cloud-audit 2.2.0__tar.gz → 2.3.0__tar.gz

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/CHANGELOG.md

@@ -7,11 +7,177 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.3.0] - 2026-05-15
+
+### Added
+
+- **Blast Radius CLI** - new `cloud-audit blast-radius --resource <id>` command
+  that walks outward from a single AWS resource and shows what an attacker
+  could reach if THAT resource were compromised. Pure in-memory analysis
+  against a saved scan - zero AWS API calls at blast-radius time.
+
+  Seed resource types supported:
+  - EC2 instance (short id `i-XXX`)
+  - IAM Role / IAM User (full ARN)
+  - Lambda function (full ARN)
+  - S3 bucket (full ARN)
+  - Secrets Manager secret (full ARN)
+
+  Expansion rules:
+  - Compute -> attached IAM role (via attack chain `viz_steps` from AC-01,
+    AC-02, AC-05 etc.) -> reachable identities and data
+  - Identity -> admin impact node when `escalation_paths` indicate admin
+  - Identity -> AssumeRole chain targets from `iam_trust_graph`
+  - Identity (admin) -> S3 buckets / Secrets Manager secrets present in
+    findings as candidate exfiltration targets
+
+  Output formats (`--format`):
+  - `tree` (default) - Rich tree in CLI with color-coded node types
+  - `json` - BlastRadiusGraph v1.0 schema, the wire-format contract with
+    cloud-audit-demo's 3D visualization (camelCase fields preserved on purpose)
+  - `mermaid` - Mermaid `graph TD` diagram with per-type styling
+  - `markdown` - compact summary for PRs or reports
+
+  Bounds:
+  - `--max-depth N` (default 5) caps BFS hops
+  - `--max-nodes N` (default 50) caps total nodes in the graph
+
+  Pure CLI, no Neo4j, no Docker, no SaaS account. Built on top of the
+  existing `iam_trust_graph` (524 lines, AssumeRole BFS), `iam_analyzer`
+  (706 lines, 60 escalation methods catalog), `correlate` (1574 lines,
+  31 attack-chain rules with `VizStep`s), and `cost_model` so the
+  same fixes you see in `scan` show up under the same finding ids in the
+  blast-radius output. Documented in `docs/features/blast-radius.md`.
+
+- **`exposure` command** - new `cloud-audit exposure` rolls up findings by
+  blast-impact heuristic (which identities/data would compound on the next
+  hop). Complements `blast-radius` (single-seed) with an account-wide view.
+
+### Changed
+
+- **`ScanReport.security_graph`** - new optional field (`dict[str, object] | None`).
+  Populated by the scanner for blast-radius / exposure consumers. Backwards-
+  compatible: existing parsers that don't know the field will keep working
+  thanks to `default=None`.
+
+### Fixed
+
+Nine issues addressed by the pre-release security audit (`SECURITY-AUDIT-2026-05-15.md`):
+
+- **SEC-001** - Mermaid output now HTML-entity escapes user-controlled node
+  labels (`<`, `>`, `&`, `"`, `\`, plus brackets, braces, pipes). Without this,
+  a crafted scan label `</text>` would break out of the Mermaid SVG context
+  when the diagram is rendered in a GitHub README.
+- **SEC-002** - `_make_id` collision protection: when a sanitised candidate id
+  exceeds 120 chars, a SHA-256(prefix + value) suffix is appended so two
+  long-but-different inputs cannot collide post-truncation (CWE-345 / CWE-1023).
+- **SEC-003** - AssumeRole cycle (A->B->A) no longer re-emits the seed role
+  as a lateral target node. ARN-level dedup (`visited_arns`) catches the
+  cross-prefix duplicate that graph-id dedup alone misses.
+- **SEC-004** - `_find_execution_role_for_lambda` now refuses to return a
+  role belonging to a different function (CWE-697 narrow-match): scan with
+  chain for `fnA` and query for `fnB` returns `None`, not `fnA`'s role.
+- **SEC-005** - `--max-depth` and `--max-nodes` are clamped to safe bounds
+  (1..25 and 1..10_000) instead of accepting unbounded user input (DoS).
+- **SEC-006** - `--format tree` + `--output FILE` returns an error instead of
+  silently writing ANSI escape sequences to disk (CWE-684).
+- **SEC-007** - Exception handler in the CLI wraps `OSError` with a friendly
+  message instead of leaking a full Python traceback to stderr.
+- **SEC-008** - Rich console rendering of node lines escapes Rich markup
+  (`[red]...[/]`) found inside scan labels so a crafted scan can't recolor
+  the terminal output.
+- **SEC-009** - Scanner persists `escalation_paths` to the saved scan so
+  blast-radius can read them without re-running the IAM analyzer.
+
+Plus pre-release follow-ups from the second security pass:
+
+- **F-S2-01** - HTML report templates (`report.html.j2`, `compliance_html.py`)
+  now strip non-`http(s)` URL schemes from `finding.cost_estimate.source_url`
+  and `finding.remediation.doc_url`. Without this, a `javascript:` URL in a
+  crafted scan JSON would execute when the user clicks the link in the
+  rendered HTML report.
+- **F-S2-02** - All `--output` writers refuse to follow pre-existing symlinks
+  (TOCTOU symlink attack protection on shared CI runners). The CLI raises a
+  clear error instead of silently clobbering the symlink target.
+- **F-S2-03** - Markdown output (`--format markdown`) now escapes markdown
+  control characters in user-controlled labels so a crafted resource name
+  cannot inject `[link](javascript:...)` into the rendered report.
+- **F-S2-04** - `_resolve_role_arn` falls back to `report.all_findings` when
+  the role isn't present in `escalation_paths` (an EC2 with an attached
+  admin role but no separate escalation path previously returned a
+  seed-only blast graph - now resolves and reports Account Takeover).
+- **F-S2-05** - BFS `--max-depth=1` now surfaces Account Takeover for an
+  EC2 seed with an attached admin role (was off-by-one: compute->role
+  linkage previously consumed the depth budget).
+- **F-S2-06** - Fix/detection matching no longer uses bare `endswith(label)`
+  for short labels - now requires a `/` or `:` boundary, eliminating false
+  positives where label `"admin"` matched `super-admin`.
+
+### Tests
+
+- 786 -> 812 (+26 net). New regression tests in `tests/test_blast_radius.py`
+  and `tests/test_graph.py` cover: resource-type detection (8 regex patterns),
+  empty-scan seed-only behaviour, IAM role -> impact node, EC2 with attached
+  role linkage, Lambda with execution role, max-depth and max-nodes
+  enforcement, Rich tree render, Mermaid `graph TD` shape, JSON schema
+  spot-checks (top-level fields, camelCase preservation, node + edge type
+  enums), fixes and detections pulled from findings, and a full
+  `TestSecurityRegression` class for SEC-001 through SEC-009.
+
+### Schema contract
+
+The JSON output is the schema documented in
+`cloud-audit-demo/src/types/blast-radius.ts` (`BlastRadiusGraph` v1.0).
+Field names are camelCase by intent because the demo's TypeScript types
+are the consumer. A per-file ruff exemption in `pyproject.toml` documents
+this trade-off.
+
+## [2.2.1] - 2026-05-12
+
+### Changed
+
+- **TF-001 (SES phishing setup)** - severity escalation logic rewritten.
+  HIGH now requires BOTH out-of-sandbox AND a burst of >=2 recent
+  identity verifications in the same account scan. The previous
+  "email identity without matching domain" escalation has been removed:
+  it modeled the wrong attacker behaviour. Wiz's September 2025 research
+  documented attackers *"adding multiple domains as verified identities
+  using the CreateEmailIdentity API"* in quick succession - a burst
+  pattern, not a single typosquat email. The new logic matches what
+  the source incident actually documented.
+
+- **TF-004 (leaked-creds scanner UA)** - removed `cloudgrappler` and
+  `detention-dodger` from the user-agent signature list. Both are
+  Permiso DEFENSIVE tools - their UA appearing in CloudTrail means a
+  defender is running them against the account, not that the account
+  is under attack. The detector now only matches OFFENSIVE scanner
+  signatures (`trufflehog`, `gitleaks`, `noseyparker`, `secretscanner`).
+  Module docstring updated with an explicit detection caveat: scanners
+  using stock AWS SDK / boto3 / aws-cli default user-agents look
+  identical to legitimate traffic and will not trigger this pattern.
+
+- **TF-004 references** - replaced a fabricated TruffleHog blog URL in
+  the references list with the verified BleepingComputer / Kaspersky
+  May 2026 SES abuse coverage and the official TruffleHog GitHub repo.
+
+### Tests
+
+- 742 -> 747 (+5 net). New regression tests:
+  - `test_email_no_matching_domain_does_not_escalate` (TF-001) proves
+    the removed typosquat heuristic does not return.
+  - `test_burst_out_of_sandbox_escalates_to_high` and
+    `test_burst_in_sandbox_stays_medium` cover the new escalation rule.
+  - `test_burst_only_counts_recent_identities` verifies the burst
+    counter respects the 14-day window.
+  - `test_cloudgrappler_ua_not_flagged` and
+    `test_detention_dodger_ua_not_flagged` (TF-004) prove defensive
+    tools are now excluded.
+
 ## [2.2.0] - 2026-05-12
 
 ### Added
 
-- **Threat Feed v1** — new `cloud-audit threat-feed` command and a dedicated
+- **Threat Feed v1** - new `cloud-audit threat-feed` command and a dedicated
   detector pipeline (`providers/aws/threat_feed/`) that flags ACTIVE abuse
   indicators rather than misconfiguration. Each pattern has a versioned
   `TF-XXX` ID, maps to the new `Category.THREAT`, and carries external
@@ -20,44 +186,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
   Ten patterns shipped:
 
-  - `TF-001-ses-phishing-setup` (MEDIUM/HIGH) — SES email/domain identities
+  - `TF-001-ses-phishing-setup` (MEDIUM/HIGH) - SES email/domain identities
     verified within the last 14 days, with severity escalating when an
     out-of-sandbox account hosts a typosquat-style email identity that has
     no matching domain identity. Tracks the Wiz May 2025 + BleepingComputer
     May 2026 SES abuse campaigns.
-  - `TF-002-lambda-function-url-persistence` (HIGH/CRITICAL) — Lambda
+  - `TF-002-lambda-function-url-persistence` (HIGH/CRITICAL) - Lambda
     functions exposed via `AuthType=NONE` Function URLs, escalating to
     CRITICAL when the execution role grants admin-class permissions
     (matching the role profile of the Nov-Dec 2025 cryptomining campaign).
-  - `TF-003-quarantine-policy` (CRITICAL) — IAM principals with
+  - `TF-003-quarantine-policy` (CRITICAL) - IAM principals with
     `AWSCompromisedKeyQuarantineV1/V2/V3` attached. AWS auto-attaches these
     after detecting credential exposure (typically a public GitHub commit).
-  - `TF-004-trufflehog-ua-cloudtrail` (CRITICAL) — `sts:GetCallerIdentity`
+  - `TF-004-trufflehog-ua-cloudtrail` (CRITICAL) - `sts:GetCallerIdentity`
     calls in the last 24h whose user-agent matches known leaked-credentials
     discovery scanners (TruffleHog, gitleaks, CloudGrappler, DetentionDodger,
     NoseyParker). Confirmed credential validation by an external scanner.
-  - `TF-005-cryptomining-role` (HIGH/CRITICAL) — IAM roles created within
+  - `TF-005-cryptomining-role` (HIGH/CRITICAL) - IAM roles created within
     the last 48 hours that carry broad compute managed policies (EC2 Full,
     PowerUser, Admin, ECS Full, Lambda Full). Escalates to CRITICAL when
     the same role also has SES sending permissions (mining + email-spam
     combo from the documented late-2025 campaign cluster).
-  - `TF-006-mmdsv1-in-use` (HIGH/CRITICAL) — EC2 instances where
+  - `TF-006-mmdsv1-in-use` (HIGH/CRITICAL) - EC2 instances where
     `HttpTokens != required` (IMDSv1 still callable) and Bedrock AgentCore
-    agents on `metadataVersion=v1` (CRITICAL — addresses Unit 42 'Cracks in
+    agents on `metadataVersion=v1` (CRITICAL - addresses Unit 42 'Cracks in
     the Bedrock' research and the Feb 2026 MMDSv2 default).
-  - `TF-007-whoami-confusion` (MEDIUM) — IAM roles trusted by CI/CD
+  - `TF-007-whoami-confusion` (MEDIUM) - IAM roles trusted by CI/CD
     identities (codebuild service principals, GitHub OIDC, GitLab OIDC,
-    Buildkite federation) that have a broad EC2 managed policy attached —
+    Buildkite federation) that have a broad EC2 managed policy attached -
     the precondition for the Datadog Feb 2025 whoAMI confusion attack.
-  - `TF-008-cloudtrail-tampering` (HIGH/CRITICAL) — CloudTrail trails with
-    `IsLogging=False` (CRITICAL — canonical post-credential-theft attacker
+  - `TF-008-cloudtrail-tampering` (HIGH/CRITICAL) - CloudTrail trails with
+    `IsLogging=False` (CRITICAL - canonical post-credential-theft attacker
     behaviour, AiTM phishing follow-on per Datadog March 2026) or with a
-    populated `LatestDeliveryError` (HIGH — S3 destination broken).
-  - `TF-009-roles-anywhere-abuse` (HIGH/MEDIUM) — IAM Roles Anywhere trust
+    populated `LatestDeliveryError` (HIGH - S3 destination broken).
+  - `TF-009-roles-anywhere-abuse` (HIGH/MEDIUM) - IAM Roles Anywhere trust
     anchors with `sourceType=CERTIFICATE_BUNDLE` instead of the recommended
     AWS_ACM_PCA. Anyone able to issue a chain-valid cert can mint AWS
     credentials (fwd:cloudsec 2025 'Let's Encrypt for AWS Console').
-  - `TF-010-datazone-overgrant` (HIGH) — `AmazonDataZoneFullAccess` attached
+  - `TF-010-datazone-overgrant` (HIGH) - `AmazonDataZoneFullAccess` attached
     to non-admin principals (the "easy" onboarding policy that bridges
     identity, Glue catalog, and S3 storage in a single grant).
 
@@ -172,7 +338,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - AC-29: Unpatched Instance Exposed to Internet (CRITICAL)
   - AC-30: Unpatched Instances Without Vulnerability Scanning (HIGH)
   - AC-31: Internet-Exposed Without WAF or Flow Logs (HIGH)
-  - AC-32: CloudTrail Blind Spot — Alarms Non-Functional (HIGH)
+  - AC-32: CloudTrail Blind Spot - Alarms Non-Functional (HIGH)
   - AC-33: All-Public VPC Without Network Segmentation (HIGH)
 - 3 new service modules: AWS Backup, Amazon Inspector, AWS WAF
 - 67 new tests for framework validation (412 total)

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 2.2.0
-Summary: Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation.
+Version: 2.3.0
+Summary: Open-source AWS security scanner. Blast Radius CLI (forward BFS from arbitrary resource), Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation.
 Project-URL: Homepage, https://haitmg.pl/cloud-audit/
 Project-URL: Documentation, https://haitmg.pl/cloud-audit/
 Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
@@ -57,7 +57,7 @@ Description-Content-Type: text/markdown
 </p>
 
 <p align="center">
-  Open-source CLI scanner that helps you decide what to fix first &mdash;<br>
+  Open-source CLI scanner that helps you decide what to fix first -<br>
   not just what's wrong.
 </p>
 
@@ -101,6 +101,31 @@ Uses your default AWS credentials and region. Try without an AWS account:
 cloud-audit demo
 ```
 
+### NEW in v2.3: Blast Radius CLI
+
+Walk outward from a single AWS resource and show what an attacker could reach
+if THAT resource were compromised. Pure offline analysis against a saved scan -
+zero AWS API calls at blast-radius time. Seed any EC2 instance, IAM role/user,
+Lambda function, S3 bucket, or Secrets Manager secret.
+
+```bash
+# Quick view: tree of reachable identities + data + impact
+cloud-audit blast-radius --resource i-0abc123def456
+
+# JSON for the blast-audit visualizer (https://blast-audit.haitmg.pl)
+cloud-audit blast-radius --resource arn:aws:iam::123456789012:role/deploy \
+                        --format json --output blast.json
+
+# Mermaid diagram for docs / slides
+cloud-audit blast-radius --resource i-0abc123 --format mermaid
+
+# Markdown summary for PR comments
+cloud-audit blast-radius --resource i-0abc123 --format markdown
+```
+
+See [docs/features/blast-radius.md](docs/features/blast-radius.md) for the
+expansion rules, JSON schema (BlastRadiusGraph v1.0), and risk score heuristic.
+
 ### NEW in v2.2: Threat Feed
 
 Detect ACTIVE abuse patterns from 2025-2026 incidents (cryptomining campaigns,

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/README.md

@@ -10,7 +10,7 @@
 </p>
 
 <p align="center">
-  Open-source CLI scanner that helps you decide what to fix first &mdash;<br>
+  Open-source CLI scanner that helps you decide what to fix first -<br>
   not just what's wrong.
 </p>
 
@@ -54,6 +54,31 @@ Uses your default AWS credentials and region. Try without an AWS account:
 cloud-audit demo
 ```
 
+### NEW in v2.3: Blast Radius CLI
+
+Walk outward from a single AWS resource and show what an attacker could reach
+if THAT resource were compromised. Pure offline analysis against a saved scan -
+zero AWS API calls at blast-radius time. Seed any EC2 instance, IAM role/user,
+Lambda function, S3 bucket, or Secrets Manager secret.
+
+```bash
+# Quick view: tree of reachable identities + data + impact
+cloud-audit blast-radius --resource i-0abc123def456
+
+# JSON for the blast-audit visualizer (https://blast-audit.haitmg.pl)
+cloud-audit blast-radius --resource arn:aws:iam::123456789012:role/deploy \
+                        --format json --output blast.json
+
+# Mermaid diagram for docs / slides
+cloud-audit blast-radius --resource i-0abc123 --format mermaid
+
+# Markdown summary for PR comments
+cloud-audit blast-radius --resource i-0abc123 --format markdown
+```
+
+See [docs/features/blast-radius.md](docs/features/blast-radius.md) for the
+expansion rules, JSON schema (BlastRadiusGraph v1.0), and risk score heuristic.
+
 ### NEW in v2.2: Threat Feed
 
 Detect ACTIVE abuse patterns from 2025-2026 incidents (cryptomining campaigns,

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/ROADMAP.md

@@ -1,6 +1,6 @@
 # Roadmap
 
-> Current version: **v2.0.0** (April 2026)
+> Current version: **v2.3.0** (May 2026)
 
 ## Completed
 
@@ -73,13 +73,17 @@
 
 ## What's Next
 
+### v2.3.0 -- Blast Radius CLI (shipped May 2026)
+
+- **Blast Radius CLI** (MVP) -- `cloud-audit blast-radius --resource <id>` walks outward from a single AWS resource (EC2, IAM Role/User, Lambda, S3 bucket, secret) and reports what an attacker could reach if that resource were compromised. Tree, JSON (BlastRadiusGraph v1.0 schema), Mermaid, and Markdown output. Pure in-memory, no AWS calls at blast-radius time. Built on the existing IAM trust graph + escalation catalog. 26 new tests, 812 total. Includes a full pre-release security pass (SEC-001 through SEC-009 plus F-S2-01 through F-S2-06 hardening — URL scheme allowlisting in HTML reports, symlink-safe writes, markdown injection escape, cycle dedup in BFS).
+
 ### v3.0.0 -- Security Graph & Exposure Analysis (target: June 2026)
 
 **1. Security Graph + Effective Exposure Score**
 In-memory graph (networkx) modeling all resource relationships: VPC routing, subnets, security groups, EC2 instances, IAM roles, policies, S3 buckets, RDS instances. BFS/DFS from internet nodes to high-value targets. Per-resource "effective exposure score" combining network reachability + identity privilege + data sensitivity. Output: "3 paths from internet to production database."
 
-**2. Blast Radius Analysis**
-`cloud-audit blast-radius --resource i-0abc123` shows the full impact zone if a specific resource is compromised: IAM role access, network reach, lateral movement paths, data at risk, breach cost estimate. The inverse of attack path analysis.
+**2. Blast Radius Analysis (full v3.0.0 expansion)**
+MVP shipped in v2.3.0. Remaining for v3.0.0: network reachability (VPC peering, TGW, on-prem CIDR), cross-account propagation, permission boundary / SCP semantic evaluation, data classification (PII / PCI / PHI tagging on buckets), expanded storytelling templates, HTML report integration, MCP server `compute_blast_radius` tool.
 
 **3. NHI (Non-Human Identity) Audit + Data Perimeter Scanner**
 Full inventory of all non-human identities: IAM users with access keys, IAM roles, OIDC providers, Lambda/ECS/CodeBuild execution roles. Aging, rotation, privilege scoring, trust chain mapping. Data perimeter: RCPs, VPC endpoint policies, aws:SourceOrgID conditions, snapshot sharing.

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/pyproject.toml

@@ -4,8 +4,8 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cloud-audit"
-version = "2.2.0"
-description = "Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation."
+version = "2.3.0"
+description = "Open-source AWS security scanner. Blast Radius CLI (forward BFS from arbitrary resource), Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation."
 readme = "README.md"
 license = "MIT"
 requires-python = ">=3.10"
@@ -81,6 +81,11 @@ select = ["E", "F", "I", "N", "W", "UP", "S", "B", "A", "C4", "SIM", "TCH", "RUF
 "src/cloud_audit/reports/compliance_markdown.py" = ["E501"]
 "src/cloud_audit/cli.py" = ["TC003"]
 "src/cloud_audit/mcp_server.py" = ["TC003"]
+# Blast radius uses camelCase field names to match the BlastRadiusGraph v1.0
+# wire-format contract shared with cloud-audit-demo (TypeScript types).
+# Renaming would break the JSON output schema consumers depend on.
+"src/cloud_audit/blast_radius.py" = ["N815"]
+"tests/test_blast_radius.py" = ["S101", "N803", "N806", "N815"]
 # Threat-feed modules and tests intentionally use boto3-style CamelCase
 # kwargs (UserName, RoleName, FunctionName, EmailIdentity) to match the
 # AWS API surface they wrap. N803 (lower_snake_case argument) is wrong here.

{cloud_audit-2.2.0 → cloud_audit-2.3.0}/server.json

@@ -8,12 +8,12 @@
     "url": "https://github.com/gebalamariusz/cloud-audit",
     "source": "github"
   },
-  "version": "2.0.1",
+  "version": "2.3.0",
   "packages": [
     {
       "registryType": "pypi",
       "identifier": "cloud-audit",
-      "version": "2.0.1",
+      "version": "2.3.0",
       "transport": {
         "type": "stdio"
       },