Infrastructure Compliance Auditor

Cross-cutting infrastructure security audit across ALL compliance frameworks. Replaces manual Vanta-style checks with deterministic, repeatable, evidence-generating infrastructure audits covering cloud, DNS, TLS, endpoints, access control, network, containers, CI/CD, secrets, logging, and physical security.

Table of Contents

• Trigger Phrases
• Quick Start
• Tools
• Audit Domains
  • 1. Cloud Infrastructure Security
  • 2. DNS Security
  • 3. TLS/SSL Security
  • 4. Endpoint Security
  • 5. Access Control and Authentication
  • 6. Network Security
  • 7. Container and Kubernetes Security
  • 8. CI/CD Pipeline Security
  • 9. Secrets Management
  • 10. Logging and Monitoring
  • 11. Physical Security
  • 12. Compliance Framework Mapping
• Workflows
• Reference Guides
• Validation Checkpoints
• Scoring Methodology

Trigger Phrases

Use this skill when you hear:

• "infrastructure audit"
• "cloud security audit"
• "infrastructure compliance"
• "DNS security audit"
• "TLS audit"
• "endpoint security"
• "access control audit"
• "network security assessment"
• "infrastructure security"
• "cloud compliance"
• "Vanta alternative"
• "compliance automation"
• "security posture assessment"
• "hardware security keys"
• "YubiKey compliance"

Quick Start

Run Full Infrastructure Audit

python scripts/infra_audit_runner.py --config infrastructure.json --output audit_report.json

Audit DNS Security for a Domain

python scripts/dns_security_checker.py --domain example.com --output dns_report.json

Audit Access Controls

python scripts/access_control_auditor.py --config access_controls.json --output access_report.json

Generate Compliance-Mapped Report

python scripts/infra_audit_runner.py --config infrastructure.json --frameworks soc2,iso27001,hipaa --format markdown --output compliance_report.md

Tools

Audit Domains

1. Cloud Infrastructure Security

AWS Security Audit Checklist

IAM Policies and Roles

S3 Bucket Security

VPC Configuration

RDS Security

CloudTrail and Monitoring

KMS and Encryption

Lambda and Serverless Security

EKS/ECS Container Security

Azure Security Audit Checklist

Azure AD / Entra ID

Azure Network Security

Azure Key Vault

Azure Monitoring

Azure Storage Security

AKS Security

GCP Security Audit Checklist

GCP IAM and Service Accounts

GCP VPC and Network

GCP Security Services

GKE Security

2. DNS Security

Email Authentication Chain

SPF, DKIM, and DMARC form a layered email authentication system. ALL three must be configured correctly for effective protection against spoofing and phishing.

SPF (Sender Policy Framework)

SPF syntax reference:

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 -all

Key rules:

• Maximum 10 DNS lookups (include, a, mx, ptr, exists, redirect each count as 1)
• ip4 and ip6 mechanisms do NOT count toward the 10-lookup limit
• Nested includes count toward the limit
• Record must be a single TXT record (no multiple SPF records)
• Maximum 255 characters per DNS string (use string concatenation for longer records)

DKIM (DomainKeys Identified Mail)

DKIM record format:

selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC record format:

_dmarc.example.com IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; pct=100"

DMARC rollout strategy (avoid disrupting legitimate email):

1. p=none; rua=mailto:... — Monitor for 2-4 weeks
2. p=quarantine; pct=10 — Quarantine 10% of failing messages
3. p=quarantine; pct=50 — Increase gradually
4. p=quarantine; pct=100 — Full quarantine
5. p=reject; pct=100 — Full enforcement

DNSSEC

CAA (Certificate Authority Authorization)

CAA record format:

example.com IN CAA 0 issue "letsencrypt.org"
example.com IN CAA 0 issue "digicert.com"
example.com IN CAA 0 issuewild "letsencrypt.org"
example.com IN CAA 0 iodef "mailto:security@example.com"

MTA-STS and TLS-RPT

MTA-STS policy (at https://mta-sts.example.com/.well-known/mta-sts.txt):

version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.com
max_age: 604800

Domain Security

3. TLS/SSL Security

Certificate Management

Protocol and Cipher Configuration

Recommended TLS 1.2 cipher suites (in order):

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS 1.3 cipher suites (always use all three):

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

HTTP Security Headers

Internal TLS

4. Endpoint Security

Mobile Device Management (MDM)

Disk Encryption

Antivirus and EDR

OS Patch Management

Additional Endpoint Controls

5. Access Control and Authentication

Identity Provider (IdP) Configuration

Single Sign-On (SSO)

Multi-Factor Authentication (MFA)

Hardware Security Key (YubiKey) Implementation:

Enrollment process:

1. User registers primary YubiKey to IdP (Okta, Azure AD, Google Workspace)
2. User registers backup YubiKey (stored in secure location)
3. IdP policy updated to require FIDO2/WebAuthn for user
4. TOTP/push fallback disabled for privileged accounts

YubiKey policy requirements:

• Each user has minimum 2 registered keys (primary + backup)
• Backup key stored in secure, documented location
• PIN configured on YubiKey (FIDO2 user verification)
• Touch required for every authentication
• Bio Series (fingerprint) preferred for shared workstations
• Inventory of all issued keys maintained
• Lost key process: immediate revocation, identity reverification, new key issuance

IdP-specific configuration:

• Okta: Enroll YubiKey via FIDO2 (WebAuthn) factor, set Authentication Policy to require phishing-resistant MFA
• Azure AD/Entra ID: Configure FIDO2 security key in Authentication Methods, create Conditional Access policy requiring authentication strength "Phishing-resistant MFA"
• Google Workspace: Enroll security key in 2-Step Verification, enable Advanced Protection Program for admins

Privileged Access Management (PAM)

Role-Based Access Control (RBAC)

Service Account and API Key Governance

SSH Key Management

Zero Trust Architecture

6. Network Security

Firewall Configuration

Network Segmentation

Web Application Firewall (WAF)

DDoS Protection

VPN Configuration

Intrusion Detection/Prevention

7. Container and Kubernetes Security

Base Image Security

Container Runtime Security

Kubernetes Cluster Security

8. CI/CD Pipeline Security

Source Code Management

Security Scanning

Supply Chain Security

Deployment Security

9. Secrets Management

Secrets Management Solutions

Secret Rotation

Code and Repository Security

Hardware Security Modules (HSM)

10. Logging and Monitoring

Centralized Logging

SIEM

Retention and Integrity

Alerting and Detection

11. Physical Security

Data Center Security

Office Security

Media Disposal

12. Compliance Framework Mapping

Each control in this audit maps to one or more compliance frameworks. The mapping enables organizations pursuing multiple certifications to satisfy overlapping requirements with single implementations.

Supported Frameworks:

Framework Coverage Summary:

Multi-Framework Evidence Strategy:

For each control, collect evidence once and map to all applicable frameworks:

1. Policy Document — Covers SOC 2, ISO 27001, HIPAA, GDPR (one policy, multiple mappings)
2. Technical Configuration — Screenshot/export showing control is active (maps to all technical frameworks)
3. Audit Log — Proves ongoing compliance (SOC 2, PCI-DSS, HIPAA all require audit trails)
4. Review Record — Quarterly review minutes satisfy multiple framework requirements simultaneously

Workflows

Workflow 1: Full Infrastructure Audit

1. Prepare inventory → Document all cloud accounts, domains, endpoints, services
2. Run infra_audit_runner.py → Generate findings across all 11 domains
3. Triage findings → Prioritize Critical > High > Medium > Low
4. Map to frameworks → Identify which framework requirements are met/unmet
5. Create remediation plan → Assign owners, set deadlines by severity SLA
6. Execute remediation → Fix Critical within 24h, High within 72h
7. Re-audit → Verify fixes, update compliance evidence
8. Generate report → Executive summary + detailed findings + evidence

Severity SLAs:

Workflow 2: DNS Security Assessment

1. Enumerate domains → Primary + all subdomains
2. Run dns_security_checker.py → Check SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS
3. Validate email chain → SPF → DKIM → DMARC alignment
4. Check domain security → Registrar lock, 2FA, WHOIS, expiration
5. Subdomain audit → Check for dangling CNAME records (takeover risk)
6. Generate DNS report → Findings + remediation DNS records

Workflow 3: Access Control Review

1. Export IdP configuration → Users, groups, roles, policies
2. Run access_control_auditor.py → Check MFA, SSO, RBAC, PAM, service accounts
3. Verify MFA coverage → Must be 100%, flag any exceptions
4. Review privileged access → Who has admin? Is JIT in place?
5. Check service accounts → Rotation, ownership, permissions
6. Access recertification → Verify all access is current and justified
7. Generate access report → Gaps + remediation steps

Workflow 4: Continuous Compliance Monitoring

1. Schedule automated scans → Weekly infra audit, daily DNS check
2. Track compliance score trends → Score per domain over time
3. Alert on regressions → Score drop or new Critical finding triggers alert
4. Quarterly full audit → Manual review + automated scan
5. Annual certification preparation → Compile evidence for auditors

Reference Guides

Validation Checkpoints

Pre-Audit Validation

• Infrastructure inventory is complete and current
• All cloud accounts identified and accessible
• Domain list verified (primary + all active subdomains)
• Endpoint MDM reports available
• IdP configuration export available
• Previous audit findings reviewed

Post-Audit Validation

• All 11 domains audited with no skipped checks
• Every finding has severity, framework mapping, and remediation
• Critical and High findings have assigned owners
• Compliance score calculated per domain and overall
• Executive summary prepared
• Evidence package compiled for applicable frameworks
• Remediation deadlines set per severity SLA

Scoring Methodology

Each audit domain is scored 0-100 based on the controls assessed:

Score Calculation:

Domain Score = (Passed Controls * Weight) / (Total Controls * Weight) * 100

Weights by severity:
  Critical = 10
  High = 5
  Medium = 2
  Low = 1
  Info = 0 (informational, not scored)

Overall Score:

Overall Score = Weighted Average of Domain Scores

Domain Weights:
  Cloud Infrastructure: 15%
  Access Control: 15%
  Network Security: 12%
  Secrets Management: 10%
  Logging/Monitoring: 10%
  CI/CD Pipeline: 8%
  Container/K8s: 8%
  Endpoint Security: 7%
  TLS/SSL: 5%
  DNS Security: 5%
  Physical Security: 5%

Score Interpretation:

Troubleshooting

Success Criteria

• Overall infrastructure score of 80+ (Good or Excellent) -- indicating audit-readiness with only minor gaps across all 11 domains
• Zero Critical findings across all domains -- all Critical-severity controls (root MFA, no wildcard IAM policies, encryption at rest, hardware key admin MFA) passing
• Framework-specific compliance above 85% -- for each targeted compliance framework (SOC 2, ISO 27001, PCI-DSS, etc.), the mapped controls show 85%+ pass rate
• DNS security fully configured -- SPF, DKIM, and DMARC (policy=reject) records validated, DNSSEC enabled, CAA records set, and MTA-STS deployed
• Access control audit passes all Critical and High controls -- centralized IdP deployed, SSO integrated for all applications, hardware security keys enforced for admin accounts, PAM implemented, and RBAC documented
• Secrets management score above 90% -- dedicated secrets vault deployed, automated rotation configured, no secrets in source code (git scanning enabled), and HSM for cryptographic operations
• Evidence artifacts generated for audit -- JSON or markdown reports suitable for auditor review, with per-control pass/fail status and framework mapping

Scope & Limitations

In Scope:

• Infrastructure security audit across 11 domains: Cloud, DNS, TLS/SSL, Endpoints, Access Control, Network, Containers/K8s, CI/CD, Secrets, Logging/Monitoring, Physical Security
• Framework mapping to 10 compliance standards: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, NIS2, DORA, NIST CSF, FedRAMP, CCPA
• 250+ individual control checks with severity-weighted scoring
• DNS security validation including SPF, DKIM, DMARC, DNSSEC, CAA, MTA-STS, and subdomain takeover risk
• Access control audit covering IdP, SSO, MFA, FIDO2/hardware keys, PAM, RBAC, service accounts, SSH keys, API keys, and Zero Trust
• Evidence-generating reports in JSON and markdown formats for auditor consumption

Out of Scope:

• Actual penetration testing, vulnerability scanning, or active exploitation -- this skill performs configuration-based assessment, not active testing
• Cloud provider API calls or live infrastructure scanning -- the tool works with JSON configuration input describing your infrastructure state
• Compliance certification or attestation -- this skill identifies gaps but does not replace formal SOC 2, ISO 27001, or PCI-DSS audits
• Application security testing (SAST/DAST) beyond CI/CD pipeline configuration checks
• Compliance program management, policy writing, or governance documentation

Important Notes:

• SOC 2 2026 best practices demand real-time monitoring dashboards flagging control deficiencies within 48 hours; periodic spot-checks are no longer sufficient
• Zero Trust architecture is increasingly expected across all frameworks; perimeter-based security alone is insufficient for SOC 2, ISO 27001, and NIS2
• Compliance automation platforms (Drata, Vanta, Sprinto) complement but do not replace the deterministic checks this tool provides

Integration Points

Tool Reference

infra_audit_runner.py

Comprehensive infrastructure audit across 11 domains with compliance framework mapping.

Output: Per-domain scores (0-100), overall weighted score, per-control pass/fail/unknown status, framework-mapped findings with severity, and remediation recommendations.

dns_security_checker.py

DNS-specific security audit validating email authentication, DNSSEC, certificate authority authorization, and subdomain takeover risk.

Checks: SPF record syntax and lookup count, DKIM record presence and key strength, DMARC policy and reporting configuration, DNSSEC validation, CAA record authorization, MTA-STS policy, and subdomain takeover risk assessment.

access_control_auditor.py

Access control audit covering identity, authentication, authorization, and privileged access management.

Audit Categories: Identity Provider (IdP) configuration, SSO/SCIM provisioning, MFA enforcement, hardware security key (FIDO2/YubiKey) deployment, Privileged Access Management (PAM), RBAC, service account governance, SSH key management, API key management, and Zero Trust architecture.

Last Updated: March 2026 Version: 1.0.0 Total Controls: 250+ across 11 audit domains Frameworks Covered: SOC 2, ISO 27001, HIPAA, GDPR, PCI-DSS, NIS2, DORA, NIST CSF, FedRAMP, CCPA