Automated Evidence Collection: Connect Your Infrastructure and Watch Compliance Happen
TL;DR
Humadroid now connects directly to AWS, GCP, GitHub, and Cloudflare to automatically collect compliance evidence. Over 50 evidence sources across four platforms, covering both SOC 2 and ISO 27001. No more manual screenshots. No more spreadsheet tracking. Your infrastructure tells its own compliance story—automatically verified against audit requirements.
Here's what compliance preparation actually looks like for most companies. You're three weeks from your SOC 2 audit. Your consultant sends over a spreadsheet with 87 line items. Each one needs "evidence."
So you start collecting.
Screenshot of your AWS IAM password policy. Export of CloudTrail configuration. Screenshot of GitHub branch protection settings. Another screenshot of your Cloudflare SSL settings. Screenshot of MFA being enabled. Screenshot of encryption at rest. Screenshot, screenshot, screenshot.
Then your auditor asks: "When was this evidence collected? Is it current?"
Good question. You have no idea. The timestamp on the file says when you downloaded it, not when the configuration was set. And even if you could prove it, you'll need to do this whole dance again in six months when the auditor wants fresh evidence.
This is the dirty secret of compliance: the frameworks are well-designed, the controls make sense, but the evidence collection process is stuck in 2005. Manual, repetitive, and completely disconnected from the systems you're actually trying to prove are compliant.
What If Your Infrastructure Could Speak for Itself?
We built integrations because we were tired of the screenshot game.
Humadroid now connects directly to your infrastructure—AWS, GCP, GitHub, and Cloudflare—and automatically collects the evidence your auditors need. Not screenshots. Actual configuration data, pulled from APIs, timestamped, and verified against compliance requirements.
The system knows what evidence maps to which controls. It knows what "good" looks like for each configuration. And it checks automatically, on a schedule you control.
When your auditor asks about IAM password policies, you don't dig through folders. You show them a verified evidence record that says: "Collected January 29, 2025. Minimum password length: 14 characters. Uppercase required: Yes. Symbols required: Yes. Status: Passing."
That's not a screenshot someone could have doctored. That's a direct API response from AWS, timestamped at collection and automatically verified against SOC 2 CC6.1 requirements. The GetAccountPasswordPolicy call that produced it also appears in your own CloudTrail, so you can corroborate when it was made without taking our word for it.
Four Platforms, 50+ Evidence Sources
Let me be specific about what's available.
AWS covers the broadest ground with 17 distinct evidence types. IAM password policies, MFA status across all users including root, access key rotation and lifecycle tracking. CloudTrail configuration and actual audit events. GuardDuty threat detection status and findings. S3 bucket encryption and public access blocking. RDS and EBS encryption. KMS key rotation. Security groups and network ACLs. VPC flow logs. CloudWatch alarms. Backup job status. The works.
GCP launched this week with 14 evidence sources. IAM policies and service account configurations. Cloud Audit Logs status. Cloud Storage encryption and public access settings. Cloud SQL encryption and backup verification. KMS key rotation. VPC firewall rules and flow logs. Security Command Center findings. Compute Engine disk encryption. Everything you need for a GCP-based infrastructure.
GitHub brings 12 evidence types focused on source control security. Organization-wide 2FA enforcement. Member and team permission inventories. Outside collaborator tracking. Branch protection rules across all repositories. Repository visibility auditing. Secret scanning status and alerts. Dependabot vulnerability monitoring. CodeQL code scanning. Deploy key auditing. For Enterprise plans, full audit log access.
Cloudflare adds 11 evidence sources for your edge security. SSL/TLS mode and minimum TLS version verification. HSTS configuration. Certificate status and expiration monitoring. WAF configuration and access rules. DDoS protection status. Rate limiting rules. Bot protection settings. DNSSEC status. Security header configuration.
Each evidence source maps to specific SOC 2 and ISO 27001 controls. When you enable an integration, Humadroid shows you exactly which controls each evidence source satisfies. No guessing about whether you've covered CC6.1 or A.8.24.
Auto-Verification: Evidence That Checks Itself
Collecting evidence is only half the battle. You also need to know if it's actually compliant.
Most evidence sources in Humadroid include auto-verification. We've codified the compliance requirements into specific, measurable thresholds. When evidence is collected, it's automatically checked against these rules.
For AWS IAM password policies, that means verifying a minimum length of 14 characters, required uppercase, lowercase, numbers and symbols, a 90-day maximum age, and no reuse of the last 24 passwords. These are the thresholds most auditors expect to see. One caveat: NIST SP 800-63B discourages forced periodic rotation and composition rules in favor of length and breached-password screening, so if your written policy follows NIST, adjust the age and composition rules rather than weakening the policy to match the defaults. If your policy meets all requirements, the evidence shows as passing. If something's off, you know immediately, not when your auditor finds it.
For GitHub, auto-verification checks that 2FA is required organization-wide and enabled for 100% of members. It verifies branch protection is configured on default branches with required reviews. It confirms secret scanning is enabled with no open alerts. Each rule has sensible defaults based on what auditors actually expect.
The verification rules are configurable. If your organization has specific requirements—maybe you need 16-character passwords instead of 14—you can adjust the thresholds. The system adapts to your security policies, not the other way around.
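Here is what a rule engine of this kind looks like in practice. This is an added example, not Humadroid's code. Evidence is a dict in the shape of the API response that produced it (the boto3 `get_account_password_policy` response for AWS; the `GET /orgs/{org}` fields for GitHub), each rule is one field, one comparison and one threshold, and thresholds are data so an organization can override them. The `members_without_2fa` count is an assumption about what a collector would derive from the members endpoint; the sample policies are constructed.

```python
"""Rule-based auto-verification of collected evidence.

Added example, not Humadroid's code. An evidence record is a dict in the
shape of the API response that produced it; a rule names one field, the
comparison to apply and the threshold. Thresholds are plain data, so an
organization can override them (16-character passwords instead of 14)
without touching the rule logic.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    field: str
    check: Callable[[Any, Any], bool]
    expected: Any
    message: str  # formatted with {actual} and {expected} when the rule fails


def at_least(actual: Any, expected: Any) -> bool:
    return actual is not None and actual >= expected


def at_most(actual: Any, expected: Any) -> bool:
    return actual is not None and actual <= expected


def equals(actual: Any, expected: Any) -> bool:
    return actual == expected


# AWS IAM password policy, keyed by the field names in the dict that
# boto3's iam.get_account_password_policy()["PasswordPolicy"] returns.
# AWS omits fields that are unset (MaxPasswordAge when expiry is off), so a
# missing field reads as None and fails the rule, which is what we want.
AWS_PASSWORD_POLICY_RULES: List[Rule] = [
    Rule("MinimumPasswordLength", at_least, 14,
         "minimum length is {actual}, required is {expected}"),
    Rule("RequireUppercaseCharacters", equals, True,
         "uppercase required is {actual}, expected {expected}"),
    Rule("RequireLowercaseCharacters", equals, True,
         "lowercase required is {actual}, expected {expected}"),
    Rule("RequireNumbers", equals, True,
         "numbers required is {actual}, expected {expected}"),
    Rule("RequireSymbols", equals, True,
         "symbols required is {actual}, expected {expected}"),
    Rule("MaxPasswordAge", at_most, 90,
         "max password age is {actual} days, required is at most {expected}"),
    Rule("PasswordReusePrevention", at_least, 24,
         "password reuse prevention is {actual}, required is {expected}"),
]

# GitHub organization 2FA. two_factor_requirement_enabled is a field of
# GET /orgs/{org}; members_without_2fa is a count this example assumes the
# collector derives from GET /orgs/{org}/members?filter=2fa_disabled.
GITHUB_ORG_2FA_RULES: List[Rule] = [
    Rule("two_factor_requirement_enabled", equals, True,
         "organization 2FA requirement is {actual}, expected {expected}"),
    Rule("members_without_2fa", equals, 0,
         "{actual} members without 2FA, expected {expected}"),
]


def verify(evidence: Dict[str, Any], rules: List[Rule],
           overrides: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Check evidence against rules; overrides swap the threshold for a field.

    Returns a record with the collection timestamp, a passing/failing status
    and one human-readable line per failed rule.
    """
    overrides = overrides or {}
    failures: List[str] = []
    for rule in rules:
        if rule.field in overrides:
            rule = replace(rule, expected=overrides[rule.field])
        actual = evidence.get(rule.field)
        if not rule.check(actual, rule.expected):
            failures.append(rule.message.format(actual=actual, expected=rule.expected))
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "status": "failing" if failures else "passing",
        "failures": failures,
    }


if __name__ == "__main__":
    # Constructed sample: a policy that would fail an audit.
    weak_policy = {
        "MinimumPasswordLength": 8, "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True, "RequireNumbers": True,
        "RequireSymbols": False, "PasswordReusePrevention": 5,
    }
    result = verify(weak_policy, AWS_PASSWORD_POLICY_RULES)
    print(result["status"])
    for line in result["failures"]:
        print(" -", line)
```

Keeping thresholds out of the comparison code is the whole point: an override such as `{"MinimumPasswordLength": 16}` changes what "passing" means for one organization without forking the rule set, and every failure line carries both the observed and the required value, which is exactly what someone fixing the configuration needs.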
Read-Only by Design
Security teams get nervous when you mention "connecting external services to production infrastructure." Fair enough. Let's talk about how these integrations actually work.
Every integration uses read-only access. Humadroid cannot modify your AWS resources, cannot push to your GitHub repositories, cannot change your Cloudflare configuration. The permissions are scoped to the absolute minimum required for compliance evidence collection.
For AWS, we use cross-account role assumption with external ID protection, so a third party who learns your role ARN cannot use our trusted account to reach into yours. You create an IAM role in your account with the SecurityAudit managed policy plus a handful of additional read permissions. The AssumeRole call and every API call made under it are recorded in your CloudTrail management events. You maintain full visibility into what we access and when.
For GCP, we use a service account with the Security Reviewer, Viewer and Cloud Asset Viewer roles. Least privilege by default. One caveat a practitioner should know: GCP's always-on Admin Activity audit logs record changes, not reads. The list and get calls evidence collection makes appear only in Data Access audit logs, which are off by default for most services, so enable Data Access logging on the projects you connect if you want our reads in your Cloud Audit Logs.
For GitHub, we use a GitHub App with read-only repository and organization permissions. Installation tokens are short-lived—one hour maximum. No persistent OAuth tokens sitting around.
For Cloudflare, we use scoped API tokens with zone-level read permissions. No global API keys, no account-wide access.
If you ever want to revoke access, delete the IAM role or service account, uninstall the GitHub App, or roll the Cloudflare API token. Immediate disconnection, no lingering permissions.
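The AWS trust relationship described above is the part of the integration worth getting exactly right, so here it is spelled out as an added example (not Humadroid's CloudFormation template): the trust policy a customer's audit role would carry, its weak twin without the external ID condition, and a small checker that flags the confused-deputy gap and wildcard principals. The account ID and external ID are placeholders.

```python
"""Cross-account audit role: trust policy with an external ID, plus a check.

Added example, not Humadroid's CloudFormation template. The account ID and
external ID are placeholders. The trust policy is the AssumeRolePolicyDocument
attached to the IAM role you create; the checker audits a trust policy for the
confused-deputy gap that the sts:ExternalId condition closes, and for a
wildcard principal. The read permissions come from attaching the SecurityAudit
managed policy to the role.
"""
import copy
import json
from typing import Any, Dict, List

SECURITY_AUDIT_POLICY_ARN = "arn:aws:iam::aws:policy/SecurityAudit"


def audit_role_trust_policy(vendor_account_id: str, external_id: str) -> Dict[str, Any]:
    """Allow only vendor_account_id to assume the role, and only when it
    presents external_id in the AssumeRole call (boto3: sts.assume_role(
    RoleArn=..., RoleSessionName=..., ExternalId=external_id))."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def without_external_id(policy: Dict[str, Any]) -> Dict[str, Any]:
    """The weak variant: same trusted account, no external ID condition."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        stmt.pop("Condition", None)
    return weak


def _as_list(value: Any) -> List[Any]:
    # IAM allows a string or a list in Principal/Action/Statement positions.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: Dict[str, Any], expected_account: str) -> List[str]:
    """Return weaknesses in a role trust policy; an empty list means every
    AssumeRole grant is scoped to expected_account and requires an external ID."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # this statement cannot grant AssumeRole
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        for p in aws_principals:
            if p == "*":
                findings.append("principal is '*': any AWS account may assume this role")
            elif expected_account not in p:
                findings.append(f"unexpected principal {p}")
        condition = stmt.get("Condition") or {}
        external_id = (condition.get("StringEquals") or {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition: the trusted account could be "
                            "tricked into assuming this role on someone else's behalf "
                            "(confused deputy)")
    return findings


if __name__ == "__main__":
    good = audit_role_trust_policy("111122223333", "replace-with-a-random-external-id")
    print(json.dumps(good, indent=2))
    print("hardened:", trust_policy_findings(good, "111122223333"))
    print("weak:", trust_policy_findings(without_external_id(good), "111122223333"))
```

The external ID is not a secret in the password sense; it is the value the vendor must present when it assumes your role, so that a request relayed on behalf of some other tenant (who does not know your external ID) fails at STS instead of succeeding with your permissions. Running the checker against the trust policy of any role you hand to a third party is a cheap way to confirm that condition is actually present.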
What This Means for Your Audit Prep
Let's talk about the practical impact.
Before integrations, preparing evidence for a SOC 2 audit meant dedicating someone—often a founder or senior engineer—to evidence collection for two to four weeks. That's two to four weeks of their most expensive employee taking screenshots and filling spreadsheets instead of building product.
With integrations, evidence collection happens automatically on schedule. Weekly for security-sensitive sources like GuardDuty findings and backup job status. Monthly for slower-changing configurations like IAM policies and branch protection rules. You configure it once and forget about it.
When audit time comes, your evidence is already there. Fresh, timestamped, verified. Your auditor gets exactly what they need in a format that's actually useful—structured data, not screenshots they have to squint at.
The time savings compound. You're not just saving the initial collection effort. You're saving the re-collection effort for every subsequent audit. You're saving the "wait, is this evidence still current?" conversations. You're saving the back-and-forth when auditors request clarification on blurry screenshots.
For continuous compliance—which is where the industry is heading—this becomes essential. You can't maintain continuous compliance with manual evidence collection. The math doesn't work. But with automated collection and verification running in the background, continuous compliance becomes practical.
Getting Started
Setup takes about ten minutes per integration.
For AWS, navigate to Settings → Integrations → AWS. We provide a CloudFormation template that creates the IAM role with correct permissions. Launch the stack, copy the Role ARN back to Humadroid, and you're connected. Test the connection to verify everything's working, then enable the evidence sources relevant to your controls.
For GCP, create a service account with the Security Reviewer, Viewer, and Cloud Asset Viewer roles. Download the JSON key file and upload it to Humadroid. We'll validate the connection and show you which GCP services are accessible. A downloaded service account key is a long-lived credential, so create the account for this purpose only, grant it nothing beyond those roles, and rotate the key on your normal schedule.
For GitHub, click Install GitHub App, select your organization, and approve the permissions. Choose repository access—we recommend all repositories for complete coverage—and you're done. The GitHub App handles authentication automatically.
For Cloudflare, create a custom API token with the specific zone permissions listed in our setup guide. Paste the token into Humadroid, select which zones to monitor, and enable your evidence sources.
Once connected, go to any control in your compliance project. The Evidence Sources tab shows which automated sources are available for that control. Enable what you need, configure collection frequency if the defaults don't suit you, and let the system work.
What's Next
We're not stopping at four integrations.
The architecture we've built is provider-agnostic. The same framework that powers AWS evidence collection can power any cloud provider, any source control system, any identity provider. Adding new integrations is a matter of implementing adapters, not rebuilding core infrastructure.
On the roadmap: Azure and DigitalOcean for additional cloud coverage. GitLab and Bitbucket for teams not on GitHub. Okta and Azure AD (now Microsoft Entra ID) for identity and access management. Google Workspace for collaboration security. HR systems for employee lifecycle evidence. Endpoint management for device compliance.
Each integration follows the same pattern: read-only access, automated collection, auto-verification, multi-framework support. The goal is simple—if a system holds compliance-relevant information, Humadroid should be able to collect it automatically.
Frequently Asked Questions
How long does setup take?
About ten minutes per integration. AWS is the most involved because you're creating an IAM role, but we provide a CloudFormation template that handles the complexity. GitHub is fastest: three clicks through the app installation flow.
What happens when evidence fails verification?
You'll see the evidence marked as failing with specific details about which rules weren't met. This gives you actionable information: "IAM password policy minimum length is 8, required is 14." Fix the configuration, and the next collection will show passing status.
How often is evidence collected?
Most sources default to monthly collection, which aligns with typical audit evidence requirements. Security-sensitive sources like GuardDuty findings and backup job status default to weekly. You can adjust collection frequency for any source.
Do I have to connect all four platforms?
Enable only what you use. If you're AWS-only, connect AWS and ignore the rest. Each integration is independent; you're not required to connect everything.
Does this cover both SOC 2 and ISO 27001?
Yes. Every evidence source maps to relevant controls in both frameworks. When you view a control, you see evidence sources that satisfy it regardless of which framework you're working toward. Many sources satisfy controls in both frameworks simultaneously.
How is access to my infrastructure protected?
We use read-only access exclusively; Humadroid cannot modify your infrastructure. Credentials are encrypted at rest. All evidence collection is logged for your review. You maintain full control and visibility over what we access.
What happens if a connection breaks?
Integrations include health checking. If a connection fails (expired credentials, changed permissions, network issues), you'll see the status immediately in your dashboard. Evidence collection pauses until you restore access.