Overview
AWS database-service inventory
By Service
By Status
Compliance by Framework
Pass rate per enabled framework, derived from the latest evaluator run. not_applicable findings are excluded from the denominator; unvalidated findings count against pass%.
Global
Inventory collector schedule
How often the collector Lambda runs a full-fleet inventory pass. Accepts EventBridge schedule expressions: rate(N hours|minutes|days) or cron(...). Minimum rate(1 hour); maximum rate(30 days).
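A validator for the schedule field described above, written as an added example (it is not the product's own code). It accepts the two EventBridge forms the setting names and enforces the stated bounds of rate(1 hour) and rate(30 days); the singular/plural unit rule and the six-field cron layout are EventBridge's own syntax, and the error strings are this example's choice.

```python
import re

# Bounds stated in the setting description, expressed in seconds.
MIN_SECONDS = 1 * 60 * 60           # rate(1 hour)
MAX_SECONDS = 30 * 24 * 60 * 60     # rate(30 days)

_UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400}
_RATE_RE = re.compile(r"^rate\((\d+)\s+(minute|minutes|hour|hours|day|days)\)$")
_CRON_RE = re.compile(r"^cron\(([^()]+)\)$")


def rate_seconds(expr: str):
    """Interval in seconds for a rate(...) expression, or None if it is malformed."""
    m = _RATE_RE.match(expr.strip())
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2)
    if value < 1:
        return None
    # EventBridge requires the singular unit for a value of 1 and the plural otherwise.
    singular = unit.rstrip("s")
    if (value == 1) != (unit == singular):
        return None
    return value * _UNIT_SECONDS[singular]


def validate_schedule(expr: str):
    """Return (ok, reason) for a collector schedule expression."""
    expr = expr.strip()
    cron = _CRON_RE.match(expr)
    if cron:
        # EventBridge cron fields: minutes hours day-of-month month day-of-week year
        if len(cron.group(1).split()) != 6:
            return False, "cron() needs six fields: minutes hours day-of-month month day-of-week year"
        return True, "ok"
    secs = rate_seconds(expr)
    if secs is None:
        return False, "not a valid rate(N minutes|hours|days) or cron(...) expression"
    if secs < MIN_SECONDS:
        return False, "below minimum rate(1 hour)"
    if secs > MAX_SECONDS:
        return False, "above maximum rate(30 days)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["rate(1 hour)", "rate(30 minutes)", "rate(31 days)",
                      "rate(2 hour)", "cron(0 2 * * ? *)", "cron(0 2 * * *)"]:
        print(candidate, "->", validate_schedule(candidate))
```

Rejecting sub-hour rates at the API boundary matters here because the collector fans out one Lambda per region per run; an accidental rate(1 minute) multiplies invocation cost and API throttling across the whole fleet.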
Data sensitivity (DSPM) scans
Enable scheduled DSPM-Lite classification across every database with a saved connection profile. Connect populates schemas + db_users only — DSPM samples cell values to classify PII / PCI / PHI / secrets and is the heavy workload. Manual point-in-time scans via the per-database Run DSPM scan button are always allowed regardless of this toggle.
Unvalidated SLA thresholds
How long a data-class-gated finding can sit unvalidated (DSPM not yet run) before it auto-promotes to a real fail with kind=unvalidated_sla_breach. The evaluator picks the strictest applicable framework's threshold per finding. _default covers any framework not listed here.
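The two evaluator rules stated on this page, SLA promotion of unvalidated findings (this section) and the per-framework pass rate (the Compliance by Framework card above), as one added example. This is not the product's evaluator; the Finding fields, the framework names, the thresholds and the timestamps are constructed for illustration, and the only behaviour taken from the page is: strictest applicable threshold wins, _default fills in for unlisted frameworks, breaches become fail with kind=unvalidated_sla_breach, not_applicable leaves the denominator, and unvalidated counts against pass%.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    finding_id: str
    frameworks: tuple[str, ...]          # frameworks the control maps to
    status: str                          # "pass" | "fail" | "unvalidated" | "not_applicable"
    unvalidated_since: datetime | None = None
    kind: str | None = None


def sla_threshold(frameworks, thresholds: dict[str, timedelta]) -> timedelta:
    """Strictest (smallest) threshold among the applicable frameworks; _default for any not listed."""
    applicable = [thresholds.get(fw, thresholds["_default"]) for fw in frameworks]
    return min(applicable) if applicable else thresholds["_default"]


def promote_sla_breaches(findings, thresholds, now: datetime) -> list[Finding]:
    """Return a copy of findings with SLA-breaching unvalidated findings promoted to fail."""
    out = []
    for f in findings:
        if (f.status == "unvalidated" and f.unvalidated_since is not None
                and now - f.unvalidated_since > sla_threshold(f.frameworks, thresholds)):
            f = replace(f, status="fail", kind="unvalidated_sla_breach")
        out.append(f)
    return out


def pass_rate(findings, framework: str | None = None) -> float | None:
    """Pass fraction for one framework (or all); not_applicable is excluded, unvalidated counts as not passed."""
    scoped = [f for f in findings if framework is None or framework in f.frameworks]
    counted = [f for f in scoped if f.status != "not_applicable"]
    if not counted:
        return None
    return sum(1 for f in counted if f.status == "pass") / len(counted)


# Constructed sample data: two frameworks, a strict PCI threshold, a lenient default.
THRESHOLDS = {"_default": timedelta(days=14), "PCI-DSS": timedelta(days=3)}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("f1", ("PCI-DSS", "SOC2"), "unvalidated", NOW - timedelta(days=5)),  # PCI 3d wins -> breach
    Finding("f2", ("SOC2",), "unvalidated", NOW - timedelta(days=5)),            # default 14d -> still waiting
    Finding("f3", ("SOC2", "PCI-DSS"), "pass"),
    Finding("f4", ("SOC2",), "not_applicable"),
    Finding("f5", ("PCI-DSS",), "fail"),
]


def run_evaluation(findings=SAMPLE_FINDINGS, thresholds=THRESHOLDS, now=NOW):
    """One evaluator pass: promote breaches, then compute pass rates per framework and overall."""
    promoted = promote_sla_breaches(findings, thresholds, now)
    frameworks = sorted({fw for f in promoted for fw in f.frameworks})
    rates = {fw: pass_rate(promoted, fw) for fw in frameworks}
    rates["_all"] = pass_rate(promoted)
    return promoted, rates


if __name__ == "__main__":
    promoted, rates = run_evaluation()
    for f in promoted:
        print(f.finding_id, f.status, f.kind)
    print(rates)
```

Note that f2 sits unvalidated for the same five days as f1 but is not promoted, because only the PCI-DSS mapping carries the strict threshold; this is why a finding mapped to several frameworks should always be evaluated against the minimum rather than the threshold of whichever framework the report happens to be filtered on.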
Audit log
Append-only history of state-changing calls against /settings/*, /admin/*, /users/*, and /auth/login (success and failure). Entries are retained for the configured window (default 365 days) and read-only — Admin + SecurityReader can read; nobody can write or delete via the API.
Collector regions
AWS regions the inventory collector sweeps on each execution. The orchestrator state machine fans out one Lambda per region; per-region failures don't abort other regions.
DSPM scan regions
Regions where DSPM connectors may run. Requests to /connect targeting resources outside this list return 400. Running scans are unaffected when a region is removed.
Account discovery
Which sources the planner consults to enumerate member accounts. manual = only the enrolled list below. organizations = only AWS Organizations. hybrid = union (manual entries win on account-id collision). Deploying customer-templates/org-bootstrap.json provisions the role for organizations/hybrid mode.
Connector secrets
Where /connect/manual credentials are stored and which key encrypts them. central = stored in this account's Secrets Manager (default). member-local = stored in each enrolled member account. Switching modes or changing the CMK runs a migration that copies/re-encrypts every existing secret; the button below becomes enabled once a migration is pending.
Run secret migration
This operation copies every existing manual-credential secret to its new location (or re-encrypts with the new CMK). It processes secrets one-by-one; failures for individual secrets are logged and skipped so the migration completes for everything it can, and returns a list of failures at the end. The underlying operation is not atomic — secrets may briefly exist in both locations during a mode switch.
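The migration behaviour described above, as an added example rather than the product's own code: secrets are processed one at a time, each copy is verified before the original is removed, a failure is logged and skipped so the rest of the run continues, and the list of failures is returned at the end. The in-memory SecretStore and the sha256-keystream encrypt/decrypt pair are stand-ins constructed for this example (the "cmk" string plays the role of the key id KMS would resolve; it is not real key management), and the secret ids and the simulated access-denied failure are constructed inputs.

```python
import hashlib
import logging
import os
from dataclasses import dataclass, field

log = logging.getLogger("secret-migration")


def _keystream(cmk: str, nonce: bytes, n: int) -> bytes:
    # Stand-in for KMS-backed encryption, constructed for this example only.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(cmk.encode() + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(cmk: str, plaintext: bytes) -> dict:
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(cmk, nonce, len(plaintext))))
    return {"cmk": cmk, "nonce": nonce, "ciphertext": ct}


def decrypt(envelope: dict) -> bytes:
    ks = _keystream(envelope["cmk"], envelope["nonce"], len(envelope["ciphertext"]))
    return bytes(a ^ b for a, b in zip(envelope["ciphertext"], ks))


@dataclass
class SecretStore:
    """In-memory stand-in for one Secrets Manager location (central or a member account)."""
    name: str
    secrets: dict[str, dict] = field(default_factory=dict)
    fail_on: set[str] = field(default_factory=set)   # secret ids whose write fails (simulated)

    def put(self, secret_id: str, envelope: dict) -> None:
        if secret_id in self.fail_on:
            raise RuntimeError(f"{self.name}: access denied writing {secret_id}")
        self.secrets[secret_id] = dict(envelope)

    def get(self, secret_id: str) -> dict:
        return self.secrets[secret_id]

    def delete(self, secret_id: str) -> None:
        del self.secrets[secret_id]


def migrate_secrets(source: SecretStore, dest: SecretStore, new_cmk: str) -> list[tuple[str, str]]:
    """Copy/re-encrypt every secret one-by-one; skip and record failures; return them at the end."""
    failures: list[tuple[str, str]] = []
    for secret_id in list(source.secrets):
        try:
            plaintext = decrypt(source.get(secret_id))
            dest.put(secret_id, encrypt(new_cmk, plaintext))
            # Verify the copy round-trips before removing the original, so a bad write
            # never leaves a secret in neither location.
            if decrypt(dest.get(secret_id)) != plaintext:
                raise RuntimeError("verification mismatch after copy")
            if dest is not source:
                source.delete(secret_id)   # for a CMK-only change put() already replaced it in place
        except Exception as exc:
            log.warning("secret %s skipped: %s", secret_id, exc)
            failures.append((secret_id, str(exc)))
    return failures


def demo():
    """Mode switch central -> member-local with one simulated write failure."""
    central = SecretStore("central")
    for sid, pw in [("db-1", b"pw-one"), ("db-2", b"pw-two"), ("db-3", b"pw-three")]:
        central.put(sid, encrypt("alias/old-cmk", pw))
    member = SecretStore("member-local", fail_on={"db-2"})
    failures = migrate_secrets(central, member, "alias/new-cmk")
    return failures, sorted(central.secrets), sorted(member.secrets), member


if __name__ == "__main__":
    failures, left_in_central, in_member, _ = demo()
    print("failures:", failures)
    print("still central:", left_in_central, "| member-local:", in_member)
```

Between put() and delete() a secret exists in both stores, which is the non-atomic window the page describes; the verify-before-delete order is what keeps a failed write from losing the only copy, and the returned failure list is what an operator should reconcile before treating the migration as finished.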
Enrolled accounts
Member accounts the collector inventories via cross-account assume-role. The central account is always included implicitly. Deploy customer-templates/member-account-bootstrap.json in the member first; the role it creates is what gets assumed here.
Add account
Recorded at member-account-bootstrap deploy time. Stored encrypted; never returned by the API once saved. To rotate, provide a new value and redeploy the member template.
From the member-account-connector.json stack's MemberStateMachineArn output. Must match the enrolled account id, and the account must have deployed the template against this exact external id.
Users
New User
New Report
Pick at least one framework.
Use the Frameworks filter above to narrow this list.
Leave empty to include all values for this dimension.