gebalamariusz/cloud-audit

v0.9.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

audit, aws, aws-audit, aws-security, cis-benchmarks, cli, cloud-security, compliance, devops, security, iam, iac, infrastructure-security, open-source-security, python, python-cli, security-scanner, terraform, vulnerability-scanning

Affected surfaces

auth rbac

Summary

AI summary

Introduces Attack Chains: 16 correlated attack-path rules that turn flat findings into prioritized narratives.

Full changelog

Attack Chains - the first open-source CLI with compound risk detection

cloud-audit v0.9.0 introduces Attack Chains - 16 rules that correlate individual findings into multi-step attack paths an attacker would actually exploit. Instead of 200 flat findings, see 3-5 exploitable attack chains with clear narratives and priority fixes.

What are Attack Chains?

Other scanners give you a flat list of findings. cloud-audit connects the dots: when your EC2 instance sits behind a public security group AND carries an admin IAM role AND still uses IMDSv1, that is not three separate findings but a single attack path to full account takeover.

Internet --> Public SG --> EC2 Instance --> IMDS (v1) --> Admin Credentials
                                                              |
                                                    Full AWS Account Takeover
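To make the correlation idea concrete, here is an added Python sketch of a finding correlator. It is not cloud-audit's own rule engine: the check ids, the conditions attached to AC-01 and AC-12, and the sample findings are all constructed for this example. It groups flat findings by the resource they affect and emits an attack chain for every rule whose preconditions are all present on one resource, leaving isolated findings separate so the "3-5 chains instead of 200 findings" triage view falls out naturally.

```python
# Added illustration of finding correlation (not cloud-audit's own code).
# Check ids, rule conditions and sample findings are constructed for this
# example; only the rule names AC-01 and AC-12 come from the release notes.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One flat scanner finding, normalized to the resource it affects."""
    check: str      # constructed check id, e.g. "ec2-public-sg"
    resource: str   # instance id or IAM principal ARN the finding is about
    severity: str


@dataclass(frozen=True)
class ChainRule:
    """Compound rule: fires when every required check is present on one resource."""
    rule_id: str
    title: str
    required: frozenset
    narrative: str


@dataclass
class AttackChain:
    rule_id: str
    title: str
    resource: str
    findings: list
    narrative: str


# Two of the release's 16 rules, with assumed (constructed) preconditions.
RULES = (
    ChainRule(
        "AC-01", "Internet-Exposed Admin Instance",
        frozenset({"ec2-public-sg", "ec2-admin-role", "ec2-imds-v1"}),
        "Internet -> public SG -> EC2 -> IMDSv1 -> admin role creds -> account takeover",
    ),
    ChainRule(
        "AC-12", "Admin Without MFA",
        frozenset({"iam-admin-policy", "iam-no-mfa"}),
        "Leaked password -> console login without MFA -> admin access",
    ),
)


def correlate(findings, rules=RULES):
    """Group findings per resource and emit a chain for each rule whose
    required checks are all present on that resource.
    Returns (chains, leftover): leftover = findings that joined no chain."""
    by_resource = defaultdict(dict)
    for f in findings:
        by_resource[f.resource][f.check] = f
    chains, used = [], set()
    for resource, checks in by_resource.items():
        for rule in rules:
            if rule.required.issubset(checks):
                hits = [checks[c] for c in sorted(rule.required)]
                chains.append(AttackChain(rule.rule_id, rule.title, resource,
                                          hits, rule.narrative))
                used.update(hits)
    # Longer chains first: more preconditions met means a more complete path.
    chains.sort(key=lambda c: (-len(c.findings), c.rule_id))
    leftover = [f for f in findings if f not in used]
    return chains, leftover


# Constructed sample: one fully exposed instance, one only partially
# exposed (no chain should fire), and one IAM admin user without MFA.
SAMPLE_FINDINGS = [
    Finding("ec2-public-sg", "i-0aaa", "HIGH"),
    Finding("ec2-admin-role", "i-0aaa", "HIGH"),
    Finding("ec2-imds-v1", "i-0aaa", "MEDIUM"),
    Finding("ec2-public-sg", "i-0bbb", "HIGH"),
    Finding("iam-admin-policy", "arn:aws:iam::123456789012:user/alice", "HIGH"),
    Finding("iam-no-mfa", "arn:aws:iam::123456789012:user/alice", "MEDIUM"),
]


def chain_ids(findings=SAMPLE_FINDINGS):
    """Convenience view: (rule id, resource) for each chain, in priority order."""
    chains, _ = correlate(findings)
    return [(c.rule_id, c.resource) for c in chains]


if __name__ == "__main__":
    chains, leftover = correlate(SAMPLE_FINDINGS)
    for c in chains:
        print(f"{c.rule_id} {c.title} on {c.resource}: {c.narrative}")
    print(f"{len(leftover)} isolated finding(s) left for normal triage")
```

The design choice worth noting is that findings are matched on the resource they are normalized to; a real engine must first resolve relationships (the security group attached to the instance, the role in the instance profile) before the set intersection in `correlate` becomes meaningful, which is where most of the work in a production correlator lives.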

16 attack chain rules across 4 tiers

Tier 1 - Internet Exposure + Privilege (6 rules)

  • AC-01: Internet-Exposed Admin Instance
  • AC-02: SSRF to Credential Theft
  • AC-05: Public Lambda with Admin Access
  • AC-07: CI/CD to Admin Takeover (OIDC)
  • AC-23: CI/CD Data Exfiltration
  • AC-24: CI/CD Lateral Movement

Tier 2 - Missing Controls (6 rules)

  • AC-09: Unmonitored Admin Access
  • AC-10: Completely Blind Admin
  • AC-11: Zero Security Visibility
  • AC-12: Admin Without MFA
  • AC-13: Wide Open and Unmonitored Network
  • AC-14: No Network Security Layers

Tier 3 - Data Protection (1 rule)

  • AC-17: Exposed Database Without Audit Trail

Tier 4 - Container and Secrets (3 rules)

  • AC-19: Container Breakout Path
  • AC-20: Unmonitored Container Access
  • AC-21: Secrets in Plaintext Across Services

Rules based on MITRE ATT&CK Cloud Matrix, Datadog pathfinding.cloud, and AWS CIRT Threat Catalog.

Other changes

  • New check: aws-iam-007 - OIDC trust policy without sub condition (CRITICAL)
  • New check: aws-ec2-006 - EBS default encryption disabled (MEDIUM)
  • Enhanced HTML report: executive summary, priority grouping (Fix Now / Fix This Week / Plan for Sprint), CIS pass/fail indicators, logo
  • Docker Hub: images now published to both ghcr.io/gebalamariusz/cloud-audit and haitmg/cloud-audit
  • 47 checks, 16 attack chains, 246 tests

Install / Upgrade

pip install --upgrade cloud-audit

Or Docker:

docker pull haitmg/cloud-audit:0.9.0
docker pull ghcr.io/gebalamariusz/cloud-audit:0.9.0

Full changelog

See CHANGELOG.md for details.


About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.


Related context

Earlier breaking changes

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.
