Enforcer Brand Icon
Enforcer-CCA
Access ControlsAWSKubernetesSOC 2 (Roadmap)
ProofFeaturesSecurityPricingAbout
Talk to the founder
Enforcer Brand Icon
Enforcer-CCA

Enforcer checks how your cloud is really configured against ISO 27001 every day, and keeps a dated record. It runs alongside the compliance tool you already have.

Platform

  • Features
  • Proof
  • Security & data handling
  • Support Portal

Solutions

  • AWS
  • Kubernetes
  • SOC 2 (Roadmap)

Company

  • About Us
  • Roadmap
  • Pricing
  • Why live-state evidence

Connect

  • Talk to the founder

Ask AI about Enforcer

Start a custom consultation with your favorite AI strategist. Click any LLM platform below to automatically open a session pre-loaded with our detailed, fact-checked product brief.

Prompt Overview

“You are a GRC and compliance strategist advising a cloud-native company that sells to banks or other regulated enterprises. Analyze the business value of Enforcer CCA, a tool that turns the live state of cloud infrastructure into dated comp...”

© 2026 Enforcer-CCA · Runs in your own infrastructure
Terms and ConditionsPrivacy Policy
Access controls · AWS IAM & Kubernetes

Access is where trust quietly breaks.

Not firewalls. People holding permissions they should never have had — a contractor who kept access, a role with the keys to everything, a login nobody remembers. Enforcer reads who can do what across your AWS and Kubernetes every day, flags what is out of line, and writes it down. Read-only. Nothing changes without a person’s yes.

Talk to the founder — 20 minutesDownload a sample evidence pack

Your auditor asks once a year. Your cloud answers every day.

A bank customer’s vendor-risk team wants to know how you control access. Today, answering that takes two engineers a week: screenshots of permission screens, an access spreadsheet assembled by hand, a point-in-time picture that proves nothing about the eleven months in between.

And the picture is usually already out of date. Someone opened up a role during an incident and forgot to close it. A contractor rolled off and kept their keys. A quick “temporary” grant became permanent. These are the changes that pass an annual review and burn you in a real one.

Enforcer closes that gap. It checks the real access settings — for each individual user, role, and access rule — against the ISO 27001 requirements every day, and every result becomes a dated, hash-verified record you can hand over instead of assemble.

The surface

What Enforcer watches

Who holds power in AWS

Every IAM user, role, and permission — read directly from the account. Enforcer flags full-admin access, permissions attached to people instead of groups, and keys that were issued and never used.

Who holds power in Kubernetes

The same question, one layer down: the access rules and bindings inside your clusters. Enforcer flags anything that hands out cluster-admin or grants everything with a wildcard.

One record, kept over time

Cloud and cluster findings roll up together. Each one names the exact user or role, the requirement it failed, and the day it was seen — plain rules, the same answer every time, no AI in the record.

The kind of thing it catches

Each of these is one automated check. When it fails, the record names the resource, the ISO requirement, and the date — reproducible, and traceable back to the exact setting.

  • A user or role with full administrator accessPOL-IAM-NO-ADMIN-001
  • Permissions attached straight to a person instead of a groupPOL-IAM-NO-DIRECT-ATTACH-001
  • A Kubernetes binding that hands out cluster-adminPOL-K8S-CRB-NO-CLUSTER-ADMIN-001
  • An access rule that grants everything with a wildcardPOL-K8S-ROLE-NO-WILDCARD-001
  • Access keys that were issued and then never usedPOL-IAM-NO-STALE-KEYS-001
  • A login that has sat inactive long enough to be a liabilityPOL-IAM-PWD-INACTIVE-001

These are a handful of the 133 checks Enforcer runs. See a full control matrix.

Tied to the ISO 27001 requirements by name

Every access check maps to a specific ISO 27001:2022 control, so the evidence lines up with the question your auditor is actually asking.

A.5.15 Access control
A.5.16 Identity management
A.5.17 Authentication information
A.5.18 Access rights
A.8.2 Privileged access rights
A.8.3 Information access restriction

It can fix what it finds — after you say yes

Finding an over-broad role is only useful if it gets fixed. Enforcer can propose and apply the fix — but only behind two separate doors. First, that specific check has to be switched out of watch-only mode. Then a person has to approve that exact change.

The problem, the approval, and the fix are stored as one linked record. A machine handles the busywork. A person keeps the judgment. Nothing touches production unsupervised.

What this does not do

Enforcer reads access settings. It sees that a role has too much power; it does not know why the person was hired or whether their manager signed off. The joiner-mover-leaver process, the access reviews, the approvals — those live in the compliance tool you already have, and they should stay there.

It also does not decide, on its own, whether your team is properly separated. Whether one person can approve their own work is a question about how you organize people, not about a cloud setting. Enforcer gives you the raw material that question depends on — who really holds what — not a verdict on the organizational control itself.

We would rather tell you where the edge is than pretend there isn’t one.

Questions people ask

Isn’t this the same thing my compliance tool already checks?+

No. Tools like Vanta and Drata answer the access question with a questionnaire and a poll of connected integrations — a summary of what someone said, or what the last poll saw. Enforcer reads the actual permission settings on every AWS user and role and every Kubernetes access rule, and keeps that reading. Keep the tool you have; this is the half it cannot see.

Does this prove separation of duties for my ISO audit?+

It proves the access-rights controls that separation of duties depends on — that no one holds full administrator power, that permissions are not over-broad, that stale access has been cleaned up. It does not evaluate the organizational control itself (ISO 27001 A.5.3), because whether one person can approve their own work is a process question, not something a cloud setting can answer. We are precise about that line rather than papering over it.

Can Enforcer take someone’s access away on its own?+

No — not unless you deliberately turn it on. Every check ships in watch-only mode. A fix runs only after you switch that specific check into fix mode and a person approves that exact change. Out of the box, Enforcer cannot change anything in your account.

What access does Enforcer need to do this?+

A read-only role. It reads configuration only — it cannot read the data inside your systems, and the permission list is generated from the exact calls the software makes, so it cannot quietly grow. The full policy is published on our security page.

Will my auditor accept this record?+

We don’t know yet, and we won’t claim otherwise. As of today no auditor has reviewed our evidence format. Getting that verdict — in writing — is the thing we are working on now, and we will publish it either way. In the meantime you can download a sample record and check it yourself.

Find out what’s hiding in your access today

Twenty minutes with the founder, or download a sample record and check the hashes yourself. No sales funnel, no demo that doesn’t exist yet.

Talk to the founder — 20 minutesSee the evidence format
Related

Explore related solutions

AWS configuration drift

Catch unsafe AWS changes the day they happen — every change becomes a dated record, and nothing gets fixed until you approve it.

Learn more

Kubernetes security & governance

The same access question one layer down — RBAC, network policy, and namespace isolation, evidenced beside your AWS findings.

Learn more