Compliance Matrix
Overview
This page is a single cross-provider view of every control authored in the Cloud Hardening Guide, mapped to the seven compliance frameworks the guide tracks. Each row is one control on one provider domain page; each of the seven framework columns shows the control identifier (or sub-control reference) that the guide's authors consider equivalent to, or covered by, that control.
The frameworks are pinned to specific versions so that mappings remain reproducible across audits: CIS AWS Foundations v7.0.0, CIS Microsoft Azure Foundations v6.0.0, CIS GCP Foundation v5.0.0, CIS OCI Foundation v3.1.0, NIST SP 800-53 rev5, ISO/IEC 27001:2022, and ISO/IEC 27017:2015. See general/compliance-frameworks.html for what each framework is, why it is pinned at that version, and how to consume the official source.
Cells render in one of four ways: a hyperlink to the originating control article when the control is mapped; a literal — (em-dash) when the authors recorded no mapping; n/a when the framework is provider-scoped and the control belongs to a different provider; or n/a (post-vX.Y.Z) when the control is best-practice but post-dates the pinned benchmark snapshot. Hovering an unmapped cell reveals a tooltip that distinguishes the three unmapped cases; see the Methodology section.
Filters
Filters are AND-combined. The matrix re-renders client-side; there is no server round-trip.
Matrix
| Control | Provider | Domain | Severity | Type | CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 |
|---|---|---|---|---|---|---|---|---|---|---|---|
Coverage summary
Per-framework mapping counts computed client-side from the same dataset that drives the table above. Mapped = cell value is a real identifier (not blank, not —, not n/a). Gap = total controls minus mapped.
Gaps include controls that post-date the pinned benchmark snapshot (rendered as n/a (post-vX.Y.Z) in their cell). The matrix surfaces these deliberately so that authors and auditors can see where best-practice controls outpace the benchmark.
GenAI Controls
The second table covers the 35 GenAI controls across all five GenAI hardening pages (general/genai.html, aws/genai.html, azure/genai.html, gcp/genai.html, oci/genai.html). These controls carry ten framework columns: the seven frameworks from the v1.0 matrix plus three AI-specific frameworks, OWASP LLM Top 10:2025, NIST AI 600-1 (Jul 2024), and EU AI Act (2024/1689). The CIS Benchmark cells read n/a (no dedicated CIS GenAI benchmark) for every GenAI control, because no CIS benchmark covering Amazon Bedrock, Azure OpenAI Service, GCP Vertex AI, or OCI Generative AI existed at the v1.1 authoring date (2026-05).
| Control | Provider | Severity | Type | CIS AWS Foundations v7.0.0 | CIS Microsoft Azure Foundations v6.0.0 | CIS GCP Foundation v5.0.0 | CIS OCI Foundation v3.1.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 | OWASP LLM Top 10:2025 | NIST AI 600-1 (Jul 2024) | EU AI Act (2024/1689) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
GenAI Coverage Summary
Coverage across AI-specific framework columns only. CIS columns are intentionally n/a for all GenAI controls.
Kubernetes Controls
The third table covers the 40 Kubernetes controls across four provider hardening pages (aws/kubernetes.html, azure/kubernetes.html, gcp/kubernetes.html, oci/kubernetes.html). The schema has 14 columns: four metadata columns plus CIS Kubernetes Benchmark v2.0.0, four provider-specific CIS managed-service columns (CIS EKS v1.8.0, CIS AKS v2.0.0, CIS GKE v1.9.0, CIS OKE v1.8.0), NIST SP 800-53 rev5, ISO/IEC 27001:2022, ISO/IEC 27017:2015, NIST SP 800-190 (Sep 2017), and NSA/CISA K8s Hardening Guide v1.2. Each row populates only its own provider's CIS managed-service column; the other three render as —. general/kubernetes.html contributes no rows, since it is a cross-cutting principles page.
| Control | Provider | Severity | Type | CIS Kubernetes Benchmark v2.0.0 | CIS EKS v1.8.0 | CIS AKS v2.0.0 | CIS GKE v1.9.0 | CIS OKE v1.8.0 | NIST SP 800-53 rev5 | ISO/IEC 27001:2022 | ISO/IEC 27017:2015 | NIST SP 800-190 (Sep 2017) | NSA/CISA K8s Hardening Guide v1.2 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Kubernetes Coverage Summary
Coverage across K8s-specific framework columns. CIS managed-service columns are per-provider; coverage counts the rows mapped to each.
Methodology
The matrix is not hand-maintained. It is generated by build/make-compliance-matrix.js, a Node script that walks all 24 sealed domain pages under aws/, azure/, gcp/, and oci/, parses each <article class="control-box"> using node-html-parser, extracts the per-control compliance-table, and emits js/compliance-matrix.json as a single source of truth. The domain pages are therefore the canonical authoring surface; this page is a projection.
For the broader control-selection methodology — how controls earn their place on a domain page, the severity rubric, and the preventive/detective/responsive taxonomy — see general/methodology.html.
Three distinct unmapped cell renderings carry different meanings:
- — (em-dash): no mapping recorded by the authors; the framework simply does not address this control.
- n/a: the framework is provider-scoped (e.g. CIS AWS Foundations) and the control belongs to a different provider, so the framework intrinsically cannot map.
- n/a (post-vX.Y.Z): the control is recognised best-practice but post-dates the pinned benchmark snapshot, a visible gap that the matrix surfaces rather than hides.
To rebuild the dataset after editing any domain page: node build/make-compliance-matrix.js (re-emits js/compliance-matrix.json; gates G10.7-G10.12 validate the result).
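The following is an added example, not the guide's build/make-compliance-matrix.js or its front-end code. It implements the two rules stated on this page: the Coverage summary rule (mapped = cell holds a real identifier; gap = total minus mapped) and the classification of unmapped cells from the Methodology section, so that the post-benchmark gaps can be listed separately from true blanks and provider-scoped n/a cells. The row schema (id / provider / compliance{frameworkId: cellText}) is an assumption about the shape of js/compliance-matrix.json, and the sample rows, control IDs and framework references are constructed for the example; they are not the guide's actual mappings.

```javascript
// Added example; not the guide's own build or rendering code.
// Assumed row shape: { id, provider, compliance: { <frameworkId>: <cell text> } }.

const FRAMEWORKS = [
  // provider: null marks a provider-neutral framework.
  { id: 'cis-aws',     label: 'CIS AWS Foundations v7.0.0',             provider: 'aws' },
  { id: 'cis-azure',   label: 'CIS Microsoft Azure Foundations v6.0.0', provider: 'azure' },
  { id: 'cis-gcp',     label: 'CIS GCP Foundation v5.0.0',              provider: 'gcp' },
  { id: 'cis-oci',     label: 'CIS OCI Foundation v3.1.0',              provider: 'oci' },
  { id: 'nist-800-53', label: 'NIST SP 800-53 rev5',                    provider: null },
  { id: 'iso-27001',   label: 'ISO/IEC 27001:2022',                     provider: null },
  { id: 'iso-27017',   label: 'ISO/IEC 27017:2015',                     provider: null },
];

// "n/a (post-vX.Y.Z)": best-practice control newer than the pinned benchmark snapshot.
const POST_BENCHMARK = /^n\/a \(post-v(\d+(?:\.\d+)*)\)$/;

// Classify one cell. Returns 'mapped', 'blank' (empty or the literal em-dash),
// 'provider-na' (provider-scoped framework, control from another provider),
// 'na' (any other n/a, e.g. "n/a (no dedicated CIS GenAI benchmark)") or 'post-benchmark'.
function classifyCell(value, framework, controlProvider) {
  const v = String(value ?? '').trim();
  if (v === '' || v === '\u2014') return 'blank';
  if (POST_BENCHMARK.test(v)) return 'post-benchmark';
  if (/^n\/a\b/i.test(v)) {
    return framework.provider && framework.provider !== controlProvider ? 'provider-na' : 'na';
  }
  return 'mapped';
}

// Per-framework tallies. Only 'mapped' counts as coverage; every other class is a gap.
function coverage(rows, frameworks = FRAMEWORKS) {
  const out = {};
  for (const fw of frameworks) {
    const t = { total: rows.length, mapped: 0, blank: 0, na: 0, 'provider-na': 0, 'post-benchmark': 0, gap: 0 };
    for (const row of rows) t[classifyCell(row.compliance[fw.id], fw, row.provider)] += 1;
    t.gap = t.total - t.mapped;
    out[fw.id] = t;
  }
  return out;
}

// The deliberate gaps: controls that outpace a pinned benchmark, with the version they post-date.
function postBenchmarkControls(rows, frameworks = FRAMEWORKS) {
  const hits = [];
  for (const row of rows) {
    for (const fw of frameworks) {
      const m = POST_BENCHMARK.exec(String(row.compliance[fw.id] ?? '').trim());
      if (m) hits.push({ control: row.id, framework: fw.label, pinnedVersion: m[1] });
    }
  }
  return hits;
}

// Constructed sample rows: shape only, with placeholder identifiers (not the guide's mappings).
const SAMPLE_ROWS = [
  { id: 'AWS-IAM-001', provider: 'aws', compliance: {
      'cis-aws': '1.4', 'cis-azure': 'n/a', 'cis-gcp': 'n/a', 'cis-oci': 'n/a',
      'nist-800-53': 'AC-2', 'iso-27001': 'A.5.15', 'iso-27017': '\u2014' } },
  { id: 'AWS-S3-009', provider: 'aws', compliance: {
      'cis-aws': 'n/a (post-v7.0.0)', 'cis-azure': 'n/a', 'cis-gcp': 'n/a', 'cis-oci': 'n/a',
      'nist-800-53': 'SC-28', 'iso-27001': '\u2014', 'iso-27017': 'CLD.12.4.5' } },
  { id: 'AZ-NET-003', provider: 'azure', compliance: {
      'cis-aws': 'n/a', 'cis-azure': '7.3', 'cis-gcp': 'n/a', 'cis-oci': 'n/a',
      'nist-800-53': 'SC-7', 'iso-27001': 'A.8.20', 'iso-27017': '\u2014' } },
];

console.table(coverage(SAMPLE_ROWS));
console.log(postBenchmarkControls(SAMPLE_ROWS));
```

On the sample rows, CIS AWS Foundations shows one mapped control and two gaps, but the two gaps differ: one is a control from another provider (inherently unmappable) and one is a post-v7.0.0 control, which is the case an auditor needs to see and the bare "1 / 3 mapped" figure hides.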
Sources
- Center for Internet Security — CIS AWS Foundations Benchmark v7.0.0 (accessed 2026-05).
- Center for Internet Security — CIS Microsoft Azure Foundations Benchmark v6.0.0 (accessed 2026-05).
- Center for Internet Security — CIS Google Cloud Platform Foundation Benchmark v5.0.0 (accessed 2026-05).
- Center for Internet Security — CIS Oracle Cloud Infrastructure Foundation Benchmark v3.1.0 (accessed 2026-05).
- National Institute of Standards and Technology — NIST SP 800-53 rev5: Security and Privacy Controls for Information Systems and Organizations (NIST CSRC, accessed 2026-05).
- International Organization for Standardization — ISO/IEC 27001:2022 Information security management systems — Requirements (ISO catalogue, accessed 2026-05).
- International Organization for Standardization — ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO catalogue, accessed 2026-05).