cloud-audit
English | 简体中文
Find AWS attack paths, IAM escalation routes, and the fixes that matter most.
Open-source, read-only AWS security scanner. It correlates findings into attack chains,
ranks fixes by how many chains they break, and ships an AWS CLI + Terraform fix with
every finding. No agent, no infrastructure, nothing written to your account.
Quick Start -
What You Get -
Installation -
What's Checked -
Documentation
## Quick Start
```bash
pip install cloud-audit
cloud-audit scan # uses your default AWS credentials and region
```
No AWS account handy? Run a full sample report offline:
```bash
cloud-audit demo
```
cloud-audit is **read-only**. It never modifies your infrastructure; `SecurityAudit` is enough ([permissions](#aws-permissions)).
## Example Output
```
+---- Attack Chains (5 detected) -----------------------------------+
| CRITICAL Internet-Exposed Admin Instance |
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
| CRITICAL IAM Privilege Escalation via iam:PassRole |
| ci-deploy-role - 3-step path to admin |
| CRITICAL CI/CD to Admin Takeover |
| github-deploy - OIDC without sub + admin policy |
+-------------------------------------------------------------------+
+---- Remediation Plan ---------------------------------------------+
| Fix 4 root causes, break 22 attack chains |
| Quick wins (effort LOW, 14 chains): |
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
| 2. Add OIDC sub condition -> breaks 6 chains |
+-------------------------------------------------------------------+
```
Preview a fix before you touch anything:
```bash
cloud-audit simulate --fix aws-vpc-002
# Score 34 -> 58 (+24) | Chains broken 8 of 22 | Findings resolved 11
```
## What You Get
- **Attack chains** // 31 rules correlate individual findings into exploitable paths (MITRE ATT&CK + pathfinding.cloud). [docs](https://haitmg.pl/cloud-audit/features/attack-chains/)
- **Root-cause fixes** // groups findings by shared cause and ranks them: "fix 4 things, break 22 chains," with a what-if `simulate` to preview impact. [docs](https://haitmg.pl/cloud-audit/features/simulate/)
- **IAM privilege escalation** // 64 methods across 9 categories, including lateral movement through the AssumeRole graph. [docs](https://haitmg.pl/cloud-audit/features/iam-escalation/)
- **Blast radius** // walk outward from any resource to see what an attacker reaches; export JSON to the live [visualizer](https://blast-audit.haitmg.pl/). [docs](https://haitmg.pl/cloud-audit/features/blast-radius/)
- **Proof Mode** // `scan --verify` checks each escalation path against the IAM policy simulator (read-only) and flags the ones the principal can actually perform. [docs](https://haitmg.pl/cloud-audit/features/proof-mode/)
- **Data perimeter** // resource-policy checks for confused-deputy and cross-org exposure, evaluating condition *values* (not just their presence). [docs](https://haitmg.pl/cloud-audit/features/data-perimeter/)
- **AgentCore security** // checks for Amazon Bedrock AgentCore AI agents: network mode, MMDSv2, memory encryption, gateway authorizer. [docs](https://haitmg.pl/cloud-audit/features/agentcore/)
- **Threat Feed** // 10 detectors for active-abuse patterns from 2025-2026 incidents, each with a primary-source citation. [docs](https://haitmg.pl/cloud-audit/features/threat-feed/)
- **Remediation on every finding** // copy-paste AWS CLI + reviewable Terraform you apply yourself; security findings also carry a USD breach-cost estimate with sources.
- **Trend & drift** // `cloud-audit diff` catches ClickOps drift between scans; `cloud-audit trend` tracks posture over time.
Drop a cloud-audit blast-radius --format json export into the open visualizer at
blast-audit.haitmg.pl - everything runs in your browser.
## Reports
```bash
cloud-audit scan --format html -o report.html # client-ready
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
cloud-audit scan --format json -o report.json # machine-readable
cloud-audit scan --format markdown -o report.md # PR comments
```
## CI/CD
```yaml
- run: pip install cloud-audit
- run: cloud-audit scan --format sarif --output results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
```
`--quiet` exits with a code only: `0` clean, `1` findings, `2` error. Gate on severity with `--min-severity high`. Ready-made workflows: [basic scan](examples/github-actions.yml), [daily diff](examples/daily-scan-with-diff.yml), [post-deploy](examples/post-deploy-scan.yml).
## Installation
```bash
pip install cloud-audit # pip (recommended)
pipx install cloud-audit # isolated
docker run ghcr.io/gebalamariusz/cloud-audit scan # Docker
```
Docker with credentials:
```bash
docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan
```
## AWS Permissions
Read-only. Attach the AWS-managed `SecurityAudit` policy (covers every check, including IAM escalation analysis):
```bash
aws iam attach-role-policy --role-name auditor \
--policy-arn arn:aws:iam::aws:policy/SecurityAudit
```
cloud-audit never modifies your infrastructure. `simulate` runs locally against scan data and makes no AWS calls.
## What's Checked
**110 checks across 25 AWS services** - IAM, S3, EC2, VPC, RDS, KMS, CloudTrail, GuardDuty, Lambda, Secrets Manager, Bedrock, SageMaker, Bedrock AgentCore, DynamoDB, and more. Run `cloud-audit list-checks`, or see the [full check reference](https://haitmg.pl/cloud-audit/checks/).
**6 compliance frameworks** via `scan --compliance `: CIS AWS v3.0 and SOC 2 Type II (stable), plus ISO 27001:2022, HIPAA, NIS2, and BSI C5:2020 (beta). [docs](https://haitmg.pl/cloud-audit/compliance/overview/)
**MCP server** for AI agents - 6 read-only tools (`scan_aws`, `get_findings`, `get_attack_chains`, `get_remediation`, `get_health_score`, `list_checks`):
```bash
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
```
Common flags and configuration
```bash
cloud-audit scan -R # show remediation inline
cloud-audit scan --profile prod --regions eu-central-1 # profile / region
cloud-audit scan --regions all # all enabled regions
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # cross-account
cloud-audit scan --export-fixes fixes.sh # export all fixes
```
Configure defaults in `.cloud-audit.yml` (regions, `min_severity`, `exclude_checks`, time-boxed `suppressions`). Environment variables (`CLOUD_AUDIT_REGIONS`, `CLOUD_AUDIT_MIN_SEVERITY`, ...) override the file; CLI flags override everything. See the [configuration guide](https://haitmg.pl/cloud-audit/configuration/config-file/).
## Documentation
Full documentation at **[haitmg.pl/cloud-audit](https://haitmg.pl/cloud-audit/)**: [getting started](https://haitmg.pl/cloud-audit/getting-started/installation/), [attack chains](https://haitmg.pl/cloud-audit/features/attack-chains/), [IAM escalation](https://haitmg.pl/cloud-audit/features/iam-escalation/), [blast radius](https://haitmg.pl/cloud-audit/features/blast-radius/), [Proof Mode](https://haitmg.pl/cloud-audit/features/proof-mode/), [data perimeter](https://haitmg.pl/cloud-audit/features/data-perimeter/), [AgentCore](https://haitmg.pl/cloud-audit/features/agentcore/), [compliance](https://haitmg.pl/cloud-audit/compliance/overview/), and the [full check reference](https://haitmg.pl/cloud-audit/checks/).
## Commercial Support
cloud-audit is free and stays free. If you want a human on the findings, the author offers professional services:
- **Scanner output review (free)** - send your cloud-audit / Prowler / Security Hub output, get a short written review of what actually matters and what to fix first
- **AWS security audit** - full account audit with a prioritized report and ready-to-apply fixes
- **Remediation support** - Terraform and IAM changes, verified against your workloads
- **Palo Alto VM-Series on AWS** - architecture and security review (GWLB/TGW, HA, routing)
Details: [haitmg.pl/cloud-audit-support](https://haitmg.pl/cloud-audit-support/?utm_source=github&utm_medium=readme) or email [kontakt@haitmg.pl](mailto:kontakt@haitmg.pl).
## Development
```bash
git clone https://github.com/gebalamariusz/cloud-audit.git
cd cloud-audit
pip install -e ".[dev]"
pytest -q && ruff check src/ tests/ && mypy src/
```
See [CONTRIBUTING.md](CONTRIBUTING.md) to add a check. Past releases in [CHANGELOG.md](CHANGELOG.md).
## License
[MIT](LICENSE) - Mariusz Gebala / [HAIT](https://haitmg.pl)