Where do the 380+ checks come from?

A combination of AWS-best-practice checks (Well-Architected Framework, AWS Foundational Security Best Practices), CIS Benchmarks, and Refine-curated checks we've seen catch real issues across customer engagements.

Will "Fix Available" make changes I did not ask for?

No. The baseline IAM role we ask for is strictly read-only. Each "Fix Available" type requires you to grant a scoped, opt-in policy and confirm per-finding before any change happens. Every applied fix is recorded in your fix history.

Can I mute checks that do not apply to me?

Yes — per-check, per-account, or org-wide. Muted checks remain visible but stop counting against your Security Score and stop emailing alerts.

How is this different from AWS Security Hub?

Security Hub is excellent and free for findings. Refine bundles cost optimization in the same product, adds AI narrative reports, builds a customer hierarchy for MSPs, and surfaces "Fix Available" remediation hooks. We are complements more than substitutes — many customers run both.

Do you support multi-account orgs?

Yes — unlimited accounts and unlimited orgs, with a customer-hierarchy switcher in the header. See /product/multi-account for the full MSP and enterprise story.

Product · AWS Advanced Tier Services Partner

Find 380+ AWS security risks. Fix the obvious ones in one click.

IAM, storage, network, compute, and logging — checked across every region of every connected account. Severity-tiered. AI-narrated. Bundled with cost optimization at $0.

Connect AWS Account See The Findings Catalog

By HabileLabs

security scan · all regions380+ checks · severity-tiered

CRITICALS3 bucket public-read · prod-assetsFix Available
HIGHRoot account signed in without MFA
HIGHSecurity group open 0.0.0.0/0 → :22Fix Available
MEDIUMEBS volumes unencrypted · 14 foundFix Available
… scanning IAM, storage, network, compute, logging

Security score61/100 · every point a named finding

380+ Checks
Catalog below
15+ Regions
Auto-discovered
One-Click Fixes
Where safe
AI Commentary
On every finding

Refine dashboard showing Security Score and recent findings by severity — The Security Score sits beside the Optimization Score on the dashboard. Drill into findings by severity, region, or service.

The 380+ Checks Catalog

Five categories × four severities. A sample of representative checks per cell — the full catalog ships with the product.

CriticalHighMediumLow

Critical

High

Medium

Low

IAM

Root account has active access keys
Root account MFA disabled

Access key unused >90 days
Privileged role without MFA
Access keys older than 180 days

User attached inline policies
Password policy weaker than recommended
Unused IAM user (>90 days inactive)

IAM Access Analyzer disabled in region
User without MFA but inactive

Storage

S3 bucket public via ACL
S3 bucket public via policy
RDS instance publicly accessible

Unencrypted EBS volume
S3 versioning disabled
RDS backup retention < 7 days
KMS key rotation disabled

S3 lifecycle policy missing
S3 server access logging disabled
RDS deletion protection off

S3 bucket without Object Lock
EBS snapshot older than 365 days

Network

Security group allows 0.0.0.0/0 on SSH (22)
Security group allows 0.0.0.0/0 on RDP (3389)

Public ALB without WAF attached
NACL allows all inbound traffic
Security group allows DB port from internet
VPC peering with permissive rules

VPC flow logs disabled
Default security group used in production
Unused Elastic IP

ALB without HTTP → HTTPS redirect
Idle ELB (no targets attached)

Compute

EC2 with public IP + open SSH
Lambda execution role with admin policy

EC2 IMDSv2 not enforced
ECS task definition with privileged mode
Lambda in VPC with misconfigured subnets

EC2 detailed monitoring disabled
Lambda function using a deprecated runtime
Launch template using deprecated AMI

EC2 instance tagging incomplete
Lambda concurrency limit unset

Logging

CloudTrail disabled in region
CloudTrail log file validation off
GuardDuty disabled in region

AWS Config not recording
CloudTrail not multi-region
GuardDuty findings without routing

CloudWatch alarm without action
CloudWatch Logs without KMS encryption
Config rule failure rate high

VPC flow logs only in CloudWatch (no S3)
CloudTrail S3 bucket without MFA delete

"Fix Available" — one click instead of a ticket

For findings where the remediation is safe and well-known — enabling encryption defaults, attaching a missing log destination, tightening a security group — Refine shows a Fix Available badge. One click applies the change.

Opt-in per fix type — you grant a scoped policy, never the baseline IAM role
Preview the exact AWS API calls before applying
Every applied fix recorded in your fix history (who, when, which finding)
Roll-back hook where the change is reversible

Example finding

Unencrypted EBS volume

vol-0b2a91e84e7f3c1d2 · us-east-1 · attached to i-0ab2c3d4e5f6a7b8c

High

Enable EBS encryption-by-default in this region.

Fix Available

Multi-Region Coverage

Refine auto-discovers active regions in each connected account and scans them. Findings are tagged with the region so multi-region orgs can route by ownership.

us-east-1

N. Virginia

us-east-2

Ohio

us-west-1

N. California

us-west-2

Oregon

ca-central-1

Central Canada

eu-central-1

Frankfurt

eu-west-1

Ireland

eu-west-2

London

eu-north-1

Stockholm

ap-south-1

Mumbai

ap-south-2

Hyderabad

ap-southeast-1

Singapore

ap-southeast-2

Sydney

ap-northeast-1

Tokyo

ap-northeast-2

Seoul

sa-east-1

São Paulo

global

Global services

Security Score

A single 0–100 number that tracks posture trend. Same calibration as the Optimization Score next to it.

Inputs:: All active findings, weighted by severity.
Weighting:: Critical 8× · High 4× · Medium 2× · Low 1×.
Trend:: 30-day rolling window with daily snapshots so you see whether posture is improving or eroding.
Filter:: Mute checks you have explicitly accepted (e.g. legacy systems); score recomputes without them.

Example

82/ 100

+4 in 30 days. Driven by closing 3 Critical IAM findings and enabling EBS encryption defaults org-wide.

How we compare

Refine vs. The Alternatives

Honest assessment — Wiz and Prisma are deep CNAPP products. Refine is a free, AWS-native pairing of security and cost. Different jobs, different prices. Pick the one that fits.

Capability	RefineYou are here Cost + security, free	AWS Security Hub AWS-native	Wiz CNAPP, multi-cloud	Prisma Cloud CNAPP, multi-cloud
Pricing
Free tier	$0 forever	Free for findings, paid integrations	No free tier	No free tier
AWS-native (no agents)	Included	Included	Hybrid	Hybrid
Coverage
Multi-cloud (Azure, GCP)	Not included	Not included	Included	Included
Cost optimization in same product	Included	Not included	Not included	Not included
AI narrative reports	Included	Not included	Partial	Partial
Findings
Severity-tiered findings	Included	Included	Included	Included
One-click remediation hooks	Included	Via SSM	Workflow-based	Workflow-based
Org model
MSP / multi-customer hierarchy	Included	Org accounts	Enterprise tier	Enterprise tier
Operations
Setup time	60 seconds	Minutes	Hours-days	Hours-days

Frequently Asked Questions

A combination of AWS-best-practice checks (Well-Architected Framework, AWS Foundational Security Best Practices), CIS Benchmarks, and Refine-curated checks we've seen catch real issues across customer engagements.

Find the security risks already in your AWS account

60-second setup. Free forever. Read-only access.

Connect AWS Account Upload My AWS Bill

Refine is built and supported by HabileLabs, an AWS Advanced Tier Services Partner.