Running AWS security audits without a dedicated security team typically means choosing between enterprise platforms with per-check billing and generic open-source scanners that produce findings with no remediation guidance. Cloud-audit, a Python CLI tool published on GitHub by Mariusz Gebala, takes a narrower scope and attaches a fix to every finding it generates.
The tool runs 45 curated checks across 15 AWS services, including IAM, S3, EC2, VPC, RDS, Lambda, ECS, CloudTrail, GuardDuty, KMS, SSM, Secrets Manager, CloudWatch, and AWS Config. Each finding maps to one of 16 CIS AWS Foundations Benchmark controls. Severity distribution across the check set breaks down to 6 Critical, 13 High, 16 Medium, and 10 Low checks.
What the remediation output looks like
Gebala says the remediation output is the main differentiator. “Most AWS scanners highlight infrastructure issues,” he said. “What sets my tool apart from others is that, in addition to pointing out problems, it also provides ready-to-run commands.” Those commands appear as AWS CLI instructions or Terraform code snippets, each accompanied by a link to the relevant AWS documentation. A separate --export-fixes flag writes all remediations to a commented bash script using set -e, designed to be reviewed and selectively uncommented before execution.
The check set was deliberately kept narrow, Gebala explained. He wanted to focus on carefully selected checks across the 15 supported services to avoid the output volume that many scanners produce, concentrating on what potential attackers could exploit. The project documentation reflects the same principle, stating that every check answers one question: “would an attacker exploit this?”
Checks covered and scoring
The security check set covers common misconfiguration categories: root account without MFA, IAM policies with wildcard actions and resources, S3 buckets without public access blocks, security groups open to 0.0.0.0/0 on sensitive ports, publicly accessible RDS instances, CloudTrail with log validation disabled, Lambda function URLs with no authentication, ECS tasks running in privileged mode, and SSM parameters storing secrets as plain strings.
The tool also includes cost and reliability checks, covering items such as unattached Elastic IPs, stopped EC2 instances, single-AZ RDS deployments, and S3 buckets without versioning.
Scan results produce a health score that starts at 100. Each Critical finding deducts 20 points, each High finding 10, each Medium finding 5, and each Low finding 2. The project documentation places scores of 80 and above in the acceptable range, 50 to 79 as needing attention, and below 50 as requiring immediate action.
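To make the scoring and the fix-export format concrete, here is an added example that is not cloud-audit's own code: it implements one of the checks named above (security groups open to 0.0.0.0/0 on sensitive ports) over a constructed DescribeSecurityGroups-style input, attaches a ready-to-run AWS CLI revoke command to each finding, applies the article's deduction table to produce the health score and band, and renders the findings as a commented bash script with set -e in the style described for --export-fixes. The port list, the check id, the Critical/High mapping, and the floor at 0 are assumptions; the article does not specify them.

```python
"""Added example (not cloud-audit's own code): one security-group check, the
article's health-score arithmetic, and an --export-fixes style script.
Input mirrors the EC2 DescribeSecurityGroups shape and is constructed inline;
no AWS calls are made."""
from dataclasses import dataclass

# Assumption: the article does not list which ports it treats as sensitive.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
# Per-severity deductions from a starting score of 100, as stated in the article.
DEDUCTIONS = {"Critical": 20, "High": 10, "Medium": 5, "Low": 2}
REVOKE_DOC = "https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html"


@dataclass
class Finding:
    check_id: str
    severity: str
    resource: str
    description: str
    fix_command: str   # AWS CLI command that removes the offending rule
    doc_url: str


def check_open_security_groups(security_groups):
    """Flag IPv4 ingress rules that expose a sensitive port (or all ports) to 0.0.0.0/0."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":                       # all traffic: rule carries no port fields
                lo, hi, exposed = 0, 65535, ["all ports"]
            elif proto == "tcp":
                lo, hi = perm["FromPort"], perm["ToPort"]
                exposed = [n for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            else:
                continue                            # udp/icmp are out of scope for this check
            if not exposed:
                continue
            for rng in perm.get("IpRanges", []):
                if rng.get("CidrIp") != "0.0.0.0/0":
                    continue
                # A revoke has to match the existing rule exactly, so quote the rule's own range.
                if proto == "-1":
                    fix = (f"aws ec2 revoke-security-group-ingress --group-id {sg['GroupId']} "
                           f"--protocol all --cidr 0.0.0.0/0")
                else:
                    port_arg = str(lo) if lo == hi else f"{lo}-{hi}"
                    fix = (f"aws ec2 revoke-security-group-ingress --group-id {sg['GroupId']} "
                           f"--protocol tcp --port {port_arg} --cidr 0.0.0.0/0")
                findings.append(Finding(
                    check_id="EC2_SG_OPEN_SENSITIVE_PORT",          # hypothetical id
                    severity="Critical" if proto == "-1" else "High",  # assumed mapping
                    resource=sg["GroupId"],
                    description=f"{sg['GroupName']} allows 0.0.0.0/0 to reach {', '.join(exposed)}",
                    fix_command=fix,
                    doc_url=REVOKE_DOC,
                ))
    return findings


def health_score(findings):
    """100 minus the per-severity deductions; the floor at 0 is an assumption."""
    return max(100 - sum(DEDUCTIONS[f.severity] for f in findings), 0)


def score_band(score):
    """Bands as given in the project documentation."""
    if score >= 80:
        return "acceptable"
    if score >= 50:
        return "needs attention"
    return "immediate action"


def export_fixes(findings):
    """Bash script with set -e and every fix commented out, to be reviewed and
    selectively uncommented before it is run."""
    lines = ["#!/usr/bin/env bash", "set -e",
             "# Review each fix and uncomment only the ones you intend to apply.", ""]
    for f in findings:
        lines += [f"# [{f.severity}] {f.check_id} on {f.resource}: {f.description}",
                  f"# Docs: {f.doc_url}", f"# {f.fix_command}", ""]
    return "\n".join(lines)


# Constructed sample input: one clean web rule, one SSH rule open to the world,
# one all-traffic rule on a database group, and a port range that includes SSH.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0db1", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ba5", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    found = check_open_security_groups(SAMPLE_SECURITY_GROUPS)
    score = health_score(found)
    print(f"{len(found)} findings, health score {score} ({score_band(score)})")
    print(export_fixes(found))
```

On the sample input the three findings (one Critical, two High) take the score from 100 to 60, which lands in the "needs attention" band; the exported script keeps every revoke command behind a comment, so running it unedited changes nothing, and set -e stops it at the first failing command once lines are uncommented.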
Output formats and CI/CD integration
Gebala pointed to the range of output formats as a practical consideration for different audiences: SARIF for GitHub Code Scanning, Markdown for automated PR comments, and HTML reports for client-facing deliverables. A configuration file allows teams to adjust scan granularity, setting minimum severity thresholds, targeted regions, and check exclusions per project.
The SARIF output feeds results into the GitHub Security tab. The documented GitHub Actions workflow uses OIDC authentication, generating a short-lived token per workflow run and avoiding the need to store static AWS keys in repository secrets.
Roadmap and download
The author says the codebase includes 168 tests and remains under active development. Planned additions include expanding the check count to 60 with coverage for CloudFront, SNS, SQS, and Elasticsearch, along with a scan diff feature for comparing two reports to track remediation progress over time.
Gebala also plans a triage mode that generates suppression configurations for risks accepted by design, Azure support as a second cloud provider, and Slack notifications for scheduled scans.
Cloud-audit is available for free on GitHub.