All Checks
cloud-audit runs 94 checks across 23 AWS services.
By Category
- Security: 85 checks
- Cost: 4 checks
- Reliability: 5 checks
By Service
| Service | Checks | Check IDs |
|---|---|---|
| IAM | 19 | aws-iam-001 through aws-iam-019 |
| CloudWatch | 16 | aws-cw-001 through aws-cw-016 |
| CloudTrail | 8 | aws-ct-001 through aws-ct-008 |
| S3 | 7 | aws-s3-001 through aws-s3-007 |
| EC2 | 6 | aws-ec2-001 through aws-ec2-006 |
| VPC | 6 | aws-vpc-001 through aws-vpc-006 |
| RDS | 4 | aws-rds-001 through aws-rds-004 |
| Lambda | 3 | aws-lambda-001 through aws-lambda-003 |
| SSM | 3 | aws-ssm-001 through aws-ssm-003 |
| ECS | 3 | aws-ecs-001 through aws-ecs-003 |
| SageMaker | 3 | aws-sagemaker-001 through aws-sagemaker-003 |
| GuardDuty | 2 | aws-gd-001, aws-gd-002 |
| Config | 2 | aws-cfg-001, aws-cfg-002 |
| KMS | 2 | aws-kms-001, aws-kms-002 |
| Secrets Manager | 2 | aws-sm-001, aws-sm-002 |
| Bedrock | 2 | aws-bedrock-001, aws-bedrock-002 |
| Backup | 1 | aws-backup-001 |
| Inspector | 1 | aws-inspector-001 |
| WAF | 1 | aws-waf-001 |
| Account | 1 | aws-account-001 |
| EFS | 1 | aws-efs-001 |
| EIP | 1 | aws-eip-001 |
| Security Hub | 1 | aws-sh-001 |
New in v2.0.0
| Check ID | Service | Description |
|---|---|---|
| aws-iam-018 | IAM | IAM privilege escalation paths detected |
| aws-bedrock-001 | Bedrock | Model invocation logging disabled |
| aws-bedrock-002 | Bedrock | Guardrails not configured |
| aws-sagemaker-001 | SageMaker | Notebook instance root access enabled |
| aws-sagemaker-002 | SageMaker | Notebook instance direct internet access |
| aws-sagemaker-003 | SageMaker | Training data encryption disabled |
Design Philosophy
Every check answers one question: would an attacker exploit this?
If not, the check does not exist. cloud-audit optimizes for signal over noise. 94 curated checks that matter are more useful than 500 generic checks that cause alert fatigue.
List Checks via CLI
bash
cloud-audit list-checks
cloud-audit list-checks --categories security