gebalamariusz/cloud-audit

v2.0.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

audit aws aws-audit aws-security cis-benchmarks cli cloud-security compliance devops security iam iac infrastructure-security open-source-security python python-cli security-scanner terraform vulnerability-scanning

Affected surfaces

auth rbac

Summary

AI summary

New IAM privilege escalation detection, What-If remediation simulator, root cause grouping, security posture trend tracking, and AI-SPM checks.

Full changelog

What's New in v2.0.0

IAM Privilege Escalation Detection

25 escalation methods across 6 categories. First maintained open-source replacement for PMapper (dead since 2022). Detects PassRole abuse, policy self-mutation, credential access, Lambda code modification, trust policy abuse, and permission boundary bypass.

What-If Remediation Simulator

cloud-audit simulate --fix aws-vpc-002
# Score: 34 -> 58 (+24)  |  Chains broken: 8 of 22  |  Findings resolved: 11

See the impact of a fix before you apply it. No AWS API calls — runs locally on scan data.

Root Cause Grouping

"Fix 4 things, break 22 chains" — groups findings by root cause and ranks by chain-breaking impact. Quick Wins section shows LOW-effort fixes that break CRITICAL chains.
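An added illustration (not cloud-audit's own code) of how the What-If simulator and the root cause grouping described above fit together: findings are grouped by the fix that resolves them, a fix breaks every chain that depends on one of those findings, and Quick Wins are the LOW-effort fixes that break a CRITICAL chain. The scan data, every fix ID other than aws-vpc-002, the effort levels and the severity-weighted score are constructed assumptions for this example.

```python
from collections import namedtuple

EFFORT_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
SEVERITY_WEIGHT = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
Chain = namedtuple("Chain", "name severity requires")  # works only while all `requires` stay open

# Constructed sample scan data. Only aws-vpc-002 appears in the release notes; the
# other fix IDs, finding IDs and effort levels are made up for illustration.
FINDINGS = {  # finding ID -> root-cause fix that resolves it
    "sg-open-ssh": "aws-vpc-002", "sg-open-rdp": "aws-vpc-002",
    "instance-role-admin": "fix-iam-role-scope", "lambda-passrole-wildcard": "fix-iam-passrole",
    "bucket-public-read": "fix-s3-public", "root-mfa-disabled": "fix-root-mfa"}
FIX_EFFORT = {"aws-vpc-002": "LOW", "fix-iam-role-scope": "HIGH", "fix-iam-passrole": "MEDIUM",
              "fix-s3-public": "LOW", "fix-root-mfa": "LOW"}
CHAINS = [Chain("ssh-to-admin-role", "CRITICAL", {"sg-open-ssh", "instance-role-admin"}),
          Chain("rdp-to-admin-role", "CRITICAL", {"sg-open-rdp", "instance-role-admin"}),
          Chain("passrole-escalation", "CRITICAL", {"lambda-passrole-wildcard"}),
          Chain("public-bucket-exfil", "HIGH", {"bucket-public-read"}),
          Chain("root-takeover", "CRITICAL", {"root-mfa-disabled"})]

def health_score(open_chains, all_chains):
    """Assumed scoring: percentage of severity-weighted chains that no longer work."""
    total = sum(SEVERITY_WEIGHT[c.severity] for c in all_chains)
    still_open = sum(SEVERITY_WEIGHT[c.severity] for c in open_chains)
    return round(100 * (1 - still_open / total))

def simulate_fix(fix, findings=FINDINGS, chains=CHAINS):
    """What-if for one fix, computed purely from local scan data (no AWS API calls)."""
    resolved = {fid for fid, cause in findings.items() if cause == fix}
    broken = [c for c in chains if c.requires & resolved]  # losing any link breaks the chain
    still_open = [c for c in chains if not (c.requires & resolved)]
    return {"fix": fix, "effort": FIX_EFFORT[fix], "findings_resolved": len(resolved),
            "chains_broken": len(broken), "chains_total": len(chains),
            "breaks_critical": any(c.severity == "CRITICAL" for c in broken),
            "score_before": health_score(chains, chains), "score_after": health_score(still_open, chains)}

def rank_root_causes(findings=FINDINGS, chains=CHAINS):
    """Group findings by root-cause fix; rank fixes by chains broken, then by effort."""
    results = [simulate_fix(fix, findings, chains) for fix in set(findings.values())]
    return sorted(results, key=lambda r: (-r["chains_broken"], EFFORT_RANK[r["effort"]], r["fix"]))

def quick_wins(findings=FINDINGS, chains=CHAINS):
    """Quick Wins: LOW-effort fixes that break at least one CRITICAL chain, in ranked order."""
    return [r["fix"] for r in rank_root_causes(findings, chains)
            if r["effort"] == "LOW" and r["breaks_critical"]]

if __name__ == "__main__":
    r = simulate_fix("aws-vpc-002")
    print(f"Score: {r['score_before']} -> {r['score_after']}  |  Chains broken: "
          f"{r['chains_broken']} of {r['chains_total']}  |  Findings resolved: {r['findings_resolved']}")
```

Because a chain only needs one of its links removed, a single cheap fix shared by several findings (here the open security group) can outrank a harder fix that resolves fewer findings but touches the same chains.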

Security Posture Trend

cloud-audit trend

Tracks health score, attack chains, and risk exposure over time. History auto-saved after each scan.

AI-SPM (Bedrock + SageMaker)

5 new checks: model invocation logging, guardrails, notebook root access, notebook internet access, endpoint encryption. 3 new attack chains: AI Model Theft, LLMjacking, AI Data Poisoning.

Also

  • Remediation CLI now injects real account ID (no more ACCOUNT_ID placeholders)
  • Terraform snippets completed with IAM roles, S3 buckets, KMS keys
  • Compliance Beta labels (CIS + SOC 2 stable, 4 others beta)
  • Cached get_account_id() (1 STS call instead of 10+)
  • Windows cp1250 Unicode compatibility fix

94 checks | 23 services | 31 attack chains | 496 tests

Full changelog: CHANGELOG.md

About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.

Related context

Earlier breaking changes

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.