
gebalamariusz/cloud-audit

v0.4.0 Breaking

This release includes breaking changes. Platform teams planning an upgrade should review the diff before rolling it out.

✓ No known CVEs patched

Topics

audit aws aws-audit aws-security cis-benchmarks cli cloud-security compliance devops security iam iac infrastructure-security open-source-security python python-cli security-scanner terraform vulnerability-scanning

Affected surfaces

auth rbac deps

Summary

AI summary

Added 15 new AWS checks across Lambda, ECS, SSM, and Secrets Manager.

Full changelog

What's New

15 new checks in this release: 10 in four new AWS service modules (Lambda, ECS, SSM, Secrets Manager) and 5 added to existing modules, bringing the total to 42 curated checks.

New Check Modules

Lambda (3 checks)

  • aws-lambda-001 - Public function URL without authentication (HIGH)
  • aws-lambda-002 - Deprecated/EOL runtime without security patches (MEDIUM)
  • aws-lambda-003 - Potential secrets in environment variables (HIGH)

ECS (3 checks)

  • aws-ecs-001 - Privileged containers with root host access (CRITICAL)
  • aws-ecs-002 - Missing log configuration on containers (HIGH)
  • aws-ecs-003 - ECS Exec enabled in production (MEDIUM)

SSM (2 checks)

  • aws-ssm-001 - Running EC2 instances not managed by Systems Manager (MEDIUM)
  • aws-ssm-002 - Secret-like parameters stored as String instead of SecureString (HIGH)

Secrets Manager (2 checks)

  • aws-sm-001 - Secrets without automatic rotation (MEDIUM)
  • aws-sm-002 - Unused secrets still billed at $0.40/month each (LOW, cost)

Extended Existing Checks

  • aws-iam-005 - Overly permissive IAM policies (Action: *, Resource: *) (CRITICAL)
  • aws-iam-006 - Weak account password policy (CIS 1.8) (MEDIUM)
  • aws-s3-004 - S3 buckets without lifecycle rules (LOW, cost)
  • aws-s3-005 - S3 buckets without access logging (MEDIUM)
  • aws-ec2-004 - EC2 instances with IMDSv1 enabled (HttpTokens not set to required), letting an SSRF bug in a workload steal the instance role's credentials from the metadata endpoint (HIGH)
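
The checks above are listed only by name and severity. As an added illustration, not cloud-audit's own code, the block below writes five of them (two from the new Lambda module, one from SSM, and the IAM wildcard and IMDSv1 checks from the extended modules) as pure functions over dicts shaped like the boto3 responses a scanner would read. Every input is constructed sample data so the file runs offline; the `SECRET_NAME` regex, the `Finding` type, the resource names and the `_as_list` helper are assumptions made here, and the check IDs are reused from the page only as labels.

```python
"""Added example (not cloud-audit's implementation): five checks from the v0.4.0
changelog as pure functions over boto3-shaped dicts. All inputs are constructed."""
import re
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    check_id: str
    severity: str
    resource: str
    detail: str


# Names that suggest a credential (assumed heuristic). Values are never inspected
# or printed, so the scanner's own report does not become one more place a secret leaks.
SECRET_NAME = re.compile(r"(secret|passw(or)?d|token|api_?key|private_?key)", re.I)


def _as_list(value) -> list:
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# aws-lambda-001: AuthType NONE means anyone on the internet can invoke the URL.
# Input shaped like lambda.list_function_url_configs()["FunctionUrlConfigs"].
def check_lambda_public_url(function_name: str, url_configs: list) -> Iterator[Finding]:
    for cfg in url_configs:
        if cfg.get("AuthType") == "NONE":
            yield Finding("aws-lambda-001", "HIGH", function_name,
                          f"function URL {cfg.get('FunctionUrl')} has AuthType NONE")


# aws-lambda-003: input shaped like get_function_configuration()["Environment"]["Variables"].
def check_lambda_env_secrets(function_name: str, variables: dict) -> Iterator[Finding]:
    hits = sorted(k for k in variables if SECRET_NAME.search(k))
    if hits:
        yield Finding("aws-lambda-003", "HIGH", function_name,
                      "secret-like environment variable names: " + ", ".join(hits))


# aws-ssm-002: a String/StringList parameter is not KMS-encrypted and is readable by
# anyone with ssm:GetParameter. Input shaped like ssm.describe_parameters()["Parameters"].
def check_ssm_plaintext_secret(parameters: list) -> Iterator[Finding]:
    for p in parameters:
        if p.get("Type") != "SecureString" and SECRET_NAME.search(p["Name"]):
            yield Finding("aws-ssm-002", "HIGH", p["Name"],
                          f"secret-like parameter stored as {p['Type']}")


# aws-iam-005: an Allow statement with Action:* on Resource:* is full-account admin.
# Input is the decoded "Document" from iam.get_policy_version(). Only the literal "*"
# is matched; treating "iam:*" or NotAction statements as equivalent is left out here.
def check_iam_admin_policy(policy_arn: str, document: dict) -> Iterator[Finding]:
    for i, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            yield Finding("aws-iam-005", "CRITICAL", policy_arn,
                          f"statement {i} allows Action:* on Resource:*")


# aws-ec2-004: IMDSv1 is reachable whenever the endpoint is enabled and HttpTokens is
# not "required"; only "required" forces the session-token PUT that blocks the
# SSRF-to-credential-theft path. Input shaped like ec2.describe_instances() Instances.
def check_imdsv1(instances: list) -> Iterator[Finding]:
    for inst in instances:
        mo = inst.get("MetadataOptions", {})
        if mo.get("HttpEndpoint", "enabled") == "enabled" and mo.get("HttpTokens") != "required":
            yield Finding("aws-ec2-004", "HIGH", inst["InstanceId"],
                          f"HttpTokens={mo.get('HttpTokens', 'optional')}, IMDSv1 reachable")


def run_sample() -> list:
    """Run every check over constructed sample data; returns the findings in order."""
    findings = []
    findings += check_lambda_public_url("order-webhook", [
        {"FunctionUrl": "https://abc123.lambda-url.eu-west-1.on.aws/", "AuthType": "NONE"}])
    findings += check_lambda_public_url("internal-report", [
        {"FunctionUrl": "https://def456.lambda-url.eu-west-1.on.aws/", "AuthType": "AWS_IAM"}])
    findings += check_lambda_env_secrets("order-webhook",
        {"STRIPE_API_KEY": "sk_live_xxx", "LOG_LEVEL": "info", "DB_PASSWORD": "hunter2"})
    findings += check_ssm_plaintext_secret([
        {"Name": "/prod/db/password", "Type": "String"},
        {"Name": "/prod/db/host", "Type": "String"},
        {"Name": "/prod/api/token", "Type": "SecureString"}])
    findings += check_iam_admin_policy("arn:aws:iam::123456789012:policy/ops-admin", {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"},
            {"Effect": "Allow", "Action": ["ec2:*", "*"], "Resource": "*"},
            {"Effect": "Deny", "Action": "*", "Resource": "*"}]})  # Deny is never a finding
    findings += check_imdsv1([
        {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
        {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}}])
    return findings


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.check_id}  {f.resource}: {f.detail}")
```

Keeping the API calls out of the check functions and passing in already-fetched dicts is what makes checks like these cheap to test against fixtures or moto, which matches the changelog's note that the release ships with 96 moto tests. The instance whose metadata endpoint is disabled produces no IMDSv1 finding, since nothing on that host can reach IMDS at all.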

Other

  • Version now reads from package metadata (single source of truth)
  • 96 moto tests, all passing
  • 15 CIS Benchmark controls mapped

Install and run

pip install cloud-audit==0.4.0
cloud-audit scan -R


About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.


Related context

Other breaking changes in this project

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.
