cloud-audit
The cloud-audit MCP server enables AI agents to perform AWS security auditing through six tools:
scan_aws— Scan AWS accounts for misconfigurations across 18+ services, detect attack chains, and estimate breach costs. Supports AWS CLI profile, regions, and severity filters.get_findings— Retrieve findings from the latest scan, filterable by severity (critical/high/medium/low) and AWS service prefix. Each finding includes check ID, severity, affected resource, description, and estimated breach cost.get_attack_chains— Fetch correlated findings that form exploitable end-to-end attack paths, each with a narrative, priority fix recommendation, and breach cost estimate.get_remediation— Get copy-paste ready AWS CLI commands and Terraform HCL snippets to fix a specific security check by ID.get_health_score— Retrieve a 0–100 security health score with finding counts by severity, attack chain count, and total estimated risk exposure in USD.list_checks— List all 80 available security checks organized by service/category, no AWS credentials required.
Enables scanning of AWS accounts to detect security vulnerabilities and multi-step attack chains, providing breach cost estimations and remediation guidance via AWS CLI commands and Terraform HCL.
Quick Start
pip install cloud-audit
cloud-audit scanUses your default AWS credentials and region. Try without an AWS account:
cloud-audit demoWhy It's Different
Most scanners give you findings. cloud-audit helps you decide what to fix first.
+---- Attack Chains (5 detected) -----------------------------------+
| CRITICAL Internet-Exposed Admin Instance |
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
| |
| CRITICAL IAM Privilege Escalation via iam:PassRole |
| ci-deploy-role - 3-step path to admin |
| |
| CRITICAL CI/CD to Admin Takeover |
| github-deploy - OIDC no sub + admin policy |
+--------------------------------------------------------------------+
+---- Remediation Plan -------------------------------------------+
| Fix 4 root causes, break 22 attack chains |
| |
| Quick Wins (effort: LOW, chains broken: 14): |
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
| 2. Add OIDC sub condition -> breaks 6 chains |
+--------------------------------------------------------------------+Other tools give you 200 findings sorted by severity. cloud-audit groups them by root cause, shows which single fixes collapse the most attack paths, and lets you simulate the impact before you touch anything:
cloud-audit simulate --fix aws-vpc-002
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 1194 checks across 23 AWS services. Every finding includes copy-paste AWS CLI + Terraform remediation.
What's New in 2.0
Feature | What it does |
IAM Privilege Escalation | 61 escalation methods across 9 categories, including lateral movement detection via AssumeRole graph traversal. PMapper has been dead since 2022 -- this is its open-source replacement, and it covers paths PMapper never did. |
What-If Simulator |
|
Root Cause Grouping | "Fix 4 things, break 22 chains." Groups findings by shared root cause and ranks by impact. |
Security Posture Trend |
|
AI-SPM | First open-source Bedrock + SageMaker scanner. 5 checks, 3 attack chains (model theft, LLMjacking, data poisoning). |
Features
Attack Chain Detection
31 rules correlate individual findings into exploitable attack paths.
Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
aws-vpc-002 aws-ec2-004 Detected: AC-01, AC-02Chain | What it catches |
IAM Privilege Escalation | iam:PassRole + lambda:Create + iam:Attach = 3-step path to admin |
Internet-Exposed Admin | Public SG + admin IAM role + IMDSv1 = account takeover |
CI/CD to Admin Takeover | OIDC without sub condition + admin policy = pipeline hijack |
LLMjacking | Bedrock no logging + no guardrails = undetected model abuse |
Based on MITRE ATT&CK Cloud and pathfinding.cloud. See all 31 rules.
Remediation + Simulator
Every finding includes AWS CLI, Terraform HCL, and docs links. Export all fixes:
cloud-audit scan --export-fixes fixes.shSimulate before applying:
cloud-audit simulate --fix aws-vpc-002
# Score: 34 -> 58 (+24) | Chains broken: 8 of 22 | Findings resolved: 11
cloud-audit simulate --fix aws-vpc-002,aws-ct-001,aws-iam-007
# Score: 34 -> 82 (+48) | Chains broken: 19 of 22Trend Tracking
cloud-audit diff yesterday.json today.json # Catches ClickOps drift
cloud-audit trend # Posture over time6 Compliance Frameworks
CIS AWS v3.0 - 62 controls, 55 automated (89%)
SOC 2 Type II - 43 criteria, 24 automated (56%)
BSI C5:2020
Beta- 134 criteria, 57 automated/partialISO 27001:2022
Beta- 93 controls, 47 automated/partialHIPAA Security Rule
Beta- 47 specs, 29 automated/partialNIS2 Directive
Beta- 43 measures, 33 automated/partial
Breach Cost Estimation
Every finding and chain includes a dollar-range risk estimate based on IBM/Verizon breach data, with source links.
MCP Server for AI Agents
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp6 tools: scan_aws, get_findings, get_attack_chains, get_remediation, get_health_score, list_checks. Free and standalone.
How It Compares
Prowler is the AWS security standard: 572 checks across 83 services, 41 compliance frameworks (CIS, PCI-DSS, HIPAA, SOC2, NIST 800, ISO 27001, GDPR, FedRAMP, NIS2, MITRE ATT&CK and more), 55 auto-remediation fixers, and graph-based attack path analysis in the Prowler App (Cartography + Neo4j). It also covers Azure, GCP, Kubernetes, M365, and 10+ other providers.
cloud-audit is AWS-only and intentionally narrower (94 curated checks). It goes deep where Prowler goes wide: attack chain correlation and IAM escalation detection run in the free CLI with zero infrastructure, every finding ships with reviewable Terraform + AWS CLI remediation, and scan diff / drift tracking is built into the CLI.
Feature | Prowler | cloud-audit |
AWS checks | 572 across 83 services | 94 across 23 services |
Compliance frameworks (AWS) | 41 (CIS, PCI-DSS, HIPAA, SOC2, NIST, ISO 27001, GDPR, FedRAMP, NIS2, ...) | 6 (CIS v3.0, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2) |
Auto-remediation | 55 fixers across 17 AWS services (direct API calls) | 94/94 findings with CLI + Terraform output (reviewable, you apply) |
Attack path / graph analysis | Prowler App (Cartography + graph queries) | CLI-native (31 rules, no infra) |
IAM privilege escalation graph | Prowler App | CLI-native (61 methods + AssumeRole graph) |
What-If remediation simulator | No | Yes |
AI/ML security checks (Bedrock + SageMaker) | ~20 checks | 5 checks + 3 attack chain rules |
Scan diff / drift tracking | Prowler App | Built-in CLI ( |
Breach cost estimates (USD) | No | Per-finding + per-chain |
MCP Server | Free | Free |
Multi-cloud | AWS + 13 others | AWS only |
License | Apache 2.0 | MIT |
Use Prowler for compliance breadth, multi-cloud coverage, and graph-based attack path analysis. Use cloud-audit for fast CLI-native attack chain detection, reviewable Terraform remediation, and CI/CD drift tracking. They are complementary, not competitors - a common setup is Prowler for quarterly compliance evidence plus cloud-audit daily in CI/CD.
Prowler stats verified from github.com/prowler-cloud/prowler (April 2026). cloud-audit snapshot as of v2.0.1.
Reports
cloud-audit scan --format html -o report.html # Client-ready HTML
cloud-audit scan --format json -o report.json # Machine-readable
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
cloud-audit scan --format markdown -o report.md # PR commentsInstallation
pip install cloud-audit # pip (recommended)
pipx install cloud-audit # pipx (isolated)
docker run ghcr.io/gebalamariusz/cloud-audit scan # DockerDocker with credentials:
docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scanUsage
cloud-audit scan -R # Show remediation
cloud-audit scan --profile prod --regions eu-central-1 # Specific profile/region
cloud-audit scan --regions all # All enabled regions
cloud-audit scan --min-severity high # Filter by severity
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # Cross-account
cloud-audit scan --quiet # Exit code only (CI/CD)
cloud-audit simulate --fix aws-vpc-002 # What-If simulator
cloud-audit trend # Posture over time
cloud-audit list-checks # List all checksExit code | Meaning |
0 | No findings |
1 | Findings detected |
2 | Scan error |
Create .cloud-audit.yml in your project root:
provider: aws
regions:
- eu-central-1
- eu-west-1
min_severity: medium
exclude_checks:
- aws-eip-001
suppressions:
- check_id: aws-vpc-001
resource_id: vpc-abc123
reason: "Legacy VPC, migration planned for Q3"
accepted_by: "jane@example.com"
expires: "2026-09-30"
- check_id: "aws-cw-*"
reason: "CloudWatch alarms managed by separate team"
accepted_by: "ops@example.com"Variable | Example |
|
|
|
|
|
|
|
|
Precedence: CLI flags > env vars > config file > defaults.
CI/CD
- run: pip install cloud-audit
- run: cloud-audit scan --format sarif --output results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifReady-to-use workflows: basic scan, daily diff, post-deploy.
AWS Permissions
cloud-audit requires read-only access. Attach SecurityAudit (covers all checks including IAM escalation analysis):
aws iam attach-role-policy --role-name auditor --policy-arn arn:aws:iam::aws:policy/SecurityAuditcloud-audit never modifies your infrastructure. The simulate command runs locally against scan data -- it does not call AWS APIs.
What It Checks
94 checks across IAM, S3, EC2, VPC, RDS, EIP, EFS, CloudTrail, GuardDuty, KMS, CloudWatch, Lambda, ECS, SSM, Secrets Manager, AWS Config, Security Hub, Account, AWS Backup, Amazon Inspector, AWS WAF, Amazon Bedrock, and Amazon SageMaker.
See all 94 checks by service or run cloud-audit list-checks locally.
Documentation
Full docs at haitmg.pl/cloud-audit:
Getting Started - installation, quick start, demo mode
Attack Chains - all 31 rules with MITRE ATT&CK references
IAM Escalation - 61 methods, 9 categories (action-based + lateral AssumeRole graph)
What-If Simulator - simulate remediation impact
Compliance - 6 frameworks: CIS, SOC 2, BSI C5, ISO 27001, HIPAA, NIS2
All 94 Checks - full check reference by service
What's Next
Multi-account scanning (AWS Organizations)
SCP + permission boundary evaluation in IAM escalation
Terraform drift detection
Past releases: CHANGELOG.md
Development
git clone https://github.com/gebalamariusz/cloud-audit.git
cd cloud-audit
pip install -e ".[dev]"
pytest -v # 496 tests
ruff check src/ tests/ # lint
mypy src/ # type checkSee CONTRIBUTING.md for how to add a new check.
License
Maintenance
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/gebalamariusz/cloud-audit'
If you have feedback or need assistance with the MCP directory API, please join our Discord server