· 5 min read · By Mehul Prajapati

SOC 2 and HIPAA Scanning on AWS with One Command: Compliance Pilot

We packaged eight years of AWS audit prep into a Claude Code plugin. It scans, fixes with your approval, and writes the report your auditor actually wants.

AWSSOC 2HIPAAClaude CodeCompliance

Compliance Pilot is an open source Claude Code plugin that scans an AWS account for SOC 2 and HIPAA gaps with one command. It runs Prowler 5.x under the hood, filters out findings that do not apply to your account, proposes fixes that wait for human approval, and produces an audit-ready report grouped by control. No SaaS, no application code: Claude Code is the engine.

Why did we build a compliance scanner?

I have spent 8+ years on AWS, and much of that building HIPAA and SOC 2 ready infrastructure for clients at eagerminds, our AI product studio. Every engagement hit the same wall. The scanner already exists: Prowler, the open source cloud security tool, will happily run its checks against your account. The problem is everything around the scan.

Raw scanner output is a wall of findings. Most describe regions you have never used or services you do not run. Someone has to filter that down to what matters, fix the real issues without breaking production, then arrange the evidence the way an auditor wants it: by control, not by AWS service. That someone is usually a senior engineer losing days every audit cycle.

Compliance Pilot (repo name: comp-agent) is that work, packaged. It wraps Prowler 5.x in the judgment layer we kept rebuilding by hand for every client.

How does one-command AWS compliance scanning work?

Run /compliance-pilot:scan and the plugin executes Prowler against your account, auto-detects which services and regions are actually active, filters out the noise, and writes structured finding files you can work from. You can target a single service, or pass a flag to sweep everything.

/compliance-pilot:scan          # auto-detects active services and regions
/compliance-pilot:scan s3       # target a single service
/compliance-pilot:scan --full   # every check, across all regions

The auto-detection matters more than it sounds. Under the AWS shared responsibility model, misconfigurations on your side of the line are yours to find, and a scanner that reports on regions you have never opened buries the three findings that will actually fail your audit. Filtering is the feature.

Is it safe to let an AI remediate AWS findings?

Only with a human approving every change, which is exactly how /compliance-pilot:remediate works. It proposes one fix at a time, explains what will change, and waits for your approval before touching anything. It also captures evidence around each change, so the fix and its proof land in the same place.

We set that rule early and it is not negotiable: there is no bulk auto-fix mode. The approval gate costs you a few minutes. An unreviewed change to a production S3 policy can cost far more. And the evidence capture doubles as your audit trail, which is half the reason you are doing this work at all.

What do the posture and audit-report commands produce?

/compliance-pilot:posture renders a compliance posture dashboard: where the account stands right now against SOC 2 and HIPAA, so you can check drift between audits instead of discovering it during one. /compliance-pilot:audit-report generates an audit-ready report grouped by controls.

That grouping is the detail I care about most. Auditors do not think in AWS services, they think in controls, and AWS's own HIPAA guidance makes clear that configuring services correctly is the customer's job. Handing over a report already organized by control is the difference between a smooth evidence request and a week of spreadsheet archaeology.

Why does the plugin contain no application code?

Compliance Pilot ships zero application code. The entire plugin is agents, skills, rules, and hooks: Claude Code is the engine that runs Prowler, applies the rules, and drives the workflow. There is no backend, no database, and no third-party service holding your AWS credentials.

That design falls out of a simple observation: compliance work is judgment plus glue, and Claude Code already provides both. It also means everything the plugin does is written in plain text you can read before you run it. The repo sits at 5+ stars on GitHub, it is early, and every line of its behavior is inspectable. We write up each tool we ship in these notes from the studio.

How do you install Compliance Pilot?

You need three things: Claude Code, Prowler 5.x, and AWS credentials for the account you want to scan.

# 1. Install Prowler 5.x
pip install prowler

# 2. Add the plugin inside Claude Code
/plugin marketplace add prajapatimehul/comp-agent

# 3. The four commands
/compliance-pilot:scan          # find what is broken
/compliance-pilot:remediate     # fix it, with approval
/compliance-pilot:posture       # see where you stand
/compliance-pilot:audit-report  # hand it to your auditor

Start with a targeted scan of your noisiest service, read the finding files it produces, then run remediate when you have time to approve changes properly.

FAQ

What do I need to run Compliance Pilot?

Three things: Claude Code, Prowler 5.x (pip install prowler), and AWS credentials with access to the account you want to scan. There is no server to deploy and no agent to install inside your infrastructure. Everything runs from your terminal.

Does Compliance Pilot change my AWS account without asking?

No. Scanning, posture, and audit reporting are read-only. Only /compliance-pilot:remediate makes changes, and it waits for human approval before each individual fix. It also captures evidence around every change, so you keep a record of what was modified and why.

Which compliance frameworks does Compliance Pilot cover?

SOC 2 and HIPAA. The underlying checks come from Prowler 5.x, an open source cloud security tool, and the audit-report command groups results by control so the output lines up with how auditors actually review evidence.

Is Compliance Pilot a replacement for a SOC 2 auditor?

No. An auditor still issues your SOC 2 report and a compliance officer still owns your HIPAA program. Compliance Pilot handles the technical layer: finding misconfigurations, fixing them with approval, and organizing evidence by control so the audit itself goes faster.

Built in the open at github.com/prajapatimehul/comp-agent.

One last thing

Have a product stuck in your head? Let's get it shipped.