
URL: https://mcp.so/server/cloud-audit/gebalamariusz

Cloud Audit MCP Server


Cloud Audit

@gebalamariusz

Open-source AWS security scanner with Attack Chains, Breach Cost Estimation, and MCP Server. 47 checks across 15 AWS services. Every finding includes copy-paste remediation (CLI + Terraform) and a dollar-risk estimate with verified source. First free standalone AWS security MCP server - Prowler and Wiz require paid SaaS.

Overview


cloud-audit

Find AWS attack chains and get exact fixes.

Open-source CLI scanner that correlates findings into exploitable paths
and generates copy-paste remediation (AWS CLI + Terraform).

Detect exploitable attack paths  -  Get AWS CLI + Terraform fixes  -  Run locally, no SaaS required

[Badges: PyPI version, Python versions, CI, License: MIT, PyPI downloads, Docker, Featured in HelpNet Security, Documentation]

Documentation - Quick Start - CIS AWS v3.0 - SOC 2 - Attack Chains - MCP Server

Quick Start

pip install cloud-audit
cloud-audit scan

Uses your default AWS credentials and region. Try without an AWS account:

cloud-audit demo

What You Get

+------- Health Score -------+
| 42 / 100 | Risk exposure: $725K - $7.3M
+----------------------------+

+---- Attack Chains (3 detected) ------------------------------------+
| CRITICAL Internet-Exposed Admin Instance                           |
|   i-0abc123 - public SG + admin IAM role + IMDSv1                  |
|   Fix: Restrict security group (effort: LOW)                       |
|                                                                    |
| CRITICAL CI/CD to Admin Takeover                                   |
|   github-deploy - OIDC no sub + admin policy                       |
|   Fix: Add sub condition (effort: LOW)                             |
+--------------------------------------------------------------------+

Findings by severity: CRITICAL: 3 HIGH: 8 MEDIUM: 12 LOW: 5

80 checks across 18 AWS services. Every finding includes AWS CLI + Terraform remediation.

[Video: cloud-audit demo]

Watch the 1-minute demo

If cloud-audit helped you find something you missed, consider giving it a star. It helps others discover the project.


Features

Attack Chain Detection

Other scanners give you a flat list of findings. cloud-audit correlates them into attack paths an attacker would actually exploit.

 Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
              aws-vpc-002   aws-ec2-004                          Detected: AC-01, AC-02

Examples from the 20 built-in rules:

Chain                            | What it catches
Internet-Exposed Admin Instance  | Public SG + admin IAM role + IMDSv1 = account takeover
CI/CD to Admin Takeover          | OIDC without sub condition + admin policy = pipeline hijack
SSRF to Credential Theft         | Public instance + IMDSv1 + no VPC flow logs = invisible exfiltration

Based on MITRE ATT&CK Cloud and Datadog pathfinding.cloud. See all 20 rules in the docs.
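The correlation step the README describes, as an added example (this is not cloud-audit's own rule engine): findings are grouped by the resource they were raised on, and a chain rule fires when one resource carries every prerequisite check. The check ids aws-vpc-002 (public security group) and aws-ec2-004 (IMDSv1) and the chain ids AC-01/AC-02 come from the README; the remaining check ids, the finding record shape, the "everything on one resource" matching rule and the `missing_for_chain` helper are assumptions made for this illustration.

```python
"""Added example: correlate flat findings into attack chains.

Not cloud-audit's code. Assumed: the Finding shape, the CHAIN_RULES table
(only aws-vpc-002, aws-ec2-004, AC-01 and AC-02 come from the README), and
the simplification that all prerequisites of a chain sit on one resource.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # e.g. "aws-vpc-002"
    resource: str   # e.g. "i-0abc123"
    severity: str   # LOW / MEDIUM / HIGH / CRITICAL


# A chain fires when a single resource carries every check id in `requires`.
# Check ids other than aws-vpc-002 and aws-ec2-004 are hypothetical.
CHAIN_RULES = {
    "AC-01": {
        "name": "Internet-Exposed Admin Instance",
        "requires": {"aws-vpc-002", "aws-ec2-004", "aws-iam-admin-role"},
        "fix": "Restrict security group",
    },
    "AC-02": {
        "name": "CI/CD to Admin Takeover",
        "requires": {"aws-iam-oidc-no-sub", "aws-iam-admin-policy"},
        "fix": "Add sub condition",
    },
}


def group_by_resource(findings):
    """Map each resource to the set of check ids that failed on it."""
    by_resource = defaultdict(set)
    for finding in findings:
        by_resource[finding.resource].add(finding.check_id)
    return by_resource


def detect_chains(findings):
    """Return sorted (chain_id, resource, chain_name) for every fully satisfied rule."""
    by_resource = group_by_resource(findings)
    chains = []
    for resource, checks in by_resource.items():
        for chain_id, rule in CHAIN_RULES.items():
            if rule["requires"] <= checks:
                chains.append((chain_id, resource, rule["name"]))
    return sorted(chains)


def missing_for_chain(findings, resource, chain_id):
    """Checks that would still have to fail before `resource` completes `chain_id`.

    A resource one finding short of a chain deserves attention before an
    isolated finding of the same severity elsewhere.
    """
    have = group_by_resource(findings).get(resource, set())
    return sorted(CHAIN_RULES[chain_id]["requires"] - have)


# Constructed sample findings (i-0abc123 and github-deploy are the README's
# sample resources; i-0def456 is made up).
SAMPLE = [
    Finding("aws-vpc-002", "i-0abc123", "HIGH"),
    Finding("aws-ec2-004", "i-0abc123", "MEDIUM"),
    Finding("aws-iam-admin-role", "i-0abc123", "HIGH"),
    Finding("aws-vpc-002", "i-0def456", "HIGH"),  # public, but IMDSv2 and no admin role
    Finding("aws-iam-oidc-no-sub", "github-deploy", "HIGH"),
    Finding("aws-iam-admin-policy", "github-deploy", "CRITICAL"),
]


if __name__ == "__main__":
    for chain_id, resource, name in detect_chains(SAMPLE):
        fix = CHAIN_RULES[chain_id]["fix"]
        print(f"CRITICAL {name} ({chain_id}) on {resource}; fix: {fix}")
    print("i-0def456 still lacks:", missing_for_chain(SAMPLE, "i-0def456", "AC-01"))
```

Running the block on the constructed sample reports AC-01 on i-0abc123 and AC-02 on github-deploy, while i-0def456 is flagged as two checks short of AC-01; the same loop shape extends to more rules by adding entries to `CHAIN_RULES`.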

Copy-Paste Remediation

Every finding includes AWS CLI commands, Terraform HCL, and documentation links. Export all fixes as a runnable script:

cloud-audit scan --export-fixes fixes.sh

Scan Diff

Compare scans to track drift. Catches ClickOps changes, manual console edits, and regressions that IaC scanning misses.

cloud-audit diff yesterday.json today.json

Exit code 0 = no new findings, 1 = regression. See daily-scan-with-diff.yml for a CI/CD workflow.
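An added example of the diff logic and exit-code contract described above (this is not cloud-audit's own `diff` command): two scan exports are keyed by (check id, resource), and the result distinguishes new, resolved and escalated findings. The JSON layout, the check ids other than aws-vpc-002 and aws-ec2-004, the resource names other than i-0abc123, and the decision to treat a severity increase on an existing finding as a regression are all assumptions of this example.

```python
"""Added example: compare two scan exports and return 0/1 as the README states.

Not cloud-audit's own implementation. Assumed JSON layout:
{"findings": [{"check_id": ..., "resource": ..., "severity": ...}, ...]}
"""
import json
import sys

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def finding_key(finding):
    """A finding is identified by which check failed on which resource."""
    return (finding["check_id"], finding["resource"])


def diff_scans(old, new):
    """Return new, resolved and escalated finding keys between two scan documents."""
    old_map = {finding_key(f): f for f in old["findings"]}
    new_map = {finding_key(f): f for f in new["findings"]}
    added = sorted(k for k in new_map if k not in old_map)
    resolved = sorted(k for k in old_map if k not in new_map)
    # Assumption: a finding that got worse is a regression even though it is not new.
    escalated = sorted(
        k for k in new_map
        if k in old_map
        and SEVERITY_RANK[new_map[k]["severity"]] > SEVERITY_RANK[old_map[k]["severity"]]
    )
    return {"new": added, "resolved": resolved, "escalated": escalated}


def exit_code(delta):
    """0 = no new findings, 1 = regression (new or escalated finding)."""
    return 1 if delta["new"] or delta["escalated"] else 0


def diff_files(old_path, new_path):
    """Diff two JSON exports on disk (same layout as the constructed samples)."""
    with open(old_path) as fh_old, open(new_path) as fh_new:
        return diff_scans(json.load(fh_old), json.load(fh_new))


# Constructed sample exports. aws-vpc-002, aws-ec2-004 and i-0abc123 come from
# the README; the other check ids and resource names are made up.
YESTERDAY = json.loads("""{"findings": [
  {"check_id": "aws-vpc-002", "resource": "sg-0aaa", "severity": "HIGH"},
  {"check_id": "aws-s3-001", "resource": "bucket-logs", "severity": "MEDIUM"},
  {"check_id": "aws-ec2-004", "resource": "i-0abc123", "severity": "MEDIUM"}
]}""")
TODAY = json.loads("""{"findings": [
  {"check_id": "aws-vpc-002", "resource": "sg-0aaa", "severity": "HIGH"},
  {"check_id": "aws-ec2-004", "resource": "i-0abc123", "severity": "HIGH"},
  {"check_id": "aws-iam-007", "resource": "role/deploy", "severity": "CRITICAL"}
]}""")


if __name__ == "__main__":
    # usage: python diff_example.py yesterday.json today.json (defaults to the samples)
    if len(sys.argv) == 3:
        delta = diff_files(sys.argv[1], sys.argv[2])
    else:
        delta = diff_scans(YESTERDAY, TODAY)
    for kind in ("new", "escalated", "resolved"):
        for check_id, resource in delta[kind]:
            print(f"{kind:>9}: {check_id} on {resource}")
    sys.exit(exit_code(delta))
```

On the constructed samples the script exits 1: one new finding (aws-iam-007 on role/deploy) and one escalation (aws-ec2-004 on i-0abc123 went from MEDIUM to HIGH), with aws-s3-001 on bucket-logs reported as resolved. Keying on (check id, resource) rather than on the finding's position in the file is what makes the diff stable across scans whose ordering differs.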

CIS AWS v3.0 Compliance

Built-in compliance engine with per-control evidence, readiness scoring, and auditor-ready reports.

  • CIS AWS v3.0 - 62 controls, 55 automated (89%)
  • SOC 2 Type II - 43 criteria, 24 automated (56%)

Planned: BSI C5, ISO 27001, HIPAA, NIS2.

Breach Cost Estimation

Every finding includes a dollar-range risk estimate based on published breach data (IBM Cost of a Data Breach 2024, Verizon DBIR, enforcement actions). Attack chains use compound risk multipliers. Every estimate links to its source.

MCP Server for AI Agents

Ask Claude Code, Cursor, or VS Code Copilot to scan your AWS account:

claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp

6 tools: scan_aws, get_findings, get_attack_chains, get_remediation, get_health_score, list_checks. Free and standalone - no SaaS account needed.


How It Compares

Feature                     | Prowler       | Trivy | Checkov | cloud-audit
Checks                      | 576           | 517   | 2500+   | 80
Attack chain detection      | No            | No    | No      | 20 rules
Remediation per finding     | CIS only      | No    | Links   | 100% (CLI + Terraform)
Breach cost estimation      | No            | No    | No      | Per finding + chain
CIS v3.0 compliance engine  | Yes           | No    | No      | 62 controls with evidence
SOC 2 Type II compliance    | No            | No    | No      | 43 criteria with evidence
MCP server (AI agents)      | Paid ($99/mo) | No    | No      | Free, standalone

cloud-audit has fewer checks than Prowler but deeper output per finding: remediation code, attack chain context, cost estimates, and compliance evidence. If you need exhaustive compliance coverage across multiple clouds, Prowler is the better choice. If you need a focused scan that shows how findings combine into real attack paths and tells you exactly how to fix each one, cloud-audit is built for that.

Feature snapshot as of March 2026. Verify against upstream docs for the latest details.


Reports

cloud-audit scan --format html --output report.html # Client-ready HTML
cloud-audit scan --format json --output report.json # Machine-readable
cloud-audit scan --format sarif --output results.sarif # GitHub Code Scanning
cloud-audit scan --format markdown --output report.md # PR comments

Format is auto-detected from file extension.

[Image: cloud-audit HTML report]

Installation

pip install cloud-audit # pip (recommended)
pipx install cloud-audit # pipx (isolated)
docker run ghcr.io/gebalamariusz/cloud-audit scan # Docker

Docker with credentials:

docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan

Usage

cloud-audit scan -R # Show remediation
cloud-audit scan --profile prod --regions eu-central-1 # Specific profile/region
cloud-audit scan --regions all # All enabled regions
cloud-audit scan --min-severity high # Filter by severity
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
cloud-audit scan --quiet # Exit code only (CI/CD)
cloud-audit list-checks # List all checks

Exit code | Meaning
0         | No findings
1         | Findings detected
2         | Scan error

CI/CD

- run: pip install cloud-audit
- run: cloud-audit scan --format sarif --output results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

Ready-to-use workflows: basic scan, daily diff, post-deploy.

AWS Permissions

cloud-audit requires read-only access. Attach the AWS-managed SecurityAudit policy to the role you scan with:

aws iam attach-role-policy --role-name auditor --policy-arn arn:aws:iam::aws:policy/SecurityAudit

cloud-audit never modifies your infrastructure.

What It Checks

80 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, and Account.

Alternatives

  • Prowler - 576+ checks, multi-cloud, full CIS coverage, auto-remediation. The most comprehensive open-source scanner.
  • Trivy - Container, IaC, and cloud scanner. Strong on containers, growing cloud coverage.
  • Steampipe - SQL-based cloud querying. Very flexible.
  • AWS Security Hub - Native AWS service with continuous monitoring. Free 30-day trial.

Documentation

cloud-audit has grown beyond what a single README can cover. The full documentation is at haitmg.pl/cloud-audit and includes:

  • Getting Started - installation, quick start, demo mode
  • Compliance - CIS AWS v3.0 with all 62 controls, planned SOC 2, BSI C5, HIPAA, NIS2
  • Attack Chains - all 20 rules with MITRE ATT&CK references
  • MCP Server - full setup guide for Claude Code, Cursor, VS Code
  • Configuration - config file, env vars, suppressions
  • CI/CD - GitHub Actions, SARIF, pre-commit hooks
  • Reports - HTML, JSON, SARIF, Markdown output formats
  • All 80 Checks - full check reference by service

This README covers the essentials. For compliance framework details, advanced configuration, and per-check documentation, see the full docs.

What's Next

  • SOC 2, BSI C5, HIPAA, NIS2 compliance frameworks
  • Terraform drift detection
  • Root cause grouping

Past releases: CHANGELOG.md

Development

git clone https://github.com/gebalamariusz/cloud-audit.git
cd cloud-audit
pip install -e ".[dev]"
pytest -v # tests
ruff check src/ tests/ # lint
ruff format --check src/ tests/ # format
mypy src/ # type check

See CONTRIBUTING.md for how to add a new check.

License

MIT - Mariusz Gebala / HAIT

Server Config

{
  "mcpServers": {
    "cloud-audit": {
      "command": "uvx",
      "args": [
        "--from",
        "cloud-audit",
        "cloud-audit-mcp"
      ]
    }
  }
}