PyPI - cloud-audit - Versions diffs - 2.2.1__tar.gz → 2.3.1__tar.gz - Mend

cloud-audit 2.2.1tar.gz → 2.3.1tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

{cloud_audit-2.2.1 → cloud_audit-2.3.1}/CHANGELOG.md RENAMED Viewed

@@ -7,6 +7,286 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [2.3.1] - 2026-05-26
+### Added
+- **DynamoDB hygiene module** - new `ddb.py` module adds 3 checks covering
+  production-baseline DynamoDB configuration. cloud-audit previously had zero
+  DynamoDB coverage across 23 services; v2.3.1 closes that gap.
+  - **`aws-ddb-001` - Encryption at rest visibility** (tiered severity).
+    Surfaces tables where `SSEDescription` is absent (AWS-owned default key,
+    `LOW` - encryption is on but no CloudTrail audit trail, no rotation
+    control, no incident-time revocation), `InaccessibleEncryptionDateTime`
+    is set (`CRITICAL` - CMK was disabled or access revoked, table will be
+    archived in 7 days), or `Status != ENABLED` on a steady-state table
+    (`HIGH`). AWS-managed KMS (`alias/aws/dynamodb`) and customer-managed
+    CMKs both pass. The AWS Security Hub managed standard has no equivalent
+    control; cloud-audit is more opinionated because compliance auditors
+    (SOC 2, HIPAA, ISO 27001) typically require an auditable key.
+  - **`aws-ddb-002` - Point-in-time recovery enabled** (`MEDIUM`). Matches
+    AWS Security Hub `DynamoDB.2` severity. Without PITR, accidental drops
+    or mass conditional-update bugs are unrecoverable except from on-demand
+    backups, which require explicit scheduling.
+  - **`aws-ddb-003` - Autoscaling on PROVISIONED tables** (`MEDIUM`). Matches
+    AWS Security Hub `DynamoDB.1` severity. PROVISIONED billing with manual
+    capacity either over-provisions (cost waste, billed 24/7) or
+    under-provisions (`ProvisionedThroughputExceededException`, client
+    retries amplifying load). `PAY_PER_REQUEST` tables are skipped. Read-only
+    or write-only autoscaling registrations produce a sub-finding identifying
+    the missing dimension.
+  All three checks include CLI + Terraform remediation. Pagination via
+  `list_tables`. Application Auto Scaling targets are cached per-region for
+  the duration of the scan (one API call returns every DDB target in the
+  region).
+- **`aws-cfg-003` - AWS Config recording group complete** (`MEDIUM`). Detects
+  recorders that record only a subset of resource types - either via the
+  legacy `allSupported=false` configuration or the modern
+  `recordingStrategy.useOnly` set to `INCLUSION_BY_RESOURCE_TYPES` or
+  `EXCLUSION_BY_RESOURCE_TYPES`. Also fires when `includeGlobalResourceTypes`
+  is false, which silently drops every IAM/CloudFront/Route53 change from
+  the configuration timeline. Filters out service-linked recorders
+  (`recordingScope=INTERNAL`).
+- **`aws-cfg-004` - AWS Config delivery channel exists and is configured**
+  (tiered). Reports `HIGH` when a recorder exists but no delivery channel
+  is configured (snapshots and configuration history items go nowhere).
+  Reports `LOW` when the delivery channel exists but is throttled to the
+  slowest `TwentyFour_Hours` snapshot frequency, or when `s3KmsKeyArn` is
+  not set (delivery uses SSE-S3 instead of a CMK).
+### Changed
+- **`aws-s3-004` - Smarter S3 lifecycle check** (community feedback). The
+  prior check only fired when a bucket had zero lifecycle rules - which
+  missed the most expensive anti-pattern in production: a versioning-enabled
+  bucket whose lifecycle rules don't include `NoncurrentVersionExpiration`.
+  Without NCVE every object overwrite or delete retains the old version at
+  full storage rates indefinitely. The check now cross-references bucket
+  versioning state with lifecycle rules:
+  - Versioning `Enabled` or `Suspended` + no `NoncurrentVersionExpiration` in
+    any enabled rule -> `MEDIUM` (the storage runaway case; matches AWS
+    Security Hub `S3.10`).
+  - No enabled lifecycle on an unversioned bucket -> `LOW` (existing
+    behaviour preserved).
+  - No `AbortIncompleteMultipartUpload` rule -> `LOW` (new sub-finding;
+    orphaned multipart uploads accumulate billable storage that never
+    appears in regular object listings).
+  Cross-check adds one `get_bucket_versioning` call per bucket; result is
+  cached implicitly via the existing bucket-list cache pattern. Backward
+  compatible: same check ID, no behaviour change for unversioned buckets.
+- **`aws-cfg-001` and `aws-cfg-002` - service-linked recorder filtering**.
+  Both existing checks now filter out service-linked recorders
+  (`recordingScope=INTERNAL`), which are created by other AWS services
+  (AWS Security Hub, AWS Audit Manager) and do not replace a
+  customer-managed recorder.
+### Tests
+- 812 -> 836 (+24 net). New test files: `tests/aws/test_ddb.py` (12 tests
+  covering all four encryption states, PITR enabled/disabled, autoscaling
+  with read+write/read-only/none/pay-per-request). `tests/aws/test_config.py`
+  expanded with 8 new tests for `aws-cfg-003` and `aws-cfg-004`.
+  `tests/aws/test_s3.py` expanded with 4 new tests for the smart lifecycle
+  cross-check (versioned without NCVE, versioned with NCVE, lifecycle
+  rules-but-no-NCVE, AbortMPU missing).
+### Compliance
+Compliance framework mappings updated to cover the new check IDs:
+- **SOC 2 Type II**: `aws-cfg-003` and `aws-cfg-004` added to CC2.1, CC3.4,
+  CC4.1, CC7.1, CC8.1; `aws-ddb-001` mapped to CC6.1; `aws-ddb-002` mapped
+  to A1.2.
+- **HIPAA Security Rule**: `aws-cfg-003` and `aws-cfg-004` added to
+  164.308(a)(1)(i) and 164.308(a)(8); `aws-ddb-001` to 164.312(a)(2)(iv);
+  `aws-ddb-002` to 164.308(a)(7)(i).
+- **ISO/IEC 27001:2022**: `aws-cfg-003` and `aws-cfg-004` added to A.5.9,
+  A.5.23, A.5.36, A.8.9, A.8.32; `aws-ddb-001` to A.8.24; `aws-ddb-002` to
+  A.8.13.
+- **NIS2 Directive**: `aws-cfg-003` and `aws-cfg-004` added to NIS2-RM-01b,
+  NIS2-RM-05, NIS2-RM-05b, NIS2-RM-06, NIS2-RM-06b, NIS2-GOV-01;
+  `aws-ddb-001` to NIS2-RM-05b.
+- **BSI C5:2020**: `aws-cfg-003` and `aws-cfg-004` added to AM-01, OPS-14,
+  COS-07, COS-08, INQ-03; `aws-ddb-001` to CRY-04; `aws-ddb-002` to OPS-06.
+- **CIS AWS Foundations Benchmark v3.0.0**: `aws-cfg-003` and `aws-cfg-004`
+  added to control 3.3. CIS v3.0.0 has no DynamoDB controls; the gap is
+  documented honestly rather than invented.
+### Acknowledgments
+These improvements were prompted by feedback received via community channels.
+### Also in this release (carried over from prior unreleased work)
+- **GitHub Action hardening** - `action.yml` now pins cloud-audit to a specific
+  PyPI version via the new `cloud-audit-version` input (default tracks the
+  action's release tag). Previously installed unpinned `cloud-audit` latest,
+  which made builds non-reproducible. Version string is validated against
+  `[0-9A-Za-z.+-]` before being passed to `pip install`.
+- **GitHub Action shell injection prevention** - all `run:` blocks moved from
+  direct `${{ inputs.* }}` interpolation to env-var pattern (`env:` map +
+  bash arrays). `extra-args`, `regions`, `output`, and `diff-baseline` are
+  now passed as argv entries to `cloud-audit`, not concatenated into shell
+  strings. A malicious workflow author can still pass odd flag values but
+  cannot break out of the cloud-audit invocation.
+- **README polish** - dropped promotional "first/only" wording in three
+  places (blast-radius section, AI-SPM row, IAM Privilege Escalation row).
+  PMapper row reframed from "this is its open-source replacement" to a
+  factual statement of PMapper's last release date and cloud-audit's
+  distinct scope. Honest tone over marketing tone.
+- **README Prowler comparison refreshed** - 572 checks / 83 services / 41
+  frameworks updated to 600 / 84 / 44 (verified against
+  github.com/prowler-cloud/prowler on 2026-05-25). Dropped unsubstantiated
+  "55 fixers" reference and "10+ providers" puffery. Footnote datestamp
+  changed from "April 2026" to "2026-05-25".
+- **README broken links fixed** - two relative links to
+  `docs/features/blast-radius.md` (gitignored - the file is published only
+  via the docs site, not committed to git) replaced with absolute URLs
+  pointing at `https://haitmg.pl/cloud-audit/features/blast-radius/`.
+- **docs/features/blast-radius.md** - same "first pure-CLI open-source"
+  wording softened to "aims to be a lightweight CLI-native alternative".
+- **SECURITY.md supported versions matrix** - stale `1.1.x` / `1.2.x` rows
+  replaced with `2.3.x` (current) / `2.2.x` (security fixes only) / `< 2.2`
+  (no). The matrix had not been touched since the v1.x line was current.
+## [2.3.0] - 2026-05-15
+### Added
+- **Blast Radius CLI** - new `cloud-audit blast-radius --resource <id>` command
+  that walks outward from a single AWS resource and shows what an attacker
+  could reach if THAT resource were compromised. Pure in-memory analysis
+  against a saved scan - zero AWS API calls at blast-radius time.
+  Seed resource types supported:
+  - EC2 instance (short id `i-XXX`)
+  - IAM Role / IAM User (full ARN)
+  - Lambda function (full ARN)
+  - S3 bucket (full ARN)
+  - Secrets Manager secret (full ARN)
+  Expansion rules:
+  - Compute -> attached IAM role (via attack chain `viz_steps` from AC-01,
+    AC-02, AC-05 etc.) -> reachable identities and data
+  - Identity -> admin impact node when `escalation_paths` indicate admin
+  - Identity -> AssumeRole chain targets from `iam_trust_graph`
+  - Identity (admin) -> S3 buckets / Secrets Manager secrets present in
+    findings as candidate exfiltration targets
+  Output formats (`--format`):
+  - `tree` (default) - Rich tree in CLI with color-coded node types
+  - `json` - BlastRadiusGraph v1.0 schema, the wire-format contract with
+    cloud-audit-demo's 3D visualization (camelCase fields preserved on purpose)
+  - `mermaid` - Mermaid `graph TD` diagram with per-type styling
+  - `markdown` - compact summary for PRs or reports
+  Bounds:
+  - `--max-depth N` (default 5) caps BFS hops
+  - `--max-nodes N` (default 50) caps total nodes in the graph
+  Pure CLI, no Neo4j, no Docker, no SaaS account. Built on top of the
+  existing `iam_trust_graph` (524 lines, AssumeRole BFS), `iam_analyzer`
+  (706 lines, 60 escalation methods catalog), `correlate` (1574 lines,
+  31 attack-chain rules with `VizStep`s), and `cost_model` so the
+  same fixes you see in `scan` show up under the same finding ids in the
+  blast-radius output. Documented in `docs/features/blast-radius.md`.
+- **`exposure` command** - new `cloud-audit exposure` rolls up findings by
+  blast-impact heuristic (which identities/data would compound on the next
+  hop). Complements `blast-radius` (single-seed) with an account-wide view.
+### Changed
+- **`ScanReport.security_graph`** - new optional field (`dict[str, object] | None`).
+  Populated by the scanner for blast-radius / exposure consumers. Backwards-
+  compatible: existing parsers that don't know the field will keep working
+  thanks to `default=None`.
+### Fixed
+Nine issues addressed by the pre-release security audit (`SECURITY-AUDIT-2026-05-15.md`):
+- **SEC-001** - Mermaid output now HTML-entity escapes user-controlled node
+  labels (`<`, `>`, `&`, `"`, `\`, plus brackets, braces, pipes). Without this,
+  a crafted scan label `</text>` would break out of the Mermaid SVG context
+  when the diagram is rendered in a GitHub README.
+- **SEC-002** - `_make_id` collision protection: when a sanitised candidate id
+  exceeds 120 chars, a SHA-256(prefix + value) suffix is appended so two
+  long-but-different inputs cannot collide post-truncation (CWE-345 / CWE-1023).
+- **SEC-003** - AssumeRole cycle (A->B->A) no longer re-emits the seed role
+  as a lateral target node. ARN-level dedup (`visited_arns`) catches the
+  cross-prefix duplicate that graph-id dedup alone misses.
+- **SEC-004** - `_find_execution_role_for_lambda` now refuses to return a
+  role belonging to a different function (CWE-697 narrow-match): scan with
+  chain for `fnA` and query for `fnB` returns `None`, not `fnA`'s role.
+- **SEC-005** - `--max-depth` and `--max-nodes` are clamped to safe bounds
+  (1..25 and 1..10_000) instead of accepting unbounded user input (DoS).
+- **SEC-006** - `--format tree` + `--output FILE` returns an error instead of
+  silently writing ANSI escape sequences to disk (CWE-684).
+- **SEC-007** - Exception handler in the CLI wraps `OSError` with a friendly
+  message instead of leaking a full Python traceback to stderr.
+- **SEC-008** - Rich console rendering of node lines escapes Rich markup
+  (`[red]...[/]`) found inside scan labels so a crafted scan can't recolor
+  the terminal output.
+- **SEC-009** - Scanner persists `escalation_paths` to the saved scan so
+  blast-radius can read them without re-running the IAM analyzer.
+Plus pre-release follow-ups from the second security pass:
+- **F-S2-01** - HTML report templates (`report.html.j2`, `compliance_html.py`)
+  now strip non-`http(s)` URL schemes from `finding.cost_estimate.source_url`
+  and `finding.remediation.doc_url`. Without this, a `javascript:` URL in a
+  crafted scan JSON would execute when the user clicks the link in the
+  rendered HTML report.
+- **F-S2-02** - All `--output` writers refuse to follow pre-existing symlinks
+  (TOCTOU symlink attack protection on shared CI runners). The CLI raises a
+  clear error instead of silently clobbering the symlink target.
+- **F-S2-03** - Markdown output (`--format markdown`) now escapes markdown
+  control characters in user-controlled labels so a crafted resource name
+  cannot inject `[link](javascript:...)` into the rendered report.
+- **F-S2-04** - `_resolve_role_arn` falls back to `report.all_findings` when
+  the role isn't present in `escalation_paths` (an EC2 with an attached
+  admin role but no separate escalation path previously returned a
+  seed-only blast graph - now resolves and reports Account Takeover).
+- **F-S2-05** - BFS `--max-depth=1` now surfaces Account Takeover for an
+  EC2 seed with an attached admin role (was off-by-one: compute->role
+  linkage previously consumed the depth budget).
+- **F-S2-06** - Fix/detection matching no longer uses bare `endswith(label)`
+  for short labels - now requires a `/` or `:` boundary, eliminating false
+  positives where label `"admin"` matched `super-admin`.
+### Tests
+- 786 -> 812 (+26 net). New regression tests in `tests/test_blast_radius.py`
+  and `tests/test_graph.py` cover: resource-type detection (8 regex patterns),
+  empty-scan seed-only behaviour, IAM role -> impact node, EC2 with attached
+  role linkage, Lambda with execution role, max-depth and max-nodes
+  enforcement, Rich tree render, Mermaid `graph TD` shape, JSON schema
+  spot-checks (top-level fields, camelCase preservation, node + edge type
+  enums), fixes and detections pulled from findings, and a full
+  `TestSecurityRegression` class for SEC-001 through SEC-009.
+### Schema contract
+The JSON output is the schema documented in
+`cloud-audit-demo/src/types/blast-radius.ts` (`BlastRadiusGraph` v1.0).
+Field names are camelCase by intent because the demo's TypeScript types
+are the consumer. A per-file ruff exemption in `pyproject.toml` documents
+this trade-off.
 ## [2.2.1] - 2026-05-12
 ### Changed
@@ -52,7 +332,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
-- **Threat Feed v1** — new `cloud-audit threat-feed` command and a dedicated
+- **Threat Feed v1** - new `cloud-audit threat-feed` command and a dedicated
   detector pipeline (`providers/aws/threat_feed/`) that flags ACTIVE abuse
   indicators rather than misconfiguration. Each pattern has a versioned
   `TF-XXX` ID, maps to the new `Category.THREAT`, and carries external
@@ -61,44 +341,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   Ten patterns shipped:
-  - `TF-001-ses-phishing-setup` (MEDIUM/HIGH) — SES email/domain identities
+  - `TF-001-ses-phishing-setup` (MEDIUM/HIGH) - SES email/domain identities
     verified within the last 14 days, with severity escalating when an
     out-of-sandbox account hosts a typosquat-style email identity that has
     no matching domain identity. Tracks the Wiz May 2025 + BleepingComputer
     May 2026 SES abuse campaigns.
-  - `TF-002-lambda-function-url-persistence` (HIGH/CRITICAL) — Lambda
+  - `TF-002-lambda-function-url-persistence` (HIGH/CRITICAL) - Lambda
     functions exposed via `AuthType=NONE` Function URLs, escalating to
     CRITICAL when the execution role grants admin-class permissions
     (matching the role profile of the Nov-Dec 2025 cryptomining campaign).
-  - `TF-003-quarantine-policy` (CRITICAL) — IAM principals with
+  - `TF-003-quarantine-policy` (CRITICAL) - IAM principals with
     `AWSCompromisedKeyQuarantineV1/V2/V3` attached. AWS auto-attaches these
     after detecting credential exposure (typically a public GitHub commit).
-  - `TF-004-trufflehog-ua-cloudtrail` (CRITICAL) — `sts:GetCallerIdentity`
+  - `TF-004-trufflehog-ua-cloudtrail` (CRITICAL) - `sts:GetCallerIdentity`
     calls in the last 24h whose user-agent matches known leaked-credentials
     discovery scanners (TruffleHog, gitleaks, CloudGrappler, DetentionDodger,
     NoseyParker). Confirmed credential validation by an external scanner.
-  - `TF-005-cryptomining-role` (HIGH/CRITICAL) — IAM roles created within
+  - `TF-005-cryptomining-role` (HIGH/CRITICAL) - IAM roles created within
     the last 48 hours that carry broad compute managed policies (EC2 Full,
     PowerUser, Admin, ECS Full, Lambda Full). Escalates to CRITICAL when
     the same role also has SES sending permissions (mining + email-spam
     combo from the documented late-2025 campaign cluster).
-  - `TF-006-mmdsv1-in-use` (HIGH/CRITICAL) — EC2 instances where
+  - `TF-006-mmdsv1-in-use` (HIGH/CRITICAL) - EC2 instances where
     `HttpTokens != required` (IMDSv1 still callable) and Bedrock AgentCore
-    agents on `metadataVersion=v1` (CRITICAL — addresses Unit 42 'Cracks in
+    agents on `metadataVersion=v1` (CRITICAL - addresses Unit 42 'Cracks in
     the Bedrock' research and the Feb 2026 MMDSv2 default).
-  - `TF-007-whoami-confusion` (MEDIUM) — IAM roles trusted by CI/CD
+  - `TF-007-whoami-confusion` (MEDIUM) - IAM roles trusted by CI/CD
     identities (codebuild service principals, GitHub OIDC, GitLab OIDC,
-    Buildkite federation) that have a broad EC2 managed policy attached —
+    Buildkite federation) that have a broad EC2 managed policy attached -
     the precondition for the Datadog Feb 2025 whoAMI confusion attack.
-  - `TF-008-cloudtrail-tampering` (HIGH/CRITICAL) — CloudTrail trails with
-    `IsLogging=False` (CRITICAL — canonical post-credential-theft attacker
+  - `TF-008-cloudtrail-tampering` (HIGH/CRITICAL) - CloudTrail trails with
+    `IsLogging=False` (CRITICAL - canonical post-credential-theft attacker
     behaviour, AiTM phishing follow-on per Datadog March 2026) or with a
-    populated `LatestDeliveryError` (HIGH — S3 destination broken).
-  - `TF-009-roles-anywhere-abuse` (HIGH/MEDIUM) — IAM Roles Anywhere trust
+    populated `LatestDeliveryError` (HIGH - S3 destination broken).
+  - `TF-009-roles-anywhere-abuse` (HIGH/MEDIUM) - IAM Roles Anywhere trust
     anchors with `sourceType=CERTIFICATE_BUNDLE` instead of the recommended
     AWS_ACM_PCA. Anyone able to issue a chain-valid cert can mint AWS
     credentials (fwd:cloudsec 2025 'Let's Encrypt for AWS Console').
-  - `TF-010-datazone-overgrant` (HIGH) — `AmazonDataZoneFullAccess` attached
+  - `TF-010-datazone-overgrant` (HIGH) - `AmazonDataZoneFullAccess` attached
     to non-admin principals (the "easy" onboarding policy that bridges
     identity, Glue catalog, and S3 storage in a single grant).
@@ -213,7 +493,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   - AC-29: Unpatched Instance Exposed to Internet (CRITICAL)
   - AC-30: Unpatched Instances Without Vulnerability Scanning (HIGH)
   - AC-31: Internet-Exposed Without WAF or Flow Logs (HIGH)
-  - AC-32: CloudTrail Blind Spot — Alarms Non-Functional (HIGH)
+  - AC-32: CloudTrail Blind Spot - Alarms Non-Functional (HIGH)
   - AC-33: All-Public VPC Without Network Segmentation (HIGH)
 - 3 new service modules: AWS Backup, Amazon Inspector, AWS WAF
 - 67 new tests for framework validation (412 total)
@@ -621,7 +901,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Docker image support
 - Rich terminal UI with progress bar and color-coded findings
-[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v1.3.0...HEAD
+[Unreleased]: https://github.com/gebalamariusz/cloud-audit/compare/v2.3.1...HEAD
+[2.3.1]: https://github.com/gebalamariusz/cloud-audit/compare/v2.3.0...v2.3.1
 [1.3.0]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.2...v1.3.0
 [1.2.2]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.1...v1.2.2
 [1.2.1]: https://github.com/gebalamariusz/cloud-audit/compare/v1.2.0...v1.2.1

{cloud_audit-2.2.1 → cloud_audit-2.3.1}/PKG-INFO RENAMED Viewed

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: cloud-audit
-Version: 2.2.1
-Summary: Open-source AWS security scanner. Threat Feed v1 (10 active-abuse patterns from 2025-2026 incidents), 64 IAM escalation methods, What-If simulator, security trends, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, and MCP server. Every finding includes CLI + Terraform remediation.
+Version: 2.3.1
+Summary: Open-source AWS security scanner. 99 checks across 24 services. Blast Radius CLI, Threat Feed v1, DynamoDB hygiene (encryption/PITR/autoscaling), opinionated Config checks, smart S3 lifecycle, 64 IAM escalation methods, What-If simulator, AI-SPM (Bedrock/SageMaker), 6 compliance frameworks, 31 attack chain rules, breach cost estimation, MCP server. CLI + Terraform remediation for every finding.
 Project-URL: Homepage, https://haitmg.pl/cloud-audit/
 Project-URL: Documentation, https://haitmg.pl/cloud-audit/
 Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
@@ -52,12 +52,16 @@ Description-Content-Type: text/markdown
 <!-- mcp-name: io.github.gebalamariusz/cloud-audit -->
 <h1 align="center">cloud-audit</h1>
+<p align="center">
+  <a href="README.md">English</a> | <a href="README_zh-CN.md">简体中文</a>
+</p>
 <p align="center">
   <strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
 </p>
 <p align="center">
-  Open-source CLI scanner that helps you decide what to fix first &mdash;<br>
+  Open-source CLI scanner that helps you decide what to fix first -<br>
   not just what's wrong.
 </p>
@@ -80,14 +84,22 @@ Description-Content-Type: text/markdown
 <p align="center">
   <a href="https://haitmg.pl/cloud-audit/">Documentation</a> -
   <a href="https://haitmg.pl/cloud-audit/getting-started/quick-start/">Quick Start</a> -
-  <a href="https://haitmg.pl/cloud-audit/compliance/overview/">Compliance</a> -
+  <a href="https://haitmg.pl/cloud-audit/features/blast-radius/">Blast Radius</a> -
+  <a href="https://blast-audit.haitmg.pl/">Live Visualizer</a> -
   <a href="https://haitmg.pl/cloud-audit/features/attack-chains/">Attack Chains</a> -
   <a href="https://haitmg.pl/cloud-audit/features/iam-escalation/">IAM Escalation</a> -
   <a href="https://haitmg.pl/cloud-audit/features/threat-feed/">Threat Feed</a> -
-  <a href="https://haitmg.pl/cloud-audit/features/simulate/">Simulator</a> -
   <a href="https://haitmg.pl/cloud-audit/features/mcp-server/">MCP Server</a>
 </p>
+<p align="center">
+  <a href="https://blast-audit.haitmg.pl/demo/capital-one-2019/?board=1">
+    <img src="assets/blast-audit-boardroom.png" alt="blast-audit visualizer - executive briefing view of Snowflake 2024 breach: $28M exposure, 4 years to detect, fix = enforce MFA" width="820">
+  </a>
+  <br>
+  <sub>Drop a <code>cloud-audit blast-radius</code> JSON into the live visualizer at <a href="https://blast-audit.haitmg.pl/">blast-audit.haitmg.pl</a> - or click the screenshot to explore the Snowflake 2024 breach interactively.</sub>
+</p>
 ## Quick Start
 ```bash
@@ -101,6 +113,59 @@ Uses your default AWS credentials and region. Try without an AWS account:
 cloud-audit demo
 ```
+### NEW in v2.3: Blast Radius CLI + live visualizer
+> *Walk outward from any AWS resource and show exactly what an attacker reaches
+> if THAT resource is compromised.* The CLI runs offline against a saved scan
+> (zero AWS API calls at blast-radius time); the matching open visualizer at
+> [blast-audit.haitmg.pl](https://blast-audit.haitmg.pl/) renders the same JSON
+> as an interactive attack graph with break-point highlighting, MITRE ATT&CK
+> overlay, and an executive boardroom mode for CFO/CISO briefings.
+Seeds: EC2 short id (`i-XXX`), IAM role/user ARN, Lambda ARN, S3 bucket ARN,
+Secrets Manager secret ARN.
+```bash
+# 1. Run a scan once (saves to ~/.cloud-audit/last-scan.json)
+cloud-audit scan
+# 2. Inspect blast radius from any resource (uses the last scan automatically)
+cloud-audit blast-radius --resource i-0abc123def456              # tree (default)
+cloud-audit blast-radius --resource i-0abc123 --format mermaid   # for docs/slides
+cloud-audit blast-radius --resource i-0abc123 --format markdown  # for PR comments
+# 3. Export JSON and visualize it interactively
+cloud-audit blast-radius --resource arn:aws:iam::123456789012:role/deploy \
+                        --format json --output blast.json
+# → open https://blast-audit.haitmg.pl/demo/upload/ → drop blast.json
+```
+<p align="center">
+  <img src="assets/blast-audit-counterfactual.png" alt="Counterfactual view: applying the IAM fix collapses Capital One exposure from $270M to $0" width="820">
+  <br>
+  <sub>The visualizer's boardroom mode includes a one-click counterfactual -
+  <em>"What stops this attack?"</em> - that animates the exposure tile to
+  $0 when you preview the recommended IAM remediation.</sub>
+</p>
+Seven historical breach scenarios ship pre-loaded for context
+(Capital One 2019, Cryptomining 2025, AgentCore 2026, Snowflake UNC5537 2024,
+nx Supply Chain 2026, Codefinger SSE-C 2025, Trivy / TeamPCP 2026), each with
+verified primary-source citations. See the [Blast Radius documentation](https://haitmg.pl/cloud-audit/features/blast-radius/)
+for expansion rules, the BlastRadiusGraph v1.0 schema, and the risk-score heuristic.
+### Also new since v2.0
+| Version | Highlight |
+|---|---|
+| **v2.3.0** (May 2026) | **Blast Radius CLI** + live visualizer + 15 security-hardening fixes (Mermaid XSS escape, ID collision, BFS bounds, symlink-safe writes, URL scheme allow-list). 812 tests. |
+| v2.2.1 (May 2026) | TF-001 SES phishing burst escalation + TF-004 defensive-tool exclusion. |
+| v2.2.0 (May 2026) | **Threat Feed v1** - 10 active-abuse detectors from 2025-2026 incidents (cryptomining, leaked-cred scanners, MMDSv1, DataZone, Roles Anywhere, CloudTrail tampering). External research refs on every finding. |
+| v2.1.0 (Apr 2026) | 64 IAM escalation methods, full pathfinding.cloud coverage. |
+| v2.0.0 (Apr 2026) | IAM Escalation graph, What-If simulator, Trend tracking, AI-SPM (Bedrock + SageMaker). |
+Detail per release in [CHANGELOG.md](CHANGELOG.md).
 ### NEW in v2.2: Threat Feed
 Detect ACTIVE abuse patterns from 2025-2026 incidents (cryptomining campaigns,
@@ -150,7 +215,7 @@ cloud-audit simulate --fix aws-vpc-002
 # Score: 34 -> 58 (+24)  |  Chains broken: 8 of 22  |  Findings resolved: 11
 ```
-94 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
+99 checks across 24 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
 <p align="center">
   <a href="https://www.youtube.com/watch?v=5uHoqggmTB8">
@@ -162,15 +227,17 @@ cloud-audit simulate --fix aws-vpc-002
 ---
-## What's New in 2.0
+## Feature matrix
-| Feature | What it does |
+| Capability | What it does |
 |---|---|
-| **IAM Privilege Escalation** | 61 escalation methods across 9 categories, including lateral movement detection via AssumeRole graph traversal. PMapper has been dead since 2022 -- this is its open-source replacement, and it covers paths PMapper never did. |
-| **What-If Simulator** | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
-| **Root Cause Grouping** | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
-| **Security Posture Trend** | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
-| **AI-SPM** | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
+| **Blast Radius CLI** (v2.3) | `cloud-audit blast-radius --resource <id>` walks outward from any AWS resource and emits the reachable attack graph as tree, JSON ([BlastRadiusGraph v1.0](https://haitmg.pl/cloud-audit/features/blast-radius/#output-json-blastradiusgraph-v10)), Mermaid, or Markdown. The JSON drops straight into the [live visualizer](https://blast-audit.haitmg.pl/) for interactive exploration. |
+| **Threat Feed v1** (v2.2) | 10 active-abuse detectors from real 2025-2026 incidents - cryptomining, leaked-cred scanners, MMDSv1, DataZone overgrant, Roles Anywhere, CloudTrail tampering. Each detector ships with primary-source citation. |
+| **IAM Privilege Escalation** (v2.1) | 64 escalation methods across 9 categories, including lateral movement detection via AssumeRole graph traversal. PMapper has been unmaintained since v1.1.5 (Jan 2022); cloud-audit offers a CLI-native alternative that covers additional escalation patterns beyond PMapper's IAM-principal scope. |
+| **What-If Simulator** (v2.0) | `cloud-audit simulate --fix aws-vpc-002` shows score change, chains broken, and risk reduction before you apply anything. |
+| **Root Cause Grouping** (v2.0) | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
+| **Security Posture Trend** (v2.0) | `cloud-audit trend` tracks health score, chains, and risk over time with sparkline visualization. |
+| **AI-SPM** (v2.0) | Open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
 ---
@@ -244,15 +311,15 @@ claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
 ## How It Compares
-[Prowler](https://github.com/prowler-cloud/prowler) is the AWS security standard: 572 checks across 83 services, 41 compliance frameworks (CIS, PCI-DSS, HIPAA, SOC2, NIST 800, ISO 27001, GDPR, FedRAMP, NIS2, MITRE ATT&CK and more), 55 auto-remediation fixers, and graph-based attack path analysis in the Prowler App (Cartography + Neo4j). It also covers Azure, GCP, Kubernetes, M365, and 10+ other providers.
+[Prowler](https://github.com/prowler-cloud/prowler) is the AWS security standard: 600 checks across 84 services, 44 compliance frameworks (CIS, PCI-DSS, HIPAA, SOC2, NIST 800, ISO 27001, GDPR, FedRAMP, NIS2, MITRE ATT&CK and more), auto-remediation fixers, and graph-based attack path analysis in the Prowler App (Cartography + Neo4j). It also covers Azure, GCP, Kubernetes, M365, and several other providers.
-cloud-audit is AWS-only and intentionally narrower (94 curated checks). It goes deep where Prowler goes wide: attack chain correlation and IAM escalation detection run in the free CLI with zero infrastructure, every finding ships with reviewable Terraform + AWS CLI remediation, and scan diff / drift tracking is built into the CLI.
+cloud-audit is AWS-only and intentionally narrower (99 curated checks). It goes deep where Prowler goes wide: attack chain correlation and IAM escalation detection run in the free CLI with zero infrastructure, every finding ships with reviewable Terraform + AWS CLI remediation, and scan diff / drift tracking is built into the CLI.
 | Feature | Prowler | cloud-audit |
 |---------|---------|-------------|
-| AWS checks | 572 across 83 services | 94 across 23 services |
-| Compliance frameworks (AWS) | 41 (CIS, PCI-DSS, HIPAA, SOC2, NIST, ISO 27001, GDPR, FedRAMP, NIS2, ...) | 6 (CIS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2) |
-| Auto-remediation | 55 fixers across 17 AWS services (direct API calls) | 94/94 findings with CLI + Terraform output (reviewable, you apply) |
+| AWS checks | 600 across 84 services | 99 across 24 services |
+| Compliance frameworks (AWS) | 44 (CIS, PCI-DSS, HIPAA, SOC2, NIST, ISO 27001, GDPR, FedRAMP, NIS2, ...) | 6 (CIS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2) |
+| Auto-remediation | 55 fixers across 17 AWS services (direct API calls) | 99/99 findings with CLI + Terraform output (reviewable, you apply) |
 | Attack path / graph analysis | Prowler App (Cartography + graph queries) | CLI-native (31 rules, no infra) |
 | IAM privilege escalation graph | Prowler App | CLI-native (61 methods + AssumeRole graph) |
 | What-If remediation simulator | No | Yes |
@@ -265,7 +332,30 @@ cloud-audit is AWS-only and intentionally narrower (94 curated checks). It goes
 Use Prowler for compliance breadth, multi-cloud coverage, and graph-based attack path analysis. Use cloud-audit for fast CLI-native attack chain detection, reviewable Terraform remediation, and CI/CD drift tracking. They are complementary, not competitors - a common setup is Prowler for quarterly compliance evidence plus cloud-audit daily in CI/CD.
-<sub>Prowler stats verified from github.com/prowler-cloud/prowler (April 2026). cloud-audit snapshot as of v2.0.1.</sub>
+<sub>Prowler stats verified from github.com/prowler-cloud/prowler on 2026-05-25. cloud-audit snapshot as of v2.3.0.</sub>
+### Blast radius specifically
+Most existing AWS blast-radius tooling either lives behind paid SaaS, requires standing up Neo4j + Cartography, or has been unmaintained for years. `cloud-audit blast-radius` aims to be a lightweight CLI-native alternative: arbitrary AWS resource seeds (EC2, IAM, Lambda, S3, secret), a documented JSON contract (BlastRadiusGraph v1.0) that downstream tools can consume, and no infrastructure to stand up.
+| Tool | Forward BFS from arbitrary AWS resource? | Pure CLI? | Last release |
+|---|---|---|---|
+| Wiz / Stream Security CloudTwin | yes | no (paid SaaS) | active |
+| Prowler App | yes | no (needs Neo4j + Cartography) | active |
+| Prowler CLI | no | yes | active |
+| PMapper | IAM-only, optimised for privesc-to-admin | yes | v1.1.5, Jan 2022 (unmaintained) |
+| Cloudsplaining | no (IAM policy analysis only) | yes | v0.8.2, Oct 2024 |
+| CloudFox | no for AWS (`lateral-movement` GCP only) | yes | active |
+| DetentionDodger | IAM-only, only post-quarantine users | yes | v1.0, Oct 2024 |
+| awspx | partial (graph + web UI) | Docker | v1.3.4, Aug 2021 (unmaintained) |
+| ScoutSuite | no | yes | v5.14.0, May 2024 |
+| Cartography | no built-in (bring your own Cypher) | no (graph ingestor) | active |
+| BloodHound CE | no for AWS (AD + Azure scope) | no (web app) | active |
+| pathfinding.cloud | no (it's a catalog) | n/a | n/a |
+| Trivy | no | yes | active |
+| **cloud-audit blast-radius** | **yes** | **yes** | **v2.3.0, May 2026** |
+The companion visualizer at [blast-audit.haitmg.pl](https://blast-audit.haitmg.pl/) consumes the same JSON without an account, install, or upload-to-cloud step. Everything stays in your browser.
 ---
@@ -376,26 +466,53 @@ cloud-audit never modifies your infrastructure. The `simulate` command runs loca
 ## What It Checks
-94 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, Account, AWS Backup, Amazon Inspector, AWS WAF, Amazon Bedrock, and Amazon SageMaker.
+99 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, Account, AWS Backup, Amazon Inspector, AWS WAF, Amazon Bedrock, Amazon SageMaker, and Amazon DynamoDB.
-[See all 94 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
+[See all 99 checks by service](https://haitmg.pl/cloud-audit/checks/) or run `cloud-audit list-checks` locally.
 ## Documentation
 Full docs at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**:
 - **[Getting Started](https://haitmg.pl/cloud-audit/getting-started/installation/)** - installation, quick start, demo mode
+- **[Blast Radius](https://haitmg.pl/cloud-audit/features/blast-radius/)** - forward BFS from arbitrary AWS resource, JSON schema, visualizer integration
 - **[Attack Chains](https://haitmg.pl/cloud-audit/features/attack-chains/)** - all 31 rules with MITRE ATT&CK references
-- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 61 methods, 9 categories (action-based + lateral AssumeRole graph)
+- **[IAM Escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/)** - 64 methods, 9 categories (action-based + lateral AssumeRole graph)
+- **[Threat Feed](https://haitmg.pl/cloud-audit/features/threat-feed/)** - 10 active-abuse detectors from 2025-2026 incidents
 - **[What-If Simulator](https://haitmg.pl/cloud-audit/features/simulate/)** - simulate remediation impact
 - **[Compliance](https://haitmg.pl/cloud-audit/compliance/overview/)** - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
 - **[All 94 Checks](https://haitmg.pl/cloud-audit/checks/)** - full check reference by service
+## Companion visualizer
+The same BlastRadiusGraph v1.0 JSON that `cloud-audit blast-radius --format json` emits also drives the live visualizer at **[blast-audit.haitmg.pl](https://blast-audit.haitmg.pl/)** - no install, no signup, no upload to a third-party cloud (everything runs in your browser).
+<p align="center">
+  <a href="https://blast-audit.haitmg.pl/demo/capital-one-2019/">
+    <img src="assets/blast-audit-hero.png" alt="blast-audit operator view of the Capital One 2019 attack chain with the break-point IAM role highlighted" width="820">
+  </a>
+</p>
+Seven historical breach scenarios are pre-loaded with primary-source citations:
+| Scenario | Year | One-line pitch | URL |
+|---|---|---|---|
+| Capital One | 2019 | SSRF → IMDSv1 → admin S3 (100M records, $190M total damage) | [/demo/capital-one-2019/](https://blast-audit.haitmg.pl/demo/capital-one-2019/) |
+| Cryptomining | 2025 | Leaked AKID → 14 ASGs spinning in 10 minutes | [/demo/cryptomining-2025/](https://blast-audit.haitmg.pl/demo/cryptomining-2025/) |
+| Bedrock AgentCore | 2026 | Sandbox bypass via DNS resolver (AWS classed "won't fix") | [/demo/agentcore-2026/](https://blast-audit.haitmg.pl/demo/agentcore-2026/) |
+| Snowflake / UNC5537 | 2024 | Infostealer-harvested credentials replayed against no-MFA tenants (165 orgs, $28M+ AT&T settlement) | [/demo/snowflake-unc5537-2024/](https://blast-audit.haitmg.pl/demo/snowflake-unc5537-2024/) |
+| nx Supply Chain / UNC6426 | 2026 | Trojanised npm → LLM stealer → GitHub OIDC → AWS Admin in &lt;72 h | [/demo/unc6426-nx-2026/](https://blast-audit.haitmg.pl/demo/unc6426-nx-2026/) |
+| Codefinger | 2025 | AWS-native SSE-C ransomware (no key recovery from CloudTrail) | [/demo/codefinger-ssec-2025/](https://blast-audit.haitmg.pl/demo/codefinger-ssec-2025/) |
+| Trivy / TeamPCP | 2026 | 76 of 77 GitHub Action tags force-pushed to a credential stealer | [/demo/trivy-teampcp-2026/](https://blast-audit.haitmg.pl/demo/trivy-teampcp-2026/) |
+Boardroom mode (`?board=1` on any scenario) renders the same graph as a CFO/CISO briefing with the dollar exposure, time-to-detect, and recommended fix surfaced as 3 big tiles - click *"What stops this attack?"* and the exposure tile animates to $0.
 ## What's Next
 - Multi-account scanning (AWS Organizations)
 - SCP + permission boundary evaluation in IAM escalation
 - Terraform drift detection
+- Security Graph v3.0.0 (network reachability, cross-account propagation, permission-boundary semantics)
 Past releases: [CHANGELOG.md](CHANGELOG.md)
@@ -406,7 +523,7 @@ git clone https://github.com/gebalamariusz/cloud-audit.git
 cd cloud-audit
 pip install -e ".[dev]"
-pytest -v                          # 496 tests
+pytest -v                          # 812 tests
 ruff check src/ tests/             # lint
 mypy src/                          # type check
 ```

cloud-audit 2.2.1__tar.gz → 2.3.1__tar.gz

cloud-audit 2.2.1tar.gz → 2.3.1tar.gz