Audit-ready evidence collection in cloud

Seeking a repeatable, audit-defensible workflow to capture control evidence from AWS, Azure, and GCP without screenshots — CloudTrail/Config, Azure Policy + Activity Logs, and SCC findings — mapped to SOC 2, ISO 27001, and CIS v8… What tools or runbooks have given you reliable, timestamped artifacts with reviewer traceability (JSON exports to immutable storage, 90+ day retention) that cleared your last external audit?


Prowler across AWS/Azure/GCP; JSON → S3 Object Lock, GCS 90d retention; Azure needs container immutability; maps CIS/SOC2. GitHub - prowler-cloud/prowler: Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.


We’ve had good results with Steampipe mods (https://steampipe.io) to query AWS/Azure/GCP for CIS/SOC2, then push the JSON plus a run_id and sha256 manifest signed with cosign to WORM buckets (S3 Object Lock/Azure immutable/GCS retention) so reviewers can verify via a PR on the manifest. @l_harris91 +1 on Prowler; small caveat: export Azure Activity Logs to that immutable container before scans or auditors get cranky.


Building on @rjensen71, we use CloudQuery (https://cloudquery.io) on a nightly schedule to snapshot configs from the big three into NDJSON with a run_id and sha256 manifest, store it in WORM buckets with time-based retention, and require a signed PR for review — belt-and-suspenders but auditors smile. Caveat: CloudQuery’s mappings aren’t perfect for ISO 27001, so we add native exports from Config Aggregators, Resource Graph, and Cloud Asset Inventory as raw evidence.


Piggybacking on @r_woods23: we push Config evals, Azure Policy results, and SCC to a single S3 bucket with Object Lock (compliance mode), then a tiny Lambda uses KMS Sign to attach a detached signature and x-amz-meta reviewer/control IDs to each JSON — auditors treated it like a time capsule, not a scrapbook. Small caveat: in Azure you’ve gotta lock the immutability policy or they’ll call it reversible; KMS Sign ref: AWS Key Management Service.
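The three replies above share one pattern: export JSON, hash each file into a manifest keyed by a run_id, attach reviewer and control IDs, sign the manifest, and only then land everything in a WORM bucket. The script below is an added illustration of that manifest step, not code from any poster or from Prowler, Steampipe or CloudQuery. The evidence files and control IDs are constructed samples, the reviewer address is a placeholder, and because cosign and KMS Sign are not reachable offline the "seal" is an HMAC-SHA256 stand-in held by the pipeline (an assumption); in a real run the `seal`/`verify_seal` pair would be replaced by a cosign or KMS signing and verification call over the same canonical bytes.

```python
"""Added example: sha256 manifest + run_id + reviewer/control metadata for
exported cloud evidence, sealed so a reviewer can detect any change after capture.
Not from the thread's posters; the HMAC seal stands in for cosign / KMS Sign."""
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed sample evidence, shaped like what a Config/Policy/SCC export might hold.
SAMPLE_EVIDENCE = {
    "aws/config-compliance.json": json.dumps(
        {"rule": "s3-bucket-ssl-requests-only", "compliant": True}).encode(),
    "azure/policy-state.json": json.dumps(
        {"policy": "Storage accounts should use private link", "state": "Compliant"}).encode(),
    "gcp/scc-findings.json": json.dumps({"findings": []}).encode(),
}

# Assumed (made-up) mapping from each evidence file to the control IDs it supports.
CONTROL_MAP = {
    "aws/config-compliance.json": ["CIS-v8-3.1", "SOC2-CC6.1"],
    "azure/policy-state.json": ["ISO27001-A.8.20"],
    "gcp/scc-findings.json": ["SOC2-CC7.1"],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, control_map: dict, reviewer: str,
                   run_id: str = None, captured_at: str = None) -> dict:
    """One manifest per run: run_id, UTC capture time, reviewer, and per-file
    sha256 / size / control IDs. Paths are sorted so the manifest is deterministic."""
    run_id = run_id or str(uuid.uuid4())
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    return {
        "run_id": run_id,
        "captured_at": captured_at,
        "reviewer": reviewer,
        "artifacts": [
            {"path": path, "sha256": sha256_hex(blob), "size": len(blob),
             "controls": control_map.get(path, [])}
            for path, blob in sorted(evidence.items())
        ],
    }


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest: dict, key: bytes) -> str:
    """Detached signature over the canonical manifest. HMAC is an offline stand-in
    for cosign or KMS Sign; the canonical bytes are what you would hand to either."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_seal(manifest: dict, signature: str, key: bytes) -> bool:
    """Constant-time check that the manifest (metadata included) is unchanged since sealing."""
    return hmac.compare_digest(seal(manifest, key), signature)


def verify_evidence(manifest: dict, evidence: dict) -> list:
    """Return the paths whose current bytes are missing or no longer match the sealed
    manifest; an empty list means the evidence set is exactly what was captured."""
    drift = []
    for entry in manifest["artifacts"]:
        blob = evidence.get(entry["path"])
        if blob is None or sha256_hex(blob) != entry["sha256"]:
            drift.append(entry["path"])
    return drift


if __name__ == "__main__":
    key = b"pipeline-signing-key-placeholder"  # placeholder; a KMS/cosign key in practice
    manifest = build_manifest(SAMPLE_EVIDENCE, CONTROL_MAP, reviewer="reviewer@example.invalid")
    signature = seal(manifest, key)
    print(json.dumps(manifest, indent=2))
    print("signature:", signature)
    print("seal ok:", verify_seal(manifest, signature, key))
    print("drift:", verify_evidence(manifest, SAMPLE_EVIDENCE))
```

The manifest and its detached signature are what go into the WORM bucket next to the raw JSON; a reviewer re-runs `verify_seal` against the stored manifest and `verify_evidence` against the stored files, which is the check the signed PR in the replies above is meant to record. Editing any artifact shows up as drift, and editing the manifest itself (for example swapping the reviewer) breaks the seal.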
