Overview
Compliance posture and database-engine state
By Service
Engine State
Live status reported by each database engine — distinct from compliance posture.
Compliance Posture by Framework
Pass rate per enabled framework, derived from the latest evaluator run. not_applicable findings are excluded from the denominator; unvalidated findings count against pass%.
Inventory
Controls
Reporting
Settings
Inventory collector schedule
How often the collector Lambda runs a full-fleet inventory pass. Accepts EventBridge expressions: rate(N hours|minutes|days) or cron(...). Minimum rate(1 hour); maximum rate(30 days).
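The bounds above are easy to get wrong at the API boundary (a `rate(30 minutes)` would run the collector twice as often as allowed). The validator below is an added example, not the product's own code: it parses the `rate(...)` form, applies EventBridge's documented singular/plural unit rule, converts to minutes and checks the 1 hour to 30 day window; `cron(...)` is only checked structurally for EventBridge's six fields. The function names and the minute-based bounds are this example's choices.

```python
import re

# Bounds from the settings text: minimum rate(1 hour), maximum rate(30 days), in minutes.
MIN_INTERVAL_MINUTES = 60
MAX_INTERVAL_MINUTES = 30 * 24 * 60

_UNIT_MINUTES = {"minute": 1, "hour": 60, "day": 24 * 60}
_RATE_RE = re.compile(r"^rate\((\d+)\s+(minute|minutes|hour|hours|day|days)\)$")
_CRON_RE = re.compile(r"^cron\((.*)\)$")


def rate_to_minutes(expr):
    """Interval in minutes for a rate(...) expression, or None if malformed.

    EventBridge requires a singular unit for 1 and a plural unit otherwise,
    so rate(1 hours) and rate(2 hour) are rejected here as well.
    """
    m = _RATE_RE.match(expr.strip())
    if not m:
        return None
    value, unit = int(m.group(1)), m.group(2)
    if value == 0:
        return None
    plural = unit.endswith("s")
    if (value == 1) == plural:  # 1 with plural, or >1 with singular
        return None
    return value * _UNIT_MINUTES[unit.rstrip("s")]


def validate_collector_schedule(expr):
    """Validate a collector schedule expression; returns (ok, reason).

    rate(...) is checked against the 1 hour .. 30 day bounds. cron(...) is
    only checked for EventBridge's six fields (minutes hours day-of-month
    month day-of-week year); per-field syntax is outside this example.
    """
    expr = expr.strip()
    if expr.startswith("rate("):
        minutes = rate_to_minutes(expr)
        if minutes is None:
            return False, "malformed rate() expression"
        if minutes < MIN_INTERVAL_MINUTES:
            return False, "below minimum rate(1 hour)"
        if minutes > MAX_INTERVAL_MINUTES:
            return False, "above maximum rate(30 days)"
        return True, "ok"
    m = _CRON_RE.match(expr)
    if m:
        fields = m.group(1).split()
        if len(fields) != 6:
            return False, "cron() needs 6 fields: minutes hours day-of-month month day-of-week year"
        return True, "ok"
    return False, "expected rate(...) or cron(...)"


if __name__ == "__main__":
    for candidate in ("rate(1 hour)", "rate(30 minutes)", "rate(31 days)", "cron(0 2 * * ? *)"):
        print(candidate, validate_collector_schedule(candidate))
```

Rejecting at save time, rather than letting EventBridge reject the rule at deploy time, keeps a bad value out of the tenant settings record and gives the operator a reason string instead of a failed deployment.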
Collector regions
AWS regions the inventory collector sweeps on each execution. The orchestrator state machine fans out one Lambda per region; per-region failures don't abort other regions.
DSPM scan regions
Regions where DSPM connectors may run. Requests to /connect targeting resources outside this list return 400. Running scans are unaffected when a region is removed.
Data sensitivity (DSPM) scans
Enable scheduled DSPM-Lite classification across every database with a saved connection profile. Connect populates schemas + db_users only — DSPM samples cell values to classify PII / PCI / PHI / secrets and is the heavy workload. Manual point-in-time scans via the per-database Run DSPM scan button are always allowed regardless of this toggle.
Unvalidated SLA thresholds
How long a data-class-gated finding can sit unvalidated (DSPM not yet run) before it auto-promotes to a real fail with kind=unvalidated_sla_breach. The evaluator picks the strictest applicable framework's threshold per finding. _default covers any framework not listed here.
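The two rules above, the strictest-threshold selection for unvalidated findings and the pass-rate arithmetic from the Compliance Posture panel (not_applicable out of the denominator, unvalidated counted as a miss), are shown together in this added example. It is not the evaluator's own code: the framework names, the threshold unit (hours), the finding fields and the fixed clock are all constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed thresholds in hours. Framework labels are example values only;
# _default applies to any framework not listed.
SLA_HOURS = {"_default": 72, "pci_dss": 24}


def sla_for(frameworks, thresholds):
    """Strictest (smallest) applicable threshold across a finding's frameworks."""
    return min(thresholds.get(fw, thresholds["_default"]) for fw in frameworks)


def promote_sla_breaches(findings, thresholds, now):
    """Copy the findings; an unvalidated finding older than its strictest SLA
    becomes a fail with kind=unvalidated_sla_breach, everything else is kept."""
    out = []
    for f in findings:
        f = dict(f)
        if f["status"] == "unvalidated":
            age = now - f["unvalidated_since"]
            if age >= timedelta(hours=sla_for(f["frameworks"], thresholds)):
                f["status"] = "fail"
                f["kind"] = "unvalidated_sla_breach"
        out.append(f)
    return out


def pass_rates(findings, enabled_frameworks):
    """Pass% per framework: not_applicable is dropped from the denominator,
    while fail and unvalidated both count against the rate. None when a
    framework has no applicable findings at all."""
    rates = {}
    for fw in enabled_frameworks:
        applicable = [f for f in findings
                      if fw in f["frameworks"] and f["status"] != "not_applicable"]
        if not applicable:
            rates[fw] = None
            continue
        passed = sum(1 for f in applicable if f["status"] == "pass")
        rates[fw] = round(100.0 * passed / len(applicable), 1)
    return rates


NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the constructed data

# Constructed findings; unvalidated_since is when the finding first needed DSPM data.
FINDINGS = [
    {"id": "f1", "frameworks": ["pci_dss", "soc2"], "status": "unvalidated",
     "unvalidated_since": NOW - timedelta(hours=30)},   # 30h > strictest 24h: breach
    {"id": "f2", "frameworks": ["soc2"], "status": "unvalidated",
     "unvalidated_since": NOW - timedelta(hours=30)},   # 30h < 72h default: still unvalidated
    {"id": "f3", "frameworks": ["pci_dss", "soc2"], "status": "pass"},
    {"id": "f4", "frameworks": ["soc2"], "status": "not_applicable"},
    {"id": "f5", "frameworks": ["pci_dss"], "status": "fail", "kind": "control_failed"},
    {"id": "f6", "frameworks": ["soc2"], "status": "pass"},
]


def evaluate(findings=FINDINGS, thresholds=SLA_HOURS, now=NOW):
    """One evaluator pass: promote SLA breaches, then compute pass% per framework."""
    promoted = promote_sla_breaches(findings, thresholds, now)
    return promoted, pass_rates(promoted, ["pci_dss", "soc2"])


if __name__ == "__main__":
    promoted, rates = evaluate()
    for f in promoted:
        print(f["id"], f["status"], f.get("kind", ""))
    print(rates)
```

Note that f1 is promoted because the stricter 24h threshold wins even though the finding also maps to a framework on the 72h default, and that f2 still lowers the soc2 pass rate while it waits; the panel's "unvalidated counts against pass%" rule means a fleet with DSPM disabled never reads as fully compliant on gated controls.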
Account discovery
Which sources the planner consults to enumerate member accounts.
manual = only the enrolled list below. organizations = only AWS Organizations.
hybrid = union (manual entries win on account-id collision).
Deploying customer-templates/org-bootstrap.json provisions the role for organizations/hybrid mode.
Enrolled accounts
Accounts this tenant inventories. Member accounts are reached via cross-account assume-role; deploy customer-templates/member-account-bootstrap.json in the member first — the role it creates is what gets assumed here. Enroll the central host account explicitly if this tenant should scan it (assume-role is skipped automatically). An empty list means no inventory.
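The discovery modes and the host-account rule above combine into a small planning step. The function below is an added example, not the planner's own code: it merges the enrolled list with an Organizations enumeration according to the mode, lets manual entries win on an account-id collision in hybrid mode, and marks the host account so the caller skips assume-role. Account ids, aliases and the `source` field are constructed for the illustration.

```python
def plan_inventory_targets(mode, manual_accounts, org_accounts, host_account_id):
    """Return the accounts to inventory, one entry per account id, sorted by id.

    mode:            "manual" | "organizations" | "hybrid"
    manual_accounts: the enrolled list, dicts with at least "account_id"
    org_accounts:    account ids enumerated from AWS Organizations
    Each target gets assume_role=False for the central host account and
    True otherwise. An empty result means no inventory.
    """
    if mode == "manual":
        merged = {a["account_id"]: dict(a, source="manual") for a in manual_accounts}
    elif mode == "organizations":
        merged = {aid: {"account_id": aid, "source": "organizations"} for aid in org_accounts}
    elif mode == "hybrid":
        merged = {aid: {"account_id": aid, "source": "organizations"} for aid in org_accounts}
        for a in manual_accounts:  # manual entries win on account-id collision
            merged[a["account_id"]] = dict(a, source="manual")
    else:
        raise ValueError(f"unknown discovery mode: {mode!r}")

    targets = []
    for aid in sorted(merged):
        target = merged[aid]
        target["assume_role"] = aid != host_account_id  # host is scanned in-place
        targets.append(target)
    return targets


# Constructed sample data (not real account ids).
HOST = "111111111111"
MANUAL = [
    {"account_id": "222222222222", "alias": "prod-db"},
    {"account_id": HOST, "alias": "central-host"},
]
ORG = ["222222222222", "333333333333"]


if __name__ == "__main__":
    for mode in ("manual", "organizations", "hybrid"):
        print(mode, plan_inventory_targets(mode, MANUAL, ORG, HOST))
```

In hybrid mode the enrolled entry for 222222222222 keeps its alias and overrides the bare Organizations record, while 333333333333 is picked up from Organizations only; the host account appears only because it was enrolled explicitly, matching the "enroll the central host account explicitly" rule.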
Connector secrets
Where /connect/manual credentials are stored and which key encrypts them. central = stored in this account's Secrets Manager (default). member-local = stored in each enrolled member account. Switching modes or changing the CMK runs a migration that copies/re-encrypts every existing secret; the button below becomes enabled once a migration is pending.
Tenant users
Local accounts and group membership for this tenant. Group rules are advisory in the UI; the API enforces them server-side.
Audit log
Append-only history of state-changing calls against /settings/*, /admin/*, /users/*, and /auth/login (success and failure). Entries are retained for the configured window (default 365 days) and read-only — Admin + SecurityReader can read; nobody can write or delete via the API.
Run secret migration
This operation copies every existing manual-credential secret to its new location (or re-encrypts with the new CMK). It processes secrets one-by-one; failures for individual secrets are logged and skipped so the migration completes for everything it can, and returns a list of failures at the end. The underlying operation is not atomic — secrets may briefly exist in both locations during a mode switch.
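To make the per-secret failure isolation and the non-atomic window concrete, here is an added example (not the migration's own code) using two in-memory dictionaries in place of the source and target Secrets Manager locations: each secret is written to the target, read back, and only then removed from the source, so a failure leaves that one secret untouched at the source and the run still finishes for the rest. The store class, secret names and the injected failure are constructed for the illustration.

```python
import logging

log = logging.getLogger("secret-migration")


class FlakyStore(dict):
    """Constructed stand-in for a secret store whose writes fail for some ids."""

    def __init__(self, fail_ids=()):
        super().__init__()
        self.fail_ids = set(fail_ids)

    def put(self, key, value):
        if key in self.fail_ids:
            raise PermissionError(f"AccessDenied writing {key}")
        self[key] = value


def migrate_secret(secret_id, src, dst):
    """Move one secret: write to dst, verify, then delete from src.

    Between the write and the delete the secret exists in both places;
    that is the non-atomic window during a mode switch. A failure before
    the delete leaves the source copy in place rather than losing the secret.
    """
    value = src[secret_id]
    dst.put(secret_id, value)          # in the real system: copy or re-encrypt under the new CMK
    if dst.get(secret_id) != value:    # verify before destroying the source copy
        raise RuntimeError(f"verification failed for {secret_id}")
    del src[secret_id]


def run_secret_migration(src, dst):
    """Process secrets one by one; log and skip individual failures and
    return the failure list so the operator can retry just those."""
    migrated, failures = [], []
    for secret_id in sorted(src):
        try:
            migrate_secret(secret_id, src, dst)
            migrated.append(secret_id)
        except Exception as exc:  # isolate the failure; keep migrating the rest
            log.warning("secret %s not migrated: %s", secret_id, exc)
            failures.append({"secret_id": secret_id, "error": str(exc)})
    return {"migrated": migrated, "failures": failures}


def demo():
    """Constructed run: four secrets, the target store rejects one of them."""
    src = FlakyStore()
    src.update({"db/prod-1": "s1", "db/prod-2": "s2", "db/prod-3": "s3", "db/staging-1": "s4"})
    dst = FlakyStore(fail_ids={"db/prod-3"})
    result = run_secret_migration(src, dst)
    return result, src, dst


if __name__ == "__main__":
    result, src, dst = demo()
    print(result)
    print("left at source:", sorted(src), "now at target:", sorted(dst))
```

The write-verify-delete ordering is what keeps the failure list meaningful: every id it reports is still readable at the old location, so a retry is a plain re-run rather than a recovery.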
Add account
Recorded at member-account-bootstrap deploy time. Stored encrypted; never returned by the API once saved. To rotate, provide a new value and redeploy the member template.
From the member-account-connector.json stack's MemberConnectorStateMachineArn output. Must match the enrolled account id, and the account must have deployed the template against this exact external id.
From the member-account-dspm.json stack's MemberDspmStateMachineArn output. Deploy the DSPM stack only after the connector stack — DSPM imports the VPC plumbing from member-account-connector.
New User
New Report
Pick at least one framework.
Use the Frameworks filter above to narrow this list.
Leave empty to include all values for this dimension.