aws-audit-checklist 0.1.0__tar.gz

aws_audit_checklist-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 David Gomez
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aws_audit_checklist-0.1.0/PKG-INFO

@@ -0,0 +1,90 @@
+Metadata-Version: 2.4
+Name: aws-audit-checklist
+Version: 0.1.0
+Summary: A free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts.
+Author-email: David Gomez <contactme@itsdavidg.co>
+License: MIT
+Project-URL: Homepage, https://services.itsdavidg.co
+Project-URL: Source, https://github.com/davidgomezbravo/aws-audit
+Keywords: aws,security,audit,cloud,devops,iam,s3,checklist,finops
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: boto3>=1.26
+Dynamic: license-file
+
+# aws-audit — the AWS security checklist I run on client accounts
+
+A free, **read-only** AWS security & cost audit CLI. Point it at an account and it runs the
+same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized
+findings report. **It only makes `Describe`/`List`/`Get` calls — nothing is ever created,
+modified, or deleted, and no data leaves your machine.**
+
+```
+$ aws-audit
+
+  AWS Security Audit  ·  aws-audit
+  Account 123456789012  ·  regions: us-east-1
+  ────────────────────────────────────────────────────────────────
+
+   CRITICAL  [IAM-1] Root account MFA  — FAIL
+      Root account does NOT have MFA enabled.
+      fix: Enable a hardware or virtual MFA device on the root user and stop using root.
+
+   HIGH  [IAM-2] Long-lived IAM access keys  — FAIL
+      2 active access key(s) older than 90 days.
+      affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
+      fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
+  ...
+  1 fail  ·  3 warn  ·  18 pass
+
+  Want this done for you — and the issues fixed? → https://services.itsdavidg.co
+```
+
+## Install
+
+```bash
+pipx install aws-audit-checklist     # recommended
+# or
+pip install aws-audit-checklist
+```
+
+## Usage
+
+```bash
+aws-audit                       # uses your default AWS credential chain + region
+aws-audit --profile myprofile   # a named profile
+aws-audit --all-regions         # run regional checks in every enabled region
+aws-audit --markdown report.md  # export a Markdown report
+aws-audit --json                # machine-readable output
+aws-audit --strict              # exit non-zero if anything FAILs (CI gate)
+```
+
+You only need **read-only** credentials. A built-in AWS managed policy like
+`SecurityAudit` or `ReadOnlyAccess` is more than enough. Checks you lack permission for are
+reported as "could-not-check" rather than failing the run.
+
+## What it checks (30-point checklist)
+
+| Area | Examples |
+|------|----------|
+| **Identity (IAM)** | root MFA, access keys > 90 days, console users without MFA, password policy |
+| **Network** | security groups exposing SSH/RDP to `0.0.0.0/0` |
+| **Data** | S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups |
+| **Logging** | multi-region CloudTrail, GuardDuty, AWS Config |
+| **Cost signals** | unattached EBS volumes, unused Elastic IPs |
+
+The full human-readable checklist (with the items not yet automated — incident runbooks,
+multi-AZ, IaC, off-account backups) is here:
+**[the 30-point AWS Security Checklist PDF](https://services.itsdavidg.co/#checklist)**.
+
+## Why this exists
+
+I'm David Gomez — I do fractional-CTO work and run AWS security/cost audits. I kept running
+this same checklist by hand on every account, so I open-sourced the automatable parts. If you
+want the whole thing done for you — including the manual items and actually *fixing* what it
+finds, with a guarantee — that's my [AWS Complete Security Audit](https://services.itsdavidg.co).
+
+## License
+
+MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.

aws_audit_checklist-0.1.0/README.md

@@ -0,0 +1,75 @@
+# aws-audit — the AWS security checklist I run on client accounts
+
+A free, **read-only** AWS security & cost audit CLI. Point it at an account and it runs the
+same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized
+findings report. **It only makes `Describe`/`List`/`Get` calls — nothing is ever created,
+modified, or deleted, and no data leaves your machine.**
+
+```
+$ aws-audit
+
+  AWS Security Audit  ·  aws-audit
+  Account 123456789012  ·  regions: us-east-1
+  ────────────────────────────────────────────────────────────────
+
+   CRITICAL  [IAM-1] Root account MFA  — FAIL
+      Root account does NOT have MFA enabled.
+      fix: Enable a hardware or virtual MFA device on the root user and stop using root.
+
+   HIGH  [IAM-2] Long-lived IAM access keys  — FAIL
+      2 active access key(s) older than 90 days.
+      affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
+      fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
+  ...
+  1 fail  ·  3 warn  ·  18 pass
+
+  Want this done for you — and the issues fixed? → https://services.itsdavidg.co
+```
+
+## Install
+
+```bash
+pipx install aws-audit-checklist     # recommended
+# or
+pip install aws-audit-checklist
+```
+
+## Usage
+
+```bash
+aws-audit                       # uses your default AWS credential chain + region
+aws-audit --profile myprofile   # a named profile
+aws-audit --all-regions         # run regional checks in every enabled region
+aws-audit --markdown report.md  # export a Markdown report
+aws-audit --json                # machine-readable output
+aws-audit --strict              # exit non-zero if anything FAILs (CI gate)
+```
+
+You only need **read-only** credentials. A built-in AWS managed policy like
+`SecurityAudit` or `ReadOnlyAccess` is more than enough. Checks you lack permission for are
+reported as "could-not-check" rather than failing the run.
+
+## What it checks (30-point checklist)
+
+| Area | Examples |
+|------|----------|
+| **Identity (IAM)** | root MFA, access keys > 90 days, console users without MFA, password policy |
+| **Network** | security groups exposing SSH/RDP to `0.0.0.0/0` |
+| **Data** | S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups |
+| **Logging** | multi-region CloudTrail, GuardDuty, AWS Config |
+| **Cost signals** | unattached EBS volumes, unused Elastic IPs |
+
+The full human-readable checklist (with the items not yet automated — incident runbooks,
+multi-AZ, IaC, off-account backups) is here:
+**[the 30-point AWS Security Checklist PDF](https://services.itsdavidg.co/#checklist)**.
+
+## Why this exists
+
+I'm David Gomez — I do fractional-CTO work and run AWS security/cost audits. I kept running
+this same checklist by hand on every account, so I open-sourced the automatable parts. If you
+want the whole thing done for you — including the manual items and actually *fixing* what it
+finds, with a guarantee — that's my [AWS Complete Security Audit](https://services.itsdavidg.co).
+
+## License
+
+MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.

aws_audit_checklist-0.1.0/aws_audit/__init__.py

@@ -0,0 +1,5 @@
+"""aws-audit — a free, read-only AWS security audit CLI.
+
+https://services.itsdavidg.co
+"""
+__version__ = "0.1.0"

aws_audit_checklist-0.1.0/aws_audit/checks.py

@@ -0,0 +1,334 @@
+"""Read-only AWS security checks mapped to the 30-point audit checklist.
+
+Every check makes only Describe/List/Get calls. Nothing is created, modified, or deleted.
+Each check returns a list of Finding objects; missing permissions degrade to an ERROR
+finding rather than crashing the run.
+"""
+from __future__ import annotations
+
+import datetime as dt
+from dataclasses import dataclass, field
+from typing import Callable
+
+import boto3
+from botocore.exceptions import BotoCoreError, ClientError
+
+CRITICAL, HIGH, MEDIUM, LOW, INFO = "CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"
+PASS, FAIL, WARN, ERROR = "PASS", "FAIL", "WARN", "ERROR"
+
+SEV_ORDER = {CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3, INFO: 4}
+
+
+@dataclass
+class Finding:
+    check_id: str
+    title: str
+    severity: str
+    status: str
+    detail: str = ""
+    resources: list[str] = field(default_factory=list)
+    remediation: str = ""
+
+
+def _now() -> dt.datetime:
+    return dt.datetime.now(dt.timezone.utc)
+
+
+def _days_old(d: dt.datetime) -> int:
+    if d.tzinfo is None:
+        d = d.replace(tzinfo=dt.timezone.utc)
+    return (_now() - d).days
+
+
+def _err(check_id: str, title: str, severity: str, exc: Exception) -> Finding:
+    msg = getattr(exc, "response", {}).get("Error", {}).get("Code", str(exc)) if isinstance(exc, ClientError) else str(exc)
+    return Finding(check_id, title, severity, ERROR,
+                   detail=f"Could not evaluate (likely missing read permission): {msg}")
+
+
+# ---------------------------------------------------------------- IAM (global)
+
+def check_root_mfa(session: boto3.Session) -> list[Finding]:
+    title = "Root account MFA"
+    try:
+        summary = session.client("iam").get_account_summary()["SummaryMap"]
+        if summary.get("AccountMFAEnabled", 0) == 1:
+            return [Finding("IAM-1", title, CRITICAL, PASS, "Root account has MFA enabled.")]
+        return [Finding("IAM-1", title, CRITICAL, FAIL,
+                        "Root account does NOT have MFA enabled.",
+                        remediation="Enable a hardware or virtual MFA device on the root user and stop using root for daily work.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("IAM-1", title, CRITICAL, e)]
+
+
+def check_old_access_keys(session: boto3.Session) -> list[Finding]:
+    title = "Long-lived IAM access keys"
+    out: list[Finding] = []
+    try:
+        iam = session.client("iam")
+        stale: list[str] = []
+        for page in iam.get_paginator("list_users").paginate():
+            for user in page["Users"]:
+                for key in iam.list_access_keys(UserName=user["UserName"]).get("AccessKeyMetadata", []):
+                    age = _days_old(key["CreateDate"])
+                    if key["Status"] == "Active" and age > 90:
+                        stale.append(f'{user["UserName"]}:{key["AccessKeyId"][-4:]} ({age}d)')
+        if stale:
+            out.append(Finding("IAM-2", title, HIGH, FAIL,
+                               f"{len(stale)} active access key(s) older than 90 days.",
+                               resources=stale,
+                               remediation="Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO) over long-lived keys."))
+        else:
+            out.append(Finding("IAM-2", title, HIGH, PASS, "No active access keys older than 90 days."))
+    except (ClientError, BotoCoreError) as e:
+        out.append(_err("IAM-2", title, HIGH, e))
+    return out
+
+
+def check_users_without_mfa(session: boto3.Session) -> list[Finding]:
+    title = "Console users without MFA"
+    try:
+        iam = session.client("iam")
+        no_mfa: list[str] = []
+        for page in iam.get_paginator("list_users").paginate():
+            for user in page["Users"]:
+                name = user["UserName"]
+                try:
+                    iam.get_login_profile(UserName=name)  # raises if no console password
+                except ClientError as e:
+                    if e.response["Error"]["Code"] == "NoSuchEntity":
+                        continue
+                    raise
+                if not iam.list_mfa_devices(UserName=name).get("MFADevices"):
+                    no_mfa.append(name)
+        if no_mfa:
+            return [Finding("IAM-3", title, HIGH, FAIL,
+                            f"{len(no_mfa)} user(s) with console access but no MFA.",
+                            resources=no_mfa,
+                            remediation="Require MFA for every human with console access (or move them to SSO).")]
+        return [Finding("IAM-3", title, HIGH, PASS, "All console users have MFA (or none have console access).")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("IAM-3", title, HIGH, e)]
+
+
+def check_password_policy(session: boto3.Session) -> list[Finding]:
+    title = "IAM password policy"
+    try:
+        pol = session.client("iam").get_account_password_policy()["PasswordPolicy"]
+        weak = []
+        if pol.get("MinimumPasswordLength", 0) < 14:
+            weak.append("min length < 14")
+        if not pol.get("RequireSymbols"): weak.append("no symbols required")
+        if not pol.get("RequireNumbers"): weak.append("no numbers required")
+        if weak:
+            return [Finding("IAM-4", title, MEDIUM, WARN, "Weak password policy: " + ", ".join(weak),
+                            remediation="Set minimum length >= 14 and require symbols/numbers, or use SSO.")]
+        return [Finding("IAM-4", title, MEDIUM, PASS, "Password policy meets baseline.")]
+    except ClientError as e:
+        if e.response["Error"]["Code"] == "NoSuchEntity":
+            return [Finding("IAM-4", title, MEDIUM, FAIL, "No account password policy is set.",
+                            remediation="Set an IAM account password policy, or standardize on SSO.")]
+        return [_err("IAM-4", title, MEDIUM, e)]
+    except BotoCoreError as e:
+        return [_err("IAM-4", title, MEDIUM, e)]
+
+
+# ---------------------------------------------------------------- S3 (global-ish)
+
+def check_s3_account_public_block(session: boto3.Session, account_id: str) -> list[Finding]:
+    title = "S3 account-level Block Public Access"
+    try:
+        cfg = session.client("s3control").get_public_access_block(AccountId=account_id)["PublicAccessBlockConfiguration"]
+        if all(cfg.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")):
+            return [Finding("S3-1", title, HIGH, PASS, "Account-level S3 Block Public Access is fully ON.")]
+        return [Finding("S3-1", title, HIGH, FAIL, f"Account-level Block Public Access is partial: {cfg}",
+                        remediation="Turn on all four S3 Block Public Access settings at the account level.")]
+    except ClientError as e:
+        if e.response["Error"]["Code"] in ("NoSuchPublicAccessBlockConfiguration", "NoSuchConfiguration"):
+            return [Finding("S3-1", title, HIGH, FAIL, "No account-level Block Public Access configuration.",
+                            remediation="Enable account-level S3 Block Public Access.")]
+        return [_err("S3-1", title, HIGH, e)]
+    except BotoCoreError as e:
+        return [_err("S3-1", title, HIGH, e)]
+
+
+def check_s3_buckets(session: boto3.Session) -> list[Finding]:
+    out: list[Finding] = []
+    try:
+        s3 = session.client("s3")
+        buckets = s3.list_buckets().get("Buckets", [])
+        public, unencrypted = [], []
+        for b in buckets:
+            name = b["Name"]
+            try:
+                status = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]
+                if status:
+                    public.append(name)
+            except ClientError:
+                pass
+            try:
+                s3.get_bucket_encryption(Bucket=name)
+            except ClientError as e:
+                if e.response["Error"]["Code"] == "ServerSideEncryptionConfigurationNotFoundError":
+                    unencrypted.append(name)
+        if public:
+            out.append(Finding("S3-2", "Public S3 buckets", CRITICAL, FAIL,
+                               f"{len(public)} bucket policy(ies) evaluate as public.", resources=public,
+                               remediation="Review bucket policies/ACLs; make public only what is intentionally public."))
+        else:
+            out.append(Finding("S3-2", "Public S3 buckets", CRITICAL, PASS, "No buckets evaluate as public by policy."))
+        if unencrypted:
+            out.append(Finding("S3-3", "S3 default encryption", MEDIUM, WARN,
+                               f"{len(unencrypted)} bucket(s) without default encryption.", resources=unencrypted,
+                               remediation="Enable default encryption (SSE-S3 or SSE-KMS) on every bucket."))
+        else:
+            out.append(Finding("S3-3", "S3 default encryption", MEDIUM, PASS, "All buckets have default encryption."))
+    except (ClientError, BotoCoreError) as e:
+        out.append(_err("S3-2", "S3 buckets", CRITICAL, e))
+    return out
+
+
+# ---------------------------------------------------------------- EC2 / VPC (regional)
+
+def check_open_security_groups(session: boto3.Session, region: str) -> list[Finding]:
+    title = "Security groups open to the internet"
+    risky_ports = {22: "SSH", 3389: "RDP"}
+    try:
+        ec2 = session.client("ec2", region_name=region)
+        offenders: list[str] = []
+        for page in ec2.get_paginator("describe_security_groups").paginate():
+            for sg in page["SecurityGroups"]:
+                for perm in sg.get("IpPermissions", []):
+                    open_v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
+                    open_v6 = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
+                    if not (open_v4 or open_v6):
+                        continue
+                    frm, to = perm.get("FromPort"), perm.get("ToPort")
+                    for port, label in risky_ports.items():
+                        if frm is None or (frm <= port <= to):
+                            offenders.append(f'{sg["GroupId"]} ({label} {port}) [{region}]')
+        if offenders:
+            return [Finding("NET-1", title, CRITICAL, FAIL,
+                            f"{len(offenders)} security group rule(s) expose SSH/RDP to the world in {region}.",
+                            resources=sorted(set(offenders)),
+                            remediation="Restrict 22/3389 to known IPs or a bastion/SSM; never 0.0.0.0/0.")]
+        return [Finding("NET-1", title, CRITICAL, PASS, f"No SSH/RDP exposed to 0.0.0.0/0 in {region}.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("NET-1", title, CRITICAL, e)]
+
+
+def check_ebs_encryption_default(session: boto3.Session, region: str) -> list[Finding]:
+    title = "EBS encryption by default"
+    try:
+        ec2 = session.client("ec2", region_name=region)
+        if ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]:
+            return [Finding("DATA-1", title, MEDIUM, PASS, f"EBS encryption-by-default is ON in {region}.")]
+        return [Finding("DATA-1", title, MEDIUM, FAIL, f"EBS encryption-by-default is OFF in {region}.",
+                        remediation="Enable EBS encryption by default per region.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("DATA-1", title, MEDIUM, e)]
+
+
+def check_unattached_resources(session: boto3.Session, region: str) -> list[Finding]:
+    out: list[Finding] = []
+    try:
+        ec2 = session.client("ec2", region_name=region)
+        vols = [v["VolumeId"] for p in ec2.get_paginator("describe_volumes").paginate(
+            Filters=[{"Name": "status", "Values": ["available"]}]) for v in p["Volumes"]]
+        eips = [a.get("PublicIp", a.get("AllocationId")) for a in ec2.describe_addresses().get("Addresses", [])
+                if "AssociationId" not in a]
+        if vols:
+            out.append(Finding("COST-1", "Unattached EBS volumes", LOW, WARN,
+                               f"{len(vols)} unattached EBS volume(s) in {region} (paying for nothing).",
+                               resources=vols, remediation="Snapshot if needed, then delete unattached volumes."))
+        else:
+            out.append(Finding("COST-1", "Unattached EBS volumes", LOW, PASS, f"No unattached EBS volumes in {region}."))
+        if eips:
+            out.append(Finding("COST-2", "Unused Elastic IPs", LOW, WARN,
+                               f"{len(eips)} unassociated Elastic IP(s) in {region} (billed hourly).",
+                               resources=[str(x) for x in eips], remediation="Release Elastic IPs you aren't using."))
+    except (ClientError, BotoCoreError) as e:
+        out.append(_err("COST-1", "Unattached resources", LOW, e))
+    return out
+
+
+# ---------------------------------------------------------------- RDS (regional)
+
+def check_rds(session: boto3.Session, region: str) -> list[Finding]:
+    out: list[Finding] = []
+    try:
+        rds = session.client("rds", region_name=region)
+        public, unenc, nobackup = [], [], []
+        for page in rds.get_paginator("describe_db_instances").paginate():
+            for db in page["DBInstances"]:
+                ident = db["DBInstanceIdentifier"]
+                if db.get("PubliclyAccessible"):
+                    public.append(ident)
+                if not db.get("StorageEncrypted"):
+                    unenc.append(ident)
+                if db.get("BackupRetentionPeriod", 0) == 0:
+                    nobackup.append(ident)
+        if public:
+            out.append(Finding("DATA-2", "Publicly accessible RDS", CRITICAL, FAIL,
+                               f"{len(public)} RDS instance(s) are publicly accessible in {region}.",
+                               resources=public, remediation="Set PubliclyAccessible=false; reach DBs via private networking."))
+        if unenc:
+            out.append(Finding("DATA-3", "Unencrypted RDS", HIGH, FAIL,
+                               f"{len(unenc)} RDS instance(s) without storage encryption in {region}.",
+                               resources=unenc, remediation="Encryption must be set at creation; restore from an encrypted snapshot."))
+        if nobackup:
+            out.append(Finding("DATA-4", "RDS backups disabled", HIGH, FAIL,
+                               f"{len(nobackup)} RDS instance(s) with backups disabled in {region}.",
+                               resources=nobackup, remediation="Set a backup retention period >= 7 days and test a restore."))
+        if not (public or unenc or nobackup):
+            out.append(Finding("DATA-2", "RDS posture", HIGH, PASS, f"No public/unencrypted/un-backed-up RDS in {region}."))
+    except (ClientError, BotoCoreError) as e:
+        out.append(_err("DATA-2", "RDS posture", HIGH, e))
+    return out
+
+
+# ---------------------------------------------------------------- Detection (regional)
+
+def check_cloudtrail(session: boto3.Session, region: str) -> list[Finding]:
+    title = "CloudTrail multi-region logging"
+    try:
+        trails = session.client("cloudtrail", region_name=region).describe_trails(includeShadowTrails=True)["trailList"]
+        if any(t.get("IsMultiRegionTrail") for t in trails):
+            return [Finding("LOG-1", title, HIGH, PASS, "A multi-region CloudTrail exists.")]
+        if trails:
+            return [Finding("LOG-1", title, HIGH, WARN, "CloudTrail exists but none are multi-region.",
+                            remediation="Enable a multi-region trail so activity in every region is logged.")]
+        return [Finding("LOG-1", title, HIGH, FAIL, "No CloudTrail found.",
+                        remediation="Enable a multi-region CloudTrail logging to a locked-down S3 bucket.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("LOG-1", title, HIGH, e)]
+
+
+def check_guardduty(session: boto3.Session, region: str) -> list[Finding]:
+    title = "GuardDuty threat detection"
+    try:
+        if session.client("guardduty", region_name=region).list_detectors().get("DetectorIds"):
+            return [Finding("LOG-2", title, MEDIUM, PASS, f"GuardDuty is enabled in {region}.")]
+        return [Finding("LOG-2", title, MEDIUM, FAIL, f"GuardDuty is not enabled in {region}.",
+                        remediation="Enable GuardDuty in every active region.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("LOG-2", title, MEDIUM, e)]
+
+
+def check_config(session: boto3.Session, region: str) -> list[Finding]:
+    title = "AWS Config recording"
+    try:
+        recs = session.client("config", region_name=region).describe_configuration_recorders().get("ConfigurationRecorders", [])
+        if recs:
+            return [Finding("LOG-3", title, LOW, PASS, f"AWS Config recorder present in {region}.")]
+        return [Finding("LOG-3", title, LOW, WARN, f"No AWS Config recorder in {region}.",
+                        remediation="Enable AWS Config to track resource configuration changes.")]
+    except (ClientError, BotoCoreError) as e:
+        return [_err("LOG-3", title, LOW, e)]
+
+
+GLOBAL_CHECKS: list[Callable] = [check_root_mfa, check_old_access_keys, check_users_without_mfa, check_password_policy]
+REGIONAL_CHECKS: list[Callable] = [
+    check_open_security_groups, check_ebs_encryption_default, check_unattached_resources,
+    check_rds, check_cloudtrail, check_guardduty, check_config,
+]

aws_audit_checklist-0.1.0/aws_audit/cli.py

@@ -0,0 +1,154 @@
+"""aws-audit — a free, read-only AWS security audit CLI.
+
+Runs a 30-point security & cost checklist against an AWS account using only
+read-only API calls, and prints a prioritized findings report.
+
+Built by David Gomez (Fractional CTO & AWS DevOps). Want it done for you and the
+issues fixed? https://services.itsdavidg.co
+"""
+from __future__ import annotations
+
+import argparse
+import json
+import sys
+
+import boto3
+
+from . import checks as C
+from .checks import SEV_ORDER, FAIL, WARN, PASS, ERROR
+
+CTA = "Want this done for you — and the issues fixed? → https://services.itsdavidg.co"
+
+_COLORS = {
+    "CRITICAL": "\033[97;41m", "HIGH": "\033[91m", "MEDIUM": "\033[93m",
+    "LOW": "\033[94m", "INFO": "\033[90m",
+    FAIL: "\033[91m", WARN: "\033[93m", PASS: "\033[92m", ERROR: "\033[90m",
+    "bold": "\033[1m", "dim": "\033[2m", "reset": "\033[0m",
+}
+
+
+def _c(text: str, key: str, use_color: bool) -> str:
+    if not use_color:
+        return text
+    return f"{_COLORS.get(key, '')}{text}{_COLORS['reset']}"
+
+
+def run_checks(session: boto3.Session, account_id: str, regions: list[str]):
+    findings = []
+    for fn in C.GLOBAL_CHECKS:
+        findings.extend(fn(session))
+    findings.extend(C.check_s3_account_public_block(session, account_id))
+    findings.extend(C.check_s3_buckets(session))
+    for region in regions:
+        for fn in C.REGIONAL_CHECKS:
+            findings.extend(fn(session, region))
+    return findings
+
+
+def print_report(findings, account_id, regions, use_color):
+    fails = [f for f in findings if f.status == FAIL]
+    warns = [f for f in findings if f.status == WARN]
+    passes = [f for f in findings if f.status == PASS]
+    errors = [f for f in findings if f.status == ERROR]
+
+    print()
+    print(_c("  AWS Security Audit", "bold", use_color) + _c("  ·  aws-audit", "dim", use_color))
+    print(_c(f"  Account {account_id}  ·  regions: {', '.join(regions)}", "dim", use_color))
+    print("  " + "─" * 64)
+
+    order = sorted(fails + warns, key=lambda f: (SEV_ORDER.get(f.severity, 9), f.check_id))
+    if not order:
+        print(_c("  ✓ No failed or warning checks. Nice.", PASS, use_color))
+    for f in order:
+        tag = _c(f" {f.severity} ", f.severity, use_color)
+        st = _c(f.status, f.status, use_color)
+        print(f"\n  {tag} [{f.check_id}] {_c(f.title, 'bold', use_color)}  — {st}")
+        print(f"      {f.detail}")
+        if f.resources:
+            shown = ", ".join(f.resources[:8]) + (f" … (+{len(f.resources) - 8} more)" if len(f.resources) > 8 else "")
+            print(_c(f"      affected: {shown}", "dim", use_color))
+        if f.remediation:
+            print(_c(f"      fix: {f.remediation}", "dim", use_color))
+
+    print("\n  " + "─" * 64)
+    summary = (f"  {_c(str(len(fails)) + ' fail', FAIL, use_color)}  ·  "
+               f"{_c(str(len(warns)) + ' warn', WARN, use_color)}  ·  "
+               f"{_c(str(len(passes)) + ' pass', PASS, use_color)}")
+    if errors:
+        summary += f"  ·  {_c(str(len(errors)) + ' could-not-check', ERROR, use_color)}"
+    print(summary)
+    if errors:
+        print(_c("  (could-not-check = the credentials used lack that read permission)", "dim", use_color))
+    print()
+    print(_c("  " + CTA, "bold", use_color))
+    print()
+
+
+def to_markdown(findings, account_id, regions) -> str:
+    lines = [f"# AWS Security Audit — account {account_id}",
+             f"_Regions: {', '.join(regions)}_  ·  generated by [aws-audit](https://services.itsdavidg.co)\n"]
+    by_status = {}
+    for f in findings:
+        by_status.setdefault(f.status, []).append(f)
+    for status in (FAIL, WARN, PASS, ERROR):
+        items = sorted(by_status.get(status, []), key=lambda f: (SEV_ORDER.get(f.severity, 9), f.check_id))
+        if not items:
+            continue
+        lines.append(f"\n## {status} ({len(items)})\n")
+        for f in items:
+            lines.append(f"- **[{f.severity}] {f.title}** (`{f.check_id}`) — {f.detail}")
+            if f.resources:
+                lines.append(f"  - affected: {', '.join(f.resources[:20])}")
+            if f.remediation:
+                lines.append(f"  - fix: {f.remediation}")
+    lines.append(f"\n---\n\n**{CTA}**\n")
+    return "\n".join(lines)
+
+
+def main(argv=None) -> int:
+    p = argparse.ArgumentParser(prog="aws-audit", description="Read-only AWS security audit (30-point checklist).")
+    p.add_argument("--profile", help="AWS profile name (default: default credential chain)")
+    p.add_argument("--region", help="Region for regional checks (default: session region or us-east-1)")
+    p.add_argument("--all-regions", action="store_true", help="Run regional checks in every enabled region (slower)")
+    p.add_argument("--json", dest="as_json", action="store_true", help="Output findings as JSON")
+    p.add_argument("--markdown", metavar="FILE", help="Write a Markdown report to FILE")
+    p.add_argument("--no-color", action="store_true", help="Disable ANSI colors")
+    p.add_argument("--strict", action="store_true", help="Exit non-zero if any check FAILs (for CI)")
+    args = p.parse_args(argv)
+
+    use_color = (not args.no_color) and sys.stdout.isatty()
+    try:
+        session = boto3.Session(profile_name=args.profile) if args.profile else boto3.Session()
+        account_id = session.client("sts").get_caller_identity()["Account"]
+    except Exception as e:  # noqa: BLE001
+        print(f"error: could not establish an AWS session: {e}", file=sys.stderr)
+        return 2
+
+    base_region = args.region or session.region_name or "us-east-1"
+    if args.all_regions:
+        try:
+            regions = [r["RegionName"] for r in session.client("ec2", region_name=base_region)
+                       .describe_regions(Filters=[{"Name": "opt-in-status", "Values": ["opt-in-not-required", "opted-in"]}])["Regions"]]
+        except Exception:  # noqa: BLE001
+            regions = [base_region]
+    else:
+        regions = [base_region]
+
+    findings = run_checks(session, account_id, regions)
+
+    if args.markdown:
+        with open(args.markdown, "w", encoding="utf-8") as fh:
+            fh.write(to_markdown(findings, account_id, regions))
+        print(f"wrote {args.markdown}")
+    if args.as_json:
+        print(json.dumps([f.__dict__ for f in findings], indent=2))
+    else:
+        print_report(findings, account_id, regions, use_color)
+
+    if args.strict and any(f.status == FAIL for f in findings):
+        return 1
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/PKG-INFO

@@ -0,0 +1,90 @@
+Metadata-Version: 2.4
+Name: aws-audit-checklist
+Version: 0.1.0
+Summary: A free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts.
+Author-email: David Gomez <contactme@itsdavidg.co>
+License: MIT
+Project-URL: Homepage, https://services.itsdavidg.co
+Project-URL: Source, https://github.com/davidgomezbravo/aws-audit
+Keywords: aws,security,audit,cloud,devops,iam,s3,checklist,finops
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: boto3>=1.26
+Dynamic: license-file
+
+# aws-audit — the AWS security checklist I run on client accounts
+
+A free, **read-only** AWS security & cost audit CLI. Point it at an account and it runs the
+same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized
+findings report. **It only makes `Describe`/`List`/`Get` calls — nothing is ever created,
+modified, or deleted, and no data leaves your machine.**
+
+```
+$ aws-audit
+
+  AWS Security Audit  ·  aws-audit
+  Account 123456789012  ·  regions: us-east-1
+  ────────────────────────────────────────────────────────────────
+
+   CRITICAL  [IAM-1] Root account MFA  — FAIL
+      Root account does NOT have MFA enabled.
+      fix: Enable a hardware or virtual MFA device on the root user and stop using root.
+
+   HIGH  [IAM-2] Long-lived IAM access keys  — FAIL
+      2 active access key(s) older than 90 days.
+      affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
+      fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
+  ...
+  1 fail  ·  3 warn  ·  18 pass
+
+  Want this done for you — and the issues fixed? → https://services.itsdavidg.co
+```
+
+## Install
+
+```bash
+pipx install aws-audit-checklist     # recommended
+# or
+pip install aws-audit-checklist
+```
+
+## Usage
+
+```bash
+aws-audit                       # uses your default AWS credential chain + region
+aws-audit --profile myprofile   # a named profile
+aws-audit --all-regions         # run regional checks in every enabled region
+aws-audit --markdown report.md  # export a Markdown report
+aws-audit --json                # machine-readable output
+aws-audit --strict              # exit non-zero if anything FAILs (CI gate)
+```
+
+You only need **read-only** credentials. A built-in AWS managed policy like
+`SecurityAudit` or `ReadOnlyAccess` is more than enough. Checks you lack permission for are
+reported as "could-not-check" rather than failing the run.
+
+## What it checks (30-point checklist)
+
+| Area | Examples |
+|------|----------|
+| **Identity (IAM)** | root MFA, access keys > 90 days, console users without MFA, password policy |
+| **Network** | security groups exposing SSH/RDP to `0.0.0.0/0` |
+| **Data** | S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups |
+| **Logging** | multi-region CloudTrail, GuardDuty, AWS Config |
+| **Cost signals** | unattached EBS volumes, unused Elastic IPs |
+
+The full human-readable checklist (with the items not yet automated — incident runbooks,
+multi-AZ, IaC, off-account backups) is here:
+**[the 30-point AWS Security Checklist PDF](https://services.itsdavidg.co/#checklist)**.
+
+## Why this exists
+
+I'm David Gomez — I do fractional-CTO work and run AWS security/cost audits. I kept running
+this same checklist by hand on every account, so I open-sourced the automatable parts. If you
+want the whole thing done for you — including the manual items and actually *fixing* what it
+finds, with a guarantee — that's my [AWS Complete Security Audit](https://services.itsdavidg.co).
+
+## License
+
+MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/SOURCES.txt

@@ -0,0 +1,12 @@
+LICENSE
+README.md
+pyproject.toml
+aws_audit/__init__.py
+aws_audit/checks.py
+aws_audit/cli.py
+aws_audit_checklist.egg-info/PKG-INFO
+aws_audit_checklist.egg-info/SOURCES.txt
+aws_audit_checklist.egg-info/dependency_links.txt
+aws_audit_checklist.egg-info/entry_points.txt
+aws_audit_checklist.egg-info/requires.txt
+aws_audit_checklist.egg-info/top_level.txt

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+aws-audit = aws_audit.cli:main

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/requires.txt

@@ -0,0 +1 @@
+boto3>=1.26

aws_audit_checklist-0.1.0/aws_audit_checklist.egg-info/top_level.txt

@@ -0,0 +1 @@
+aws_audit

aws_audit_checklist-0.1.0/pyproject.toml

@@ -0,0 +1,24 @@
+[build-system]
+requires = ["setuptools>=68"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "aws-audit-checklist"
+version = "0.1.0"
+description = "A free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts."
+readme = "README.md"
+license = { text = "MIT" }
+authors = [{ name = "David Gomez", email = "contactme@itsdavidg.co" }]
+keywords = ["aws", "security", "audit", "cloud", "devops", "iam", "s3", "checklist", "finops"]
+requires-python = ">=3.9"
+dependencies = ["boto3>=1.26"]
+
+[project.urls]
+Homepage = "https://services.itsdavidg.co"
+Source = "https://github.com/davidgomezbravo/aws-audit"
+
+[project.scripts]
+aws-audit = "aws_audit.cli:main"
+
+[tool.setuptools]
+packages = ["aws_audit"]

aws_audit_checklist-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+