stacksage 0.7.5__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- stacksage-0.7.5/MANIFEST.in +32 -0
- stacksage-0.7.5/PKG-INFO +225 -0
- stacksage-0.7.5/README.md +132 -0
- stacksage-0.7.5/README.pypi.md +197 -0
- stacksage-0.7.5/TROUBLESHOOTING.md +182 -0
- stacksage-0.7.5/pyproject.toml +55 -0
- stacksage-0.7.5/requirements.txt +10 -0
- stacksage-0.7.5/setup.cfg +4 -0
- stacksage-0.7.5/stacksage/__init__.py +1 -0
- stacksage-0.7.5/stacksage/ai/__init__.py +1 -0
- stacksage-0.7.5/stacksage/ai/summarizer.py +49 -0
- stacksage-0.7.5/stacksage/analyzer/__init__.py +1 -0
- stacksage-0.7.5/stacksage/analyzer/analysis.py +468 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/__init__.py +72 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/architecture.py +1102 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/cdn.py +247 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/cloudwatch.py +263 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/dynamodb.py +185 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/ebs.py +642 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/ec2.py +628 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/elasticache.py +234 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/guardrails.py +234 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/network.py +815 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/posture.py +1082 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/rds.py +517 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/s3.py +54 -0
- stacksage-0.7.5/stacksage/analyzer/detectors/tagging.py +136 -0
- stacksage-0.7.5/stacksage/analyzer/evidence.py +234 -0
- stacksage-0.7.5/stacksage/analyzer/metrics.py +251 -0
- stacksage-0.7.5/stacksage/cli/__init__.py +1 -0
- stacksage-0.7.5/stacksage/cli/cli.py +807 -0
- stacksage-0.7.5/stacksage/cli/free_tier.py +82 -0
- stacksage-0.7.5/stacksage/cli/logging_util.py +27 -0
- stacksage-0.7.5/stacksage/cli/report_gen.py +835 -0
- stacksage-0.7.5/stacksage/cli/telemetry.py +115 -0
- stacksage-0.7.5/stacksage/config.py +313 -0
- stacksage-0.7.5/stacksage/costs.py +237 -0
- stacksage-0.7.5/stacksage/licensing.py +213 -0
- stacksage-0.7.5/stacksage/pricing.py +526 -0
- stacksage-0.7.5/stacksage/scanner/__init__.py +1 -0
- stacksage-0.7.5/stacksage/scanner/aws_scanner.py +966 -0
- stacksage-0.7.5/stacksage/templates/report.html.jinja +1148 -0
- stacksage-0.7.5/stacksage.egg-info/PKG-INFO +225 -0
- stacksage-0.7.5/stacksage.egg-info/SOURCES.txt +46 -0
- stacksage-0.7.5/stacksage.egg-info/dependency_links.txt +1 -0
- stacksage-0.7.5/stacksage.egg-info/entry_points.txt +2 -0
- stacksage-0.7.5/stacksage.egg-info/requires.txt +5 -0
- stacksage-0.7.5/stacksage.egg-info/top_level.txt +1 -0
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# MANIFEST.in — controls what gets included in the sdist (source distribution).
|
|
2
|
+
# The wheel is built via build_wheel.sh which compiles + strips .py for key modules.
|
|
3
|
+
|
|
4
|
+
# Include essential project files
|
|
5
|
+
include README.md
|
|
6
|
+
include README.pypi.md
|
|
7
|
+
include TROUBLESHOOTING.md
|
|
8
|
+
include requirements.txt
|
|
9
|
+
include pyproject.toml
|
|
10
|
+
|
|
11
|
+
# Include all package source (sdist only — wheel build script strips the sensitive ones)
|
|
12
|
+
recursive-include stacksage *.py
|
|
13
|
+
recursive-include stacksage *.jinja2
|
|
14
|
+
recursive-include stacksage *.html
|
|
15
|
+
recursive-include stacksage *.css
|
|
16
|
+
recursive-include stacksage *.js
|
|
17
|
+
recursive-include stacksage/templates *
|
|
18
|
+
|
|
19
|
+
# Explicitly exclude compiled artefacts from sdist (they're platform-specific)
|
|
20
|
+
recursive-exclude stacksage *.so
|
|
21
|
+
recursive-exclude stacksage *.pyc
|
|
22
|
+
recursive-exclude stacksage *.c
|
|
23
|
+
recursive-exclude stacksage __pycache__
|
|
24
|
+
|
|
25
|
+
# Exclude test + dev files from distributions
|
|
26
|
+
recursive-exclude tests *
|
|
27
|
+
recursive-exclude docs *
|
|
28
|
+
recursive-exclude scripts *
|
|
29
|
+
exclude Dockerfile
|
|
30
|
+
exclude Dockerfile.trial
|
|
31
|
+
exclude .pre-commit-config.yaml
|
|
32
|
+
exclude pytest.ini
|
stacksage-0.7.5/PKG-INFO
ADDED
|
@@ -0,0 +1,225 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: stacksage
|
|
3
|
+
Version: 0.7.5
|
|
4
|
+
Summary: AWS cost & security audit — runs on your machine, nothing shared
|
|
5
|
+
License-Expression: LicenseRef-Commercial
|
|
6
|
+
Project-URL: Homepage, https://stacksageai.com
|
|
7
|
+
Project-URL: Documentation, https://stacksageai.com/docs
|
|
8
|
+
Project-URL: Changelog, https://stacksageai.com/docs
|
|
9
|
+
Keywords: aws,cloud,cost,audit,security,finops,optimization,cloud-cost
|
|
10
|
+
Classifier: Development Status :: 4 - Beta
|
|
11
|
+
Classifier: Intended Audience :: Developers
|
|
12
|
+
Classifier: Intended Audience :: System Administrators
|
|
13
|
+
Classifier: Operating System :: OS Independent
|
|
14
|
+
Classifier: Programming Language :: Python :: 3
|
|
15
|
+
Classifier: Programming Language :: Python :: 3.10
|
|
16
|
+
Classifier: Programming Language :: Python :: 3.11
|
|
17
|
+
Classifier: Programming Language :: Python :: 3.12
|
|
18
|
+
Classifier: Topic :: System :: Systems Administration
|
|
19
|
+
Classifier: Topic :: Office/Business :: Financial
|
|
20
|
+
Classifier: Topic :: Internet
|
|
21
|
+
Requires-Python: >=3.10
|
|
22
|
+
Description-Content-Type: text/markdown
|
|
23
|
+
Requires-Dist: boto3>=1.28.0
|
|
24
|
+
Requires-Dist: click>=8.1.0
|
|
25
|
+
Requires-Dist: jinja2>=3.1.0
|
|
26
|
+
Requires-Dist: pyyaml>=6.0.0
|
|
27
|
+
Requires-Dist: cryptography>=41.0.0
|
|
28
|
+
|
|
29
|
+
# StackSage
|
|
30
|
+
|
|
31
|
+
**Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.**
|
|
32
|
+
|
|
33
|
+
[](https://pypi.org/project/stacksage/)
|
|
34
|
+
[](https://www.python.org)
|
|
35
|
+
|
|
36
|
+
StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.
|
|
37
|
+
|
|
38
|
+
→ **[Live demo report](https://stacksageai.com/demo-report)** · [Documentation](https://stacksageai.com/docs) · [Pricing](https://stacksageai.com/#pricing)
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## Install
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
pip install stacksage
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
---
|
|
49
|
+
|
|
50
|
+
## Quick start
|
|
51
|
+
|
|
52
|
+
**Option 1 — local AWS credentials or SSO profile:**
|
|
53
|
+
|
|
54
|
+
```bash
|
|
55
|
+
stacksage scan
|
|
56
|
+
stacksage scan --profile my-sso-profile
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**Option 2 — assume a cross-account read-only role:**
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
StackSage opens the HTML report in your browser automatically when the scan completes.
|
|
66
|
+
|
|
67
|
+
---
|
|
68
|
+
|
|
69
|
+
## Free tier
|
|
70
|
+
|
|
71
|
+
Run a full scan on any AWS account at no cost. The free tier shows your **top 50 findings ranked by estimated monthly savings**.
|
|
72
|
+
|
|
73
|
+
To unlock all findings, [get a license key](https://stacksageai.com/#pricing) and set:
|
|
74
|
+
|
|
75
|
+
```bash
|
|
76
|
+
export STACKSAGE_LICENSE=your-key
|
|
77
|
+
stacksage scan
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
---
|
|
81
|
+
|
|
82
|
+
## What it detects
|
|
83
|
+
|
|
84
|
+
| Category | Examples |
|
|
85
|
+
|---|---|
|
|
86
|
+
| **Compute** | Idle/stopped EC2 instances, EC2 generation upgrade opportunities |
|
|
87
|
+
| **Storage** | Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration |
|
|
88
|
+
| **Database** | Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters |
|
|
89
|
+
| **Serverless** | Overprovisioned Lambda functions, Graviton migration opportunities |
|
|
90
|
+
| **S3** | Buckets missing lifecycle rules, public buckets, missing encryption |
|
|
91
|
+
| **CDN & DNS** | Unused CloudFront distributions, unused Route53 hosted zones |
|
|
92
|
+
| **Network** | Unused Elastic IPs, idle NAT Gateways, idle load balancers, missing S3 VPC endpoints |
|
|
93
|
+
| **CloudWatch & Logs** | Log groups missing retention policies |
|
|
94
|
+
| **Security & IAM** | Root MFA disabled, root access keys present, weak IAM password policy |
|
|
95
|
+
| **Cost Guardrails** | Missing AWS Budgets, missing Cost Anomaly Detection |
|
|
96
|
+
| **Tagging** | Untagged resources, missing required tags |
|
|
97
|
+
|
|
98
|
+
---
|
|
99
|
+
|
|
100
|
+
## IAM setup
|
|
101
|
+
|
|
102
|
+
StackSage requires a read-only IAM policy. Minimum required permissions:
|
|
103
|
+
|
|
104
|
+
```json
|
|
105
|
+
{
|
|
106
|
+
"Effect": "Allow",
|
|
107
|
+
"Action": [
|
|
108
|
+
"ec2:Describe*",
|
|
109
|
+
"rds:Describe*",
|
|
110
|
+
"s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
|
|
111
|
+
"cloudwatch:GetMetricStatistics",
|
|
112
|
+
"ce:GetCostAndUsage",
|
|
113
|
+
"tag:GetResources",
|
|
114
|
+
"pricing:GetProducts"
|
|
115
|
+
],
|
|
116
|
+
"Resource": "*"
|
|
117
|
+
}
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
→ Full IAM setup guide at [stacksageai.com/docs/iam-policy](https://stacksageai.com/docs/iam-policy)
|
|
121
|
+
|
|
122
|
+
---
|
|
123
|
+
|
|
124
|
+
## CLI reference
|
|
125
|
+
|
|
126
|
+
StackSage has two commands:
|
|
127
|
+
|
|
128
|
+
| Command | Requires license? | Use case |
|
|
129
|
+
|---|---|---|
|
|
130
|
+
| `stacksage scan` | **No** | Self-serve: run locally or in CI, free tier shows top 50 findings |
|
|
131
|
+
| `stacksage audit` | **Yes** (`STACKSAGE_LICENSE`) | Licensed: full findings + remediation plan, designed for CI pipelines |
|
|
132
|
+
|
|
133
|
+
### `stacksage scan` (no license needed)
|
|
134
|
+
|
|
135
|
+
```
|
|
136
|
+
stacksage scan [OPTIONS]
|
|
137
|
+
|
|
138
|
+
Scan your AWS account — no license needed.
|
|
139
|
+
|
|
140
|
+
Free tier (no STACKSAGE_LICENSE set):
|
|
141
|
+
Full infrastructure scan. Top 50 findings by savings shown in the report.
|
|
142
|
+
Security & posture checks always shown in full.
|
|
143
|
+
Remediation plan not included.
|
|
144
|
+
|
|
145
|
+
With license (STACKSAGE_LICENSE env var set):
|
|
146
|
+
All findings visible, remediation plan included.
|
|
147
|
+
|
|
148
|
+
Options:
|
|
149
|
+
--profile TEXT AWS profile name (uses default profile if omitted)
|
|
150
|
+
--role-arn TEXT Assume this read-only IAM role ARN
|
|
151
|
+
--regions TEXT Comma-separated regions to scan (default: all enabled)
|
|
152
|
+
--out DIRECTORY Output directory (default: reports/)
|
|
153
|
+
--use-cloudwatch Enable CloudWatch utilization metrics (recommended)
|
|
154
|
+
--use-cost-explorer Include historical spend from Cost Explorer
|
|
155
|
+
--check-tagging Flag resources missing required tags
|
|
156
|
+
--cw-days INTEGER CloudWatch lookback days (default: 14)
|
|
157
|
+
--cw-max-queries INT Max CloudWatch queries per run (default: 500)
|
|
158
|
+
--no-browser Do not auto-open the HTML report
|
|
159
|
+
--demo Run with synthetic data — no AWS calls needed
|
|
160
|
+
--log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
|
|
161
|
+
--help Show this message and exit.
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
### `stacksage audit` (license required)
|
|
165
|
+
|
|
166
|
+
```
|
|
167
|
+
stacksage audit [OPTIONS]
|
|
168
|
+
|
|
169
|
+
Run a full licensed audit (STACKSAGE_LICENSE required).
|
|
170
|
+
|
|
171
|
+
Designed for CI/CD pipelines and scheduled audits. All findings visible,
|
|
172
|
+
full remediation plan included. Requires a license key.
|
|
173
|
+
|
|
174
|
+
Options:
|
|
175
|
+
--role-arn TEXT Assume this read-only IAM role ARN
|
|
176
|
+
--regions TEXT Comma-separated regions (default: all enabled)
|
|
177
|
+
--out DIRECTORY Output directory (default: reports/)
|
|
178
|
+
--use-cloudwatch Enable CloudWatch utilization metrics
|
|
179
|
+
--use-cost-explorer Include historical spend from Cost Explorer
|
|
180
|
+
--check-tagging Flag resources missing required tags
|
|
181
|
+
--cw-days INTEGER CloudWatch lookback days (default: 14)
|
|
182
|
+
--cw-max-queries INT Max CloudWatch queries per run (default: 500)
|
|
183
|
+
--log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
|
|
184
|
+
--help Show this message and exit.
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
→ Full CLI reference at [stacksageai.com/docs/cli-reference](https://stacksageai.com/docs/cli-reference)
|
|
188
|
+
|
|
189
|
+
---
|
|
190
|
+
|
|
191
|
+
## Configuration (optional)
|
|
192
|
+
|
|
193
|
+
Create a `stacksage.yml` in your working directory to customise exclusions, thresholds, and filters:
|
|
194
|
+
|
|
195
|
+
```yaml
|
|
196
|
+
thresholds:
|
|
197
|
+
idle_cpu_percent: 5.0
|
|
198
|
+
unused_days: 30
|
|
199
|
+
|
|
200
|
+
exclude:
|
|
201
|
+
tags:
|
|
202
|
+
- key: Environment
|
|
203
|
+
value: production
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
→ Full configuration guide at [stacksageai.com/docs/configuration](https://stacksageai.com/docs/configuration)
|
|
207
|
+
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
## Troubleshooting
|
|
211
|
+
|
|
212
|
+
- **`pricing:GetProducts` denied** — static pricing is used automatically, no action needed
|
|
213
|
+
- **Cost Explorer denied** — historical spend section is omitted from the report
|
|
214
|
+
- **`skipped-budget` badges in the report** — increase `--cw-max-queries` or narrow `--regions`
|
|
215
|
+
|
|
216
|
+
→ [Full troubleshooting guide](https://stacksageai.com/docs/troubleshooting)
|
|
217
|
+
|
|
218
|
+
---
|
|
219
|
+
|
|
220
|
+
## Links
|
|
221
|
+
|
|
222
|
+
- [Website](https://stacksageai.com)
|
|
223
|
+
- [Documentation](https://stacksageai.com/docs)
|
|
224
|
+
- [Pricing & licensing](https://stacksageai.com/#pricing)
|
|
225
|
+
- [Live demo report](https://stacksageai.com/demo-report)
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
# StackSage Cloud Cost Audit (MVP)
|
|
2
|
+
|
|
3
|
+
Run an end-to-end AWS cost audit: scan resources, analyze waste, estimate savings, and generate a human-readable report.
|
|
4
|
+
|
|
5
|
+
## Quick start
|
|
6
|
+
|
|
7
|
+
Requirements:
|
|
8
|
+
- Python 3.10+
|
|
9
|
+
- AWS credentials or a read-only role (see `docs/read-only-policy.json`)
|
|
10
|
+
- (Optional) `stacksage.yml` for custom configuration
|
|
11
|
+
|
|
12
|
+
Install deps (MVP uses boto3, jinja2, click):
|
|
13
|
+
|
|
14
|
+
```zsh
|
|
15
|
+
# optional: create venv
|
|
16
|
+
python -m venv .venv && source .venv/bin/activate
|
|
17
|
+
pip install boto3 jinja2 click pyyaml
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
### Configuration (Optional)
|
|
21
|
+
|
|
22
|
+
StackSage supports optional configuration via `stacksage.yml` in your repository root:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
cp stacksage.yml.example stacksage.yml
|
|
26
|
+
# Edit stacksage.yml to customize exclusions, thresholds, and filters
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
See [docs/configuration.md](docs/configuration.md) for full configuration guide.
|
|
30
|
+
|
|
31
|
+
### Full audit
|
|
32
|
+
|
|
33
|
+
```zsh
|
|
34
|
+
python -m stacksage.cli.cli audit --role-arn YOUR_ROLE_ARN --out reports --format html
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
Optional region selection:
|
|
38
|
+
```zsh
|
|
39
|
+
python -m stacksage.cli.cli audit --regions us-east-1,eu-west-1 --out reports --format html
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
### Scan only
|
|
43
|
+
|
|
44
|
+
```zsh
|
|
45
|
+
python -m stacksage.cli.cli scan --role-arn YOUR_ROLE_ARN --out reports
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### Analyze only
|
|
49
|
+
|
|
50
|
+
```zsh
|
|
51
|
+
python -m stacksage.cli.cli analyze --in-file reports/scan_raw.json --out reports/findings.json
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
### Report only
|
|
55
|
+
|
|
56
|
+
```zsh
|
|
57
|
+
python -m stacksage.cli.cli report --findings reports/findings.json --out reports
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
## CLI options
|
|
61
|
+
- `--role-arn` Assume a read-only role (optional; uses local creds if omitted)
|
|
62
|
+
- `--out` Output directory (`reports` by default)
|
|
63
|
+
- `--format` `html|json` for audit output
|
|
64
|
+
- `--regions` Comma-separated AWS regions (default: all enabled)
|
|
65
|
+
- `--cw-days` CloudWatch metrics lookback days (default: 14)
|
|
66
|
+
- `--cw-max-queries` Max CloudWatch metric queries per run (budget). Budget exhaustion lowers confidence and flags findings as skipped-budget.
|
|
67
|
+
- `--log-level` Logging level: `DEBUG|INFO|WARNING|ERROR` (default: `INFO`). Logs are structured JSON.
|
|
68
|
+
|
|
69
|
+
## Files
|
|
70
|
+
- `run_scan.py` Scan-only entrypoint (writes `reports/scan_raw.json` with metadata)
|
|
71
|
+
- `stacksage/scanner/aws_scanner.py` Scans EC2/EBS/RDS per region; S3 globally
|
|
72
|
+
- `stacksage/analyzer/analysis.py` Analyzes raw scan data and produces findings
|
|
73
|
+
- CloudWatch helper `cw_avg`: retry/backoff (up to 2 retries) and error classification (`throttle`, `not_authorized`, `no_data`, `other`).
|
|
74
|
+
- Provenance includes CloudWatch counters: `cloudwatch_queries_attempted`, `cloudwatch_queries_used`, `cloudwatch_queries_remaining`.
|
|
75
|
+
- Skipped-budget behavior: detectors set `metric_status=skipped_budget`, `confidence=0.4`, and clear explanation.
|
|
76
|
+
- `stacksage/pricing.py` Static pricing and helper functions
|
|
77
|
+
- `stacksage/cli/cli.py` CLI with `audit`, `scan`, `analyze`, `report`
|
|
78
|
+
- `stacksage/cli/report_gen.py` Generates HTML report from findings JSON
|
|
79
|
+
- `stacksage/templates/report.html.jinja` HTML template (shows metadata, top savings, counts)
|
|
80
|
+
- `docs/read-only-policy.json` IAM policy to grant read-only access
|
|
81
|
+
- `docs/schema.md` Data shapes for resources/findings
|
|
82
|
+
- `docs/function_signatures.md` Signatures for planning/testing
|
|
83
|
+
- `docs/TODOs.md` Roadmap and tasks
|
|
84
|
+
|
|
85
|
+
## IAM Read-Only Policy
|
|
86
|
+
Provide customers with `docs/read-only-policy.json`. It includes actions:
|
|
87
|
+
- `ec2:Describe*`
|
|
88
|
+
- `s3:ListAllMyBuckets`, `s3:GetBucketLocation`
|
|
89
|
+
- `rds:Describe*`
|
|
90
|
+
- `cloudwatch:GetMetricStatistics` (Phase-1 offline analyzer does not call CloudWatch; keep for future utilization insights)
|
|
91
|
+
- When enabled, StackSage uses only aggregate metrics (Averages) and a bounded query budget.
|
|
92
|
+
- `pricing:GetProducts` (optional; remove if using only static pricing)
|
|
93
|
+
- `ce:GetCostAndUsage`, `ce:GetDimensionValues` (for historical cost summary)
|
|
94
|
+
- `tag:GetResources`
|
|
95
|
+
- `iam:GetRole`
|
|
96
|
+
(Remove unused log event permissions if present.)
|
|
97
|
+
|
|
98
|
+
Recommendations:
|
|
99
|
+
- Keep `cloudwatch:GetMetricStatistics` for utilization metrics.
|
|
100
|
+
- If customers have SCPs, ensure `ec2:Describe*` and `rds:Describe*` are allowed in all target regions.
|
|
101
|
+
- If historical spend is desired, include Cost Explorer permissions (`ce:GetCostAndUsage`).
|
|
102
|
+
|
|
103
|
+
## Development notes
|
|
104
|
+
|
|
105
|
+
- Install dev tooling + enable local git hooks (recommended):
|
|
106
|
+
|
|
107
|
+
```zsh
|
|
108
|
+
./scripts/setup_dev.sh
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
This installs both `pre-commit` and `pre-push` hooks, so ruff/black/isort run on every commit and push.
|
|
112
|
+
|
|
113
|
+
- Protecting `main` (recommended): enable GitHub branch protection for `main` and require the **CI** workflow checks to pass before merge. This prevents direct pushes and ensures linting/tests gate changes.
|
|
114
|
+
|
|
115
|
+
- Multi-region scanning is supported; omit `--regions` to scan all enabled regions.
|
|
116
|
+
- Findings include both estimated monthly cost and savings where applicable.
|
|
117
|
+
- Analyzer operates offline in Phase-1 and uses only scanner outputs (no live AWS calls).
|
|
118
|
+
- Optional real pricing: set `STACKSAGE_PRICING_MODE=api` to use AWS Pricing API for EC2.
|
|
119
|
+
- Optional CloudWatch live-mode: enable `--use-cloudwatch` or `--live`. Budget enforced via `--cw-max-queries`.
|
|
120
|
+
- Provenance counters are also written to `reports/run_provenance.json` when HTML report is generated.
|
|
121
|
+
- Error classification from CloudWatch is attached to findings (`metrics_error`).
|
|
122
|
+
- Optional historical costs: if `ce:GetCostAndUsage` is allowed, audit includes last 30-day spend summary.
|
|
123
|
+
- Reports include an AI executive summary (heuristic, offline) and CSV export of findings.
|
|
124
|
+
|
|
125
|
+
## Troubleshooting
|
|
126
|
+
- If `pricing:GetProducts` is denied, static pricing is used.
|
|
127
|
+
- If Cost Explorer is denied, the report will omit historical spend.
|
|
128
|
+
- For IAM setup, see `docs/customer-iam-role-setup.md`. Use `--log-level DEBUG` for detailed structured logs.
|
|
129
|
+
- If you see `skipped-budget` badges in the report, consider increasing `--cw-max-queries` or narrowing regions.
|
|
130
|
+
|
|
131
|
+
### Refreshing auditor/source credentials
|
|
132
|
+
- See `docs/refresh-auditor-creds.md` for step-by-step instructions to mint fresh auditor/source credentials (IAM user or CloudShell), export them to your shell or `.env`, and re-run `scripts/run_audit.sh` with a preflight identity check.
|
|
@@ -0,0 +1,197 @@
|
|
|
1
|
+
# StackSage
|
|
2
|
+
|
|
3
|
+
**Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.**
|
|
4
|
+
|
|
5
|
+
[](https://pypi.org/project/stacksage/)
|
|
6
|
+
[](https://www.python.org)
|
|
7
|
+
|
|
8
|
+
StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.
|
|
9
|
+
|
|
10
|
+
→ **[Live demo report](https://stacksageai.com/demo-report)** · [Documentation](https://stacksageai.com/docs) · [Pricing](https://stacksageai.com/#pricing)
|
|
11
|
+
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
## Install
|
|
15
|
+
|
|
16
|
+
```bash
|
|
17
|
+
pip install stacksage
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
## Quick start
|
|
23
|
+
|
|
24
|
+
**Option 1 — local AWS credentials or SSO profile:**
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
stacksage scan
|
|
28
|
+
stacksage scan --profile my-sso-profile
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
**Option 2 — assume a cross-account read-only role:**
|
|
32
|
+
|
|
33
|
+
```bash
|
|
34
|
+
stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
StackSage opens the HTML report in your browser automatically when the scan completes.
|
|
38
|
+
|
|
39
|
+
---
|
|
40
|
+
|
|
41
|
+
## Free tier
|
|
42
|
+
|
|
43
|
+
Run a full scan on any AWS account at no cost. The free tier shows your **top 50 findings ranked by estimated monthly savings**.
|
|
44
|
+
|
|
45
|
+
To unlock all findings, [get a license key](https://stacksageai.com/#pricing) and set:
|
|
46
|
+
|
|
47
|
+
```bash
|
|
48
|
+
export STACKSAGE_LICENSE=your-key
|
|
49
|
+
stacksage scan
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
---
|
|
53
|
+
|
|
54
|
+
## What it detects
|
|
55
|
+
|
|
56
|
+
| Category | Examples |
|
|
57
|
+
|---|---|
|
|
58
|
+
| **Compute** | Idle/stopped EC2 instances, EC2 generation upgrade opportunities |
|
|
59
|
+
| **Storage** | Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration |
|
|
60
|
+
| **Database** | Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters |
|
|
61
|
+
| **Serverless** | Overprovisioned Lambda functions, Graviton migration opportunities |
|
|
62
|
+
| **S3** | Buckets missing lifecycle rules, public buckets, missing encryption |
|
|
63
|
+
| **CDN & DNS** | Unused CloudFront distributions, unused Route53 hosted zones |
|
|
64
|
+
| **Network** | Unused Elastic IPs, idle NAT Gateways, idle load balancers, missing S3 VPC endpoints |
|
|
65
|
+
| **CloudWatch & Logs** | Log groups missing retention policies |
|
|
66
|
+
| **Security & IAM** | Root MFA disabled, root access keys present, weak IAM password policy |
|
|
67
|
+
| **Cost Guardrails** | Missing AWS Budgets, missing Cost Anomaly Detection |
|
|
68
|
+
| **Tagging** | Untagged resources, missing required tags |
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## IAM setup
|
|
73
|
+
|
|
74
|
+
StackSage requires a read-only IAM policy. Minimum required permissions:
|
|
75
|
+
|
|
76
|
+
```json
|
|
77
|
+
{
|
|
78
|
+
"Effect": "Allow",
|
|
79
|
+
"Action": [
|
|
80
|
+
"ec2:Describe*",
|
|
81
|
+
"rds:Describe*",
|
|
82
|
+
"s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
|
|
83
|
+
"cloudwatch:GetMetricStatistics",
|
|
84
|
+
"ce:GetCostAndUsage",
|
|
85
|
+
"tag:GetResources",
|
|
86
|
+
"pricing:GetProducts"
|
|
87
|
+
],
|
|
88
|
+
"Resource": "*"
|
|
89
|
+
}
|
|
90
|
+
```
|
|
91
|
+
|
|
92
|
+
→ Full IAM setup guide at [stacksageai.com/docs/iam-policy](https://stacksageai.com/docs/iam-policy)
|
|
93
|
+
|
|
94
|
+
---
|
|
95
|
+
|
|
96
|
+
## CLI reference
|
|
97
|
+
|
|
98
|
+
StackSage has two commands:
|
|
99
|
+
|
|
100
|
+
| Command | Requires license? | Use case |
|
|
101
|
+
|---|---|---|
|
|
102
|
+
| `stacksage scan` | **No** | Self-serve: run locally or in CI, free tier shows top 50 findings |
|
|
103
|
+
| `stacksage audit` | **Yes** (`STACKSAGE_LICENSE`) | Licensed: full findings + remediation plan, designed for CI pipelines |
|
|
104
|
+
|
|
105
|
+
### `stacksage scan` (no license needed)
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
stacksage scan [OPTIONS]
|
|
109
|
+
|
|
110
|
+
Scan your AWS account — no license needed.
|
|
111
|
+
|
|
112
|
+
Free tier (no STACKSAGE_LICENSE set):
|
|
113
|
+
Full infrastructure scan. Top 50 findings by savings shown in the report.
|
|
114
|
+
Security & posture checks always shown in full.
|
|
115
|
+
Remediation plan not included.
|
|
116
|
+
|
|
117
|
+
With license (STACKSAGE_LICENSE env var set):
|
|
118
|
+
All findings visible, remediation plan included.
|
|
119
|
+
|
|
120
|
+
Options:
|
|
121
|
+
--profile TEXT AWS profile name (uses default profile if omitted)
|
|
122
|
+
--role-arn TEXT Assume this read-only IAM role ARN
|
|
123
|
+
--regions TEXT Comma-separated regions to scan (default: all enabled)
|
|
124
|
+
--out DIRECTORY Output directory (default: reports/)
|
|
125
|
+
--use-cloudwatch Enable CloudWatch utilization metrics (recommended)
|
|
126
|
+
--use-cost-explorer Include historical spend from Cost Explorer
|
|
127
|
+
--check-tagging Flag resources missing required tags
|
|
128
|
+
--cw-days INTEGER CloudWatch lookback days (default: 14)
|
|
129
|
+
--cw-max-queries INT Max CloudWatch queries per run (default: 500)
|
|
130
|
+
--no-browser Do not auto-open the HTML report
|
|
131
|
+
--demo Run with synthetic data — no AWS calls needed
|
|
132
|
+
--log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
|
|
133
|
+
--help Show this message and exit.
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
### `stacksage audit` (license required)
|
|
137
|
+
|
|
138
|
+
```
|
|
139
|
+
stacksage audit [OPTIONS]
|
|
140
|
+
|
|
141
|
+
Run a full licensed audit (STACKSAGE_LICENSE required).
|
|
142
|
+
|
|
143
|
+
Designed for CI/CD pipelines and scheduled audits. All findings visible,
|
|
144
|
+
full remediation plan included. Requires a license key.
|
|
145
|
+
|
|
146
|
+
Options:
|
|
147
|
+
--role-arn TEXT Assume this read-only IAM role ARN
|
|
148
|
+
--regions TEXT Comma-separated regions (default: all enabled)
|
|
149
|
+
--out DIRECTORY Output directory (default: reports/)
|
|
150
|
+
--use-cloudwatch Enable CloudWatch utilization metrics
|
|
151
|
+
--use-cost-explorer Include historical spend from Cost Explorer
|
|
152
|
+
--check-tagging Flag resources missing required tags
|
|
153
|
+
--cw-days INTEGER CloudWatch lookback days (default: 14)
|
|
154
|
+
--cw-max-queries INT Max CloudWatch queries per run (default: 500)
|
|
155
|
+
--log-level TEXT DEBUG|INFO|WARNING|ERROR (default: INFO)
|
|
156
|
+
--help Show this message and exit.
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
→ Full CLI reference at [stacksageai.com/docs/cli-reference](https://stacksageai.com/docs/cli-reference)
|
|
160
|
+
|
|
161
|
+
---
|
|
162
|
+
|
|
163
|
+
## Configuration (optional)
|
|
164
|
+
|
|
165
|
+
Create a `stacksage.yml` in your working directory to customise exclusions, thresholds, and filters:
|
|
166
|
+
|
|
167
|
+
```yaml
|
|
168
|
+
thresholds:
|
|
169
|
+
idle_cpu_percent: 5.0
|
|
170
|
+
unused_days: 30
|
|
171
|
+
|
|
172
|
+
exclude:
|
|
173
|
+
tags:
|
|
174
|
+
- key: Environment
|
|
175
|
+
value: production
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
→ Full configuration guide at [stacksageai.com/docs/configuration](https://stacksageai.com/docs/configuration)
|
|
179
|
+
|
|
180
|
+
---
|
|
181
|
+
|
|
182
|
+
## Troubleshooting
|
|
183
|
+
|
|
184
|
+
- **`pricing:GetProducts` denied** — static pricing is used automatically, no action needed
|
|
185
|
+
- **Cost Explorer denied** — historical spend section is omitted from the report
|
|
186
|
+
- **`skipped-budget` badges in the report** — increase `--cw-max-queries` or narrow `--regions`
|
|
187
|
+
|
|
188
|
+
→ [Full troubleshooting guide](https://stacksageai.com/docs/troubleshooting)
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
## Links
|
|
193
|
+
|
|
194
|
+
- [Website](https://stacksageai.com)
|
|
195
|
+
- [Documentation](https://stacksageai.com/docs)
|
|
196
|
+
- [Pricing & licensing](https://stacksageai.com/#pricing)
|
|
197
|
+
- [Live demo report](https://stacksageai.com/demo-report)
|