stacksage 0.7.5__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (48) hide show
  1. stacksage-0.7.5/MANIFEST.in +32 -0
  2. stacksage-0.7.5/PKG-INFO +225 -0
  3. stacksage-0.7.5/README.md +132 -0
  4. stacksage-0.7.5/README.pypi.md +197 -0
  5. stacksage-0.7.5/TROUBLESHOOTING.md +182 -0
  6. stacksage-0.7.5/pyproject.toml +55 -0
  7. stacksage-0.7.5/requirements.txt +10 -0
  8. stacksage-0.7.5/setup.cfg +4 -0
  9. stacksage-0.7.5/stacksage/__init__.py +1 -0
  10. stacksage-0.7.5/stacksage/ai/__init__.py +1 -0
  11. stacksage-0.7.5/stacksage/ai/summarizer.py +49 -0
  12. stacksage-0.7.5/stacksage/analyzer/__init__.py +1 -0
  13. stacksage-0.7.5/stacksage/analyzer/analysis.py +468 -0
  14. stacksage-0.7.5/stacksage/analyzer/detectors/__init__.py +72 -0
  15. stacksage-0.7.5/stacksage/analyzer/detectors/architecture.py +1102 -0
  16. stacksage-0.7.5/stacksage/analyzer/detectors/cdn.py +247 -0
  17. stacksage-0.7.5/stacksage/analyzer/detectors/cloudwatch.py +263 -0
  18. stacksage-0.7.5/stacksage/analyzer/detectors/dynamodb.py +185 -0
  19. stacksage-0.7.5/stacksage/analyzer/detectors/ebs.py +642 -0
  20. stacksage-0.7.5/stacksage/analyzer/detectors/ec2.py +628 -0
  21. stacksage-0.7.5/stacksage/analyzer/detectors/elasticache.py +234 -0
  22. stacksage-0.7.5/stacksage/analyzer/detectors/guardrails.py +234 -0
  23. stacksage-0.7.5/stacksage/analyzer/detectors/network.py +815 -0
  24. stacksage-0.7.5/stacksage/analyzer/detectors/posture.py +1082 -0
  25. stacksage-0.7.5/stacksage/analyzer/detectors/rds.py +517 -0
  26. stacksage-0.7.5/stacksage/analyzer/detectors/s3.py +54 -0
  27. stacksage-0.7.5/stacksage/analyzer/detectors/tagging.py +136 -0
  28. stacksage-0.7.5/stacksage/analyzer/evidence.py +234 -0
  29. stacksage-0.7.5/stacksage/analyzer/metrics.py +251 -0
  30. stacksage-0.7.5/stacksage/cli/__init__.py +1 -0
  31. stacksage-0.7.5/stacksage/cli/cli.py +807 -0
  32. stacksage-0.7.5/stacksage/cli/free_tier.py +82 -0
  33. stacksage-0.7.5/stacksage/cli/logging_util.py +27 -0
  34. stacksage-0.7.5/stacksage/cli/report_gen.py +835 -0
  35. stacksage-0.7.5/stacksage/cli/telemetry.py +115 -0
  36. stacksage-0.7.5/stacksage/config.py +313 -0
  37. stacksage-0.7.5/stacksage/costs.py +237 -0
  38. stacksage-0.7.5/stacksage/licensing.py +213 -0
  39. stacksage-0.7.5/stacksage/pricing.py +526 -0
  40. stacksage-0.7.5/stacksage/scanner/__init__.py +1 -0
  41. stacksage-0.7.5/stacksage/scanner/aws_scanner.py +966 -0
  42. stacksage-0.7.5/stacksage/templates/report.html.jinja +1148 -0
  43. stacksage-0.7.5/stacksage.egg-info/PKG-INFO +225 -0
  44. stacksage-0.7.5/stacksage.egg-info/SOURCES.txt +46 -0
  45. stacksage-0.7.5/stacksage.egg-info/dependency_links.txt +1 -0
  46. stacksage-0.7.5/stacksage.egg-info/entry_points.txt +2 -0
  47. stacksage-0.7.5/stacksage.egg-info/requires.txt +5 -0
  48. stacksage-0.7.5/stacksage.egg-info/top_level.txt +1 -0
@@ -0,0 +1,32 @@
1
+ # MANIFEST.in — controls what gets included in the sdist (source distribution).
2
+ # The wheel is built via build_wheel.sh which compiles + strips .py for key modules.
3
+
4
+ # Include essential project files
5
+ include README.md
6
+ include README.pypi.md
7
+ include TROUBLESHOOTING.md
8
+ include requirements.txt
9
+ include pyproject.toml
10
+
11
+ # Include all package source (sdist only — wheel build script strips the sensitive ones)
12
+ recursive-include stacksage *.py
13
+ recursive-include stacksage *.jinja2
14
+ recursive-include stacksage *.html
15
+ recursive-include stacksage *.css
16
+ recursive-include stacksage *.js
17
+ recursive-include stacksage/templates *
18
+
19
+ # Explicitly exclude compiled artefacts from sdist (they're platform-specific)
20
+ recursive-exclude stacksage *.so
21
+ recursive-exclude stacksage *.pyc
22
+ recursive-exclude stacksage *.c
23
+ recursive-exclude stacksage __pycache__
24
+
25
+ # Exclude test + dev files from distributions
26
+ recursive-exclude tests *
27
+ recursive-exclude docs *
28
+ recursive-exclude scripts *
29
+ exclude Dockerfile
30
+ exclude Dockerfile.trial
31
+ exclude .pre-commit-config.yaml
32
+ exclude pytest.ini
@@ -0,0 +1,225 @@
1
+ Metadata-Version: 2.4
2
+ Name: stacksage
3
+ Version: 0.7.5
4
+ Summary: AWS cost & security audit — runs on your machine, nothing shared
5
+ License-Expression: LicenseRef-Commercial
6
+ Project-URL: Homepage, https://stacksageai.com
7
+ Project-URL: Documentation, https://stacksageai.com/docs
8
+ Project-URL: Changelog, https://stacksageai.com/docs
9
+ Keywords: aws,cloud,cost,audit,security,finops,optimization,cloud-cost
10
+ Classifier: Development Status :: 4 - Beta
11
+ Classifier: Intended Audience :: Developers
12
+ Classifier: Intended Audience :: System Administrators
13
+ Classifier: Operating System :: OS Independent
14
+ Classifier: Programming Language :: Python :: 3
15
+ Classifier: Programming Language :: Python :: 3.10
16
+ Classifier: Programming Language :: Python :: 3.11
17
+ Classifier: Programming Language :: Python :: 3.12
18
+ Classifier: Topic :: System :: Systems Administration
19
+ Classifier: Topic :: Office/Business :: Financial
20
+ Classifier: Topic :: Internet
21
+ Requires-Python: >=3.10
22
+ Description-Content-Type: text/markdown
23
+ Requires-Dist: boto3>=1.28.0
24
+ Requires-Dist: click>=8.1.0
25
+ Requires-Dist: jinja2>=3.1.0
26
+ Requires-Dist: pyyaml>=6.0.0
27
+ Requires-Dist: cryptography>=41.0.0
28
+
29
+ # StackSage
30
+
31
+ **Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.**
32
+
33
+ [![PyPI version](https://badge.fury.io/py/stacksage.svg)](https://pypi.org/project/stacksage/)
34
+ [![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org)
35
+
36
+ StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.
37
+
38
+ → **[Live demo report](https://stacksageai.com/demo-report)** · [Documentation](https://stacksageai.com/docs) · [Pricing](https://stacksageai.com/#pricing)
39
+
40
+ ---
41
+
42
+ ## Install
43
+
44
+ ```bash
45
+ pip install stacksage
46
+ ```
47
+
48
+ ---
49
+
50
+ ## Quick start
51
+
52
+ **Option 1 — local AWS credentials or SSO profile:**
53
+
54
+ ```bash
55
+ stacksage scan
56
+ stacksage scan --profile my-sso-profile
57
+ ```
58
+
59
+ **Option 2 — assume a cross-account read-only role:**
60
+
61
+ ```bash
62
+ stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly
63
+ ```
64
+
65
+ StackSage opens the HTML report in your browser automatically when the scan completes.
66
+
67
+ ---
68
+
69
+ ## Free tier
70
+
71
+ Run a full scan on any AWS account at no cost. The free tier shows your **top 50 findings ranked by estimated monthly savings**.
72
+
73
+ To unlock all findings, [get a license key](https://stacksageai.com/#pricing) and set:
74
+
75
+ ```bash
76
+ export STACKSAGE_LICENSE=your-key
77
+ stacksage scan
78
+ ```
79
+
80
+ ---
81
+
82
+ ## What it detects
83
+
84
+ | Category | Examples |
85
+ |---|---|
86
+ | **Compute** | Idle/stopped EC2 instances, EC2 generation upgrade opportunities |
87
+ | **Storage** | Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration |
88
+ | **Database** | Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters |
89
+ | **Serverless** | Overprovisioned Lambda functions, Graviton migration opportunities |
90
+ | **S3** | Buckets missing lifecycle rules, public buckets, missing encryption |
91
+ | **CDN & DNS** | Unused CloudFront distributions, unused Route53 hosted zones |
92
+ | **Network** | Unused Elastic IPs, idle NAT Gateways, idle load balancers, missing S3 VPC endpoints |
93
+ | **CloudWatch & Logs** | Log groups missing retention policies |
94
+ | **Security & IAM** | Root MFA disabled, root access keys present, weak IAM password policy |
95
+ | **Cost Guardrails** | Missing AWS Budgets, missing Cost Anomaly Detection |
96
+ | **Tagging** | Untagged resources, missing required tags |
97
+
98
+ ---
99
+
100
+ ## IAM setup
101
+
102
+ StackSage requires a read-only IAM policy. Minimum required permissions:
103
+
104
+ ```json
105
+ {
106
+ "Effect": "Allow",
107
+ "Action": [
108
+ "ec2:Describe*",
109
+ "rds:Describe*",
110
+ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
111
+ "cloudwatch:GetMetricStatistics",
112
+ "ce:GetCostAndUsage",
113
+ "tag:GetResources",
114
+ "pricing:GetProducts"
115
+ ],
116
+ "Resource": "*"
117
+ }
118
+ ```
119
+
120
+ → Full IAM setup guide at [stacksageai.com/docs/iam-policy](https://stacksageai.com/docs/iam-policy)
121
+
122
+ ---
123
+
124
+ ## CLI reference
125
+
126
+ StackSage has two commands:
127
+
128
+ | Command | Requires license? | Use case |
129
+ |---|---|---|
130
+ | `stacksage scan` | **No** | Self-serve: run locally or in CI, free tier shows top 50 findings |
131
+ | `stacksage audit` | **Yes** (`STACKSAGE_LICENSE`) | Licensed: full findings + remediation plan, designed for CI pipelines |
132
+
133
+ ### `stacksage scan` (no license needed)
134
+
135
+ ```
136
+ stacksage scan [OPTIONS]
137
+
138
+ Scan your AWS account — no license needed.
139
+
140
+ Free tier (no STACKSAGE_LICENSE set):
141
+ Full infrastructure scan. Top 50 findings by savings shown in the report.
142
+ Security & posture checks always shown in full.
143
+ Remediation plan not included.
144
+
145
+ With license (STACKSAGE_LICENSE env var set):
146
+ All findings visible, remediation plan included.
147
+
148
+ Options:
149
+ --profile TEXT AWS profile name (uses default profile if omitted)
150
+ --role-arn TEXT Assume this read-only IAM role ARN
151
+ --regions TEXT Comma-separated regions to scan (default: all enabled)
152
+ --out DIRECTORY Output directory (default: reports/)
153
+ --use-cloudwatch Enable CloudWatch utilization metrics (recommended)
154
+ --use-cost-explorer Include historical spend from Cost Explorer
155
+ --check-tagging Flag resources missing required tags
156
+ --cw-days INTEGER CloudWatch lookback days (default: 14)
157
+ --cw-max-queries INT Max CloudWatch queries per run (default: 500)
158
+ --no-browser Do not auto-open the HTML report
159
+ --demo Run with synthetic data — no AWS calls needed
160
+ --log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
161
+ --help Show this message and exit.
162
+ ```
163
+
164
+ ### `stacksage audit` (license required)
165
+
166
+ ```
167
+ stacksage audit [OPTIONS]
168
+
169
+ Run a full licensed audit (STACKSAGE_LICENSE required).
170
+
171
+ Designed for CI/CD pipelines and scheduled audits. All findings visible,
172
+ full remediation plan included. Requires a license key.
173
+
174
+ Options:
175
+ --role-arn TEXT Assume this read-only IAM role ARN
176
+ --regions TEXT Comma-separated regions (default: all enabled)
177
+ --out DIRECTORY Output directory (default: reports/)
178
+ --use-cloudwatch Enable CloudWatch utilization metrics
179
+ --use-cost-explorer Include historical spend from Cost Explorer
180
+ --check-tagging Flag resources missing required tags
181
+ --cw-days INTEGER CloudWatch lookback days (default: 14)
182
+ --cw-max-queries INT Max CloudWatch queries per run (default: 500)
183
+ --log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
184
+ --help Show this message and exit.
185
+ ```
186
+
187
+ → Full CLI reference at [stacksageai.com/docs/cli-reference](https://stacksageai.com/docs/cli-reference)
188
+
189
+ ---
190
+
191
+ ## Configuration (optional)
192
+
193
+ Create a `stacksage.yml` in your working directory to customise exclusions, thresholds, and filters:
194
+
195
+ ```yaml
196
+ thresholds:
197
+ idle_cpu_percent: 5.0
198
+ unused_days: 30
199
+
200
+ exclude:
201
+ tags:
202
+ - key: Environment
203
+ value: production
204
+ ```
205
+
206
+ → Full configuration guide at [stacksageai.com/docs/configuration](https://stacksageai.com/docs/configuration)
207
+
208
+ ---
209
+
210
+ ## Troubleshooting
211
+
212
+ - **`pricing:GetProducts` denied** — static pricing is used automatically, no action needed
213
+ - **Cost Explorer denied** — historical spend section is omitted from the report
214
+ - **`skipped-budget` badges in the report** — increase `--cw-max-queries` or narrow `--regions`
215
+
216
+ → [Full troubleshooting guide](https://stacksageai.com/docs/troubleshooting)
217
+
218
+ ---
219
+
220
+ ## Links
221
+
222
+ - [Website](https://stacksageai.com)
223
+ - [Documentation](https://stacksageai.com/docs)
224
+ - [Pricing & licensing](https://stacksageai.com/#pricing)
225
+ - [Live demo report](https://stacksageai.com/demo-report)
@@ -0,0 +1,132 @@
1
+ # StackSage Cloud Cost Audit (MVP)
2
+
3
+ Run an end-to-end AWS cost audit: scan resources, analyze waste, estimate savings, and generate a human-readable report.
4
+
5
+ ## Quick start
6
+
7
+ Requirements:
8
+ - Python 3.10+
9
+ - AWS credentials or a read-only role (see `docs/read-only-policy.json`)
10
+ - (Optional) `stacksage.yml` for custom configuration
11
+
12
+ Install deps (MVP uses boto3, jinja2, click):
13
+
14
+ ```zsh
15
+ # optional: create venv
16
+ python -m venv .venv && source .venv/bin/activate
17
+ pip install boto3 jinja2 click pyyaml
18
+ ```
19
+
20
+ ### Configuration (Optional)
21
+
22
+ StackSage supports optional configuration via `stacksage.yml` in your repository root:
23
+
24
+ ```bash
25
+ cp stacksage.yml.example stacksage.yml
26
+ # Edit stacksage.yml to customize exclusions, thresholds, and filters
27
+ ```
28
+
29
+ See [docs/configuration.md](docs/configuration.md) for full configuration guide.
30
+
31
+ ### Full audit
32
+
33
+ ```zsh
34
+ python -m stacksage.cli.cli audit --role-arn YOUR_ROLE_ARN --out reports --format html
35
+ ```
36
+
37
+ Optional region selection:
38
+ ```zsh
39
+ python -m stacksage.cli.cli audit --regions us-east-1,eu-west-1 --out reports --format html
40
+ ```
41
+
42
+ ### Scan only
43
+
44
+ ```zsh
45
+ python -m stacksage.cli.cli scan --role-arn YOUR_ROLE_ARN --out reports
46
+ ```
47
+
48
+ ### Analyze only
49
+
50
+ ```zsh
51
+ python -m stacksage.cli.cli analyze --in-file reports/scan_raw.json --out reports/findings.json
52
+ ```
53
+
54
+ ### Report only
55
+
56
+ ```zsh
57
+ python -m stacksage.cli.cli report --findings reports/findings.json --out reports
58
+ ```
59
+
60
+ ## CLI options
61
+ - `--role-arn` Assume a read-only role (optional; uses local creds if omitted)
62
+ - `--out` Output directory (`reports` by default)
63
+ - `--format` `html|json` for audit output
64
+ - `--regions` Comma-separated AWS regions (default: all enabled)
65
+ - `--cw-days` CloudWatch metrics lookback days (default: 14)
66
+ - `--cw-max-queries` Max CloudWatch metric queries per run (budget). Budget exhaustion lowers confidence and flags findings as skipped-budget.
67
+ - `--log-level` Logging level: `DEBUG|INFO|WARNING|ERROR` (default: `INFO`). Logs are structured JSON.
68
+
69
+ ## Files
70
+ - `run_scan.py` Scan-only entrypoint (writes `reports/scan_raw.json` with metadata)
71
+ - `stacksage/scanner/aws_scanner.py` Scans EC2/EBS/RDS per region; S3 globally
72
+ - `stacksage/analyzer/analysis.py` Analyzes raw scan data and produces findings
73
+ - CloudWatch helper `cw_avg`: retry/backoff (up to 2 retries) and error classification (`throttle`, `not_authorized`, `no_data`, `other`).
74
+ - Provenance includes CloudWatch counters: `cloudwatch_queries_attempted`, `cloudwatch_queries_used`, `cloudwatch_queries_remaining`.
75
+ - Skipped-budget behavior: detectors set `metric_status=skipped_budget`, `confidence=0.4`, and clear explanation.
76
+ - `stacksage/pricing.py` Static pricing and helper functions
77
+ - `stacksage/cli/cli.py` CLI with `audit`, `scan`, `analyze`, `report`
78
+ - `stacksage/cli/report_gen.py` Generates HTML report from findings JSON
79
+ - `stacksage/templates/report.html.jinja` HTML template (shows metadata, top savings, counts)
80
+ - `docs/read-only-policy.json` IAM policy to grant read-only access
81
+ - `docs/schema.md` Data shapes for resources/findings
82
+ - `docs/function_signatures.md` Signatures for planning/testing
83
+ - `docs/TODOs.md` Roadmap and tasks
84
+
85
+ ## IAM Read-Only Policy
86
+ Provide customers with `docs/read-only-policy.json`. It includes actions:
87
+ - `ec2:Describe*`
88
+ - `s3:ListAllMyBuckets`, `s3:GetBucketLocation`
89
+ - `rds:Describe*`
90
+ - `cloudwatch:GetMetricStatistics` (Phase-1 offline analyzer does not call CloudWatch; keep for future utilization insights)
91
+ - When enabled, StackSage uses only aggregate metrics (Averages) and a bounded query budget.
92
+ - `pricing:GetProducts` (optional; remove if using only static pricing)
93
+ - `ce:GetCostAndUsage`, `ce:GetDimensionValues` (for historical cost summary)
94
+ - `tag:GetResources`
95
+ - `iam:GetRole`
96
+ (Remove unused log event permissions if present.)
97
+
98
+ Recommendations:
99
+ - Keep `cloudwatch:GetMetricStatistics` for utilization metrics.
100
+ - If customers have SCPs, ensure `ec2:Describe*` and `rds:Describe*` are allowed in all target regions.
101
+ - If historical spend is desired, include Cost Explorer permissions (`ce:GetCostAndUsage`).
102
+
103
+ ## Development notes
104
+
105
+ - Install dev tooling + enable local git hooks (recommended):
106
+
107
+ ```zsh
108
+ ./scripts/setup_dev.sh
109
+ ```
110
+
111
+ This installs both `pre-commit` and `pre-push` hooks, so ruff/black/isort run on every commit and push.
112
+
113
+ - Protecting `main` (recommended): enable GitHub branch protection for `main` and require the **CI** workflow checks to pass before merge. This prevents direct pushes and ensures linting/tests gate changes.
114
+
115
+ - Multi-region scanning is supported; omit `--regions` to scan all enabled regions.
116
+ - Findings include both estimated monthly cost and savings where applicable.
117
+ - Analyzer operates offline in Phase-1 and uses only scanner outputs (no live AWS calls).
118
+ - Optional real pricing: set `STACKSAGE_PRICING_MODE=api` to use AWS Pricing API for EC2.
119
+ - Optional CloudWatch live-mode: enable `--use-cloudwatch` or `--live`. Budget enforced via `--cw-max-queries`.
120
+ - Provenance counters are also written to `reports/run_provenance.json` when HTML report is generated.
121
+ - Error classification from CloudWatch is attached to findings (`metrics_error`).
122
+ - Optional historical costs: if `ce:GetCostAndUsage` is allowed, audit includes last 30-day spend summary.
123
+ - Reports include an AI executive summary (heuristic, offline) and CSV export of findings.
124
+
125
+ ## Troubleshooting
126
+ - If `pricing:GetProducts` is denied, static pricing is used.
127
+ - If Cost Explorer is denied, the report will omit historical spend.
128
+ - For IAM setup, see `docs/customer-iam-role-setup.md`. Use `--log-level DEBUG` for detailed structured logs.
129
+ - If you see `skipped-budget` badges in the report, consider increasing `--cw-max-queries` or narrowing regions.
130
+
131
+ ### Refreshing auditor/source credentials
132
+ - See `docs/refresh-auditor-creds.md` for step-by-step instructions to mint fresh auditor/source credentials (IAM user or CloudShell), export them to your shell or `.env`, and re-run `scripts/run_audit.sh` with a preflight identity check.
@@ -0,0 +1,197 @@
1
+ # StackSage
2
+
3
+ **Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.**
4
+
5
+ [![PyPI version](https://badge.fury.io/py/stacksage.svg)](https://pypi.org/project/stacksage/)
6
+ [![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org)
7
+
8
+ StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.
9
+
10
+ → **[Live demo report](https://stacksageai.com/demo-report)** · [Documentation](https://stacksageai.com/docs) · [Pricing](https://stacksageai.com/#pricing)
11
+
12
+ ---
13
+
14
+ ## Install
15
+
16
+ ```bash
17
+ pip install stacksage
18
+ ```
19
+
20
+ ---
21
+
22
+ ## Quick start
23
+
24
+ **Option 1 — local AWS credentials or SSO profile:**
25
+
26
+ ```bash
27
+ stacksage scan
28
+ stacksage scan --profile my-sso-profile
29
+ ```
30
+
31
+ **Option 2 — assume a cross-account read-only role:**
32
+
33
+ ```bash
34
+ stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly
35
+ ```
36
+
37
+ StackSage opens the HTML report in your browser automatically when the scan completes.
38
+
39
+ ---
40
+
41
+ ## Free tier
42
+
43
+ Run a full scan on any AWS account at no cost. The free tier shows your **top 50 findings ranked by estimated monthly savings**.
44
+
45
+ To unlock all findings, [get a license key](https://stacksageai.com/#pricing) and set:
46
+
47
+ ```bash
48
+ export STACKSAGE_LICENSE=your-key
49
+ stacksage scan
50
+ ```
51
+
52
+ ---
53
+
54
+ ## What it detects
55
+
56
+ | Category | Examples |
57
+ |---|---|
58
+ | **Compute** | Idle/stopped EC2 instances, EC2 generation upgrade opportunities |
59
+ | **Storage** | Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration |
60
+ | **Database** | Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters |
61
+ | **Serverless** | Overprovisioned Lambda functions, Graviton migration opportunities |
62
+ | **S3** | Buckets missing lifecycle rules, public buckets, missing encryption |
63
+ | **CDN & DNS** | Unused CloudFront distributions, unused Route53 hosted zones |
64
+ | **Network** | Unused Elastic IPs, idle NAT Gateways, idle load balancers, missing S3 VPC endpoints |
65
+ | **CloudWatch & Logs** | Log groups missing retention policies |
66
+ | **Security & IAM** | Root MFA disabled, root access keys present, weak IAM password policy |
67
+ | **Cost Guardrails** | Missing AWS Budgets, missing Cost Anomaly Detection |
68
+ | **Tagging** | Untagged resources, missing required tags |
69
+
70
+ ---
71
+
72
+ ## IAM setup
73
+
74
+ StackSage requires a read-only IAM policy. Minimum required permissions:
75
+
76
+ ```json
77
+ {
78
+ "Effect": "Allow",
79
+ "Action": [
80
+ "ec2:Describe*",
81
+ "rds:Describe*",
82
+ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
83
+ "cloudwatch:GetMetricStatistics",
84
+ "ce:GetCostAndUsage",
85
+ "tag:GetResources",
86
+ "pricing:GetProducts"
87
+ ],
88
+ "Resource": "*"
89
+ }
90
+ ```
91
+
92
+ → Full IAM setup guide at [stacksageai.com/docs/iam-policy](https://stacksageai.com/docs/iam-policy)
93
+
94
+ ---
95
+
96
+ ## CLI reference
97
+
98
+ StackSage has two commands:
99
+
100
+ | Command | Requires license? | Use case |
101
+ |---|---|---|
102
+ | `stacksage scan` | **No** | Self-serve: run locally or in CI, free tier shows top 50 findings |
103
+ | `stacksage audit` | **Yes** (`STACKSAGE_LICENSE`) | Licensed: full findings + remediation plan, designed for CI pipelines |
104
+
105
+ ### `stacksage scan` (no license needed)
106
+
107
+ ```
108
+ stacksage scan [OPTIONS]
109
+
110
+ Scan your AWS account — no license needed.
111
+
112
+ Free tier (no STACKSAGE_LICENSE set):
113
+ Full infrastructure scan. Top 50 findings by savings shown in the report.
114
+ Security & posture checks always shown in full.
115
+ Remediation plan not included.
116
+
117
+ With license (STACKSAGE_LICENSE env var set):
118
+ All findings visible, remediation plan included.
119
+
120
+ Options:
121
+ --profile TEXT AWS profile name (uses default profile if omitted)
122
+ --role-arn TEXT Assume this read-only IAM role ARN
123
+ --regions TEXT Comma-separated regions to scan (default: all enabled)
124
+ --out DIRECTORY Output directory (default: reports/)
125
+ --use-cloudwatch Enable CloudWatch utilization metrics (recommended)
126
+ --use-cost-explorer Include historical spend from Cost Explorer
127
+ --check-tagging Flag resources missing required tags
128
+ --cw-days INTEGER CloudWatch lookback days (default: 14)
129
+ --cw-max-queries INT Max CloudWatch queries per run (default: 500)
130
+ --no-browser Do not auto-open the HTML report
131
+ --demo Run with synthetic data — no AWS calls needed
132
+ --log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
133
+ --help Show this message and exit.
134
+ ```
135
+
136
+ ### `stacksage audit` (license required)
137
+
138
+ ```
139
+ stacksage audit [OPTIONS]
140
+
141
+ Run a full licensed audit (STACKSAGE_LICENSE required).
142
+
143
+ Designed for CI/CD pipelines and scheduled audits. All findings visible,
144
+ full remediation plan included. Requires a license key.
145
+
146
+ Options:
147
+ --role-arn TEXT Assume this read-only IAM role ARN
148
+ --regions TEXT Comma-separated regions (default: all enabled)
149
+ --out DIRECTORY Output directory (default: reports/)
150
+ --use-cloudwatch Enable CloudWatch utilization metrics
151
+ --use-cost-explorer Include historical spend from Cost Explorer
152
+ --check-tagging Flag resources missing required tags
153
+ --cw-days INTEGER CloudWatch lookback days (default: 14)
154
+ --cw-max-queries INT Max CloudWatch queries per run (default: 500)
155
+ --log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
156
+ --help Show this message and exit.
157
+ ```
158
+
159
+ → Full CLI reference at [stacksageai.com/docs/cli-reference](https://stacksageai.com/docs/cli-reference)
160
+
161
+ ---
162
+
163
+ ## Configuration (optional)
164
+
165
+ Create a `stacksage.yml` in your working directory to customise exclusions, thresholds, and filters:
166
+
167
+ ```yaml
168
+ thresholds:
169
+ idle_cpu_percent: 5.0
170
+ unused_days: 30
171
+
172
+ exclude:
173
+ tags:
174
+ - key: Environment
175
+ value: production
176
+ ```
177
+
178
+ → Full configuration guide at [stacksageai.com/docs/configuration](https://stacksageai.com/docs/configuration)
179
+
180
+ ---
181
+
182
+ ## Troubleshooting
183
+
184
+ - **`pricing:GetProducts` denied** — static pricing is used automatically, no action needed
185
+ - **Cost Explorer denied** — historical spend section is omitted from the report
186
+ - **`skipped-budget` badges in the report** — increase `--cw-max-queries` or narrow `--regions`
187
+
188
+ → [Full troubleshooting guide](https://stacksageai.com/docs/troubleshooting)
189
+
190
+ ---
191
+
192
+ ## Links
193
+
194
+ - [Website](https://stacksageai.com)
195
+ - [Documentation](https://stacksageai.com/docs)
196
+ - [Pricing & licensing](https://stacksageai.com/#pricing)
197
+ - [Live demo report](https://stacksageai.com/demo-report)