The managed service

How It Works

A managed security scanning service — no agents, no credentials, no manual effort. We handle the scanning. You get the report.

The workflow

From sign-up to your first report in four steps.

1. Subscribe

Choose a plan and complete checkout. Once payment is confirmed we send you a short onboarding form to collect your AWS account details.

2. Grant Access

Create a read-only IAM role in your AWS account using the trust policy we provide. Share the role name with us. You stay in control — we never store credentials.

3. Automated Scanning

Every month, Cloud:TbV assumes your IAM role and runs 13 security checks against your AWS account across all specified regions.

4. PDF Report

A detailed security posture report is emailed to you. Each finding includes a pass/fail status and a clear description of the issue.

What access do we need?

Cloud:TbV requires a read-only IAM role in your AWS account. You create it, you control it, and you can revoke it at any time.

We never request or store AWS credentials. We use AWS's built-in cross-account role assumption — the same mechanism used by AWS's own services.

Create the role, attach the ReadOnlyAccess AWS managed policy, and apply the trust policy shown below. Then share the role name with us during onboarding. That's it.

IAM role trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CLOUDTBV_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

13 CIS AWS Foundations Benchmark Checks

Every scan verifies the following controls across your account and specified regions.

Category   | Check                      | What we verify
-----------|----------------------------|---------------------------------------------------------------
IAM        | Root access keys disabled  | Root account has no active access keys
IAM        | Root MFA enabled           | Root account has an MFA device active
IAM        | Stale credentials          | No IAM users with credentials unused for 90+ days
IAM        | No direct policy attachments | Policies attached to groups or roles, not individual users
S3         | HTTPS enforced             | All S3 buckets require encrypted transit
S3         | Public access blocked      | All S3 buckets have public access block enabled
Networking | SSH unrestricted           | No security groups allow 0.0.0.0/0 on port 22
Networking | RDP unrestricted           | No security groups allow 0.0.0.0/0 on port 3389
Networking | Default SG restricted      | Default security groups deny all traffic
Logging    | CloudTrail enabled         | CloudTrail active in all regions
Logging    | CloudTrail log validation  | Log file integrity validation enabled
Logging    | CloudTrail → CloudWatch    | CloudTrail logs delivered to CloudWatch
Logging    | S3 access logging          | Access logging enabled on the CloudTrail S3 bucket
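As an added illustration of how the two "SSH unrestricted" and "RDP unrestricted" checks in the table can be evaluated, here is a small offline implementation. This is example code written for this page, not Cloud:TbV's scanner; it runs over a constructed sample in the shape that boto3's `ec2.describe_security_groups()` returns, and it goes slightly beyond the table's wording by also treating the IPv6 wildcard `::/0`, port ranges that cover the port, and "all traffic" (`IpProtocol` `-1`) rules as unrestricted.

```python
"""Offline evaluation of the CIS 'unrestricted SSH/RDP' security group checks."""
from typing import Dict, Iterable, List

# Constructed sample in the shape of boto3 ec2.describe_security_groups()
# output. These are made-up groups, not data from any real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0001", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0002", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0003", "GroupName": "legacy", "IpPermissions": [
        # A port range that covers 3389, open to the whole IPv6 internet.
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # "All traffic" rule: AWS omits FromPort/ToPort, every port is covered.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": []},
    ]},
]

ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule_exposes_port(rule: Dict, port: int) -> bool:
    """True if one IpPermissions entry allows TCP `port` from any address."""
    sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
    if not sources & ANYWHERE:
        return False
    proto = rule.get("IpProtocol")
    if proto == "-1":                # all protocols and ports
        return True
    if proto not in ("tcp", "6"):    # SSH and RDP are TCP ("6" is its number)
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def unrestricted_groups(groups: Iterable[Dict], port: int) -> List[str]:
    """GroupIds that fail the check for `port`; an empty list means PASS."""
    return sorted({g["GroupId"] for g in groups
                   if any(rule_exposes_port(r, port) for r in g["IpPermissions"])})


if __name__ == "__main__":
    for port, name in ((22, "SSH"), (3389, "RDP")):
        failing = unrestricted_groups(SAMPLE_GROUPS, port)
        print(f"{name} unrestricted: {'FAIL ' + ', '.join(failing) if failing else 'PASS'}")
```

Against a live account the same functions would be fed the `SecurityGroups` list from `describe_security_groups()` in each region, which is exactly where a read-only role like the one above suffices.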

Ready to get started?

Know your AWS security posture. Every month. Automatically.
