Skip to main content
Glama

Quick Start

pip install cloud-audit
cloud-audit scan          # uses your default AWS credentials and region

No AWS account handy? Run a full sample report offline:

cloud-audit demo

cloud-audit is read-only. It never modifies your infrastructure; SecurityAudit is enough (permissions).

Related MCP server: agent-bom

Example Output

+---- Attack Chains (5 detected) -----------------------------------+
|  CRITICAL  Internet-Exposed Admin Instance                        |
|            i-0abc123 - public SG + admin IAM role + IMDSv1        |
|  CRITICAL  IAM Privilege Escalation via iam:PassRole              |
|            ci-deploy-role - 3-step path to admin                  |
|  CRITICAL  CI/CD to Admin Takeover                                |
|            github-deploy - OIDC without sub + admin policy        |
+-------------------------------------------------------------------+

+---- Remediation Plan ---------------------------------------------+
|  Fix 4 root causes, break 22 attack chains                        |
|  Quick wins (effort LOW, 14 chains):                              |
|    1. Restrict SG ingress on sg-0abc123   -> breaks 8 chains      |
|    2. Add OIDC sub condition              -> breaks 6 chains      |
+-------------------------------------------------------------------+

Preview a fix before you touch anything:

cloud-audit simulate --fix aws-vpc-002
# Score 34 -> 58 (+24)  |  Chains broken 8 of 22  |  Findings resolved 11

What You Get

  • Attack chains // 31 rules correlate individual findings into exploitable paths (MITRE ATT&CK + pathfinding.cloud). docs

  • Root-cause fixes // groups findings by shared cause and ranks them: "fix 4 things, break 22 chains," with a what-if simulate to preview impact. docs

  • IAM privilege escalation // 64 methods across 9 categories, including lateral movement through the AssumeRole graph. docs

  • Blast radius // walk outward from any resource to see what an attacker reaches; export JSON to the live visualizer. docs

  • Proof Mode // scan --verify checks each escalation path against the IAM policy simulator (read-only) and flags the ones the principal can actually perform. docs

  • Data perimeter // resource-policy checks for confused-deputy and cross-org exposure, evaluating condition values (not just their presence). docs

  • AgentCore security // checks for Amazon Bedrock AgentCore AI agents: network mode, MMDSv2, memory encryption, gateway authorizer. docs

  • Threat Feed // 10 detectors for active-abuse patterns from 2025-2026 incidents, each with a primary-source citation. docs

  • Remediation on every finding // copy-paste AWS CLI + reviewable Terraform you apply yourself; security findings also carry a USD breach-cost estimate with sources.

  • Trend & drift // cloud-audit diff catches ClickOps drift between scans; cloud-audit trend tracks posture over time.

Reports

cloud-audit scan --format html  -o report.html    # client-ready
cloud-audit scan --format sarif -o results.sarif  # GitHub Code Scanning
cloud-audit scan --format json  -o report.json    # machine-readable
cloud-audit scan --format markdown -o report.md   # PR comments

CI/CD

- run: pip install cloud-audit
- run: cloud-audit scan --format sarif --output results.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: results.sarif

--quiet exits with a code only: 0 clean, 1 findings, 2 error. Gate on severity with --min-severity high. Ready-made workflows: basic scan, daily diff, post-deploy.

Installation

pip install cloud-audit                              # pip (recommended)
pipx install cloud-audit                             # isolated
docker run ghcr.io/gebalamariusz/cloud-audit scan   # Docker

Docker with credentials:

docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan

AWS Permissions

Read-only. Attach the AWS-managed SecurityAudit policy (covers every check, including IAM escalation analysis):

aws iam attach-role-policy --role-name auditor \
  --policy-arn arn:aws:iam::aws:policy/SecurityAudit

cloud-audit never modifies your infrastructure. simulate runs locally against scan data and makes no AWS calls.

What's Checked

110 checks across 25 AWS services - IAM, S3, EC2, VPC, RDS, KMS, CloudTrail, GuardDuty, Lambda, Secrets Manager, Bedrock, SageMaker, Bedrock AgentCore, DynamoDB, and more. Run cloud-audit list-checks, or see the full check reference.

6 compliance frameworks via scan --compliance <id>: CIS AWS v3.0 and SOC 2 Type II (stable), plus ISO 27001:2022, HIPAA, NIS2, and BSI C5:2020 (beta). docs

MCP server for AI agents - 6 read-only tools (scan_aws, get_findings, get_attack_chains, get_remediation, get_health_score, list_checks):

claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
cloud-audit scan -R                                      # show remediation inline
cloud-audit scan --profile prod --regions eu-central-1   # profile / region
cloud-audit scan --regions all                           # all enabled regions
cloud-audit scan --role-arn arn:aws:iam::...:role/audit  # cross-account
cloud-audit scan --export-fixes fixes.sh                 # export all fixes

Configure defaults in .cloud-audit.yml (regions, min_severity, exclude_checks, time-boxed suppressions). Environment variables (CLOUD_AUDIT_REGIONS, CLOUD_AUDIT_MIN_SEVERITY, ...) override the file; CLI flags override everything. See the configuration guide.

Documentation

Full documentation at haitmg.pl/cloud-audit: getting started, attack chains, IAM escalation, blast radius, Proof Mode, data perimeter, AgentCore, compliance, and the full check reference.

Commercial Support

cloud-audit is free and stays free. If you want a human on the findings, the author offers professional services:

  • Scanner output review (free) - send your cloud-audit / Prowler / Security Hub output, get a short written review of what actually matters and what to fix first

  • AWS security audit - full account audit with a prioritized report and ready-to-apply fixes

  • Remediation support - Terraform and IAM changes, verified against your workloads

  • Palo Alto VM-Series on AWS - architecture and security review (GWLB/TGW, HA, routing)

Details: haitmg.pl/cloud-audit-support or email kontakt@haitmg.pl.

Development

git clone https://github.com/gebalamariusz/cloud-audit.git
cd cloud-audit
pip install -e ".[dev]"
pytest -q && ruff check src/ tests/ && mypy src/

See CONTRIBUTING.md to add a check. Past releases in CHANGELOG.md.

License

MIT - Mariusz Gebala / HAIT

Install Server
A
license - permissive license
A
quality
B
maintenance

Maintenance

Maintainers
2hResponse time
4dRelease cycle
29Releases (12mo)
Commit activity

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/gebalamariusz/cloud-audit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server