Your First SOC 2 Scan — Actually Free.

No trials. No demos. No sales calls. Connect your AWS, Azure, or GCP environment and get your full compliance posture mapped to SOC 2 and CIS Benchmarks in minutes.

How to set up AWS access

Create a read-only cross-account IAM role — no long-lived keys needed.

1. Copy your External ID

You'll need this when creating the IAM trust policy.

cloudscanner-4a8f2c1d9e3b7a6f0c5d8e2b1a4f7c3d9e6b2a8f5c1d4e7b3a9f6c2d8e5b1a4f

2. Create the IAM Role

In the AWS Console go to IAM → Roles → Create role. Choose Another AWS account, enter Account ID 058264240851, check Require external ID, and paste the External ID above.

3. Attach Policies

Attach the following AWS-managed policies to the role:

  • ReadOnlyAccess
  • SecurityAudit

4. Copy the Role ARN

After the role is created, copy the Role ARN from the role summary page (e.g. arn:aws:iam::123456789012:role/CloudScannerRole) and paste it below.

Prefer the AWS CLI?
aws iam create-role \
  --role-name CloudScannerRole \
  --assume-role-policy-document '{
    "Version":"2012-10-17",
    "Statement":[{"Effect":"Allow",
      "Principal":{"AWS":"arn:aws:iam::058264240851:root"},
      "Action":"sts:AssumeRole",
      "Condition":{"StringEquals":{
        "sts:ExternalId":"cloudscanner-4a8f2c1d9e3b7a6f0c5d8e2b1a4f7c3d9e6b2a8f5c1d4e7b3a9f6c2d8e5b1a4f"
      }}}]}'
aws iam attach-role-policy --role-name CloudScannerRole \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
aws iam attach-role-policy --role-name CloudScannerRole \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit
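
To confirm that the role's trust policy is scoped the way the steps above describe, the following added example (not code from this page or from the scanner vendor) audits a trust policy document for the expected principal account and an exact External ID match. The function names and the two failing sample policies are constructed for illustration; the account ID and External ID are the ones shown above.

```python
import json
import re

# Values from the setup steps on this page.
SCANNER_ACCOUNT = "058264240851"
EXTERNAL_ID = "cloudscanner-4a8f2c1d9e3b7a6f0c5d8e2b1a4f7c3d9e6b2a8f5c1d4e7b3a9f6c2d8e5b1a4f"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """12-digit account ID of an AWS principal (bare ID or IAM ARN), else None."""
    m = re.fullmatch(r"(?:arn:aws:iam::)?(\d{12})(?::.+)?", principal)
    return m.group(1) if m else None

def audit_trust_policy(policy_json, account=SCANNER_ACCOUNT, external_id=EXTERNAL_ID):
    """Return findings; an empty list means the trust is scoped as the steps describe."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        principal = {"AWS": "*"} if principal == "*" else principal
        for kind, values in principal.items():
            for p in _as_list(values):
                if kind != "AWS" or _account_of(p) != account:
                    findings.append(f"statement {i}: unexpected principal {kind}:{p}")
        # Condition key names are case-insensitive in IAM; require an exact-match operator.
        ext = [(op, _as_list(v)) for op, keys in stmt.get("Condition", {}).items()
               for k, v in keys.items() if k.lower() == "sts:externalid"]
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
        elif any(op != "StringEquals" or v != [external_id] for op, v in ext):
            findings.append(f"statement {i}: ExternalId is not an exact StringEquals match")
    return findings

def _policy(principal, condition=None):
    # Builds a constructed sample trust policy document.
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

ROOT = f"arn:aws:iam::{SCANNER_ACCOUNT}:root"
AS_DOCUMENTED = _policy(ROOT, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy(ROOT)  # constructed: Condition block omitted
WILDCARD_ID = _policy(ROOT, {"StringLike": {"sts:ExternalId": "cloudscanner-*"}})  # constructed
```

To audit the deployed role, pass in the JSON printed by `aws iam get-role --role-name CloudScannerRole --query Role.AssumeRolePolicyDocument --output json`.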

How to set up Azure access

Create an App Registration (service principal) with read-only subscription access.

1. Register an application

In the Azure Portal go to Azure Active Directory → App registrations → New registration. Give it any name (e.g. CloudScanner) and click Register.

2. Create a Client Secret

Inside the app go to Certificates & secrets → New client secret. Set an expiry and copy the Value — you won't see it again.

3. Assign subscription roles

Go to Subscriptions → Access control (IAM) → Add role assignment and assign these two roles to the app principal:

  • Reader
  • Security Reader

4. Collect the three values

From the app Overview page copy: Directory (tenant) ID, Application (client) ID, and the client secret from step 2.

How to set up GCP access

Create a service account with read-only permissions and download its JSON key.

1. Create a Service Account

In the Google Cloud Console go to IAM & Admin → Service Accounts → Create service account. Name it (e.g. cloud-scanner) and click Create.

2. Grant roles

Assign the following roles to the service account:

  • Viewer (roles/viewer)
  • Security Center Admin Viewer (roles/securitycenter.adminViewer)
  • Cloud Asset Viewer (roles/cloudasset.viewer)

3. Download the JSON key

Open the service account → Keys → Add key → Create new key → JSON. A .json file will download — open it in a text editor and paste the entire contents below.

Prefer gcloud CLI?
gcloud iam service-accounts create cloud-scanner \
  --display-name="Cloud Scanner"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:cloud-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/viewer"
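gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:cloud-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/securitycenter.adminViewer"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:cloud-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudasset.viewer"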
gcloud iam service-accounts keys create key.json \
  --iam-account=cloud-scanner@YOUR_PROJECT_ID.iam.gserviceaccount.com

Credentials are never stored. We use read-only, time-limited access only for the duration of your scan.

First scan free · Read-only access only · No credit card

Sample: my-aws-account · 123456789012

71 (Grade B). Moderate compliance. 8 gaps found.

  • SOC 2 CC Common Criteria: 68
  • SOC 2 Additional Criteria: 82
  • CIS Benchmarks: 72

Top findings

  • Root account MFA not enabled (Critical)
  • S3 buckets lack default encryption (High)
  • CloudTrail not enabled in all regions (High)