The managed service

How Verifis AWS Security Scanning Works

A managed security scanning service — no agents, no credentials, no manual effort. We handle the scanning. You get the report.

The workflow

From sign-up to your first report in four steps.

1. Subscribe

Choose a plan and complete checkout. Once payment is confirmed we send you a short onboarding form to collect your AWS account details.

2. Grant Access

Create a read-only IAM role in your AWS account using the trust policy we provide. Share the role name with us. You stay in control — we never store credentials.

3. Automated Scanning

On your plan's scan schedule, Verifis assumes your IAM role and runs 31 security checks against your AWS account across all specified regions. Startup plans scan monthly; Growth and Compliance plans scan weekly.

4. PDF Report

A detailed security posture report is emailed to you. Each finding includes a pass/fail status and a clear description of the issue.

What access do we need?

Verifis requires a read-only IAM role in your AWS account. You create it, you control it, and you can revoke it at any time.

We never request or store AWS credentials. We use AWS's built-in cross-account role assumption — the same mechanism used by AWS's own services.

Create the role, attach the ReadOnlyAccess AWS managed policy, and apply the trust policy shown here. Then share the role name with us during onboarding. That's it.

IAM role trust policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::VERIFIS_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

31 CIS AWS Foundations Benchmark Checks

Every scan verifies the following controls across your account and specified regions. On Growth and Compliance plans, each check is also mapped to its corresponding SOC 2 (CC6/CC7) and ISO 27001:2022 (A.5/A.8) controls, surfaced in the Executive Risk Report.

Category | Check | What we verify
IAM | Root access keys disabled | Root account has no active access keys
IAM | Root MFA enabled | Root account has an MFA device active
IAM | Password policy length | IAM password policy requires at least 14 characters
IAM | Password policy reuse | IAM password policy prevents reuse of the last 24 passwords
IAM | MFA for all console users | Every IAM user with console access has MFA enabled
IAM | Stale credentials | No IAM users with credentials unused for 90+ days
IAM | Single active access key | No IAM user has more than one active access key
IAM | Access key rotation | All active access keys rotated within 90 days
IAM | No direct policy attachments | Policies attached to groups or roles, not individual users
IAM | Support role exists | A role with AWSSupportAccess is available for AWS Support cases
IAM | Access Analyzer enabled | IAM Access Analyzer is active in each region
S3 | HTTPS enforced | All S3 buckets require encrypted transit
S3 | Public access blocked | All S3 buckets have public access block enabled
S3 | MFA Delete enabled | All versioned S3 buckets have MFA Delete enabled
Storage | EBS encryption by default | EBS volume encryption is enabled by default
Storage | RDS encryption at rest | All RDS instances have storage encryption enabled
Storage | RDS not publicly accessible | No RDS instances are publicly accessible
Storage | EFS encryption at rest | All EFS file systems have encryption at rest enabled
Networking | SSH unrestricted | No security groups allow 0.0.0.0/0 on port 22
Networking | RDP unrestricted | No security groups allow 0.0.0.0/0 on port 3389
Networking | Default SG restricted | Default security groups deny all traffic
Networking | IMDSv2 enforced | All EC2 instances require IMDSv2 (token-based metadata access)
Networking | VPC flow logs enabled | Flow logging enabled on all VPCs
Logging | CloudTrail enabled | CloudTrail active in all regions
Logging | CloudTrail log validation | Log file integrity validation enabled
Logging | CloudTrail S3 not public | CloudTrail S3 bucket blocks all public access
Logging | CloudTrail → CloudWatch | CloudTrail logs delivered to CloudWatch
Logging | AWS Config enabled | Config recorder active and recording in each region
Logging | S3 access logging | Access logging enabled on the CloudTrail S3 bucket
Logging | CloudTrail KMS encryption | CloudTrail logs encrypted at rest with a KMS CMK
Logging | KMS key rotation | Automatic rotation enabled on all customer-managed KMS keys
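As an added example of how three of the networking checks in the table are evaluated (this is illustrative code, not Verifis's scanner), the functions below run a read-only pass/fail decision over the response shapes boto3 returns from ec2.describe_security_groups() and ec2.describe_instances(); the sample responses are constructed, so it runs offline.

```python
"""Added example, not Verifis's code: evaluate the SSH unrestricted, RDP
unrestricted and IMDSv2 enforced checks over constructed EC2 API responses."""
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm: dict, port: int) -> bool:
    """One IpPermissions entry includes `port`; '-1' = all protocols, no range."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open(perm: dict) -> bool:
    """Rule source includes the IPv4 or IPv6 any-address CIDR."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def sg_port_unrestricted(describe_sgs: dict, port: int) -> list[str]:
    """Group ids that allow 0.0.0.0/0 or ::/0 ingress to `port`."""
    return [sg["GroupId"] for sg in describe_sgs.get("SecurityGroups", [])
            if any(rule_covers_port(p, port) and world_open(p)
                   for p in sg.get("IpPermissions", []))]


def instances_without_imdsv2(describe_instances: dict) -> list[str]:
    """IMDSv2 is enforced only when MetadataOptions.HttpTokens == 'required'."""
    return [i["InstanceId"]
            for r in describe_instances.get("Reservations", [])
            for i in r.get("Instances", [])
            if i.get("MetadataOptions", {}).get("HttpTokens") != "required"]


# Constructed sample responses; group ids, instance ids and ranges are made up.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-a", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
     "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-b", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0,
     "ToPort": 1024, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-c", "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-1", "MetadataOptions": {"HttpTokens": "required"}},
    {"InstanceId": "i-2", "MetadataOptions": {"HttpTokens": "optional"}}]}]}


def run_checks(sgs: dict = SAMPLE_SGS, ec2: dict = SAMPLE_INSTANCES) -> dict:
    """Pass (True) or fail (False) per check, as each finding is reported."""
    return {"SSH unrestricted": not sg_port_unrestricted(sgs, 22),
            "RDP unrestricted": not sg_port_unrestricted(sgs, 3389),
            "IMDSv2 enforced": not instances_without_imdsv2(ec2)}
```

Note that the port-range and protocol "-1" handling matters: a rule opening tcp 0-1024 to ::/0 or all traffic to 0.0.0.0/0 exposes port 22 just as a literal port-22 rule does.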

Ready to get started?

Know your AWS security posture. Every month. Automatically.

See Pricing