Updated: Sep 17, 2025

More Visibility: Cloud Compliance Dashboard

Zack Bentolila

Marketing Director

With customers like Rapyd, Coralogix, and ReasonLabs already benefiting from compliance visibility, ControlMonkey is raising the bar for proactive cloud governance.

For teams managing Terraform, OpenTofu, or Terragrunt environments, compliance is often a moving target. The new Cloud Compliance Dashboard in ControlMonkey delivers a unified, drill-down view into your compliance posture across AWS, Azure, and GCP, helping you identify gaps before they turn into risks.

Introducing Cloud Compliance Dashboarding

The Compliance Dashboard gives DevOps and Cloud managers the ability to select relevant standards, track consolidated scores, and drill down into failed controls and resources.

Supported frameworks include:

  • CIS Benchmarks (2.0, 2.1, 3.0)
  • PCI DSS 4.0
  • HIPAA Security Rule
  • MITRE ATT&CK
  • ENS_RD2022 (Spanish National Security Framework)
  • DORA Regulation
  • And more – Full List below

Teams can move from high-level compliance scores down to specific failed checks, pinpoint which resources triggered non-compliance (for example, an exposed EC2 instance), and shift compliance from reactive audits to proactive prevention.

Stay Ahead with Cloud Governance and Infrastructure Control

The dashboard provides decision-makers with measurable clarity. Teams can continuously check compliance instead of just reacting to audit findings. They can enforce IaC policies at scale and strengthen infrastructure pipelines. This means:

  • Improved visibility into your compliance score
  • Reduced risk with drill-down checks at the resource level
  • IaC alignment through proactive enforcement
  • Scalable governance across multi-cloud environments

“When teams gain full visibility and proactive compliance controls, they stop reacting to problems and start preventing them. That’s how you consistently raise your compliance score,” said Ori Yemini, CTO, ControlMonkey.

Customer Perspectives

Two ControlMonkey customers already enjoying full IaC coverage visibility:

More IaC coverage means fewer security issues — period. What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can finally collaborate by design, that’s when security actually works

Nir Rothenberg

CISO

As a company that manages huge clusters of AWS resources, the ControlMonkey Platform and specifically its GitOps pipeline capabilities is an integral part of our infrastructure deployment process, enabling us to shift left our infrastructure policies, best practices, and guardrails to make sure our production environment is stable, compliant and secure

Yoni Farin

Coralogix

See it for yourself

Join our next Product Showdown to experience the Cloud Compliance Dashboard in action.

Supported Frameworks include:

The full list of supported frameworks, by cloud provider:

AWS

  • CISA
  • SOC 2
  • CIS Benchmarks (1.4, 1.5, 2.0, 3.0, 4.0.1, 5.0)
  • MITRE ATT&CK
  • GDPR
  • AWS Foundational Security Best Practices
  • ISO/IEC 27001:2013 & 2022
  • KISA ISMS-P 2023 (incl. Korean version)
  • HIPAA Security Rule
  • GxP 21 CFR Part 11
  • GxP EU Annex 11
  • NIST 800-171 Rev 2
  • NIST 800-53 Rev 4 & Rev 5
  • PCI DSS 4.0 & PCI DSS 3.2.1
  • AWS Well-Architected Framework (Security & Reliability Pillars)
  • AWS Account Security Onboarding
  • AWS Foundational Technical Review
  • AWS Audit Manager Control Tower Guardrails
  • NIST Cybersecurity Framework (CSF) 1.1
  • ENS_RD2022
  • RBI Cyber Security Framework
  • FFIEC Cybersecurity Assessment
  • FedRAMP (Low & Moderate, Rev 4)
  • NIS2 Directive

Azure

  • PCI DSS 4.0
  • SOC 2
  • ISO/IEC 27001:2022
  • CIS Benchmarks (2.0, 2.1, 3.0, 4.0)
  • ENS_RD2022
  • MITRE ATT&CK
  • NIS2 Directive

GCP

  • MITRE ATT&CK
  • SOC 2
  • CIS Benchmarks (2.0, 3.0, 4.0)
  • ENS_RD2022
  • PCI DSS 4.0
  • ISO/IEC 27001:2022
  • NIS2 Directive

Author

Zack Bentolila

Marketing Director

Zack is the Marketing Director at ControlMonkey, with a strong focus on DevOps and DevSecOps. He was the Senior Director of Partner Marketing and Field Marketing Manager at Checkmarx. There, he helped with global security projects. With over 10 years in marketing, Zack specializes in content strategy, technical messaging, and go-to-market alignment. He loves turning complex cloud and security ideas into clear, useful insights for engineering, DevOps, and security leaders.

    Frequently Asked Questions About Cloud Compliance

    Nope. The laws themselves (like PCI DSS, HIPAA, GDPR) are the same globally.
    What changes is how they are implemented in each cloud.
    For example, CIS Benchmarks have AWS, Azure, and GCP-specific versions to match each platform’s services.

    Yes. The dashboard lets you move from an overall compliance score down to failed controls and specific failed checks, including the exact resource that caused the failure.

    ControlMonkey supports dozens of frameworks across AWS, Azure, and GCP, including CIS Benchmarks, PCI DSS, HIPAA, ISO 27001, NIST, SOC 2, GDPR, NIS2, FedRAMP, and more. The full list is just above.
    Each framework is mapped per cloud provider to reflect provider-specific services.

    Updated: Nov 26, 2025

    IaC Risk Index

    Zack Bentolila

    Marketing Director

    Today, ControlMonkey is proud to announce the launch of the IaC Risk Index. The IaC Risk Index is a new part of the IaC Platform that transforms the dialogue surrounding cloud security between DevOps and Security teams by highlighting the security discrepancies between infrastructure deployment and cloud-related risks. It provides a comprehensive perspective that correlates Terraform coverage with security vulnerabilities, enabling teams to identify weaknesses, comprehend their origins, and implement measures for remediation.

    Introducing the IaC Risk Index

    The IaC Risk Index enhances cloud security by providing clarity and control in five key aspects:

    IaC-Aware Risk Scoring

    A color-coded benchmark that helps teams assess risk posture by environment. In production, green is the goal—anything less is exposure:

    • 🔴 Red (<50% coverage): High risk. Most infrastructure is unmanaged.
    • 🟠 Orange (50–80%): Medium risk. Some governance, but critical gaps remain.
    • 🟡 Yellow (80–90%): Low risk. Strong coverage, not yet complete.
    • 🟢 Green (90–100%): Full control. Infrastructure is governed by code, policy, and pipeline.

    Vulnerability Mapping by Delivery Method

    See whether a vulnerable resource was created manually, drifted from code, or fully governed:

    • Unmanaged: ControlMonkey imports the resource into Terraform, remediates with a secure-by-default fix, and enforces governance policies.
    • Managed but Drifted: Drift is resolved first, then an IaC-based security patch is applied with proactive policies.
    • Managed and In-Sync: ControlMonkey patches directly in Terraform and ensures compliance is maintained.

    Coverage Gap Detection

    Instantly identify which resources fall outside Terraform governance—and why.

    One-Click Remediation

    Import unmanaged resources, generate compliant code, and resolve risk at the source.

    Shared Dashboard for Cloud & Security

    Align both teams around a single, real-time view of infrastructure coverage and risk exposure.

    ControlMonkey’s IaC Risk Index provides a unified view of infrastructure risk by mapping IaC coverage to active cloud vulnerabilities—enabling precise, policy-driven remediation.

    What’s behind IaC Risk Index

    “We found that unmanaged infrastructure—resources not governed by Terraform or delivered through a secure pipeline – carries up to 2x the security risk of governed resources,” said Aharon Twizer, CEO and co-founder of ControlMonkey.

    “And yet, most enterprises can’t answer a basic question: What percentage of our infrastructure is governed by code? Our research shows actual coverage is typically 30–40% lower than teams assume—highlighting significant hidden risk.”

    IaC Risk Index from a CISO Perspective

    “More IaC coverage means fewer security issues – period,” said Rapyd CISO Nir Rothenberg. “What stood out with ControlMonkey was how easy it became to do things the right, modern way. When infrastructure and security teams can finally collaborate by design, that’s when security actually works.”

    Nir Rothenberg

    CISO at Rapyd about the new security release of ControlMonkey

    What’s in It for Me? Why look into Cloud Risk Now?

    The IaC Risk Index empowers cloud and security leaders to:

    1. Improve visibility into unmanaged or drifted infrastructure
    2. Reduce risk by exposing vulnerabilities at their origin – delivery
    3. Strengthen IaC alignment with secure-by-default remediation
    4. Scale confidently with a governance model that’s measurable and proactive

    Explore the IaC Risk Index today

    The IaC Risk Index is available now to all ControlMonkey customers at no additional cost.
    New to ControlMonkey? Access an IaC Risk Assessment as part of our onboarding and discovery process. Learn more and request a meeting.

      FAQs

      It provides visibility into IaC coverage gaps, correlates those gaps with active security vulnerabilities, and guides precise, state-aware remediation. This enables security and DevOps teams to reduce risk before it reaches production.

      OpenTofu, Terragrunt, and CloudFormation are also supported.

      The IaC Risk Index is available to all ControlMonkey customers at no additional cost. New users can also access it as part of a free IaC Risk Assessment during onboarding.

      Updated: Jan 20, 2026

      Proactively Enforce NIST 800-53 Compliance with ControlMonkey Compliance Packages

      Today we are glad to announce that we have added NIST Compliance to our Proactive Compliance Packages enforcement, as part of the Terraform CI/CD solution.

      ControlMonkey’s Terraform CI/CD solution enables DevOps teams to proactively enforce compliance and security policies during infrastructure CI/CD and prevent issues and misconfigurations in production.

      Starting today, our users can enforce NIST 800-53 compliance standards on any Terraform pull request, and ControlMonkey will validate the resource configuration as part of the infrastructure CI/CD.


      Organizations usually run compliance validations in a detective way, after the resources are deployed to production, using tools like AWS Security Hub.

      This capability enables DevOps teams to easily enforce NIST compliance standards proactively, rather than responding to non-compliant resources in production and risking penalties for NIST compliance violations.

      If regulation requires your infrastructure to be NIST compliant, you can validate every resource’s compliance proactively, out of the box, with zero effort.

      On top of that, users have enhanced customization and granularity and can enforce compliance using various enforcement levels and apply them to specific stacks or namespaces.

      Shift left your infrastructure compliance, keep your environment in ‘Always-Compliant’ mode, and allow your team to build faster without sacrificing control.

        Updated: Aug 22, 2025

        Proactive Compliance Packages for Terraform and OpenTofu

        Zack Bentolila

        Marketing Director

        Today we are super excited to announce the latest capability we added to our Terraform CI/CD solution, which is an absolute game-changer for compliance enforcement, ‘Proactive Compliance Packages’.

        Compliance Packages for Terraform & OpenTofu

        ControlMonkey’s Terraform CI/CD solution enables DevOps teams to enforce compliance and security policies proactively during infrastructure CI/CD, and therefore prevent issues and misconfigurations in production.

        Starting today, our users can enforce compliance standards such as PCI-DSS and CIS-AWS V1.4 on any Terraform pull request, and ControlMonkey will validate the resource configuration as part of the infrastructure CI/CD.


        DevOps teams no longer need to manually configure policies that represent the compliance standard their organization is obligated to meet; they can enforce that standard on any configuration change in a few clicks.

        By doing that, you’re actually preventing any non-compliant resources from reaching your production environment!

        Benefits of Compliance Packages for Terraform and OpenTofu

        This capability enables DevOps teams to easily enforce the required compliance standard proactively, rather than responding to non-compliant resources in production and risking penalties for compliance violations.

        Companies usually run compliance validations in a detective way, after the resources are deployed to production, using tools like AWS Security Hub.

        ‘Proactive Compliance Packages’ are comprised of ControlMonkey’s Managed Policies, built-in policies that are managed and constantly maintained by our engineering team.

        1 Click Compliance Packages

        If you are required to be PCI-DSS compliant, you can validate every resource’s compliance proactively, out of the box, with zero effort.

        On top of that, users have enhanced customization and can enforce compliance using various enforcement levels and apply them to specific stacks or namespaces.

        Shift left your infrastructure compliance, keep your environment in ‘Always-Compliant’ mode, and avoid paying unnecessary penalties.
