cloud-audit 2.3.1__tar.gz → 2.4.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/workflows/ci.yml +4 -4
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/workflows/docs.yml +1 -1
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/workflows/example-scan.yml +1 -1
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/workflows/release.yml +7 -7
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/CHANGELOG.md +102 -0
- cloud_audit-2.4.0/PKG-INFO +240 -0
- cloud_audit-2.4.0/README.md +193 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/pyproject.toml +2 -2
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/cli.py +11 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/bsi_c5_2020.json +6 -1
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/cis_aws_v3.json +6 -1
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/hipaa_security.json +12 -2
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/iso27001_2022.json +12 -2
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/nis2_directive.json +6 -1
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/frameworks/soc2_type2.json +24 -4
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/cost_model.py +89 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/models.py +10 -0
- cloud_audit-2.4.0/src/cloud_audit/proof.py +198 -0
- cloud_audit-2.4.0/src/cloud_audit/providers/aws/checks/agentcore.py +520 -0
- cloud_audit-2.4.0/src/cloud_audit/providers/aws/checks/data_perimeter.py +702 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/provider.py +4 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/scanner.py +24 -0
- cloud_audit-2.4.0/tests/aws/test_agentcore.py +324 -0
- cloud_audit-2.4.0/tests/aws/test_data_perimeter.py +662 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_compliance_frameworks.py +5 -0
- cloud_audit-2.4.0/tests/test_proof.py +298 -0
- cloud_audit-2.3.1/PKG-INFO +0 -535
- cloud_audit-2.3.1/README.md +0 -488
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.cloud-audit.example.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/FUNDING.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/ISSUE_TEMPLATE/bug_report.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/ISSUE_TEMPLATE/config.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/ISSUE_TEMPLATE/feature_request.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.github/dependabot.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.gitignore +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.mcp.json +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/.pre-commit-hooks.yaml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/CODEOWNERS +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/CODE_OF_CONDUCT.md +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/CONTRIBUTING.md +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/Dockerfile +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/LICENSE +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/Makefile +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/ROADMAP.md +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/SECURITY.md +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/action.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/blast-audit-boardroom.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/blast-audit-counterfactual.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/blast-audit-hero.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/demo.gif +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/logo-nobg.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/logo.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/report-preview.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/assets/social-preview.png +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/examples/daily-scan-with-diff.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/examples/github-actions.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/examples/post-deploy-scan.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/mkdocs.yml +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/overrides/main.html +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/scripts/generate_demo_gif.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/scripts/generate_report_screenshot.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/server.json +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/__main__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/blast_radius.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/compliance/engine.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/config.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/correlate.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/diff.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/graph.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/history.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/mcp_server.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/account.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/backup.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/bedrock.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/cloudtrail.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/cloudwatch.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/config_.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/ddb.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/ec2.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/ecs.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/efs.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/eip.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/guardduty.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/iam.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/inspector.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/kms.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/lambda_.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/rds.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/s3.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/sagemaker.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/secrets.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/securityhub.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/ssm.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/vpc.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/checks/waf.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/iam_analyzer.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/iam_trust_graph.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/cloudtrail_tampering.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/cryptomining_role.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/datazone_overgrant.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/lambda_function_url.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/mmdsv1_in_use.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/quarantine_policy.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/roles_anywhere_abuse.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/ses_phishing.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/trufflehog_ua.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/aws/threat_feed/whoami_confusion.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/providers/base.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/py.typed +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/compliance_html.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/compliance_markdown.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/diff_markdown.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/html.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/markdown.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/sarif.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/reports/templates/report.html.j2 +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/root_cause.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/src/cloud_audit/simulate.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_bedrock.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_cis_checks.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_cloudtrail.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_cloudwatch.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_config.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_ddb.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_ec2.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_ecs.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_eip.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_guardduty.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_iam.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_iam_analyzer.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_iam_trust_graph.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_kms.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_lambda.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_rds.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_s3.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_sagemaker.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_secrets.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_ssm.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/test_vpc.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/__init__.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_cloudtrail_tampering.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_cryptomining_role.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_datazone_overgrant.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_lambda_function_url.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_mmdsv1_in_use.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_quarantine_policy.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_roles_anywhere_abuse.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_ses_phishing.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_trufflehog_ua.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/aws/threat_feed/test_whoami_confusion.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/conftest.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_blast_radius.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_cli.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_cli_scan.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_config.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_correlate.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_cost_model.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_diff.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_graph.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_history.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_html.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_markdown.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_mcp_server.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_models.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_provider.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_root_cause.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_sarif.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_scanner.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_simulate.py +0 -0
- {cloud_audit-2.3.1 → cloud_audit-2.4.0}/tests/test_soc2_framework.py +0 -0
|
@@ -15,7 +15,7 @@ jobs:
|
|
|
15
15
|
name: Lint & Format
|
|
16
16
|
runs-on: ubuntu-latest
|
|
17
17
|
steps:
|
|
18
|
-
- uses: actions/checkout@
|
|
18
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
19
19
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
|
20
20
|
with:
|
|
21
21
|
python-version: "3.12"
|
|
@@ -28,7 +28,7 @@ jobs:
|
|
|
28
28
|
name: Type Check
|
|
29
29
|
runs-on: ubuntu-latest
|
|
30
30
|
steps:
|
|
31
|
-
- uses: actions/checkout@
|
|
31
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
32
32
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
|
33
33
|
with:
|
|
34
34
|
python-version: "3.12"
|
|
@@ -43,7 +43,7 @@ jobs:
|
|
|
43
43
|
matrix:
|
|
44
44
|
python-version: ["3.10", "3.11", "3.12", "3.13"]
|
|
45
45
|
steps:
|
|
46
|
-
- uses: actions/checkout@
|
|
46
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
47
47
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
|
48
48
|
with:
|
|
49
49
|
python-version: ${{ matrix.python-version }}
|
|
@@ -55,6 +55,6 @@ jobs:
|
|
|
55
55
|
name: Docker Build
|
|
56
56
|
runs-on: ubuntu-latest
|
|
57
57
|
steps:
|
|
58
|
-
- uses: actions/checkout@
|
|
58
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
59
59
|
- run: docker build -t cloud-audit:test .
|
|
60
60
|
- run: docker run --rm cloud-audit:test version
|
|
@@ -18,7 +18,7 @@ jobs:
|
|
|
18
18
|
needs: ci
|
|
19
19
|
runs-on: ubuntu-latest
|
|
20
20
|
steps:
|
|
21
|
-
- uses: actions/checkout@
|
|
21
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
22
22
|
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
|
|
23
23
|
with:
|
|
24
24
|
python-version: "3.12"
|
|
@@ -61,17 +61,17 @@ jobs:
|
|
|
61
61
|
contents: read
|
|
62
62
|
packages: write
|
|
63
63
|
steps:
|
|
64
|
-
- uses: actions/checkout@
|
|
65
|
-
- uses: docker/login-action@
|
|
64
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
65
|
+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
66
66
|
with:
|
|
67
67
|
registry: ghcr.io
|
|
68
68
|
username: ${{ github.actor }}
|
|
69
69
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
70
|
-
- uses: docker/login-action@
|
|
70
|
+
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
|
|
71
71
|
with:
|
|
72
72
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
73
73
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
74
|
-
- uses: docker/metadata-action@
|
|
74
|
+
- uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
|
|
75
75
|
id: meta
|
|
76
76
|
with:
|
|
77
77
|
images: |
|
|
@@ -81,7 +81,7 @@ jobs:
|
|
|
81
81
|
type=semver,pattern={{version}}
|
|
82
82
|
type=semver,pattern={{major}}.{{minor}}
|
|
83
83
|
type=raw,value=latest
|
|
84
|
-
- uses: docker/build-push-action@
|
|
84
|
+
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
|
|
85
85
|
with:
|
|
86
86
|
context: .
|
|
87
87
|
push: true
|
|
@@ -95,7 +95,7 @@ jobs:
|
|
|
95
95
|
permissions:
|
|
96
96
|
contents: write
|
|
97
97
|
steps:
|
|
98
|
-
- uses: actions/checkout@
|
|
98
|
+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
|
|
99
99
|
- name: Extract changelog for this version
|
|
100
100
|
id: changelog
|
|
101
101
|
run: |
|
|
@@ -7,6 +7,108 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.4.0] - 2026-06-30
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- **Data Perimeter Scanner** - new check category (`aws-dp-001` .. `aws-dp-005`)
|
|
15
|
+
that evaluates resource-based policies for the two boundary failures detectable
|
|
16
|
+
from a single account's configuration - read-only, and without AWS Organizations
|
|
17
|
+
access:
|
|
18
|
+
|
|
19
|
+
- **Confused deputy**: an `Allow` statement grants an AWS service principal
|
|
20
|
+
without an `aws:SourceAccount` / `aws:SourceArn` / `aws:SourceOrgID` /
|
|
21
|
+
`aws:SourceOwner` condition (`MEDIUM`). A service acting on behalf of another
|
|
22
|
+
account could be coerced into operating on your resource.
|
|
23
|
+
- **Cross-organization exposure**: an `Allow` statement grants a wildcard
|
|
24
|
+
(`"*"`) or external-account AWS principal without an organization-boundary
|
|
25
|
+
condition (`aws:PrincipalOrgID`, `aws:ResourceOrgID`, `aws:SourceOrgID`, ...).
|
|
26
|
+
Wildcard grants are `HIGH`; a named external account is `LOW` (often an
|
|
27
|
+
intentional partner share). On Secrets Manager these are escalated to
|
|
28
|
+
`CRITICAL` (wildcard) / `MEDIUM` (external) as a direct credential-exfiltration
|
|
29
|
+
path.
|
|
30
|
+
|
|
31
|
+
Services covered: S3 bucket policies (`aws-dp-001`), SNS topic policies
|
|
32
|
+
(`aws-dp-002`), SQS queue policies (`aws-dp-003`), Secrets Manager resource
|
|
33
|
+
policies (`aws-dp-004`), and Lambda resource policies (`aws-dp-005`). Every
|
|
34
|
+
finding ships CLI + Terraform remediation and a breach-cost estimate. Condition
|
|
35
|
+
keys are matched case-insensitively, and condition **values** are evaluated (not
|
|
36
|
+
just key presence) - a guardrail scoped to a *foreign* account or org is still
|
|
37
|
+
flagged. Default SNS/SQS policies relying on `aws:SourceOwner` set to the owner
|
|
38
|
+
account are correctly treated as account-scoped (no false positive). Federated
|
|
39
|
+
provider ARNs in a foreign account are flagged as external; federated URL IdPs
|
|
40
|
+
and `CanonicalUser` principals are out of scope.
|
|
41
|
+
|
|
42
|
+
This closes a gap the dominant open-source scanner explicitly does not cover
|
|
43
|
+
(Prowler issue #7114, "Integrating SCP/RCP Policy Awareness", open since
|
|
44
|
+
2025-03): evaluating data-perimeter condition keys on resource policies. SCP/RCP
|
|
45
|
+
enforcement at the AWS Organizations level is intentionally out of scope.
|
|
46
|
+
Detection taxonomy follows the AWS data perimeter whitepaper and the AWS
|
|
47
|
+
cross-service confused-deputy guidance.
|
|
48
|
+
|
|
49
|
+
- **Proof Mode** - new opt-in `scan --verify` that cross-checks each detected IAM
|
|
50
|
+
privilege-escalation path against the read-only `iam:SimulatePrincipalPolicy`
|
|
51
|
+
API to confirm the principal's policies actually allow the required actions. Each
|
|
52
|
+
path is annotated `verified` with `verification_detail` evidence: `true` = the
|
|
53
|
+
simulator allowed every required action (policy-allowed; *simulated, not
|
|
54
|
+
executed*); `false` = the simulator denied one (the static path is likely a
|
|
55
|
+
false positive); `null` = not asserted. The scan prints
|
|
56
|
+
`Proof Mode: N/M escalation path(s) policy-allowed by IAM simulator`. Honest
|
|
57
|
+
framing throughout: this confirms the permission exists, not end-to-end
|
|
58
|
+
exploitability - the simulator does not factor in SCPs, permission boundaries,
|
|
59
|
+
resource policies, or trust conditions. Resource-scoped methods (`iam:PassRole`,
|
|
60
|
+
`sts:AssumeRole`, compute-hijack) are deliberately left `null` because without
|
|
61
|
+
resource ARNs the simulator evaluates against `*` and would over-report; paths
|
|
62
|
+
gated by unevaluated condition keys are also left `null`.
|
|
63
|
+
`iam:SimulatePrincipalPolicy` has no per-call charge, so the opt-in controls
|
|
64
|
+
latency/throttling only; calls are deduplicated per (principal, action-set). New
|
|
65
|
+
module `proof.py`; `EscalationPath` gains `verified` / `verification_detail`
|
|
66
|
+
(backward compatible, default unchecked). Brings the 2026 "proof, not
|
|
67
|
+
probability" validation trend - which commercial scanners sell as a paid
|
|
68
|
+
flagship - to open-source AWS.
|
|
69
|
+
|
|
70
|
+
- **AgentCore checks** - first OSS scanner with dedicated Amazon Bedrock AgentCore
|
|
71
|
+
(GA 2025-10) coverage: 6 read-only checks `aws-agc-001..006` over the AI agent
|
|
72
|
+
platform. Flags Code Interpreter / Runtime in PUBLIC network mode (egress
|
|
73
|
+
exfiltration), Runtime not enforcing MMDSv2 (metadata credential theft), Memory
|
|
74
|
+
without a customer-managed KMS key, Gateway with no inbound authorizer
|
|
75
|
+
(`authorizerType=NONE`), and Gateway with no enforcing policy engine (missing or
|
|
76
|
+
`LOG_ONLY`). Each finding ships a CLI + Terraform fix and breach-cost estimate,
|
|
77
|
+
and maps to Palo Alto Unit 42 "Cracks in the Bedrock" research. Read-only
|
|
78
|
+
`bedrock-agentcore-control` (no per-call charge); the service is regional and
|
|
79
|
+
absent regions are skipped silently. New module `agentcore.py`; field names,
|
|
80
|
+
operations and enum values verified against the live boto3 service model.
|
|
81
|
+
|
|
82
|
+
### Changed
|
|
83
|
+
|
|
84
|
+
- Check count: 99 -> 110 (across 25 services). AgentCore adds a new service module
|
|
85
|
+
of 6 checks; the data perimeter's 5 checks remain a cross-cutting category over
|
|
86
|
+
existing services, like Threat Feed.
|
|
87
|
+
|
|
88
|
+
### Tests
|
|
89
|
+
|
|
90
|
+
- 836 -> 948 (+112). New file `tests/aws/test_data_perimeter.py`: 43 unit tests
|
|
91
|
+
pinning the `_find_perimeter_gaps` detection engine (confused deputy, cross-org
|
|
92
|
+
wildcard/external, condition-value evaluation so a guardrail pointing at a
|
|
93
|
+
foreign account/org is still flagged, federated provider ARNs, case-insensitive
|
|
94
|
+
conditions, Deny/NotPrincipal/CanonicalUser/malformed handling) plus 17 moto
|
|
95
|
+
integration tests across all five services. New file `tests/test_proof.py`:
|
|
96
|
+
28 tests pinning the Proof Mode engine (decision semantics: allowed /
|
|
97
|
+
explicit+implicit deny / unknown-decision / incomplete / empty / malformed; the
|
|
98
|
+
resource-scoping gate that leaves PassRole/AssumeRole and deny-removal paths
|
|
99
|
+
unasserted; condition-key gating; API-call dedup; per-path error isolation;
|
|
100
|
+
provider-backed path). New file `tests/aws/test_agentcore.py`: 24 fixture-based
|
|
101
|
+
tests (moto lacks bedrock-agentcore-control) covering each check's positive and
|
|
102
|
+
negative cases across network mode, MMDSv2, memory KMS, gateway authorizer and
|
|
103
|
+
policy engine, empty policy config, multi-page pagination, plus
|
|
104
|
+
region-unavailable / access-denied skip and multi-region aggregation.
|
|
105
|
+
|
|
106
|
+
### Compliance
|
|
107
|
+
|
|
108
|
+
- `aws-dp-001` .. `aws-dp-005` mapped: SOC 2 (CC5.2, CC6.1, CC6.6, C1.1),
|
|
109
|
+
CIS AWS v3.0 (2.1.4), HIPAA (164.308(a)(1)(ii)(A), 164.312(a)(1)),
|
|
110
|
+
ISO/IEC 27001:2022 (A.8.3, A.8.12), NIS2 (NIS2-RM-09a), BSI C5:2020 (IDM-07).
|
|
111
|
+
|
|
10
112
|
## [2.3.1] - 2026-05-26
|
|
11
113
|
|
|
12
114
|
### Added
|
|
@@ -0,0 +1,240 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: cloud-audit
|
|
3
|
+
Version: 2.4.0
|
|
4
|
+
Summary: Open-source, read-only AWS security scanner. 110 checks across 25 services, 31 attack-chain rules, 64 IAM escalation methods (incl. lateral AssumeRole graph), Proof Mode exploitability verification, data perimeter and Bedrock AgentCore checks, Blast Radius CLI, Threat Feed, What-If simulator, AI-SPM, 6 compliance frameworks, breach-cost estimation, MCP server. CLI + Terraform remediation on every finding.
|
|
5
|
+
Project-URL: Homepage, https://haitmg.pl/cloud-audit/
|
|
6
|
+
Project-URL: Documentation, https://haitmg.pl/cloud-audit/
|
|
7
|
+
Project-URL: Source, https://github.com/gebalamariusz/cloud-audit
|
|
8
|
+
Project-URL: Repository, https://github.com/gebalamariusz/cloud-audit
|
|
9
|
+
Project-URL: Issues, https://github.com/gebalamariusz/cloud-audit/issues
|
|
10
|
+
Project-URL: Changelog, https://github.com/gebalamariusz/cloud-audit/blob/main/CHANGELOG.md
|
|
11
|
+
Author-email: Mariusz Gebala <kontakt@haitmg.pl>
|
|
12
|
+
License-Expression: MIT
|
|
13
|
+
License-File: LICENSE
|
|
14
|
+
Keywords: audit,aws,aws-security,breach-cost,cis,cis-benchmark,cloud,cloud-security,compliance,devops,devsecops,mcp,mcp-server,model-context-protocol,remediation,sarif,scanner,security,security-scanner,soc2,terraform
|
|
15
|
+
Classifier: Development Status :: 4 - Beta
|
|
16
|
+
Classifier: Environment :: Console
|
|
17
|
+
Classifier: Intended Audience :: Developers
|
|
18
|
+
Classifier: Intended Audience :: Information Technology
|
|
19
|
+
Classifier: Intended Audience :: System Administrators
|
|
20
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
21
|
+
Classifier: Operating System :: OS Independent
|
|
22
|
+
Classifier: Programming Language :: Python :: 3
|
|
23
|
+
Classifier: Programming Language :: Python :: 3.10
|
|
24
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
25
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
26
|
+
Classifier: Programming Language :: Python :: 3.13
|
|
27
|
+
Classifier: Topic :: Security
|
|
28
|
+
Classifier: Topic :: System :: Systems Administration
|
|
29
|
+
Classifier: Typing :: Typed
|
|
30
|
+
Requires-Python: >=3.10
|
|
31
|
+
Requires-Dist: boto3>=1.35.0
|
|
32
|
+
Requires-Dist: jinja2>=3.1.6
|
|
33
|
+
Requires-Dist: mcp>=1.20.0
|
|
34
|
+
Requires-Dist: pydantic>=2.10.0
|
|
35
|
+
Requires-Dist: pyyaml>=6.0
|
|
36
|
+
Requires-Dist: rich>=13.9.0
|
|
37
|
+
Requires-Dist: typer>=0.15.0
|
|
38
|
+
Provides-Extra: dev
|
|
39
|
+
Requires-Dist: boto3-stubs[essential]>=1.35.0; extra == 'dev'
|
|
40
|
+
Requires-Dist: moto[all]>=5.0.0; extra == 'dev'
|
|
41
|
+
Requires-Dist: mypy>=1.13.0; extra == 'dev'
|
|
42
|
+
Requires-Dist: pytest-cov>=6.0; extra == 'dev'
|
|
43
|
+
Requires-Dist: pytest>=8.0; extra == 'dev'
|
|
44
|
+
Requires-Dist: ruff>=0.8.0; extra == 'dev'
|
|
45
|
+
Requires-Dist: types-pyyaml>=6.0; extra == 'dev'
|
|
46
|
+
Description-Content-Type: text/markdown
|
|
47
|
+
|
|
48
|
+
<p align="center">
|
|
49
|
+
<img src="assets/logo-nobg.png" alt="cloud-audit logo" width="200">
|
|
50
|
+
</p>
|
|
51
|
+
|
|
52
|
+
<!-- mcp-name: io.github.gebalamariusz/cloud-audit -->
|
|
53
|
+
<h1 align="center">cloud-audit</h1>
|
|
54
|
+
|
|
55
|
+
<p align="center">
|
|
56
|
+
<a href="README.md">English</a> | <a href="README_zh-CN.md">简体中文</a>
|
|
57
|
+
</p>
|
|
58
|
+
|
|
59
|
+
<p align="center">
|
|
60
|
+
<strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
|
|
61
|
+
</p>
|
|
62
|
+
|
|
63
|
+
<p align="center">
|
|
64
|
+
Open-source, read-only AWS security scanner. It correlates findings into attack chains,
|
|
65
|
+
ranks fixes by how many chains they break, and ships an <strong>AWS CLI + Terraform fix with
|
|
66
|
+
every finding</strong>. No agent, no infrastructure, nothing written to your account.
|
|
67
|
+
</p>
|
|
68
|
+
|
|
69
|
+
<p align="center">
|
|
70
|
+
<a href="https://pypi.org/project/cloud-audit/"><img src="https://img.shields.io/pypi/v/cloud-audit?style=flat" alt="PyPI version"></a>
|
|
71
|
+
<a href="https://pypi.org/project/cloud-audit/"><img src="https://img.shields.io/pypi/pyversions/cloud-audit?style=flat" alt="Python versions"></a>
|
|
72
|
+
<a href="https://github.com/gebalamariusz/cloud-audit/actions/workflows/ci.yml"><img src="https://github.com/gebalamariusz/cloud-audit/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
|
|
73
|
+
<a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow?style=flat" alt="License: MIT"></a>
|
|
74
|
+
<a href="https://ghcr.io/gebalamariusz/cloud-audit"><img src="https://img.shields.io/badge/Docker-GHCR-blue?style=flat&logo=docker" alt="Docker"></a>
|
|
75
|
+
<a href="https://haitmg.pl/cloud-audit/"><img src="https://img.shields.io/badge/Docs-haitmg.pl-blue?style=flat" alt="Documentation"></a>
|
|
76
|
+
</p>
|
|
77
|
+
|
|
78
|
+
<p align="center">
|
|
79
|
+
<a href="#quick-start">Quick Start</a> -
|
|
80
|
+
<a href="#what-you-get">What You Get</a> -
|
|
81
|
+
<a href="#installation">Installation</a> -
|
|
82
|
+
<a href="#whats-checked">What's Checked</a> -
|
|
83
|
+
<a href="https://haitmg.pl/cloud-audit/">Documentation</a>
|
|
84
|
+
</p>
|
|
85
|
+
|
|
86
|
+
## Quick Start
|
|
87
|
+
|
|
88
|
+
```bash
|
|
89
|
+
pip install cloud-audit
|
|
90
|
+
cloud-audit scan # uses your default AWS credentials and region
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
No AWS account handy? Run a full sample report offline:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
cloud-audit demo
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
cloud-audit is **read-only**. It never modifies your infrastructure; `SecurityAudit` is enough ([permissions](#aws-permissions)).
|
|
100
|
+
|
|
101
|
+
## Example Output
|
|
102
|
+
|
|
103
|
+
```
|
|
104
|
+
+---- Attack Chains (5 detected) -----------------------------------+
|
|
105
|
+
| CRITICAL Internet-Exposed Admin Instance |
|
|
106
|
+
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
|
|
107
|
+
| CRITICAL IAM Privilege Escalation via iam:PassRole |
|
|
108
|
+
| ci-deploy-role - 3-step path to admin |
|
|
109
|
+
| CRITICAL CI/CD to Admin Takeover |
|
|
110
|
+
| github-deploy - OIDC without sub + admin policy |
|
|
111
|
+
+-------------------------------------------------------------------+
|
|
112
|
+
|
|
113
|
+
+---- Remediation Plan ---------------------------------------------+
|
|
114
|
+
| Fix 4 root causes, break 22 attack chains |
|
|
115
|
+
| Quick wins (effort LOW, 14 chains): |
|
|
116
|
+
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
|
|
117
|
+
| 2. Add OIDC sub condition -> breaks 6 chains |
|
|
118
|
+
+-------------------------------------------------------------------+
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
Preview a fix before you touch anything:
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
cloud-audit simulate --fix aws-vpc-002
|
|
125
|
+
# Score 34 -> 58 (+24) | Chains broken 8 of 22 | Findings resolved 11
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
## What You Get
|
|
129
|
+
|
|
130
|
+
- **Attack chains** // 31 rules correlate individual findings into exploitable paths (MITRE ATT&CK + pathfinding.cloud). [docs](https://haitmg.pl/cloud-audit/features/attack-chains/)
|
|
131
|
+
- **Root-cause fixes** // groups findings by shared cause and ranks them: "fix 4 things, break 22 chains," with a what-if `simulate` to preview impact. [docs](https://haitmg.pl/cloud-audit/features/simulate/)
|
|
132
|
+
- **IAM privilege escalation** // 64 methods across 9 categories, including lateral movement through the AssumeRole graph. [docs](https://haitmg.pl/cloud-audit/features/iam-escalation/)
|
|
133
|
+
- **Blast radius** // walk outward from any resource to see what an attacker reaches; export JSON to the live [visualizer](https://blast-audit.haitmg.pl/). [docs](https://haitmg.pl/cloud-audit/features/blast-radius/)
|
|
134
|
+
- **Proof Mode** // `scan --verify` checks each escalation path against the IAM policy simulator (read-only) and flags the ones the principal can actually perform. [docs](https://haitmg.pl/cloud-audit/features/proof-mode/)
|
|
135
|
+
- **Data perimeter** // resource-policy checks for confused-deputy and cross-org exposure, evaluating condition *values* (not just their presence). [docs](https://haitmg.pl/cloud-audit/features/data-perimeter/)
|
|
136
|
+
- **AgentCore security** // checks for Amazon Bedrock AgentCore AI agents: network mode, MMDSv2, memory encryption, gateway authorizer. [docs](https://haitmg.pl/cloud-audit/features/agentcore/)
|
|
137
|
+
- **Threat Feed** // 10 detectors for active-abuse patterns from 2025-2026 incidents, each with a primary-source citation. [docs](https://haitmg.pl/cloud-audit/features/threat-feed/)
|
|
138
|
+
- **Remediation on every finding** // copy-paste AWS CLI + reviewable Terraform you apply yourself; security findings also carry a USD breach-cost estimate with sources.
|
|
139
|
+
- **Trend & drift** // `cloud-audit diff` catches ClickOps drift between scans; `cloud-audit trend` tracks posture over time.
|
|
140
|
+
|
|
141
|
+
<p align="center">
|
|
142
|
+
<a href="https://blast-audit.haitmg.pl/">
|
|
143
|
+
<img src="assets/blast-audit-boardroom.png" alt="blast-audit visualizer - executive briefing view" width="760">
|
|
144
|
+
</a>
|
|
145
|
+
<br>
|
|
146
|
+
<sub>Drop a <code>cloud-audit blast-radius --format json</code> export into the open visualizer at
|
|
147
|
+
<a href="https://blast-audit.haitmg.pl/">blast-audit.haitmg.pl</a> - everything runs in your browser.</sub>
|
|
148
|
+
</p>
|
|
149
|
+
|
|
150
|
+
## Reports
|
|
151
|
+
|
|
152
|
+
```bash
|
|
153
|
+
cloud-audit scan --format html -o report.html # client-ready
|
|
154
|
+
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
|
|
155
|
+
cloud-audit scan --format json -o report.json # machine-readable
|
|
156
|
+
cloud-audit scan --format markdown -o report.md # PR comments
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
## CI/CD
|
|
160
|
+
|
|
161
|
+
```yaml
|
|
162
|
+
- run: pip install cloud-audit
|
|
163
|
+
- run: cloud-audit scan --format sarif --output results.sarif
|
|
164
|
+
- uses: github/codeql-action/upload-sarif@v3
|
|
165
|
+
with:
|
|
166
|
+
sarif_file: results.sarif
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
`--quiet` exits with a code only: `0` clean, `1` findings, `2` error. Gate on severity with `--min-severity high`. Ready-made workflows: [basic scan](examples/github-actions.yml), [daily diff](examples/daily-scan-with-diff.yml), [post-deploy](examples/post-deploy-scan.yml).
|
|
170
|
+
|
|
171
|
+
## Installation
|
|
172
|
+
|
|
173
|
+
```bash
|
|
174
|
+
pip install cloud-audit # pip (recommended)
|
|
175
|
+
pipx install cloud-audit # isolated
|
|
176
|
+
docker run ghcr.io/gebalamariusz/cloud-audit scan # Docker
|
|
177
|
+
```
|
|
178
|
+
|
|
179
|
+
Docker with credentials:
|
|
180
|
+
|
|
181
|
+
```bash
|
|
182
|
+
docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan
|
|
183
|
+
```
|
|
184
|
+
|
|
185
|
+
## AWS Permissions
|
|
186
|
+
|
|
187
|
+
Read-only. Attach the AWS-managed `SecurityAudit` policy (covers every check, including IAM escalation analysis):
|
|
188
|
+
|
|
189
|
+
```bash
|
|
190
|
+
aws iam attach-role-policy --role-name auditor \
|
|
191
|
+
--policy-arn arn:aws:iam::aws:policy/SecurityAudit
|
|
192
|
+
```
|
|
193
|
+
|
|
194
|
+
cloud-audit never modifies your infrastructure. `simulate` runs locally against scan data and makes no AWS calls.
|
|
195
|
+
|
|
196
|
+
## What's Checked
|
|
197
|
+
|
|
198
|
+
**110 checks across 25 AWS services** - IAM, S3, EC2, VPC, RDS, KMS, CloudTrail, GuardDuty, Lambda, Secrets Manager, Bedrock, SageMaker, Bedrock AgentCore, DynamoDB, and more. Run `cloud-audit list-checks`, or see the [full check reference](https://haitmg.pl/cloud-audit/checks/).
|
|
199
|
+
|
|
200
|
+
**6 compliance frameworks** via `scan --compliance <id>`: CIS AWS v3.0 and SOC 2 Type II (stable), plus ISO 27001:2022, HIPAA, NIS2, and BSI C5:2020 (beta). [docs](https://haitmg.pl/cloud-audit/compliance/overview/)
|
|
201
|
+
|
|
202
|
+
**MCP server** for AI agents - 6 read-only tools (`scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`):
|
|
203
|
+
|
|
204
|
+
```bash
|
|
205
|
+
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
|
|
206
|
+
```
|
|
207
|
+
|
|
208
|
+
<details>
|
|
209
|
+
<summary>Common flags and configuration</summary>
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
cloud-audit scan -R # show remediation inline
|
|
213
|
+
cloud-audit scan --profile prod --regions eu-central-1 # profile / region
|
|
214
|
+
cloud-audit scan --regions all # all enabled regions
|
|
215
|
+
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # cross-account
|
|
216
|
+
cloud-audit scan --export-fixes fixes.sh # export all fixes
|
|
217
|
+
```
|
|
218
|
+
|
|
219
|
+
Configure defaults in `.cloud-audit.yml` (regions, `min_severity`, `exclude_checks`, time-boxed `suppressions`). Environment variables (`CLOUD_AUDIT_REGIONS`, `CLOUD_AUDIT_MIN_SEVERITY`, ...) override the file; CLI flags override everything. See the [configuration guide](https://haitmg.pl/cloud-audit/configuration/config-file/).
|
|
220
|
+
|
|
221
|
+
</details>
|
|
222
|
+
|
|
223
|
+
## Documentation
|
|
224
|
+
|
|
225
|
+
Full documentation at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**: [getting started](https://haitmg.pl/cloud-audit/getting-started/installation/), [attack chains](https://haitmg.pl/cloud-audit/features/attack-chains/), [IAM escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/), [blast radius](https://haitmg.pl/cloud-audit/features/blast-radius/), [Proof Mode](https://haitmg.pl/cloud-audit/features/proof-mode/), [data perimeter](https://haitmg.pl/cloud-audit/features/data-perimeter/), [AgentCore](https://haitmg.pl/cloud-audit/features/agentcore/), [compliance](https://haitmg.pl/cloud-audit/compliance/overview/), and the [full check reference](https://haitmg.pl/cloud-audit/checks/).
|
|
226
|
+
|
|
227
|
+
## Development
|
|
228
|
+
|
|
229
|
+
```bash
|
|
230
|
+
git clone https://github.com/gebalamariusz/cloud-audit.git
|
|
231
|
+
cd cloud-audit
|
|
232
|
+
pip install -e ".[dev]"
|
|
233
|
+
pytest -q && ruff check src/ tests/ && mypy src/
|
|
234
|
+
```
|
|
235
|
+
|
|
236
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md) to add a check. Past releases in [CHANGELOG.md](CHANGELOG.md).
|
|
237
|
+
|
|
238
|
+
## License
|
|
239
|
+
|
|
240
|
+
[MIT](LICENSE) - Mariusz Gebala / [HAIT](https://haitmg.pl)
|
|
@@ -0,0 +1,193 @@
|
|
|
1
|
+
<p align="center">
|
|
2
|
+
<img src="assets/logo-nobg.png" alt="cloud-audit logo" width="200">
|
|
3
|
+
</p>
|
|
4
|
+
|
|
5
|
+
<!-- mcp-name: io.github.gebalamariusz/cloud-audit -->
|
|
6
|
+
<h1 align="center">cloud-audit</h1>
|
|
7
|
+
|
|
8
|
+
<p align="center">
|
|
9
|
+
<a href="README.md">English</a> | <a href="README_zh-CN.md">简体中文</a>
|
|
10
|
+
</p>
|
|
11
|
+
|
|
12
|
+
<p align="center">
|
|
13
|
+
<strong>Find AWS attack paths, IAM escalation routes, and the fixes that matter most.</strong>
|
|
14
|
+
</p>
|
|
15
|
+
|
|
16
|
+
<p align="center">
|
|
17
|
+
Open-source, read-only AWS security scanner. It correlates findings into attack chains,
|
|
18
|
+
ranks fixes by how many chains they break, and ships an <strong>AWS CLI + Terraform fix with
|
|
19
|
+
every finding</strong>. No agent, no infrastructure, nothing written to your account.
|
|
20
|
+
</p>
|
|
21
|
+
|
|
22
|
+
<p align="center">
|
|
23
|
+
<a href="https://pypi.org/project/cloud-audit/"><img src="https://img.shields.io/pypi/v/cloud-audit?style=flat" alt="PyPI version"></a>
|
|
24
|
+
<a href="https://pypi.org/project/cloud-audit/"><img src="https://img.shields.io/pypi/pyversions/cloud-audit?style=flat" alt="Python versions"></a>
|
|
25
|
+
<a href="https://github.com/gebalamariusz/cloud-audit/actions/workflows/ci.yml"><img src="https://github.com/gebalamariusz/cloud-audit/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
|
|
26
|
+
<a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-yellow?style=flat" alt="License: MIT"></a>
|
|
27
|
+
<a href="https://ghcr.io/gebalamariusz/cloud-audit"><img src="https://img.shields.io/badge/Docker-GHCR-blue?style=flat&logo=docker" alt="Docker"></a>
|
|
28
|
+
<a href="https://haitmg.pl/cloud-audit/"><img src="https://img.shields.io/badge/Docs-haitmg.pl-blue?style=flat" alt="Documentation"></a>
|
|
29
|
+
</p>
|
|
30
|
+
|
|
31
|
+
<p align="center">
|
|
32
|
+
<a href="#quick-start">Quick Start</a> -
|
|
33
|
+
<a href="#what-you-get">What You Get</a> -
|
|
34
|
+
<a href="#installation">Installation</a> -
|
|
35
|
+
<a href="#whats-checked">What's Checked</a> -
|
|
36
|
+
<a href="https://haitmg.pl/cloud-audit/">Documentation</a>
|
|
37
|
+
</p>
|
|
38
|
+
|
|
39
|
+
## Quick Start
|
|
40
|
+
|
|
41
|
+
```bash
|
|
42
|
+
pip install cloud-audit
|
|
43
|
+
cloud-audit scan # uses your default AWS credentials and region
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
No AWS account handy? Run a full sample report offline:
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
cloud-audit demo
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
cloud-audit is **read-only**. It never modifies your infrastructure; `SecurityAudit` is enough ([permissions](#aws-permissions)).
|
|
53
|
+
|
|
54
|
+
## Example Output
|
|
55
|
+
|
|
56
|
+
```
|
|
57
|
+
+---- Attack Chains (5 detected) -----------------------------------+
|
|
58
|
+
| CRITICAL Internet-Exposed Admin Instance |
|
|
59
|
+
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
|
|
60
|
+
| CRITICAL IAM Privilege Escalation via iam:PassRole |
|
|
61
|
+
| ci-deploy-role - 3-step path to admin |
|
|
62
|
+
| CRITICAL CI/CD to Admin Takeover |
|
|
63
|
+
| github-deploy - OIDC without sub + admin policy |
|
|
64
|
+
+-------------------------------------------------------------------+
|
|
65
|
+
|
|
66
|
+
+---- Remediation Plan ---------------------------------------------+
|
|
67
|
+
| Fix 4 root causes, break 22 attack chains |
|
|
68
|
+
| Quick wins (effort LOW, 14 chains): |
|
|
69
|
+
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
|
|
70
|
+
| 2. Add OIDC sub condition -> breaks 6 chains |
|
|
71
|
+
+-------------------------------------------------------------------+
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Preview a fix before you touch anything:
|
|
75
|
+
|
|
76
|
+
```bash
|
|
77
|
+
cloud-audit simulate --fix aws-vpc-002
|
|
78
|
+
# Score 34 -> 58 (+24) | Chains broken 8 of 22 | Findings resolved 11
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
## What You Get
|
|
82
|
+
|
|
83
|
+
- **Attack chains** // 31 rules correlate individual findings into exploitable paths (MITRE ATT&CK + pathfinding.cloud). [docs](https://haitmg.pl/cloud-audit/features/attack-chains/)
|
|
84
|
+
- **Root-cause fixes** // groups findings by shared cause and ranks them: "fix 4 things, break 22 chains," with a what-if `simulate` to preview impact. [docs](https://haitmg.pl/cloud-audit/features/simulate/)
|
|
85
|
+
- **IAM privilege escalation** // 64 methods across 9 categories, including lateral movement through the AssumeRole graph. [docs](https://haitmg.pl/cloud-audit/features/iam-escalation/)
|
|
86
|
+
- **Blast radius** // walk outward from any resource to see what an attacker reaches; export JSON to the live [visualizer](https://blast-audit.haitmg.pl/). [docs](https://haitmg.pl/cloud-audit/features/blast-radius/)
|
|
87
|
+
- **Proof Mode** // `scan --verify` checks each escalation path against the IAM policy simulator (read-only) and flags the ones the principal can actually perform. [docs](https://haitmg.pl/cloud-audit/features/proof-mode/)
|
|
88
|
+
- **Data perimeter** // resource-policy checks for confused-deputy and cross-org exposure, evaluating condition *values* (not just their presence). [docs](https://haitmg.pl/cloud-audit/features/data-perimeter/)
|
|
89
|
+
- **AgentCore security** // checks for Amazon Bedrock AgentCore AI agents: network mode, MMDSv2, memory encryption, gateway authorizer. [docs](https://haitmg.pl/cloud-audit/features/agentcore/)
|
|
90
|
+
- **Threat Feed** // 10 detectors for active-abuse patterns from 2025-2026 incidents, each with a primary-source citation. [docs](https://haitmg.pl/cloud-audit/features/threat-feed/)
|
|
91
|
+
- **Remediation on every finding** // copy-paste AWS CLI + reviewable Terraform you apply yourself; security findings also carry a USD breach-cost estimate with sources.
|
|
92
|
+
- **Trend & drift** // `cloud-audit diff` catches ClickOps drift between scans; `cloud-audit trend` tracks posture over time.
|
|
93
|
+
|
|
94
|
+
<p align="center">
|
|
95
|
+
<a href="https://blast-audit.haitmg.pl/">
|
|
96
|
+
<img src="assets/blast-audit-boardroom.png" alt="blast-audit visualizer - executive briefing view" width="760">
|
|
97
|
+
</a>
|
|
98
|
+
<br>
|
|
99
|
+
<sub>Drop a <code>cloud-audit blast-radius --format json</code> export into the open visualizer at
|
|
100
|
+
<a href="https://blast-audit.haitmg.pl/">blast-audit.haitmg.pl</a> - everything runs in your browser.</sub>
|
|
101
|
+
</p>
|
|
102
|
+
|
|
103
|
+
## Reports
|
|
104
|
+
|
|
105
|
+
```bash
|
|
106
|
+
cloud-audit scan --format html -o report.html # client-ready
|
|
107
|
+
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
|
|
108
|
+
cloud-audit scan --format json -o report.json # machine-readable
|
|
109
|
+
cloud-audit scan --format markdown -o report.md # PR comments
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
## CI/CD
|
|
113
|
+
|
|
114
|
+
```yaml
|
|
115
|
+
- run: pip install cloud-audit
|
|
116
|
+
- run: cloud-audit scan --format sarif --output results.sarif
|
|
117
|
+
- uses: github/codeql-action/upload-sarif@v3
|
|
118
|
+
with:
|
|
119
|
+
sarif_file: results.sarif
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
`--quiet` exits with a code only: `0` clean, `1` findings, `2` error. Gate on severity with `--min-severity high`. Ready-made workflows: [basic scan](examples/github-actions.yml), [daily diff](examples/daily-scan-with-diff.yml), [post-deploy](examples/post-deploy-scan.yml).
|
|
123
|
+
|
|
124
|
+
## Installation
|
|
125
|
+
|
|
126
|
+
```bash
|
|
127
|
+
pip install cloud-audit # pip (recommended)
|
|
128
|
+
pipx install cloud-audit # isolated
|
|
129
|
+
docker run ghcr.io/gebalamariusz/cloud-audit scan # Docker
|
|
130
|
+
```
|
|
131
|
+
|
|
132
|
+
Docker with credentials:
|
|
133
|
+
|
|
134
|
+
```bash
|
|
135
|
+
docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
## AWS Permissions
|
|
139
|
+
|
|
140
|
+
Read-only. Attach the AWS-managed `SecurityAudit` policy (covers every check, including IAM escalation analysis):
|
|
141
|
+
|
|
142
|
+
```bash
|
|
143
|
+
aws iam attach-role-policy --role-name auditor \
|
|
144
|
+
--policy-arn arn:aws:iam::aws:policy/SecurityAudit
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
cloud-audit never modifies your infrastructure. `simulate` runs locally against scan data and makes no AWS calls.
|
|
148
|
+
|
|
149
|
+
## What's Checked
|
|
150
|
+
|
|
151
|
+
**110 checks across 25 AWS services** - IAM, S3, EC2, VPC, RDS, KMS, CloudTrail, GuardDuty, Lambda, Secrets Manager, Bedrock, SageMaker, Bedrock AgentCore, DynamoDB, and more. Run `cloud-audit list-checks`, or see the [full check reference](https://haitmg.pl/cloud-audit/checks/).
|
|
152
|
+
|
|
153
|
+
**6 compliance frameworks** via `scan --compliance <id>`: CIS AWS v3.0 and SOC 2 Type II (stable), plus ISO 27001:2022, HIPAA, NIS2, and BSI C5:2020 (beta). [docs](https://haitmg.pl/cloud-audit/compliance/overview/)
|
|
154
|
+
|
|
155
|
+
**MCP server** for AI agents - 6 read-only tools (`scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`):
|
|
156
|
+
|
|
157
|
+
```bash
|
|
158
|
+
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
<details>
|
|
162
|
+
<summary>Common flags and configuration</summary>
|
|
163
|
+
|
|
164
|
+
```bash
|
|
165
|
+
cloud-audit scan -R # show remediation inline
|
|
166
|
+
cloud-audit scan --profile prod --regions eu-central-1 # profile / region
|
|
167
|
+
cloud-audit scan --regions all # all enabled regions
|
|
168
|
+
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # cross-account
|
|
169
|
+
cloud-audit scan --export-fixes fixes.sh # export all fixes
|
|
170
|
+
```
|
|
171
|
+
|
|
172
|
+
Configure defaults in `.cloud-audit.yml` (regions, `min_severity`, `exclude_checks`, time-boxed `suppressions`). Environment variables (`CLOUD_AUDIT_REGIONS`, `CLOUD_AUDIT_MIN_SEVERITY`, ...) override the file; CLI flags override everything. See the [configuration guide](https://haitmg.pl/cloud-audit/configuration/config-file/).
|
|
173
|
+
|
|
174
|
+
</details>
|
|
175
|
+
|
|
176
|
+
## Documentation
|
|
177
|
+
|
|
178
|
+
Full documentation at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**: [getting started](https://haitmg.pl/cloud-audit/getting-started/installation/), [attack chains](https://haitmg.pl/cloud-audit/features/attack-chains/), [IAM escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/), [blast radius](https://haitmg.pl/cloud-audit/features/blast-radius/), [Proof Mode](https://haitmg.pl/cloud-audit/features/proof-mode/), [data perimeter](https://haitmg.pl/cloud-audit/features/data-perimeter/), [AgentCore](https://haitmg.pl/cloud-audit/features/agentcore/), [compliance](https://haitmg.pl/cloud-audit/compliance/overview/), and the [full check reference](https://haitmg.pl/cloud-audit/checks/).
|
|
179
|
+
|
|
180
|
+
## Development
|
|
181
|
+
|
|
182
|
+
```bash
|
|
183
|
+
git clone https://github.com/gebalamariusz/cloud-audit.git
|
|
184
|
+
cd cloud-audit
|
|
185
|
+
pip install -e ".[dev]"
|
|
186
|
+
pytest -q && ruff check src/ tests/ && mypy src/
|
|
187
|
+
```
|
|
188
|
+
|
|
189
|
+
See [CONTRIBUTING.md](CONTRIBUTING.md) to add a check. Past releases in [CHANGELOG.md](CHANGELOG.md).
|
|
190
|
+
|
|
191
|
+
## License
|
|
192
|
+
|
|
193
|
+
[MIT](LICENSE) - Mariusz Gebala / [HAIT](https://haitmg.pl)
|
|
@@ -4,8 +4,8 @@ build-backend = "hatchling.build"
|
|
|
4
4
|
|
|
5
5
|
[project]
|
|
6
6
|
name = "cloud-audit"
|
|
7
|
-
version = "2.
|
|
8
|
-
description = "Open-source AWS security scanner.
|
|
7
|
+
version = "2.4.0"
|
|
8
|
+
description = "Open-source, read-only AWS security scanner. 110 checks across 25 services, 31 attack-chain rules, 64 IAM escalation methods (incl. lateral AssumeRole graph), Proof Mode exploitability verification, data perimeter and Bedrock AgentCore checks, Blast Radius CLI, Threat Feed, What-If simulator, AI-SPM, 6 compliance frameworks, breach-cost estimation, MCP server. CLI + Terraform remediation on every finding."
|
|
9
9
|
readme = "README.md"
|
|
10
10
|
license = "MIT"
|
|
11
11
|
requires-python = ">=3.10"
|