SOC 2 Readiness · AWS · Monthly Reports

Monthly SOC 2 readiness
reports for AWS —
including your AI stack.

We find the gaps before your auditor does.

One read-only IAM role. Monthly scans mapped to Trust Service Criteria — including Bedrock, SageMaker, and agentic Lambda risks standard tools miss. Human-reviewed. Auditor-ready.

SOC 2 Readiness Report
April 2026 · AWS us-east-1
Improving ↑
Readiness Score
74
↑ +6 pts since March
Critical
bedrock-agent-prod has bedrock:InvokeModel on * with S3 write access and no MFA condition.
High
Bedrock invocation logging disabled in production. No audit trail for model calls.
Medium
3 Lambda functions with AI permissions not tagged as AI workloads.
Monthly
Continuous readiness. Not a one-time snapshot that ages out before your audit.
5 days
First report, free. Delivered within 5 business days, no commitment required.
Read-only
Zero footprint. A single IAM role assumed monthly; nothing is installed in your account.
AI-native
Built for your stack. Bedrock, SageMaker and agentic Lambda risk, mapped to TSC.
How it works

Three steps.
No agents. No long-lived credentials.

01
Deploy a read-only IAM role
One read-only IAM role, deployed via CloudFormation or Terraform in about five minutes. Each month we assume the role with temporary STS credentials, run read-only API calls, and let the session expire. Nothing is installed in your account and no long-lived keys are created.
CloudFormation · Terraform · 5 min
02
We scan and map to SOC 2 TSC
Monthly scans mapped to Trust Service Criteria — CC6, CC7, CC8 — with a dedicated layer for your AI and agentic workloads.
TSC-mapped · AI risk layer · Month-over-month drift
03
Receive a human-reviewed report
A human reviews every report before it reaches you. Context, severity, prioritized remediation — not raw scanner noise. Ready to hand to your auditor.
Auditor-ready · Prioritized · No noise
Pricing

Start free. Stay only if it's useful.

No contracts. Cancel anytime. The free pilot is a real report — not a demo.

Pilot
Free
One-time scan, no card required
  • 1 AWS account
  • One full readiness report
  • AI risk section included
  • Human-reviewed findings
  • Full PDF — auditor-ready
Request free pilot →
Growth
$599/mo
Up to 5 AWS accounts, billed monthly
  • Up to 5 AWS accounts
  • Monthly scans, every account
  • AI risk layer included
  • Human-reviewed findings
  • Month-over-month drift tracking
  • Auditor-ready PDF report
Get started →
Enterprise
Unlimited accounts · Multi-region
  • Custom account scope
  • Multi-region support
  • Dedicated analyst
  • SLA & custom delivery
Talk to us →
Flintwood exclusive

The AI risk layer your auditor doesn't have a checklist for yet.

Your AI stack is growing, and so is your audit surface. Bedrock roles, Lambda chains, unlogged invocations: none of it is in the standard SOC 2 playbook yet. We track it before your auditor asks.

  • Bedrock and SageMaker access control gaps
  • Agentic IAM role over-permission detection
  • Shadow AI usage via CloudTrail analysis
  • Missing human-in-the-loop controls
  • AI training data access logging gaps
  • Autonomous Lambda chain risk mapping
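The "shadow AI via CloudTrail analysis" item above comes down to one join: every principal that calls Bedrock, minus the principals you have inventoried as AI workloads. The block below is an added example, not Flintwood's code. The CloudTrail records, the account number, the role and user names and the inventory set are all constructed; the only CloudTrail fields it reads are eventSource, eventName, sourceIPAddress and userIdentity, and it makes no assumption about which Bedrock calls CloudTrail records as management versus data events.

```python
"""Shadow AI detection over CloudTrail: report principals that call Bedrock
but are not in the inventoried, tagged AI workload set.

Added example, not Flintwood's code. The events are constructed in the shape
of CloudTrail Records[] entries (only the fields this check reads are
present); the inventory is assumed to come from a tag query and is also
constructed. The check keys on eventSource only.
"""
from collections import defaultdict

BEDROCK_SOURCE = "bedrock.amazonaws.com"


def principal_arn(user_identity):
    """Collapse an assumed-role session to the role that issued it, so every
    invocation of one Lambda execution role counts as one principal."""
    issuer = user_identity.get("sessionContext", {}).get("sessionIssuer", {})
    if user_identity.get("type") == "AssumedRole" and issuer.get("arn"):
        return issuer["arn"]
    return user_identity.get("arn", "unknown")


def find_shadow_ai(events, inventory):
    """Group Bedrock calls by calling principal and drop the inventoried ones.
    Returns {principal_arn: {"calls": n, "events": [...], "source_ips": [...]}}."""
    seen = defaultdict(lambda: {"calls": 0, "events": set(), "source_ips": set()})
    for ev in events:
        if ev.get("eventSource") != BEDROCK_SOURCE:
            continue
        entry = seen[principal_arn(ev.get("userIdentity", {}))]
        entry["calls"] += 1
        entry["events"].add(ev.get("eventName", "?"))
        entry["source_ips"].add(ev.get("sourceIPAddress", "?"))
    return {
        arn: {"calls": e["calls"], "events": sorted(e["events"]),
              "source_ips": sorted(e["source_ips"])}
        for arn, e in seen.items() if arn not in inventory
    }


def finding_line(shadow):
    """One-line summary in the report's style, for the constructed data."""
    return (f"Medium CC6.7: {len(shadow)} untagged principal(s) making Bedrock "
            f"API calls outside the inventoried AI workload scope")


def _assumed_role(role_name, session):
    """Constructed userIdentity block for a role session (account is made up)."""
    acct = "123456789012"
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{acct}:assumed-role/{role_name}/{session}",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": f"arn:aws:iam::{acct}:role/{role_name}"}}}


# Constructed: roles tagged as AI workloads (e.g. AIWorkload=true on the role).
INVENTORY = {"arn:aws:iam::123456789012:role/ai-summarizer-lambda"}

# Constructed CloudTrail records. Only the summarizer is expected to call
# Bedrock; the reporting Lambda, the IAM user and the notebook role are shadow use.
SAMPLE_EVENTS = [
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel", "sourceIPAddress": "10.0.1.15",
     "userIdentity": _assumed_role("ai-summarizer-lambda", "summarize-1")},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel", "sourceIPAddress": "10.0.1.15",
     "userIdentity": _assumed_role("ai-summarizer-lambda", "summarize-2")},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel", "sourceIPAddress": "10.0.2.40",
     "userIdentity": _assumed_role("reporting-lambda", "report-1")},
    {"eventSource": BEDROCK_SOURCE, "eventName": "Converse", "sourceIPAddress": "10.0.2.40",
     "userIdentity": _assumed_role("reporting-lambda", "report-2")},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.2.40",
     "userIdentity": _assumed_role("reporting-lambda", "report-2")},
    {"eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/jsmith"}},
    {"eventSource": BEDROCK_SOURCE, "eventName": "ListFoundationModels", "sourceIPAddress": "10.0.3.7",
     "userIdentity": _assumed_role("sagemaker-notebook-exec", "SageMaker")},
]

if __name__ == "__main__":
    shadow = find_shadow_ai(SAMPLE_EVENTS, INVENTORY)
    print(finding_line(shadow))
    for arn, info in sorted(shadow.items()):
        print(f"  {arn}: {info['calls']} call(s), {', '.join(info['events'])}")
```

Collapsing sessions to the issuing role is what turns a thousand Lambda invocations into one line in the report; an IAM user calling InvokeModel from a non-VPC address (the jsmith entry) is the case worth reading first, because it is a person rather than a workload.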
Critical CC6.1 · Logical Access
Over-permissioned Bedrock agent role
bedrock-agent-prod has bedrock:InvokeModel on Resource "*" with S3 write access and no MFA condition. That is a direct path from a prompt-injected agent into production data.
High CC7.2 · System Monitoring
Bedrock invocation logging disabled
Model invocation logging is off in production. There is no audit trail for model calls — a gap that will surface in your SOC 2 review under CC7.2.
High CC8.1 · Change Management
Autonomous Lambda chain without approval gate
2 Lambda functions form an autonomous chain that can invoke Bedrock and write to S3 with no human-in-the-loop control or change approval record.
Medium CC6.7 · Data Classification
Shadow AI workloads detected
CloudTrail shows 3 untagged resources making Bedrock API calls outside your inventoried AI workload scope, and so outside the access control policy written for that scope.
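The Critical finding above is a pattern you can check mechanically from a role's trust policy and permission policies. The block below is an added example, not Flintwood's scanner: role names, ARNs, the account number and the model id are constructed, and it evaluates Allow statements only (Deny, NotAction, SCPs, permission boundaries and bucket policies are out of scope, so a clean result is necessary but not sufficient). One caveat it encodes: an MFA condition is only meaningful on a trust statement that a human principal can use; bedrock.amazonaws.com never presents MFA, so for a service-only trust the MFA field is reported as not applicable rather than as a gap.

```python
"""Check an IAM role for the over-permissioned Bedrock agent pattern:
bedrock:InvokeModel on every resource, combined with S3 write, plus whether
a human-assumable trust exists without an MFA condition.

Added example, not Flintwood's scanner. Role names, ARNs, model id and
policies are constructed. Only Allow statements in the role's own inline and
attached policies are evaluated.
"""
import fnmatch

S3_WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl")
MFA_KEY = "aws:multifactorauthpresent"


def _as_list(v):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unscoped_bedrock_resource(r):
    """True for '*' or a Bedrock ARN whose resource part is a bare wildcard."""
    return r == "*" or (r.startswith("arn:aws:bedrock:")
                        and r.split(":", 5)[-1] in ("*", "foundation-model/*"))


def has_mfa_condition(stmt):
    """True if the statement's Condition names aws:MultiFactorAuthPresent."""
    return any(k.lower() == MFA_KEY
               for operator in stmt.get("Condition", {}).values() for k in operator)


def allow_statements(policies):
    for pol in policies:
        for stmt in _as_list(pol.get("Statement")):
            if stmt.get("Effect") == "Allow" and "NotAction" not in stmt:
                yield stmt


def human_trust_statements(trust):
    """Trust statements naming an AWS principal (account, user, role or '*').
    A service principal such as bedrock.amazonaws.com never presents MFA."""
    out = []
    for stmt in _as_list(trust.get("Statement")):
        p = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and (p == "*" or _as_list(p.get("AWS"))):
            out.append(stmt)
    return out


def assess_role(role):
    """Return which parts of the pattern are present and a severity
    (None when InvokeModel is scoped to specific model ARNs)."""
    invoke_unscoped, invoke_mfa, s3_write = False, True, []
    for stmt in allow_statements(role["Policies"]):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if (any(action_matches(a, "bedrock:InvokeModel") for a in actions)
                and any(unscoped_bedrock_resource(r) for r in resources)):
            invoke_unscoped = True
            invoke_mfa = invoke_mfa and has_mfa_condition(stmt)  # weakest grant wins
        for a in actions:
            granted = [w for w in S3_WRITE_ACTIONS if action_matches(a, w)]
            if granted:
                s3_write.append({"pattern": a, "grants": granted, "resources": resources})
    human = human_trust_statements(role["AssumeRolePolicyDocument"])
    trust_mfa = bool(human) and all(has_mfa_condition(s) for s in human)
    # None = not applicable (no human principal can assume the role).
    mfa = None if not human else (trust_mfa or (invoke_unscoped and invoke_mfa))
    severity = ("Critical" if invoke_unscoped and s3_write
                else "Medium" if invoke_unscoped else None)
    return {"role": role["RoleName"], "tsc": "CC6.1",
            "invoke_model_unscoped": invoke_unscoped, "s3_write": s3_write,
            "human_assumable": bool(human), "mfa_condition": mfa,
            "severity": severity}


# Constructed roles: the first reproduces the finding, the second is the
# remediated shape (service-only trust pinned to the account, one model ARN,
# one output prefix).
BEDROCK_AGENT_PROD = {
    "RoleName": "bedrock-agent-prod",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "bedrock.amazonaws.com"}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]},
    "Policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::prod-customer-exports/*"}]}],
}
BEDROCK_AGENT_PROD_HARDENED = {
    "RoleName": "bedrock-agent-prod",
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "bedrock.amazonaws.com"},
         "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]},
    "Policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-express-v1"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::prod-agent-output/runs/*"}]}],
}

if __name__ == "__main__":
    for role in (BEDROCK_AGENT_PROD, BEDROCK_AGENT_PROD_HARDENED):
        print(assess_role(role))
```

The remediated role keeps an S3 write grant, because the agent needs somewhere to put its output; what clears the finding is scoping InvokeModel to named model ARNs and removing the account-root trust, so no interactive principal can borrow the agent's permissions.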
Why Flintwood

Built for mid-market AWS teams that move fast and audit annually.

Independent
No cloud vendor agenda
AWS-only by design — not a feature of a larger platform with a roadmap you can't influence. Your readiness report is all we do.
Narrow scope
SOC 2 + AWS + AI. That's it.
No 400-page CNAPP platform you'll use 10% of. One thing: monthly SOC 2 readiness for AWS, with an AI risk layer mapped to the TSC.
Human reviewed
Not a raw scanner dump
Every report is reviewed before it reaches your inbox. Context, severity, and prioritized remediation — not a wall of alerts. Your engineering team will actually read it.
Free pilot

First report free.
No commitment.

Full SOC 2 readiness report — AI risk findings included — delivered within 5 business days. No strings, no card required.

AWS only · Read-only IAM role · SOC 2 TSC mapping included
"We already checked." "Your AI stack is showing." "Strike first."
things we printed on shirts while waiting for our auditor