cloud-audit
Open-source AWS security scanner. 94 checks across 23 AWS services, 31 attack chain rules, IAM privilege escalation detection (25 methods), What-If remediation simulator, security posture trends, AI-SPM (Bedrock + SageMaker), 6 compliance frameworks, breach cost estimation, and an MCP server for AI agents. Every finding includes a copy-paste fix.
Quick Start
Try without AWS credentials:
Why cloud-audit?
Most AWS security scanners give you a list of findings. cloud-audit goes further:
- Attack Chains - correlates individual findings into exploitable attack paths (31 rules based on MITRE ATT&CK)
- Root Cause Grouping - "fix 4 things, break 22 chains" prioritization
- What-If Simulator - `cloud-audit simulate --fix aws-vpc-002` shows impact before you change anything
- IAM Privilege Escalation - detects 25 escalation methods (PassRole, policy mutation, permission boundary bypass)
- AI-SPM - Bedrock model invocation logging, guardrails, SageMaker notebook security
- Security Trends - `cloud-audit trend` tracks score, chains, and risk over time
- Compliance Engine - maps findings to 6 frameworks (CIS AWS v3.0, SOC 2 + 4 Beta) with per-control evidence
- Breach Cost Estimation - puts dollar amounts on findings based on IBM/Verizon breach data
- 100% Remediation - every finding includes AWS CLI commands and Terraform HCL you can copy-paste
- MCP Server - ask Claude Code or Cursor to scan your AWS account
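To make the "attack chains" and "fix 4 things, break 22 chains" ideas concrete, here is an added example (not cloud-audit's own code) of how findings can be correlated into chains and then ranked by root cause. The findings, check ids, resource links, chain rules and the `prioritize` greedy set-cover routine are all constructed for illustration and do not correspond to cloud-audit's real rule set or identifiers.

```python
"""Attack-chain correlation and root-cause grouping over scanner findings.

Added example, not cloud-audit's own code. Check ids such as "vpc-open-ssh"
are hypothetical stand-ins for scanner checks; the resource graph and chain
rules are constructed so the example runs offline.
"""
from itertools import product

# Constructed findings: finding id -> (resource, check id).
FINDINGS = {
    "f1": ("sg-web", "vpc-open-ssh"),         # security group open to 0.0.0.0/0 on 22
    "f2": ("i-web", "ec2-imdsv1"),            # instance still allows IMDSv1
    "f3": ("role-web", "iam-passrole-star"),  # iam:PassRole on Resource "*"
    "f4": ("role-web", "iam-admin-policy"),   # AdministratorAccess attached
    "f5": ("bucket-logs", "s3-public-read"),
    "f6": ("bucket-logs", "s3-no-encryption"),
    "f7": ("i-db", "ec2-imdsv1"),
    "f8": ("sg-db", "vpc-open-ssh"),
}

# Constructed resource graph: which resources are attached to which.
LINKS = {
    ("sg-web", "i-web"), ("i-web", "role-web"),
    ("sg-db", "i-db"), ("i-db", "role-db"),
}

# Constructed chain rules: an ordered list of check ids. A chain instance is
# one finding per step, where consecutive findings sit on linked resources.
RULES = {
    "public-ssh-to-admin": ["vpc-open-ssh", "ec2-imdsv1", "iam-admin-policy"],
    "public-ssh-to-passrole": ["vpc-open-ssh", "ec2-imdsv1", "iam-passrole-star"],
    "public-data-exposure": ["s3-public-read", "s3-no-encryption"],
}


def linked(a, b, links):
    """Two resources are linked if identical or directly attached."""
    return a == b or (a, b) in links or (b, a) in links


def build_chains(findings, rules, links):
    """Return [(rule_name, (finding ids...))] for every satisfiable rule."""
    chains = []
    for rule_name, steps in rules.items():
        # Candidate findings for each step of the rule.
        candidates = [
            [fid for fid, (_, chk) in findings.items() if chk == step]
            for step in steps
        ]
        for combo in product(*candidates):
            # Every adjacent pair must be on linked resources.
            if all(
                linked(findings[combo[i]][0], findings[combo[i + 1]][0], links)
                for i in range(len(combo) - 1)
            ):
                chains.append((rule_name, combo))
    return chains


def prioritize(chains):
    """Greedy set cover: repeatedly fix the finding that breaks the most
    remaining chains. Returns [(finding id, chains broken)]."""
    remaining = list(chains)
    plan = []
    while remaining:
        counts = {}
        for _, combo in remaining:
            for fid in combo:
                counts[fid] = counts.get(fid, 0) + 1
        # Sorted keys give a deterministic tie-break.
        best = max(sorted(counts), key=counts.get)
        broken = sum(1 for _, combo in remaining if best in combo)
        plan.append((best, broken))
        remaining = [c for c in remaining if best not in c[1]]
    return plan


def summary(findings=FINDINGS, rules=RULES, links=LINKS):
    """'fix N things, break M chains' for the constructed data."""
    chains = build_chains(findings, rules, links)
    plan = prioritize(chains)
    return len(plan), len(chains)


if __name__ == "__main__":
    chains = build_chains(FINDINGS, RULES, LINKS)
    for rule, combo in chains:
        print(rule, "->", " > ".join(combo))
    for fid, n in prioritize(chains):
        print(f"fix {fid}: breaks {n} chain(s)")
    print("fix %d things, break %d chains" % summary())
```

Note that the two `ec2-imdsv1` findings (`f2`, `f7`) only form chains where the surrounding resources are actually attached, which is what distinguishes chain correlation from simply counting which checks failed; the greedy plan then surfaces `f1` (the open security group) as the single fix that breaks both SSH-based chains.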
Who Uses This
- Small teams without a security team - attack chains show you which findings actually matter
- Consultants auditing client accounts - generate a professional report in one command: `cloud-audit scan --format html -o report.html`
- DevOps/SRE running pre-deploy checks - exit codes + SARIF for CI/CD gating
- Teams preparing for compliance audits - 6 frameworks including CIS AWS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, and NIS2