew our account ID, they couldn't trick us into assuming your role without it.

How long until I get my report?

Most scans finish in about 15 minutes. Larger, multi-account environments can take a bit longer. Either way, the report is emailed to you — no need to wait on the page.

Can I remove your access afterward?

Absolutely, and we encourage it once you have your report. Delete the IronFortScannerRole (AWS) or remove the service account's IAM binding (GCP) and our access is gone immediately.

Is the scan really free?

Yes — no cost, no credit card, no obligation. It's how we show you where you stand. If you want help fixing what we find, that's where our done-for-you SOC 2 service comes in. Book a call anytime.

Ready to see where you stand?

Run the free read-only scan, or talk to our CISSP-certified team about taking SOC 2 completely off your plate.