cloud-audit 2.0.0__tar.gz → 2.0.1__tar.gz
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CHANGELOG.md +6 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/PKG-INFO +69 -85
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/README.md +66 -83
- cloud_audit-2.0.1/ROADMAP.md +95 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/mkdocs.yml +7 -3
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/pyproject.toml +3 -2
- cloud_audit-2.0.0/ROADMAP.md +0 -149
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.cloud-audit.example.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/FUNDING.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/bug_report.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/config.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/ISSUE_TEMPLATE/feature_request.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/dependabot.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/ci.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/docs.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/example-scan.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.github/workflows/release.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.gitignore +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.mcp.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/.pre-commit-hooks.yaml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CODEOWNERS +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CODE_OF_CONDUCT.md +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/CONTRIBUTING.md +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/Dockerfile +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/LICENSE +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/Makefile +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/SECURITY.md +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/action.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/demo.gif +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/logo-nobg.png +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/logo.png +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/report-preview.png +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/assets/social-preview.png +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/daily-scan-with-diff.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/github-actions.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/examples/post-deploy-scan.yml +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/scripts/generate_demo_gif.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/scripts/generate_report_screenshot.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/__main__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/cli.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/engine.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/bsi_c5_2020.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/cis_aws_v3.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/hipaa_security.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/iso27001_2022.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/nis2_directive.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/compliance/frameworks/soc2_type2.json +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/config.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/correlate.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/cost_model.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/diff.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/history.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/mcp_server.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/models.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/account.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/backup.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/bedrock.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/cloudtrail.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/cloudwatch.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/config_.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ec2.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ecs.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/efs.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/eip.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/guardduty.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/iam.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/inspector.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/kms.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/lambda_.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/rds.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/s3.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/sagemaker.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/secrets.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/securityhub.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/ssm.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/vpc.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/checks/waf.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/iam_analyzer.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/aws/provider.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/providers/base.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/py.typed +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/compliance_html.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/compliance_markdown.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/diff_markdown.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/html.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/markdown.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/sarif.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/reports/templates/report.html.j2 +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/root_cause.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/scanner.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/src/cloud_audit/simulate.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/__init__.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_bedrock.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cis_checks.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cloudtrail.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_cloudwatch.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_config.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ec2.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ecs.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_eip.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_guardduty.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_iam.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_iam_analyzer.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_kms.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_lambda.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_rds.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_s3.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_sagemaker.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_secrets.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_ssm.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/aws/test_vpc.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/conftest.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cli.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cli_scan.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_compliance_frameworks.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_config.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_correlate.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_cost_model.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_diff.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_history.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_html.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_markdown.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_mcp_server.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_models.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_provider.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_root_cause.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_sarif.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_scanner.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_simulate.py +0 -0
- {cloud_audit-2.0.0 → cloud_audit-2.0.1}/tests/test_soc2_framework.py +0 -0
|
@@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.0.1] - 2026-04-17
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
|
|
14
|
+
- Canonical project Homepage in PyPI metadata now points to https://haitmg.pl/cloud-audit/ (was the GitHub repo URL). GitHub remains linked via the `Source` and `Repository` fields. No code changes.
|
|
15
|
+
|
|
10
16
|
## [2.0.0] - 2026-04-14
|
|
11
17
|
|
|
12
18
|
### Added
|
|
@@ -1,9 +1,10 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: cloud-audit
|
|
3
|
-
Version: 2.0.
|
|
3
|
+
Version: 2.0.1
|
|
4
4
|
Summary: Open-source AWS security scanner with IAM escalation detection, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. 94 checks across 23 services. Every finding includes CLI + Terraform remediation.
|
|
5
|
-
Project-URL: Homepage, https://
|
|
5
|
+
Project-URL: Homepage, https://haitmg.pl/cloud-audit/
|
|
6
6
|
Project-URL: Documentation, https://haitmg.pl/cloud-audit/
|
|
7
|
+
Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
|
|
7
8
|
Project-URL: Repository, https://github.com/gebalamariusz/cloud-audit
|
|
8
9
|
Project-URL: Issues, https://github.com/gebalamariusz/cloud-audit/issues
|
|
9
10
|
Project-URL: Changelog, https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md
|
|
@@ -52,16 +53,16 @@ Description-Content-Type: text/markdown
|
|
|
52
53
|
<h1 align="center">cloud-audit</h1>
|
|
53
54
|
|
|
54
55
|
<p align="center">
|
|
55
|
-
<strong>Find AWS attack
|
|
56
|
+
<strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
|
|
56
57
|
</p>
|
|
57
58
|
|
|
58
59
|
<p align="center">
|
|
59
|
-
Open-source CLI that
|
|
60
|
-
|
|
60
|
+
Open-source CLI scanner that helps you decide what to fix first —<br>
|
|
61
|
+
not just what's wrong.
|
|
61
62
|
</p>
|
|
62
63
|
|
|
63
64
|
<p align="center">
|
|
64
|
-
|
|
65
|
+
Find attack chains and IAM escalation paths - Simulate fixes before you apply them - Fix root causes, not individual findings
|
|
65
66
|
</p>
|
|
66
67
|
|
|
67
68
|
<p align="center">
|
|
@@ -80,13 +81,9 @@ Description-Content-Type: text/markdown
|
|
|
80
81
|
<a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
|
|
81
82
|
<a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
|
|
82
83
|
<a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
|
|
83
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS</a> -
|
|
84
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/soc2-type2/">SOC 2</a> -
|
|
85
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/bsi-c5-2020/">BSI C5</a> -
|
|
86
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/iso27001-2022/">ISO 27001</a> -
|
|
87
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/hipaa-security/">HIPAA</a> -
|
|
88
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/nis2-directive/">NIS2</a> -
|
|
89
84
|
<a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
|
|
85
|
+
<a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
|
|
86
|
+
<a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
|
|
90
87
|
<a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
|
|
91
88
|
</p>
|
|
92
89
|
|
|
@@ -105,13 +102,11 @@ cloud-audit demo
|
|
|
105
102
|
|
|
106
103
|
---
|
|
107
104
|
|
|
108
|
-
##
|
|
105
|
+
## Why It's Different
|
|
109
106
|
|
|
110
|
-
|
|
111
|
-
+------- Health Score -------+
|
|
112
|
-
| 34 / 100 | Risk exposure: $1.2M - $9.5M
|
|
113
|
-
+----------------------------+
|
|
107
|
+
Most scanners give you findings. cloud-audit helps you **decide what to fix first**.
|
|
114
108
|
|
|
109
|
+
```
|
|
115
110
|
+---- Attack Chains (5 detected) -----------------------------------+
|
|
116
111
|
| CRITICAL Internet-Exposed Admin Instance |
|
|
117
112
|
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
|
|
@@ -130,11 +125,16 @@ cloud-audit demo
|
|
|
130
125
|
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
|
|
131
126
|
| 2. Add OIDC sub condition -> breaks 6 chains |
|
|
132
127
|
+--------------------------------------------------------------------+
|
|
128
|
+
```
|
|
133
129
|
|
|
134
|
-
|
|
130
|
+
Other tools give you 200 findings sorted by severity. cloud-audit groups them by root cause, shows which single fixes collapse the most attack paths, and lets you simulate the impact before you touch anything:
|
|
131
|
+
|
|
132
|
+
```bash
|
|
133
|
+
cloud-audit simulate --fix aws-vpc-002
|
|
134
|
+
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
|
|
135
135
|
```
|
|
136
136
|
|
|
137
|
-
94 checks across 23 AWS services. Every finding includes AWS CLI + Terraform remediation
|
|
137
|
+
94 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
|
|
138
138
|
|
|
139
139
|
<p align="center">
|
|
140
140
|
<a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
|
|
@@ -144,7 +144,17 @@ Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
|
|
|
144
144
|
<sub>Watch the 1-minute demo</sub>
|
|
145
145
|
</p>
|
|
146
146
|
|
|
147
|
-
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
## What's New in 2.0
|
|
150
|
+
|
|
151
|
+
| Feature | What it does |
|
|
152
|
+
|---|---|
|
|
153
|
+
| **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
|
|
154
|
+
| **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
|
|
155
|
+
| **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
|
|
156
|
+
| **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
|
|
157
|
+
| **AI-SPM** | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
|
|
148
158
|
|
|
149
159
|
---
|
|
150
160
|
|
|
@@ -152,113 +162,97 @@ If cloud-audit helped you find something you missed, consider giving it a star.
|
|
|
152
162
|
|
|
153
163
|
### Attack Chain Detection
|
|
154
164
|
|
|
155
|
-
|
|
165
|
+
31 rules correlate individual findings into exploitable attack paths.
|
|
156
166
|
|
|
157
167
|
```
|
|
158
168
|
Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
|
|
159
169
|
aws-vpc-002 aws-ec2-004 Detected: AC-01, AC-02
|
|
160
170
|
```
|
|
161
171
|
|
|
162
|
-
Examples from the 31 built-in rules:
|
|
163
|
-
|
|
164
172
|
| Chain | What it catches |
|
|
165
173
|
|---|---|
|
|
166
174
|
| IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
|
|
167
|
-
| Internet-Exposed Admin
|
|
175
|
+
| Internet-Exposed Admin | Public SG + admin IAM role + IMDSv1 = account takeover |
|
|
168
176
|
| CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
|
|
169
|
-
|
|
|
170
|
-
| AI Model Data Exfiltration | Bedrock model with public endpoint + no logging = silent data leak |
|
|
177
|
+
| LLMjacking | Bedrock no logging + no guardrails = undetected model abuse |
|
|
171
178
|
|
|
172
|
-
Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [
|
|
179
|
+
Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules](https://haitmg.pl/cloud-audit/features/attack-chains/).
|
|
173
180
|
|
|
174
|
-
###
|
|
181
|
+
### Remediation + Simulator
|
|
175
182
|
|
|
176
|
-
Every finding includes AWS CLI
|
|
183
|
+
Every finding includes AWS CLI, Terraform HCL, and docs links. Export all fixes:
|
|
177
184
|
|
|
178
185
|
```bash
|
|
179
186
|
cloud-audit scan --export-fixes fixes.sh
|
|
180
187
|
```
|
|
181
188
|
|
|
182
|
-
Simulate
|
|
189
|
+
Simulate before applying:
|
|
183
190
|
|
|
184
191
|
```bash
|
|
185
192
|
cloud-audit simulate --fix aws-vpc-002
|
|
186
193
|
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
|
|
187
|
-
```
|
|
188
194
|
|
|
189
|
-
|
|
195
|
+
cloud-audit simulate --fix aws-vpc-002,aws-ct-001,aws-iam-007
|
|
196
|
+
# Score: 34 -> 82 (+48) | Chains broken: 19 of 22
|
|
197
|
+
```
|
|
190
198
|
|
|
191
|
-
|
|
199
|
+
### Trend Tracking
|
|
192
200
|
|
|
193
201
|
```bash
|
|
194
|
-
cloud-audit diff yesterday.json today.json
|
|
195
|
-
cloud-audit trend #
|
|
202
|
+
cloud-audit diff yesterday.json today.json # Catches ClickOps drift
|
|
203
|
+
cloud-audit trend # Posture over time
|
|
196
204
|
```
|
|
197
205
|
|
|
198
|
-
Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.
|
|
199
|
-
|
|
200
206
|
### 6 Compliance Frameworks
|
|
201
207
|
|
|
202
|
-
Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.
|
|
203
|
-
|
|
204
208
|
- **CIS AWS v3.0** - 62 controls, 55 automated (89%)
|
|
205
209
|
- **SOC 2 Type II** - 43 criteria, 24 automated (56%)
|
|
206
210
|
- **BSI C5:2020** `Beta` - 134 criteria, 57 automated/partial
|
|
207
|
-
- **ISO 27001:2022** `Beta` - 93
|
|
211
|
+
- **ISO 27001:2022** `Beta` - 93 controls, 47 automated/partial
|
|
208
212
|
- **HIPAA Security Rule** `Beta` - 47 specs, 29 automated/partial
|
|
209
213
|
- **NIS2 Directive** `Beta` - 43 measures, 33 automated/partial
|
|
210
214
|
|
|
211
215
|
### Breach Cost Estimation
|
|
212
216
|
|
|
213
|
-
Every finding includes a dollar-range risk estimate based on
|
|
217
|
+
Every finding and chain includes a dollar-range risk estimate based on IBM/Verizon breach data, with source links.
|
|
214
218
|
|
|
215
219
|
### MCP Server for AI Agents
|
|
216
220
|
|
|
217
|
-
Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:
|
|
218
|
-
|
|
219
221
|
```bash
|
|
220
222
|
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
|
|
221
223
|
```
|
|
222
224
|
|
|
223
|
-
6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone
|
|
225
|
+
6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone.
|
|
224
226
|
|
|
225
227
|
---
|
|
226
228
|
|
|
227
229
|
## How It Compares
|
|
228
230
|
|
|
229
|
-
| Feature | Prowler | Trivy |
|
|
230
|
-
|
|
231
|
-
| Checks | 576 | 517 |
|
|
232
|
-
| Attack
|
|
233
|
-
| What-If remediation simulator | No | No |
|
|
234
|
-
| IAM privilege escalation
|
|
235
|
-
| Remediation per finding | CIS only | No |
|
|
236
|
-
|
|
|
237
|
-
|
|
|
238
|
-
| Compliance frameworks | CIS only | — | — | **6 (CIS, SOC 2 + 4 Beta)** |
|
|
239
|
-
| MCP server (AI agents) | Paid ($99/mo) | No | No | **Free, standalone** |
|
|
231
|
+
| Feature | Prowler | Trivy | cloud-audit |
|
|
232
|
+
|---------|---------|-------|-------------|
|
|
233
|
+
| Checks | 576 | 517 | **94** |
|
|
234
|
+
| Attack chains + root-cause grouping | No | No | **31 rules** |
|
|
235
|
+
| What-If remediation simulator | No | No | **Yes** |
|
|
236
|
+
| IAM privilege escalation | No | No | **25 methods** |
|
|
237
|
+
| Remediation per finding | CIS only | No | **100% (CLI + TF)** |
|
|
238
|
+
| AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
|
|
239
|
+
| Compliance frameworks | CIS | -- | **6** |
|
|
240
240
|
|
|
241
|
-
cloud-audit has fewer checks
|
|
241
|
+
cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
|
|
242
242
|
|
|
243
|
-
<sub>Feature snapshot as of v2.0.0 (April 2026)
|
|
243
|
+
<sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
|
|
244
244
|
|
|
245
245
|
---
|
|
246
246
|
|
|
247
247
|
## Reports
|
|
248
248
|
|
|
249
249
|
```bash
|
|
250
|
-
cloud-audit scan --format html
|
|
251
|
-
cloud-audit scan --format json
|
|
252
|
-
cloud-audit scan --format sarif
|
|
253
|
-
cloud-audit scan --format markdown
|
|
250
|
+
cloud-audit scan --format html -o report.html # Client-ready HTML
|
|
251
|
+
cloud-audit scan --format json -o report.json # Machine-readable
|
|
252
|
+
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
|
|
253
|
+
cloud-audit scan --format markdown -o report.md # PR comments
|
|
254
254
|
```
|
|
255
255
|
|
|
256
|
-
Format is auto-detected from file extension.
|
|
257
|
-
|
|
258
|
-
<p align="center">
|
|
259
|
-
<img src="assets/report-preview.png" alt="cloud-audit HTML report" width="700">
|
|
260
|
-
</p>
|
|
261
|
-
|
|
262
256
|
## Installation
|
|
263
257
|
|
|
264
258
|
```bash
|
|
@@ -282,6 +276,8 @@ cloud-audit scan --regions all # All enabled regions
|
|
|
282
276
|
cloud-audit scan --min-severity high # Filter by severity
|
|
283
277
|
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
|
|
284
278
|
cloud-audit scan --quiet # Exit code only (CI/CD)
|
|
279
|
+
cloud-audit simulate --fix aws-vpc-002 # What-If simulator
|
|
280
|
+
cloud-audit trend # Posture over time
|
|
285
281
|
cloud-audit list-checks # List all checks
|
|
286
282
|
```
|
|
287
283
|
|
|
@@ -359,33 +355,22 @@ cloud-audit never modifies your infrastructure. The `simulate` command runs loca
|
|
|
359
355
|
|
|
360
356
|
[See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
|
|
361
357
|
|
|
362
|
-
## Alternatives
|
|
363
|
-
|
|
364
|
-
- **[Prowler](https://github.com/prowler-cloud/prowler)** - 576+ checks, multi-cloud, full CIS coverage, auto-remediation. The most comprehensive open-source scanner.
|
|
365
|
-
- **[Trivy](https://github.com/aquasecurity/trivy)** - Container, IaC, and cloud scanner. Strong on containers, growing cloud coverage.
|
|
366
|
-
- **[Steampipe](https://github.com/turbot/steampipe)** - SQL-based cloud querying. Very flexible.
|
|
367
|
-
- **[AWS Security Hub](https://aws.amazon.com/security-hub/)** - Native AWS service with continuous monitoring. Free 30-day trial.
|
|
368
|
-
|
|
369
358
|
## Documentation
|
|
370
359
|
|
|
371
|
-
|
|
360
|
+
Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
|
|
372
361
|
|
|
373
362
|
- **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
|
|
374
|
-
- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
|
|
375
363
|
- **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
|
|
376
|
-
- **[
|
|
377
|
-
- **[
|
|
378
|
-
- **[
|
|
379
|
-
- **[Reports](https://haitmg.pl/cloud-audit/reports/html/)** - HTML, JSON, SARIF, Markdown output formats
|
|
364
|
+
- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
|
|
365
|
+
- **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
|
|
366
|
+
- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
|
|
380
367
|
- **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
|
|
381
368
|
|
|
382
|
-
This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.
|
|
383
|
-
|
|
384
369
|
## What's Next
|
|
385
370
|
|
|
386
371
|
- Multi-account scanning (AWS Organizations)
|
|
372
|
+
- SCP + permission boundary evaluation in IAM escalation
|
|
387
373
|
- Terraform drift detection
|
|
388
|
-
- Data perimeter checks (S3, KMS, STS boundary policies)
|
|
389
374
|
|
|
390
375
|
Past releases: [CHANGELOG.md](CHANGELOG.md)
|
|
391
376
|
|
|
@@ -396,9 +381,8 @@ git clone https://github.com/gebalamariusz/cloud-audit.git
|
|
|
396
381
|
cd cloud-audit
|
|
397
382
|
pip install -e ".[dev]"
|
|
398
383
|
|
|
399
|
-
pytest -v # tests
|
|
384
|
+
pytest -v # 496 tests
|
|
400
385
|
ruff check src/ tests/ # lint
|
|
401
|
-
ruff format --check src/ tests/ # format
|
|
402
386
|
mypy src/ # type check
|
|
403
387
|
```
|
|
404
388
|
|
|
@@ -6,16 +6,16 @@
|
|
|
6
6
|
<h1 align="center">cloud-audit</h1>
|
|
7
7
|
|
|
8
8
|
<p align="center">
|
|
9
|
-
<strong>Find AWS attack
|
|
9
|
+
<strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
|
|
10
10
|
</p>
|
|
11
11
|
|
|
12
12
|
<p align="center">
|
|
13
|
-
Open-source CLI that
|
|
14
|
-
|
|
13
|
+
Open-source CLI scanner that helps you decide what to fix first —<br>
|
|
14
|
+
not just what's wrong.
|
|
15
15
|
</p>
|
|
16
16
|
|
|
17
17
|
<p align="center">
|
|
18
|
-
|
|
18
|
+
Find attack chains and IAM escalation paths - Simulate fixes before you apply them - Fix root causes, not individual findings
|
|
19
19
|
</p>
|
|
20
20
|
|
|
21
21
|
<p align="center">
|
|
@@ -34,13 +34,9 @@
|
|
|
34
34
|
<a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
|
|
35
35
|
<a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
|
|
36
36
|
<a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
|
|
37
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/cis-aws-v3/">CIS</a> -
|
|
38
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/soc2-type2/">SOC 2</a> -
|
|
39
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/bsi-c5-2020/">BSI C5</a> -
|
|
40
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/iso27001-2022/">ISO 27001</a> -
|
|
41
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/hipaa-security/">HIPAA</a> -
|
|
42
|
-
<a href="https://haitmg.pl/cloud-audit/compliance/nis2-directive/">NIS2</a> -
|
|
43
37
|
<a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
|
|
38
|
+
<a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
|
|
39
|
+
<a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
|
|
44
40
|
<a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
|
|
45
41
|
</p>
|
|
46
42
|
|
|
@@ -59,13 +55,11 @@ cloud-audit demo
|
|
|
59
55
|
|
|
60
56
|
---
|
|
61
57
|
|
|
62
|
-
##
|
|
58
|
+
## Why It's Different
|
|
63
59
|
|
|
64
|
-
|
|
65
|
-
+------- Health Score -------+
|
|
66
|
-
| 34 / 100 | Risk exposure: $1.2M - $9.5M
|
|
67
|
-
+----------------------------+
|
|
60
|
+
Most scanners give you findings. cloud-audit helps you **decide what to fix first**.
|
|
68
61
|
|
|
62
|
+
```
|
|
69
63
|
+---- Attack Chains (5 detected) -----------------------------------+
|
|
70
64
|
| CRITICAL Internet-Exposed Admin Instance |
|
|
71
65
|
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
|
|
@@ -84,11 +78,16 @@ cloud-audit demo
|
|
|
84
78
|
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
|
|
85
79
|
| 2. Add OIDC sub condition -> breaks 6 chains |
|
|
86
80
|
+--------------------------------------------------------------------+
|
|
81
|
+
```
|
|
87
82
|
|
|
88
|
-
|
|
83
|
+
Other tools give you 200 findings sorted by severity. cloud-audit groups them by root cause, shows which single fixes collapse the most attack paths, and lets you simulate the impact before you touch anything:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
cloud-audit simulate --fix aws-vpc-002
|
|
87
|
+
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
|
|
89
88
|
```
|
|
90
89
|
|
|
91
|
-
94 checks across 23 AWS services. Every finding includes AWS CLI + Terraform remediation
|
|
90
|
+
94 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
|
|
92
91
|
|
|
93
92
|
<p align="center">
|
|
94
93
|
<a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
|
|
@@ -98,7 +97,17 @@ Findings by severity: CRITICAL: 5 HIGH: 9 MEDIUM: 14 LOW: 6
|
|
|
98
97
|
<sub>Watch the 1-minute demo</sub>
|
|
99
98
|
</p>
|
|
100
99
|
|
|
101
|
-
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## What's New in 2.0
|
|
103
|
+
|
|
104
|
+
| Feature | What it does |
|
|
105
|
+
|---|---|
|
|
106
|
+
| **IAM Privilege Escalation** | 25 escalation methods across 6 categories. PMapper has been dead since 2022 -- this is its open-source replacement. |
|
|
107
|
+
| **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
|
|
108
|
+
| **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
|
|
109
|
+
| **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
|
|
110
|
+
| **AI-SPM** | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
|
|
102
111
|
|
|
103
112
|
---
|
|
104
113
|
|
|
@@ -106,113 +115,97 @@ If cloud-audit helped you find something you missed, consider giving it a star.
|
|
|
106
115
|
|
|
107
116
|
### Attack Chain Detection
|
|
108
117
|
|
|
109
|
-
|
|
118
|
+
31 rules correlate individual findings into exploitable attack paths.
|
|
110
119
|
|
|
111
120
|
```
|
|
112
121
|
Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
|
|
113
122
|
aws-vpc-002 aws-ec2-004 Detected: AC-01, AC-02
|
|
114
123
|
```
|
|
115
124
|
|
|
116
|
-
Examples from the 31 built-in rules:
|
|
117
|
-
|
|
118
125
|
| Chain | What it catches |
|
|
119
126
|
|---|---|
|
|
120
127
|
| IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
|
|
121
|
-
| Internet-Exposed Admin
|
|
128
|
+
| Internet-Exposed Admin | Public SG + admin IAM role + IMDSv1 = account takeover |
|
|
122
129
|
| CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
|
|
123
|
-
|
|
|
124
|
-
| AI Model Data Exfiltration | Bedrock model with public endpoint + no logging = silent data leak |
|
|
130
|
+
| LLMjacking | Bedrock no logging + no guardrails = undetected model abuse |
|
|
125
131
|
|
|
126
|
-
Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [
|
|
132
|
+
Based on [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/) and [pathfinding.cloud](https://github.com/DataDog/pathfinding.cloud). [See all 31 rules](https://haitmg.pl/cloud-audit/features/attack-chains/).
|
|
127
133
|
|
|
128
|
-
###
|
|
134
|
+
### Remediation + Simulator
|
|
129
135
|
|
|
130
|
-
Every finding includes AWS CLI
|
|
136
|
+
Every finding includes AWS CLI, Terraform HCL, and docs links. Export all fixes:
|
|
131
137
|
|
|
132
138
|
```bash
|
|
133
139
|
cloud-audit scan --export-fixes fixes.sh
|
|
134
140
|
```
|
|
135
141
|
|
|
136
|
-
Simulate
|
|
142
|
+
Simulate before applying:
|
|
137
143
|
|
|
138
144
|
```bash
|
|
139
145
|
cloud-audit simulate --fix aws-vpc-002
|
|
140
146
|
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
|
|
141
|
-
```
|
|
142
147
|
|
|
143
|
-
|
|
148
|
+
cloud-audit simulate --fix aws-vpc-002,aws-ct-001,aws-iam-007
|
|
149
|
+
# Score: 34 -> 82 (+48) | Chains broken: 19 of 22
|
|
150
|
+
```
|
|
144
151
|
|
|
145
|
-
|
|
152
|
+
### Trend Tracking
|
|
146
153
|
|
|
147
154
|
```bash
|
|
148
|
-
cloud-audit diff yesterday.json today.json
|
|
149
|
-
cloud-audit trend #
|
|
155
|
+
cloud-audit diff yesterday.json today.json # Catches ClickOps drift
|
|
156
|
+
cloud-audit trend # Posture over time
|
|
150
157
|
```
|
|
151
158
|
|
|
152
|
-
Exit code 0 = no new findings, 1 = regression. See [daily-scan-with-diff.yml](examples/daily-scan-with-diff.yml) for a CI/CD workflow.
|
|
153
|
-
|
|
154
159
|
### 6 Compliance Frameworks
|
|
155
160
|
|
|
156
|
-
Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.
|
|
157
|
-
|
|
158
161
|
- **CIS AWS v3.0** - 62 controls, 55 automated (89%)
|
|
159
162
|
- **SOC 2 Type II** - 43 criteria, 24 automated (56%)
|
|
160
163
|
- **BSI C5:2020** `Beta` - 134 criteria, 57 automated/partial
|
|
161
|
-
- **ISO 27001:2022** `Beta` - 93
|
|
164
|
+
- **ISO 27001:2022** `Beta` - 93 controls, 47 automated/partial
|
|
162
165
|
- **HIPAA Security Rule** `Beta` - 47 specs, 29 automated/partial
|
|
163
166
|
- **NIS2 Directive** `Beta` - 43 measures, 33 automated/partial
|
|
164
167
|
|
|
165
168
|
### Breach Cost Estimation
|
|
166
169
|
|
|
167
|
-
Every finding includes a dollar-range risk estimate based on
|
|
170
|
+
Every finding and chain includes a dollar-range risk estimate based on IBM/Verizon breach data, with source links.
|
|
168
171
|
|
|
169
172
|
### MCP Server for AI Agents
|
|
170
173
|
|
|
171
|
-
Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:
|
|
172
|
-
|
|
173
174
|
```bash
|
|
174
175
|
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
|
|
175
176
|
```
|
|
176
177
|
|
|
177
|
-
6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone
|
|
178
|
+
6 tools: `scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`. Free and standalone.
|
|
178
179
|
|
|
179
180
|
---
|
|
180
181
|
|
|
181
182
|
## How It Compares
|
|
182
183
|
|
|
183
|
-
| Feature | Prowler | Trivy |
|
|
184
|
-
|
|
185
|
-
| Checks | 576 | 517 |
|
|
186
|
-
| Attack
|
|
187
|
-
| What-If remediation simulator | No | No |
|
|
188
|
-
| IAM privilege escalation
|
|
189
|
-
| Remediation per finding | CIS only | No |
|
|
190
|
-
|
|
|
191
|
-
|
|
|
192
|
-
| Compliance frameworks | CIS only | — | — | **6 (CIS, SOC 2 + 4 Beta)** |
|
|
193
|
-
| MCP server (AI agents) | Paid ($99/mo) | No | No | **Free, standalone** |
|
|
184
|
+
| Feature | Prowler | Trivy | cloud-audit |
|
|
185
|
+
|---------|---------|-------|-------------|
|
|
186
|
+
| Checks | 576 | 517 | **94** |
|
|
187
|
+
| Attack chains + root-cause grouping | No | No | **31 rules** |
|
|
188
|
+
| What-If remediation simulator | No | No | **Yes** |
|
|
189
|
+
| IAM privilege escalation | No | No | **25 methods** |
|
|
190
|
+
| Remediation per finding | CIS only | No | **100% (CLI + TF)** |
|
|
191
|
+
| AI-SPM (Bedrock/SageMaker) | No | No | **Yes** |
|
|
192
|
+
| Compliance frameworks | CIS | -- | **6** |
|
|
194
193
|
|
|
195
|
-
cloud-audit has fewer checks
|
|
194
|
+
cloud-audit has fewer checks but goes deeper per finding: attack chain correlation, root-cause grouping, cost estimates, and a simulator that shows the impact of each fix before you apply it. If you need exhaustive multi-cloud compliance coverage, use Prowler. If you need to know what to fix first and why, cloud-audit is built for that.
|
|
196
195
|
|
|
197
|
-
<sub>Feature snapshot as of v2.0.0 (April 2026)
|
|
196
|
+
<sub>Feature snapshot as of v2.0.0 (April 2026).</sub>
|
|
198
197
|
|
|
199
198
|
---
|
|
200
199
|
|
|
201
200
|
## Reports
|
|
202
201
|
|
|
203
202
|
```bash
|
|
204
|
-
cloud-audit scan --format html
|
|
205
|
-
cloud-audit scan --format json
|
|
206
|
-
cloud-audit scan --format sarif
|
|
207
|
-
cloud-audit scan --format markdown
|
|
203
|
+
cloud-audit scan --format html -o report.html # Client-ready HTML
|
|
204
|
+
cloud-audit scan --format json -o report.json # Machine-readable
|
|
205
|
+
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
|
|
206
|
+
cloud-audit scan --format markdown -o report.md # PR comments
|
|
208
207
|
```
|
|
209
208
|
|
|
210
|
-
Format is auto-detected from file extension.
|
|
211
|
-
|
|
212
|
-
<p align="center">
|
|
213
|
-
<img src="assets/report-preview.png" alt="cloud-audit HTML report" width="700">
|
|
214
|
-
</p>
|
|
215
|
-
|
|
216
209
|
## Installation
|
|
217
210
|
|
|
218
211
|
```bash
|
|
@@ -236,6 +229,8 @@ cloud-audit scan --regions all # All enabled regions
|
|
|
236
229
|
cloud-audit scan --min-severity high # Filter by severity
|
|
237
230
|
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
|
|
238
231
|
cloud-audit scan --quiet # Exit code only (CI/CD)
|
|
232
|
+
cloud-audit simulate --fix aws-vpc-002 # What-If simulator
|
|
233
|
+
cloud-audit trend # Posture over time
|
|
239
234
|
cloud-audit list-checks # List all checks
|
|
240
235
|
```
|
|
241
236
|
|
|
@@ -313,33 +308,22 @@ cloud-audit never modifies your infrastructure. The `simulate` command runs loca
|
|
|
313
308
|
|
|
314
309
|
[See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
|
|
315
310
|
|
|
316
|
-
## Alternatives
|
|
317
|
-
|
|
318
|
-
- **[Prowler](https://github.com/prowler-cloud/prowler)** - 576+ checks, multi-cloud, full CIS coverage, auto-remediation. The most comprehensive open-source scanner.
|
|
319
|
-
- **[Trivy](https://github.com/aquasecurity/trivy)** - Container, IaC, and cloud scanner. Strong on containers, growing cloud coverage.
|
|
320
|
-
- **[Steampipe](https://github.com/turbot/steampipe)** - SQL-based cloud querying. Very flexible.
|
|
321
|
-
- **[AWS Security Hub](https://aws.amazon.com/security-hub/)** - Native AWS service with continuous monitoring. Free 30-day trial.
|
|
322
|
-
|
|
323
311
|
## Documentation
|
|
324
312
|
|
|
325
|
-
|
|
313
|
+
Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
|
|
326
314
|
|
|
327
315
|
- **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
|
|
328
|
-
- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
|
|
329
316
|
- **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
|
|
330
|
-
- **[
|
|
331
|
-
- **[
|
|
332
|
-
- **[
|
|
333
|
-
- **[Reports](https://haitmg.pl/cloud-audit/reports/html/)** - HTML, JSON, SARIF, Markdown output formats
|
|
317
|
+
- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 25 methods, 6 categories
|
|
318
|
+
- **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
|
|
319
|
+
- **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
|
|
334
320
|
- **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
|
|
335
321
|
|
|
336
|
-
This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.
|
|
337
|
-
|
|
338
322
|
## What's Next
|
|
339
323
|
|
|
340
324
|
- Multi-account scanning (AWS Organizations)
|
|
325
|
+
- SCP + permission boundary evaluation in IAM escalation
|
|
341
326
|
- Terraform drift detection
|
|
342
|
-
- Data perimeter checks (S3, KMS, STS boundary policies)
|
|
343
327
|
|
|
344
328
|
Past releases: [CHANGELOG.md](CHANGELOG.md)
|
|
345
329
|
|
|
@@ -350,9 +334,8 @@ git clone https://github.com/gebalamariusz/cloud-audit.git
|
|
|
350
334
|
cd cloud-audit
|
|
351
335
|
pip install -e ".[dev]"
|
|
352
336
|
|
|
353
|
-
pytest -v # tests
|
|
337
|
+
pytest -v # 496 tests
|
|
354
338
|
ruff check src/ tests/ # lint
|
|
355
|
-
ruff format --check src/ tests/ # format
|
|
356
339
|
mypy src/ # type check
|
|
357
340
|
```
|
|
358
341
|
|