cloud-audit
Open-source AWS security scanner. 80 checks, 20 attack chain rules, CIS AWS v3.0 compliance, breach cost estimation, and an MCP server for AI agents. Every finding includes a copy-paste fix.
Quick Start
Try without AWS credentials:
Why cloud-audit?
Most AWS security scanners give you a list of findings. cloud-audit goes further:
- Attack Chains - correlates individual findings into exploitable attack paths (20 rules based on MITRE ATT&CK)
- Compliance Engine - maps findings to CIS AWS v3.0 controls with per-control evidence for auditors
- Breach Cost Estimation - puts dollar amounts on findings based on IBM/Verizon breach data
- 100% Remediation - every finding includes AWS CLI commands and Terraform HCL you can copy-paste
- MCP Server - ask Claude Code or Cursor to scan your AWS account
Who Uses This
- Small teams without a security team - attack chains show you which findings actually matter
- Consultants auditing client accounts - generate a professional report in one command: `cloud-audit scan --format html -o report.html`
- DevOps/SRE running pre-deploy checks - exit codes + SARIF for CI/CD gating
- Teams preparing for compliance audits - CIS AWS v3.0 with 62 controls mapped, SOC 2 and BSI C5 coming soon