PyPI - cloud-audit - Versions diffs - 1.2.2__tar.gz → 2.0.0__tar.gz - Mend

cloud-audit 1.2.2tar.gz → 2.0.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

{cloud_audit-1.2.2 → cloud_audit-2.0.0}/.github/workflows/release.yml RENAMED Viewed

@@ -32,7 +32,7 @@ jobs:
           fi
       - run: pip install build
       - run: python -m build
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7
         with:
           name: dist
           path: dist/
@@ -51,7 +51,7 @@ jobs:
         with:
           name: dist
           path: dist/
-      - uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # release/v1
+      - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b  # release/v1
   docker:
     name: Publish Docker image
@@ -62,12 +62,12 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
-      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  # v4.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -81,7 +81,7 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=raw,value=latest
-      - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294  # v7.0.0
+      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f  # v7.1.0
         with:
           context: .
           push: true

{cloud_audit-1.2.2 → cloud_audit-2.0.0}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,73 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [2.0.0] - 2026-04-14
+### Added
+- **IAM Privilege Escalation Detection** - 25 escalation methods across 6 categories (IAM self-mutation, credential access, PassRole+service, Lambda code modification, trust policy abuse, permission boundary bypass). Replaces dead PMapper as the only maintained open-source IAM escalation scanner
+- **What-If Remediation Simulator** - `cloud-audit simulate --fix aws-vpc-002` shows before/after impact on score, chains, and risk without changing anything in AWS
+- **Security Posture Trend** - `cloud-audit trend` tracks health score, attack chains, and risk over time with sparkline visualization. Scan history auto-saved to `~/.cloud-audit/history/`
+- **AI-SPM (Bedrock + SageMaker)** - 5 new checks: model invocation logging (aws-bedrock-001), guardrails (aws-bedrock-002), notebook root access (aws-sagemaker-001), notebook internet access (aws-sagemaker-002), endpoint encryption (aws-sagemaker-003)
+- **Root Cause Grouping** - "fix 4 things, break 22 chains" prioritization. Groups findings by root cause and ranks by chain-breaking impact
+- **Quick Wins** - CLI section showing LOW-effort fixes that break CRITICAL chains, with copy-paste commands
+- **6 new attack chain rules** - AC-34 (PassRole escalation), AC-35 (IAM self-escalation), AC-36 (OIDC + escalation), AC-37 (AI model theft), AC-38 (LLMjacking), AC-39 (AI data poisoning)
+- Compliance Beta labels for BSI C5, ISO 27001, HIPAA, NIS2 (CIS and SOC 2 remain Stable)
+- `list-frameworks` shows Status column (Stable/Beta)
+### Changed
+- Remediation CLI commands now inject real AWS account ID (via `provider.get_account_id()`) instead of `ACCOUNT_ID` placeholders
+- Terraform remediation snippets completed with missing dependent resources (IAM roles, S3 buckets, KMS keys, CloudWatch log groups)
+- VPC flow logs Terraform scoped IAM policy to specific log group ARN (was `Resource: *`)
+- `get_account_id()` cached in AWSProvider (1 STS call instead of 10+ per scan)
+- Root cause computation moved after cost estimation (fixes risk aggregation)
+- `get_account_id()` calls moved inside try/except in kms, iam, s3 checks
+### Fixed
+- Unicode characters (arrows, em-dashes, block characters) replaced with ASCII for Windows cp1250 compatibility
+## [1.3.0] - 2026-04-03
+### Added
+- **BSI C5:2020 compliance framework** - 134 Cloud Computing Compliance Criteria mapped (20 automated, 37 partial, 77 manual), covering all 17 BSI domains (OIS, SP, HR, AM, PS, OPS, IDM, CRY, COM, PI, DEV, SIM, BCM, COS, INQ, PSS, LOG)
+- **ISO/IEC 27001:2022 compliance framework** - 93 Annex A controls mapped (16 automated, 31 partial, 46 manual), covering Organizational (A.5), People (A.6), Physical (A.7), and Technological (A.8) controls
+- **HIPAA Security Rule compliance framework** - 47 implementation specifications mapped (15 automated, 14 partial, 18 manual) across Administrative (§164.308), Physical (§164.310), and Technical (§164.312) safeguards
+- **NIS2 Directive compliance framework** - 43 technical measures mapped (11 automated, 22 partial, 10 manual) covering Article 21(2)(a)-(j) minimum measures, Article 23 incident reporting, and Article 20 governance
+- `--compliance bsi_c5_2020` CLI flag - BSI C5:2020 readiness assessment
+- `--compliance iso27001_2022` CLI flag - ISO 27001:2022 Annex A readiness assessment
+- `--compliance hipaa_security` CLI flag - HIPAA Security Rule readiness assessment
+- `--compliance nis2_directive` CLI flag - NIS2 Directive readiness assessment
+- All 20 attack chain rules mapped to controls in each new framework
+- **8 new security checks** (80 -> 88 total):
+  - `aws-backup-001` - AWS Backup vault with backup plan (Backup)
+  - `aws-inspector-001` - Amazon Inspector v2 enabled (Inspector)
+  - `aws-waf-001` - WAFv2 WebACL exists (WAF)
+  - `aws-cw-016` - CloudWatch log group KMS encryption (CloudWatch)
+  - `aws-ssm-003` - EC2 patch compliance via SSM (SSM)
+  - `aws-vpc-006` - VPC subnet isolation (VPC)
+  - `aws-iam-017` - IAM role max session duration (IAM)
+  - `aws-ct-008` - CloudTrail delivers to CloudWatch Logs (CloudTrail)
+- **5 new attack chain rules** (20 -> 25 total):
+  - AC-29: Unpatched Instance Exposed to Internet (CRITICAL)
+  - AC-30: Unpatched Instances Without Vulnerability Scanning (HIGH)
+  - AC-31: Internet-Exposed Without WAF or Flow Logs (HIGH)
+  - AC-32: CloudTrail Blind Spot — Alarms Non-Functional (HIGH)
+  - AC-33: All-Public VPC Without Network Segmentation (HIGH)
+- 3 new service modules: AWS Backup, Amazon Inspector, AWS WAF
+- 67 new tests for framework validation (412 total)
+### Changed
+- Check count: 80 -> 88 across 21 AWS services (was 18)
+- Attack chain count: 20 -> 25 rules
+- `list-frameworks` now shows 6 frameworks (was 2)
+- CLI help text updated with all 6 framework IDs
+- pyproject.toml description updated to reflect 6 compliance frameworks
+- 21 CIS controls corrected from Manual to Partial (had automated checks but wrong assessment type)
 ## [1.2.2] - 2026-04-01
 ### Added
@@ -401,7 +468,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Docker image support
 - Rich terminal UI with progress bar and color-coded findings
-[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.2...HEAD
+[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v1.3.0...HEAD
+[1.3.0]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.2...v1.3.0
 [1.2.2]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.1...v1.2.2
 [1.2.1]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.0...v1.2.1
 [1.2.0]: https://github.com/gebalamariusz/cloud-audit/compare/v1.1.0...v1.2.0

{cloud_audit-1.2.2 → cloud_audit-2.0.0}/PKG-INFO RENAMED Viewed

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 1.2.2
-Summary: Open-source AWS security scanner with CIS AWS v3.0 and SOC 2 Type II compliance, attack chains, breach cost estimation, and MCP server. 80 checks, 20 attack chain rules. Every finding includes CLI + Terraform remediation.
+Version: 2.0.0
+Summary: Open-source AWS security scanner with IAM escalation detection, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. 94 checks across 23 services. Every finding includes CLI + Terraform remediation.
 Project-URL: Homepage, https://github.com/gebalamariusz/cloud-audit
 Project-URL: Documentation, https://haitmg.pl/cloud-audit/
 Project-URL: Repository, https://github.com/gebalamariusz/cloud-audit
@@ -56,8 +56,8 @@ Description-Content-Type: text/markdown
 </p>
 <p align="center">
-  Open-source CLI scanner that correlates findings into exploitable paths<br>
-  and generates copy-paste remediation (AWS CLI + Terraform).
+  Open-source CLI that correlates findings into exploitable paths,<br>
+  generates copy-paste remediation, and simulates fixes before you apply them.
 </p>
 <p align="center">
@@ -72,14 +72,20 @@ Description-Content-Type: text/markdown
   <a href="https://pypi.org/project/cloud-audit/"><img src="https://img.shields.io/pypi/dm/cloud-audit?style=flat" alt="PyPI downloads"></a>
   <a href="https://ghcr.io/gebalamariusz/cloud-audit"><img src="https://img.shields.io/badge/Docker-GHCR-blue?style=flat&logo=docker" alt="Docker"></a>
   <a href="https://www.helpnetsecurity.com/2026/03/11/cloud-audit-open-source-aws-security-scanner/"><img src="https://img.shields.io/badge/Featured_in-HelpNet_Security-blue?style=flat" alt="Featured in HelpNet Security"></a>
+  <a href="https://glama.ai/mcp/servers/gebalamariusz/cloud-audit"><img src="https://glama.ai/mcp/servers/gebalamariusz/cloud-audit/badges/score.svg" alt="MCP Server Score"></a>
   <a href="https://haitmg.pl/cloud-audit/"><img src="https://img.shields.io/badge/Docs-haitmg.pl-blue?style=flat" alt="Documentation"></a>
 </p>
 <p align="center">
   <a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
   <a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
-  <a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS AWS v3.0</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS</a> -
   <a href="https://haitmg.pl/cloud-audit/compliance/soc2-type2/">SOC 2</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/bsi-c5-2020/">BSI C5</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/iso27001-2022/">ISO 27001</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/hipaa-security/">HIPAA</a> -
+  <a href="https://haitmg.pl/cloud-audit/compliance/nis2-directive/">NIS2</a> -
   <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
   <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
 </p>
@@ -103,23 +109,32 @@ cloud-audit demo
 ```
 +------- Health Score -------+
-| 42 / 100                   |   Risk exposure: $725K - $7.3M
+| 34 / 100                   |   Risk exposure: $1.2M - $9.5M
 +----------------------------+
-+---- Attack Chains (3 detected) -----------------------------------+
++---- Attack Chains (5 detected) -----------------------------------+
 |  CRITICAL  Internet-Exposed Admin Instance                         |
 |            i-0abc123 - public SG + admin IAM role + IMDSv1         |
-|            Fix: Restrict security group (effort: LOW)              |
+|                                                                    |
+|  CRITICAL  IAM Privilege Escalation via iam:PassRole               |
+|            ci-deploy-role - 3-step path to admin                   |
 |                                                                    |
 |  CRITICAL  CI/CD to Admin Takeover                                 |
 |            github-deploy - OIDC no sub + admin policy              |
-|            Fix: Add sub condition (effort: LOW)                    |
 +--------------------------------------------------------------------+
-Findings by severity:  CRITICAL: 3  HIGH: 8  MEDIUM: 12  LOW: 5
++---- Remediation Plan -------------------------------------------+
+|  Fix 4 root causes, break 22 attack chains                       |
+|                                                                    |
+|  Quick Wins (effort: LOW, chains broken: 14):                      |
+|    1. Restrict SG ingress on sg-0abc123    -> breaks 8 chains      |
+|    2. Add OIDC sub condition               -> breaks 6 chains      |
++--------------------------------------------------------------------+
+Findings by severity:  CRITICAL: 5  HIGH: 9  MEDIUM: 14  LOW: 6
 ```
-80 checks across 18 AWS services. Every finding includes AWS CLI + Terraform remediation.
+94 checks across 23 AWS services. Every finding includes AWS CLI + Terraform remediation code. Root-cause grouping tells you which fixes break the most chains so you fix what matters first.
 <p align="center">
   <a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
@@ -144,17 +159,19 @@ Other scanners give you a flat list of findings. cloud-audit correlates them int
                aws-vpc-002   aws-ec2-004       Detected: AC-01, AC-02
 ```
-Examples from the 20 built-in rules:
+Examples from the 31 built-in rules:
 | Chain | What it catches |
 |---|---|
+| IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
 | Internet-Exposed Admin Instance | Public SG + admin IAM role + IMDSv1 = account takeover |
 | CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
 | SSRF to Credential Theft | Public instance + IMDSv1 + no VPC flow logs = invisible exfiltration |
+| AI Model Data Exfiltration | Bedrock model with public endpoint + no logging = silent data leak |
-Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [Datadog pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 20 rules in the docs](https://haitmg.pl/cloud-audit/features/attack-chains/).
+Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [Datadog pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules in the docs](https://haitmg.pl/cloud-audit/features/attack-chains/).
-### Copy-Paste Remediation
+### Copy-Paste Remediation + What-If Simulator
 Every finding includes AWS CLI commands, Terraform HCL, and documentation links. Export all fixes as a runnable script:
@@ -162,24 +179,34 @@ Every finding includes AWS CLI commands, Terraform HCL, and documentation links.
 cloud-audit scan --export-fixes fixes.sh
 ```
-### Scan Diff
+Simulate a fix before applying it to see which chains it breaks and how your score changes:
+```bash
+cloud-audit simulate --fix aws-vpc-002
+# Score: 34 -> 58 (+24)  |  Chains broken: 8 of 22  |  Findings resolved: 11
+```
+### Scan Diff and Trend Tracking
 Compare scans to track drift. Catches ClickOps changes, manual console edits, and regressions that IaC scanning misses.
 ```bash
 cloud-audit diff yesterday.json today.json
+cloud-audit trend                              # Time-series posture history
 ```
 Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.
-### CIS AWS v3.0 Compliance
+### 6 Compliance Frameworks
 Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.
 - **CIS AWS v3.0** - 62 controls, 55 automated (89%)
 - **SOC 2 Type II** - 43 criteria, 24 automated (56%)
-Planned: BSI C5, ISO 27001, HIPAA, NIS2.
+- **BSI C5:2020** `Beta` - 134 criteria, 57 automated/partial
+- **ISO 27001:2022** `Beta` - 93 Annex A controls, 47 automated/partial
+- **HIPAA Security Rule** `Beta` - 47 specs, 29 automated/partial
+- **NIS2 Directive** `Beta` - 43 measures, 33 automated/partial
 ### Breach Cost Estimation
@@ -201,17 +228,19 @@ claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
 | Feature | Prowler | Trivy | Checkov | cloud-audit |
 |---------|---------|-------|---------|-------------|
-| Checks | 576 | 517 | 2500+ | **80** |
-| Attack chain detection | No | No | No | **20 rules** |
+| Checks | 576 | 517 | 2500+ | **94** |
+| Attack chain detection | No | No | No | **31 rules + root-cause grouping** |
+| What-If remediation simulator | No | No | No | **Yes** |
+| IAM privilege escalation paths | No | No | No | **25 methods** |
 | Remediation per finding | CIS only | No | Links | **100% (CLI + Terraform)** |
 | Breach cost estimation | No | No | No | **Per finding + chain** |
-| CIS v3.0 compliance engine | Yes | No | No | **62 controls with evidence** |
-| SOC 2 Type II compliance | No | No | No | **43 criteria with evidence** |
+| AI-SPM (Bedrock/SageMaker) | No | No | No | **Yes** |
+| Compliance frameworks | CIS only | — | — | **6 (CIS, SOC 2 + 4 Beta)** |
 | MCP server (AI agents) | Paid ($99/mo) | No | No | **Free, standalone** |
-cloud-audit has fewer checks than Prowler but deeper output per finding: remediation code, attack chain context, cost estimates, and compliance evidence. If you need exhaustive compliance coverage across multiple clouds, Prowler is the better choice. If you need a focused scan that shows how findings combine into real attack paths and tells you exactly how to fix each one, cloud-audit is built for that.
+cloud-audit has fewer checks than Prowler but goes deeper per finding: remediation code, attack chain correlation, cost estimates, and a What-If simulator that shows the impact of each fix before you apply it. If you need exhaustive compliance coverage across multiple clouds, Prowler is the better choice. If you need a focused scan that shows how findings chain into real attack paths and prioritizes what to fix first, cloud-audit is built for that.
-<sub>Feature snapshot as of March 2026. Verify against upstream docs for the latest details.</sub>
+<sub>Feature snapshot as of v2.0.0 (April 2026). Verify against upstream docs for the latest details.</sub>
 ---
@@ -316,142 +345,19 @@ Ready-to-use workflows: [basic scan](examples/github-actions.yml), [daily diff](
 ## AWS Permissions
-cloud-audit requires **read-only** access. Attach `SecurityAudit`:
+cloud-audit requires **read-only** access. Attach `SecurityAudit` (covers all checks including IAM escalation analysis):
 ```bash
 aws iam attach-role-policy --role-name auditor --policy-arn arn:aws:iam::aws:policy/SecurityAudit
 ```
-cloud-audit never modifies your infrastructure.
+cloud-audit never modifies your infrastructure. The `simulate` command runs locally against scan data -- it does not call AWS APIs.
 ## What It Checks
-80 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, and Account.
+94 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, Account, AWS Backup, Amazon Inspector, AWS WAF, Amazon Bedrock, and Amazon SageMaker.
-<details>
-<summary>Full check list (80 checks)</summary>
-### IAM (16 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-iam-001` | Critical | Root account without MFA |
-| `aws-iam-002` | High | IAM user with console access but no MFA |
-| `aws-iam-003` | Medium | Access key older than 90 days |
-| `aws-iam-004` | Medium | Access key unused for 45+ days |
-| `aws-iam-005` | Critical | IAM policy with Action:\* and Resource:\* |
-| `aws-iam-006` | Medium | Password policy below CIS requirements |
-| `aws-iam-007` | Critical | OIDC trust policy without sub condition |
-| `aws-iam-008` | Critical | Root account has active access keys |
-| `aws-iam-009` | Medium | Multiple active access keys per user |
-| `aws-iam-010` | Medium | Direct policy attachment on user (not via group) |
-| `aws-iam-011` | Medium | No AWSSupportAccess role |
-| `aws-iam-012` | Medium | IAM Access Analyzer not enabled |
-| `aws-iam-013` | Medium | Expired SSL/TLS certificate in IAM |
-| `aws-iam-014` | Medium | AWSCloudShellFullAccess attached |
-| `aws-iam-015` | Medium | Root uses virtual MFA (not hardware) |
-| `aws-iam-016` | Medium | EC2 instance without IAM role |
-### S3 (7 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-s3-001` | High | S3 bucket without public access block |
-| `aws-s3-002` | Low | S3 bucket using SSE-S3 instead of SSE-KMS |
-| `aws-s3-003` | Low | S3 bucket without versioning |
-| `aws-s3-004` | Low | S3 bucket without lifecycle rules |
-| `aws-s3-005` | Medium | S3 bucket without access logging |
-| `aws-s3-006` | Medium | S3 bucket policy does not deny HTTP |
-| `aws-s3-007` | Low | S3 bucket without MFA Delete |
-### EC2 (6 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-ec2-001` | High | Publicly shared AMI |
-| `aws-ec2-002` | Medium | Unencrypted EBS volume |
-| `aws-ec2-003` | Low | Stopped EC2 instance (EBS charges continue) |
-| `aws-ec2-004` | High | EC2 instance with IMDSv1 (SSRF risk) |
-| `aws-ec2-005` | Low | EC2 instance without termination protection |
-| `aws-ec2-006` | Medium | EBS default encryption disabled |
-### VPC (5 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-vpc-001` | Medium | Default VPC in use |
-| `aws-vpc-002` | Critical | Security group open to 0.0.0.0/0 or ::/0 on sensitive ports |
-| `aws-vpc-003` | Medium | VPC without flow logs |
-| `aws-vpc-004` | Medium | NACL allows internet access to admin ports |
-| `aws-vpc-005` | Medium | Default security group has active rules |
-### RDS (4 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-rds-001` | Critical | Publicly accessible RDS instance |
-| `aws-rds-002` | High | Unencrypted RDS instance |
-| `aws-rds-003` | Medium | Single-AZ RDS instance |
-| `aws-rds-004` | Low | RDS auto minor version upgrade disabled |
-### CloudTrail (7 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-ct-001` | Critical | No multi-region CloudTrail trail |
-| `aws-ct-002` | High | CloudTrail log file validation disabled |
-| `aws-ct-003` | Critical | CloudTrail S3 bucket is publicly accessible |
-| `aws-ct-004` | High | CloudTrail S3 bucket has no access logging |
-| `aws-ct-005` | Medium | CloudTrail not encrypted with KMS |
-| `aws-ct-006` | Medium | S3 object-level write events not logged |
-| `aws-ct-007` | Medium | S3 object-level read events not logged |
-### CloudWatch (15 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-cw-001` | High | No alarm for root account usage |
-| `aws-cw-002` | Medium | No alarm for unauthorized API calls |
-| `aws-cw-003` | Medium | No alarm for console sign-in without MFA |
-| `aws-cw-004` | Medium | No alarm for IAM policy changes |
-| `aws-cw-005` | Medium | No alarm for CloudTrail config changes |
-| `aws-cw-006` | Medium | No alarm for console auth failures |
-| `aws-cw-007` | Medium | No alarm for CMK disable/deletion |
-| `aws-cw-008` | Medium | No alarm for S3 bucket policy changes |
-| `aws-cw-009` | Medium | No alarm for Config changes |
-| `aws-cw-010` | Medium | No alarm for security group changes |
-| `aws-cw-011` | Medium | No alarm for NACL changes |
-| `aws-cw-012` | Medium | No alarm for network gateway changes |
-| `aws-cw-013` | Medium | No alarm for route table changes |
-| `aws-cw-014` | Medium | No alarm for VPC changes |
-| `aws-cw-015` | Medium | No alarm for Organizations changes |
-### Other Services (20 checks)
-| ID | Severity | Description |
-|----|----------|-------------|
-| `aws-gd-001` | High | GuardDuty not enabled |
-| `aws-gd-002` | Medium | GuardDuty findings unresolved for 30+ days |
-| `aws-cfg-001` | Medium | AWS Config not enabled |
-| `aws-cfg-002` | High | AWS Config recorder stopped |
-| `aws-kms-001` | Medium | KMS key without automatic rotation |
-| `aws-kms-002` | High | KMS key policy with Principal:\* |
-| `aws-lambda-001` | High | Lambda function URL with no authentication |
-| `aws-lambda-002` | Medium | Lambda running on a deprecated runtime |
-| `aws-lambda-003` | High | Potential secrets in Lambda env vars |
-| `aws-ecs-001` | Critical | ECS task running in privileged mode |
-| `aws-ecs-002` | High | ECS task without log configuration |
-| `aws-ecs-003` | Medium | ECS service with Execute Command enabled |
-| `aws-ssm-001` | Medium | EC2 instance not managed by SSM |
-| `aws-ssm-002` | High | SSM parameter stored as plain String |
-| `aws-sm-001` | Medium | Secret without rotation |
-| `aws-sm-002` | Low | Secret unused for 90+ days |
-| `aws-eip-001` | Low | Unattached Elastic IP |
-| `aws-efs-001` | Medium | EFS file system not encrypted |
-| `aws-sh-001` | Medium | Security Hub not enabled |
-| `aws-account-001` | Medium | No security alternate contact |
-</details>
+[See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
 ## Alternatives
@@ -465,21 +371,21 @@ cloud-audit never modifies your infrastructure.
 cloud-audit has grown beyond what a single README can cover. The full documentation is at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)** and includes:
 - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
-- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - CIS AWS v3.0 with all 62 controls, planned SOC 2, BSI C5, HIPAA, NIS2
-- **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 20 rules with MITRE ATT&CK references
+- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
+- **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
 - **[MCP Server](https://haitmg.pl/cloud-audit/features/mcp-server/)** - full setup guide for Claude Code, Cursor, VS Code
 - **[Configuration](https://haitmg.pl/cloud-audit/configuration/config-file/)** - config file, env vars, suppressions
 - **[CI/CD](https://haitmg.pl/cloud-audit/ci-cd/github-actions/)** - GitHub Actions, SARIF, pre-commit hooks
 - **[Reports](https://haitmg.pl/cloud-audit/reports/html/)** - HTML, JSON, SARIF, Markdown output formats
-- **[All 80 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
+- **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
 This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.
 ## What's Next
-- SOC 2, BSI C5, HIPAA, NIS2 compliance frameworks
+- Multi-account scanning (AWS Organizations)
 - Terraform drift detection
-- Root cause grouping
+- Data perimeter checks (S3, KMS, STS boundary policies)
 Past releases: [CHANGELOG.md](CHANGELOG.md)

cloud-audit 1.2.2__tar.gz → 2.0.0__tar.gz

cloud-audit 1.2.2tar.gz → 2.0.0tar.gz