AWS ACCOUNT SCANNER · READ-ONLY

See everything your AWS account forgot to tell you.

Cloud Scope connects via a read-only IAM role and returns a prioritized report on cost waste, security posture, and compliance drift. No agents. No code changes. 90 seconds.

SOC 2 Type II · Read-only IAM · No data leaves AWS
scope@prod ~ scan
$ scope scan --all-regions
$2.4M AWS waste found / month across all users
179 checks across 47 AWS services
6 compliance frameworks mapped control-by-control
0 write permissions ever requested
WHAT SCOPE SCANS

47 AWS services. 179 checks. One report.

Every resource in every region. Cost, security, and compliance checks run side by side — not three separate tools bolted together.

S3: Public ACLs, encryption, lifecycle
EC2: Idle instances, right-sizing
IAM: Unused keys, over-privileged roles
RDS: Over-provisioned, snapshot cost
Lambda: Memory tuning, dead functions
VPC: Idle NAT gateways, open SGs
CloudWatch: CIS 4.x metric filters + retention
KMS: Rotation, public policies, deletions
+ 39 more · CloudTrail, GuardDuty, Security Hub, Inspector, Macie, Access Analyzer, SageMaker, EMR, EFS, MSK, Neptune, DocumentDB, Transfer Family, Bedrock, OpenSearch, Redshift, WAF, CloudFront, API Gateway, ElastiCache, ECS, EKS, ECR, SNS, SQS, KMS, Secrets Manager, NACL, SG, Route 53, ACM, Backup, SSM, Config, CloudWatch, DynamoDB, EIP, NAT, snapshots
SAMPLE REPORT

Findings, ranked by what they cost you.

Every finding has a dollar impact, a remediation, and a copy-paste CLI fix.

report · 8a2f4e · 2m 14s · 3 regions · 179 checks run
All: 18 · Cost: 12 · Security: 4 · Compliance: 2
Public S3 bucket with sensitive prefix
bucket: prod-user-uploads · us-east-1
Security · CRIT
Idle NAT gateways in 3 AZs
vpc-0a9b…4c2 · no traffic 28d
Cost · $328/mo
Over-provisioned RDS (db.m5.4xlarge, 6% CPU)
analytics-replica · 14d p95
Cost · $812/mo
EBS snapshots older than 365 days
47 snapshots · 2.1 TiB
Cost · $214/mo
IAM user with access keys > 180 days old
user: ci-deploy · last rotated 2024-08-11
Security · MED
Missing CIS 4.2 metric filter · console login without MFA
mapped to SOC 2 CC7.2 · PCI 10.6.1 · HIPAA §164.312(b)
Compliance · MED
+ 12 more findings
COMPLIANCE COVERAGE

Six frameworks. One dashboard. Audit-ready export.

Every security check carries explicit control refs — no "fits in the spirit of SOC 2" hand-waving. Click a framework → see the failing controls with the resource that broke each. Print to PDF, download CSV, attach to your evidence binder.

CIS · CIS AWS Foundations 3.0 · 54 controls mapped
NIST · NIST 800-53 Rev 5 · 33 controls mapped
PCI · PCI-DSS v4.0 · 27 controls mapped
ISO · ISO 27001:2022 · 20 controls mapped
SOC 2 · SOC 2 Type II (2017) · 10 controls mapped
HIPAA · HIPAA Security Rule (2013) · 21 controls mapped
97% of security checks carry at least one framework ref
PDF + CSV export pre-signed for every scan
Drill-down from control → check → resource in two clicks
HOW IT WORKS

Three steps. Ninety seconds.

STEP 01

Connect a read-only role

Paste a CloudFormation URL or run one terraform apply. We only get ReadOnlyAccess + a handful of explicit list/describe actions. No write permissions. Ever.

aws cloudformation create-stack \
  --stack-name scope-reader \
  --template-url https://scope.sh/t.yaml \
  --capabilities CAPABILITY_IAM
STEP 02

Scope scans in parallel

Every region, every service, concurrently. A typical account finishes in 90 seconds. A 2,000-resource account in under 5 minutes.

› scanning us-east-1 · us-west-2 · eu-west-1
✓ 47 services · 179 checks · 2m 14s
! 18 findings
STEP 03

Get a ranked report

Dollar impact, severity, affected resources, and a remediation. Export to CSV, open a Jira ticket, or page on-call directly from a finding.

scope export --format csv > findings.csv
scope jira create --severity crit
PRICING

Priced per account. No surprises.

Scope pays for itself in the first scan. If it doesn't, we'll refund.

Solo
$0 forever
Side projects, personal accounts.
  • 1 AWS account
  • Monthly scans
  • Cost + security checks
  • Email report
Most teams pick this
Team
$99/account/mo
Startups & growing teams.
  • Up to 10 accounts
  • Daily scans
  • All 6 frameworks (CIS, PCI, SOC 2, NIST, ISO, HIPAA)
  • PDF + CSV audit export
  • Slack / PagerDuty / webhook alerts
Enterprise
Talk to us
Large orgs, regulated industries.
  • Unlimited accounts + orgs
  • SSO / SAML / OIDC + SCIM
  • Self-hosted option (single-binary)
  • Custom frameworks + controls
  • Named support + SLA
READY?

Scan your AWS account in 90 seconds.

Read-only. No agents. No code changes. First scan is free — you'll know within minutes whether Scope is worth paying for.