Cloud Security Scanner: Open-Source AWS Vulnerability Detection Tool
Cloud-audit: A New Open-Source Security Scanner for AWS
A new open-source security scanner, Cloud-audit, has been released on GitHub, providing a fast and efficient way to conduct AWS security audits. Developed by Mariusz Gebala, the Python-based tool offers a unique approach by providing remediation guidance for each identified vulnerability.
Key Features
Cloud-audit runs 45 curated checks across 15 AWS services, including IAM, S3, EC2, and Lambda. Each check is mapped to one of 16 CIS AWS Foundations Benchmark controls, so every finding can be traced back to a recognised control. The checks are distributed by severity as 6 Critical, 13 High, 16 Medium, and 10 Low.
What sets Cloud-audit apart from other scanners is its remediation output. In addition to highlighting infrastructure issues, the tool provides ready-to-run commands in the form of AWS CLI instructions or Terraform code snippets. These commands are accompanied by links to relevant AWS documentation, enabling users to quickly address identified vulnerabilities.
Unique Approach
Gebala deliberately kept the check set narrow, concentrating on carefully selected, high-impact misconfigurations that an attacker could realistically exploit. The project documentation reflects this principle: each check is justified by answering the question “Would an attacker exploit this?” The security checks cover common misconfiguration categories, including root account MFA, IAM policies, S3 bucket access, and security groups.
Additional Features
Cloud-audit also includes cost and reliability checks, such as unattached Elastic IPs, stopped EC2 instances, and S3 buckets without versioning. The tool produces a health score starting at 100, with deductions for Critical, High, Medium, and Low findings. Scores above 80 are considered acceptable, while scores below 50 require immediate attention.
Output Formats and Configuration
The tool supports various output formats, including SARIF for GitHub Code Scanning, Markdown for automated PR comments, and HTML reports for client-facing deliverables. A configuration file allows teams to adjust scan granularity, setting minimum severity thresholds, targeted regions, and check exclusions per project.
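As an added illustration of the finding model described above (this is example code, not Cloud-audit's own), the block below shows a check that emits a ready-to-run AWS CLI remediation, the 100-point health score with the 80/50 bands, and a minimal SARIF 2.1.0 document of the kind GitHub Code Scanning ingests. The deduction weights, the check identifiers, the label for the 50-80 band and the sample inventory are all assumptions, since the article does not state them.

```python
from dataclasses import dataclass
# Assumed deductions per finding; the article gives only the 100 start and the 80/50 thresholds.
WEIGHTS = {"Critical": 15, "High": 8, "Medium": 4, "Low": 1}
# SARIF 2.1.0 result levels that GitHub Code Scanning accepts.
SARIF_LEVEL = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "note"}

@dataclass
class Finding:
    check_id: str         # hypothetical check identifier
    severity: str         # Critical / High / Medium / Low
    resource: str
    remediation_cli: str  # ready-to-run AWS CLI command, as the tool emits

def check_sg_admin_ports(rules):
    """Security groups admitting 0.0.0.0/0 to SSH or RDP (`rules`: constructed ingress list)."""
    return [Finding("SG-ADMIN-OPEN", "High", r["group_id"],
                    f"aws ec2 revoke-security-group-ingress --group-id {r['group_id']} "
                    f"--protocol tcp --port {r['port']} --cidr 0.0.0.0/0")
            for r in rules if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)]

def check_s3_versioning(buckets):
    """Reliability check: buckets without versioning (`buckets`: constructed list)."""
    return [Finding("S3-VERSIONING", "Low", b["name"],
                    f"aws s3api put-bucket-versioning --bucket {b['name']} "
                    "--versioning-configuration Status=Enabled")
            for b in buckets if b.get("versioning") != "Enabled"]

def health_score(findings):
    """Start at 100, deduct per finding by severity, never go below 0."""
    return max(0, 100 - sum(WEIGHTS[f.severity] for f in findings))

def rating(score):
    """Bands from the article; the label for the 50-80 range is an assumption."""
    if score > 80:
        return "acceptable"
    return "immediate attention" if score < 50 else "needs work"

def to_sarif(findings):
    """Minimal SARIF 2.1.0 log for Code Scanning; the remediation rides in the message."""
    results = [{"ruleId": f.check_id, "level": SARIF_LEVEL[f.severity],
                "message": {"text": f"{f.resource}: {f.remediation_cli}"}}
               for f in findings]
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "example-audit"}},
                                          "results": results}]}

# Constructed sample inventory: one open SSH rule, one legitimate HTTPS rule, one unversioned bucket.
SAMPLE_RULES = [{"group_id": "sg-0abc", "port": 22, "cidr": "0.0.0.0/0"},
                {"group_id": "sg-0def", "port": 443, "cidr": "0.0.0.0/0"}]
SAMPLE_BUCKETS = [{"name": "logs-example", "versioning": "Suspended"}]
FINDINGS = check_sg_admin_ports(SAMPLE_RULES) + check_s3_versioning(SAMPLE_BUCKETS)
```

With the sample inventory this yields one High and one Low finding, a score of 91 ("acceptable"), and a SARIF log whose two results carry the levels `error` and `note`.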
Future Plans
Gebala plans to expand the check count to 60, covering additional services such as CloudFront, SNS, and Elasticsearch. A scan diff feature will also be introduced to track remediation progress over time. Other planned additions include a triage mode for generating suppression configurations, Azure support, and Slack notifications for scheduled scans.
Availability
Cloud-audit is available for free on GitHub, offering a valuable resource for security teams seeking to improve their AWS security posture. With its unique remediation guidance and narrow focus on high-impact checks, the tool is an attractive option for teams looking to streamline their security audits.
