Cloud Security Posture Frameworks

SubImage runs cloud security posture checks and then tells you which failures actually sit on a dangerous path.

Screenshot: subimage / cspm, Frameworks, CIS AWS Foundations Benchmark
Rules: 19. Assets: 1042 / 1471 passing (71%). History: Apr 20 to today.

1.12: Unused Credentials
Credentials unused for 45 days or greater should be disabled to reduce the attack surface and prevent unauthorized access.
Categories: iam, credentials. Status: 4 findings. Last finding: 10 Mar 2026 (16 days ago).

1.13: Users With Multiple Active Access Keys
Each IAM user should have only one active access key. Multiple active keys increase the attack surface and complicate key rotation.
Categories: iam, credentials. Status: pass.

2.1.1: S3 Bucket Versioning
S3 buckets should have versioning enabled to protect against accidental deletion and enable recovery of objects.
Categories: storage, s3. Status: 20 findings. Last finding: 24 Mar 2026 (2 days ago).

2.1.2: S3 Bucket MFA Delete
S3 buckets should have MFA Delete enabled to require MFA authentication for deleting object versions or changing versioning state.
Categories: storage, s3. Status: 22 findings. Last finding: 25 Mar 2026 (1 day ago).

5.4: Default Security Group Restricts Traffic
The default security group of every VPC should restrict all traffic to prevent accidental exposure of resources.
Categories: networking, security-groups. Status: 41 findings. Last finding: 12 Mar 2026 (14 days ago).

Framework coverage you expect

CIS Benchmarks, SOC2, NIST, PCI-DSS — the checkbox compliance your auditors need.

Graph context you don't get elsewhere

A misconfigured - but empty - security group on an isolated dev instance is not the same as one protecting your production API gateway. We know the difference because we map the relationships.

Custom rules in Cypher

Your org has policies that don't fit CIS. Write them as graph queries: "Flag any IAM role that can assume into production AND was created in the last 7 days."
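
The quoted policy written out as a graph query. This is an added example, not SubImage's own rule or schema: the node labels, relationship types and properties (`IAMRole`, `AWSAccount`, `CAN_ASSUME`, `IN_ACCOUNT`, `created_at`, `environment`) are assumptions made for illustration, and the 4-hop limit is an arbitrary bound.

```cypher
// Hypothetical schema (assumed for this example, not taken from SubImage):
//   (:IAMRole {arn, created_at: datetime})
//   (:AWSAccount {id, environment})
//   (:IAMRole)-[:CAN_ASSUME]->(:IAMRole)    // trust policy allows sts:AssumeRole
//   (:IAMRole)-[:IN_ACCOUNT]->(:AWSAccount)

// 1. Roles created in the last 7 days.
MATCH (r:IAMRole)
WHERE r.created_at >= datetime() - duration({days: 7})

// 2. Follow assume-role chains (direct or indirect, up to 4 hops)
//    that end at a role living in a production account.
MATCH path = (r)-[:CAN_ASSUME*1..4]->(:IAMRole)-[:IN_ACCOUNT]->(acct:AWSAccount)
WHERE acct.environment = 'production'

// 3. Keep the shortest chain per (role, account) as evidence for the finding.
WITH r, acct, path
ORDER BY length(path)
WITH r, acct, collect(path)[0] AS shortest

RETURN r.arn                                              AS role_arn,
       r.created_at                                       AS created_at,
       acct.id                                            AS production_account,
       [n IN nodes(shortest) WHERE n:IAMRole | n.arn]     AS assume_chain,
       length(shortest) - 1                               AS assume_hops
ORDER BY created_at DESC
```

Returning the chain rather than just the role ARN gives the reviewer the trust relationships to inspect, which is what separates a direct cross-account trust from a multi-hop path through an intermediate role.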

Findings come with a "so what."

Every posture finding links to the attack paths it enables. Stop triaging in a vacuum.