
Cloud-Audit: Fast, Open-Source AWS Security Scanner

Summary

– Cloud-audit is a Python CLI tool that runs 45 curated security checks across 15 AWS services and provides a specific remediation command for each finding it generates.
– The tool’s main differentiator is its remediation output, which supplies ready-to-run AWS CLI or Terraform commands to fix issues, unlike scanners that only highlight problems.
– It focuses on a narrow set of checks that answer whether an attacker could exploit a misconfiguration, avoiding overwhelming output volume and covering common security, cost, and reliability issues.
– Scan results produce a health score based on severity-weighted deductions and can be output in multiple formats like SARIF, Markdown, and HTML for integration into CI/CD pipelines and client reports.
– The tool is free, actively developed with plans to expand checks and add features like scan comparison and Azure support, and integrates securely with GitHub Actions using OIDC authentication.

For security teams managing AWS environments, finding the right auditing tool can be challenging. Cloud-audit is a fast, open-source Python CLI tool that provides actionable security findings with ready-to-run remediation commands, bridging the gap between expensive enterprise platforms and generic scanners. Developed by Mariusz Gebala, it executes 45 curated checks across 15 core AWS services, mapping each finding to a CIS AWS Foundations Benchmark control and attaching a clear fix.

The tool’s primary advantage lies in its practical output. Instead of just flagging issues, it delivers specific remediation steps. Every finding includes either an AWS CLI command or a Terraform code snippet, complete with a link to the official AWS documentation for further context. Users can also pass a dedicated `--export-fixes` flag to generate a commented bash script containing all remediations. The script is designed with safety in mind: it starts with `set -e` so that a failing command aborts the run, and every fix is left commented out, so nothing changes until an operator reviews the script and uncomments the commands they actually want to apply.

The scope of checks is intentionally focused to avoid overwhelming noise. The selection targets configurations that a potential attacker could realistically exploit, answering a central question for each test: “would an attacker exploit this?” This philosophy keeps the output relevant and actionable. The checks cover critical misconfigurations such as root accounts without MFA, IAM policies using wildcards, S3 buckets lacking public access blocks, security groups open to the world on sensitive ports, and publicly accessible RDS instances. It also scans for disabled CloudTrail log validation, unauthenticated Lambda function URLs, and secrets stored as plain text in SSM parameters.

Beyond pure security, the scanner includes checks for cost optimization and reliability. These identify resources like unattached Elastic IP addresses, stopped EC2 instances, single-AZ RDS deployments, and S3 buckets without versioning enabled. After a scan, the tool calculates a health score out of 100. Critical findings deduct 20 points each, High findings deduct 10, Medium deduct 5, and Low deduct 2. Scores of 80+ are considered acceptable, 50-79 need attention, and below 50 require immediate action.
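To make the finding-plus-fix model, the severity-weighted score and the commented fix script concrete, here is an added illustration that is not cloud-audit's own code: one check in the style of the "security group open to the world on a sensitive port" test, run over a constructed `describe_security_groups`-shaped sample so it works offline. The port list, the severity assigned to each port, the CIS control text and the check name are assumptions for the example; the deductions and score bands are the ones the article states.

```python
"""Added illustration, not cloud-audit's own code: a world-open-sensitive-port
check that emits findings with a ready-to-run AWS CLI fix, the severity-weighted
health score the article describes, and a commented fix script in the
--export-fixes style."""

# Constructed sample shaped like boto3's ec2.describe_security_groups()
# response, so the example runs offline without AWS credentials.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "db-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

# Assumed port list (the article only says "sensitive ports"): database and
# cache ports rated CRITICAL (direct data exposure), remote-admin ports HIGH.
SENSITIVE_PORTS = {
    22: ("SSH", "HIGH"), 3389: ("RDP", "HIGH"),
    3306: ("MySQL", "CRITICAL"), 5432: ("PostgreSQL", "CRITICAL"),
    1433: ("MSSQL", "CRITICAL"), 6379: ("Redis", "CRITICAL"),
}
SEVERITY_DEDUCTION = {"CRITICAL": 20, "HIGH": 10, "MEDIUM": 5, "LOW": 2}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def rule_covers_port(rule, port):
    """True if an IpPermission allows TCP to `port` (protocol -1 means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def revoke_command(group_id, rule, cidr):
    """AWS CLI command removing exactly this ingress rule. A revoke only matches
    the rule as stored, so it uses the stored port range, not the flagged port."""
    key = "Ipv6Ranges=[{CidrIpv6=%s}]" if ":" in cidr else "IpRanges=[{CidrIp=%s}]"
    perm = f"IpProtocol={rule['IpProtocol']}"
    if rule["IpProtocol"] != "-1":
        perm += f",FromPort={rule['FromPort']},ToPort={rule['ToPort']}"
    perm += "," + key % cidr
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{perm}'")


def check_open_sensitive_ports(security_groups):
    """One finding per world-open (0.0.0.0/0 or ::/0) ingress rule that reaches
    a sensitive port; each finding carries its own revoke command."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            world = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
            world += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
            hits = [(svc, sev) for p, (svc, sev) in SENSITIVE_PORTS.items() if rule_covers_port(rule, p)]
            if not world or not hits:
                continue  # not exposed to the internet, or not a port we care about
            severity = min((sev for _, sev in hits), key=SEVERITY_RANK.get)
            for cidr in world:
                findings.append({
                    "check": "ec2-sg-open-sensitive-port",  # assumed check id
                    "severity": severity,
                    "resource": sg["GroupId"],
                    "message": f"{sg['GroupName']} allows {', '.join(s for s, _ in hits)} from {cidr}",
                    "fix": revoke_command(sg["GroupId"], rule, cidr),
                    "docs": "https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html",
                })
    return findings


def health_score(findings):
    """Score out of 100 with the article's deductions and bands."""
    score = max(0, 100 - sum(SEVERITY_DEDUCTION[f["severity"]] for f in findings))
    band = "acceptable" if score >= 80 else "needs attention" if score >= 50 else "immediate action"
    return score, band


def export_fixes(findings):
    """Bash script in the --export-fixes style: set -e, and every fix commented
    out so nothing runs until a human uncomments the lines they have reviewed."""
    lines = ["#!/usr/bin/env bash", "set -e",
             "# Review each fix, then uncomment the ones you want to apply.", ""]
    for f in sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]]):
        lines += [f"# [{f['severity']}] {f['resource']}: {f['message']}", f"# {f['fix']}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = check_open_sensitive_ports(SAMPLE_SECURITY_GROUPS)
    for f in found:
        print(f"[{f['severity']}] {f['message']}\n    fix: {f['fix']}")
    print("health score: %d/100 (%s)" % health_score(found))
    print(export_fixes(found))
```

On the sample, the MySQL rule and the IPv6 SSH rule are flagged (HTTPS and HTTP on the same groups are not), the score lands at 70 ("needs attention"), and the emitted script contains no executable line except `set -e`. Two details worth keeping in any real implementation: a revoke has to name the rule exactly as stored (hence the `--ip-permissions` form and the stored port range, which also works for IPv6 and protocol `-1`), and a single rule can be open on both address families, which is why the check emits one fix per CIDR.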

To fit into various workflows, Cloud-audit supports multiple output formats. It can generate SARIF for integration with GitHub Code Scanning and the Security tab, Markdown for automated pull request comments, and polished HTML reports for client deliverables. A configuration file allows teams to customize scans by setting minimum severity thresholds, specifying target AWS regions, and excluding certain checks per project.

Integration into CI/CD pipelines is streamlined, particularly for GitHub Actions. The documented workflow uses OIDC for authentication: the job requests a GitHub-issued identity token and exchanges it for a short-lived AWS credential on each run, so no static AWS access keys need to be stored in repository secrets. The security of this setup rests on the IAM role's trust policy, which should restrict the token's `sub` claim to the specific repository (and branch or environment) allowed to assume the role, and its `aud` claim to `sts.amazonaws.com`; a trust policy that only checks the provider would let any GitHub workflow assume the role.
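The shape of such a workflow, as an added example rather than the project's documented one: the role ARN, the `pip install` step, the package name and the `cloud-audit` command-line flags are placeholders to be replaced with what the project's README specifies.

```yaml
# Added example, not cloud-audit's own documented workflow. Placeholders:
# the role ARN, the `pip install cloud-audit` step and the scanner's flags.
name: cloud-audit
on:
  schedule:
    - cron: "0 6 * * 1"     # weekly scheduled scan
  workflow_dispatch:

permissions:
  id-token: write           # allows the job to request an OIDC token from GitHub
  contents: read
  security-events: write    # required to upload SARIF to Code Scanning

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for short-lived AWS credentials;
      # nothing long-lived is stored in repository secrets.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/cloud-audit-readonly   # placeholder
          aws-region: us-east-1

      - run: pip install cloud-audit                              # assumed package name
      - run: cloud-audit --format sarif --output results.sarif    # assumed flags

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Pair the role with a read-only policy scoped to the APIs the checks call; the role's trust policy, not the workflow file, is what limits which repositories and branches can obtain the credential.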

The project is under active development with a robust suite of 168 tests. The public roadmap includes expanding the check count to 60, adding support for services like CloudFront, SNS, SQS, and Elasticsearch. A planned scan diff feature will allow teams to compare reports over time to track remediation progress. Future updates may also introduce a triage mode for suppressing accepted risks, support for Azure as a second cloud provider, and Slack notifications for scheduled scans. The tool is freely available on its GitHub repository.

(Source: HelpNet Security)
