Skip to main content

A free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts.

Project description

aws-audit — the AWS security checklist I run on client accounts

A free, read-only AWS security & cost audit CLI. Point it at an account and it runs the same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized findings report. It only makes Describe/List/Get calls — nothing is ever created, modified, or deleted, and no data leaves your machine.

$ aws-audit

  AWS Security Audit  ·  aws-audit
  Account 123456789012  ·  regions: us-east-1
  ────────────────────────────────────────────────────────────────

   CRITICAL  [IAM-1] Root account MFA  — FAIL
      Root account does NOT have MFA enabled.
      fix: Enable a hardware or virtual MFA device on the root user and stop using root.

   HIGH  [IAM-2] Long-lived IAM access keys  — FAIL
      2 active access key(s) older than 90 days.
      affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
      fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
  ...
  1 fail  ·  3 warn  ·  18 pass

  Want this done for you — and the issues fixed? → https://services.itsdavidg.co

Install

pipx install aws-audit-checklist     # recommended
# or
pip install aws-audit-checklist

Usage

aws-audit                       # uses your default AWS credential chain + region
aws-audit --profile myprofile   # a named profile
aws-audit --all-regions         # run regional checks in every enabled region
aws-audit --markdown report.md  # export a Markdown report
aws-audit --json                # machine-readable output
aws-audit --strict              # exit non-zero if anything FAILs (CI gate)

You only need read-only credentials. A built-in AWS managed policy like SecurityAudit or ReadOnlyAccess is more than enough. Checks you lack permission for are reported as "could-not-check" rather than failing the run.

What it checks (30-point checklist)

Area Examples
Identity (IAM) root MFA, access keys > 90 days, console users without MFA, password policy
Network security groups exposing SSH/RDP to 0.0.0.0/0
Data S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups
Logging multi-region CloudTrail, GuardDuty, AWS Config
Cost signals unattached EBS volumes, unused Elastic IPs

The full human-readable checklist (with the items not yet automated — incident runbooks, multi-AZ, IaC, off-account backups) is here: the 30-point AWS Security Checklist PDF.

Why this exists

I'm David Gomez — I do fractional-CTO work and run AWS security/cost audits. I kept running this same checklist by hand on every account, so I open-sourced the automatable parts. If you want the whole thing done for you — including the manual items and actually fixing what it finds, with a guarantee — that's my AWS Complete Security Audit.

License

MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws_audit_checklist-0.1.0.tar.gz (11.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

aws_audit_checklist-0.1.0-py3-none-any.whl (11.4 kB view details)

Uploaded Python 3

File details

Details for the file aws_audit_checklist-0.1.0.tar.gz.

File metadata

  • Download URL: aws_audit_checklist-0.1.0.tar.gz
  • Upload date:
  • Size: 11.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for aws_audit_checklist-0.1.0.tar.gz
Algorithm Hash digest
SHA256 79db76e299f3eeda0faa072e800ebcf88549b51bee77c0ae7d1406d810bb38cb
MD5 3d95debe32fe37ba75f615555aab7ca5
BLAKE2b-256 71f295d7c91184e8323ed60a3873a1f680deab9d8e0164c59a05bcda2028a68f

See more details on using hashes here.

File details

Details for the file aws_audit_checklist-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for aws_audit_checklist-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6dfdabcd529f9899b0d5122eeb43135dd21f5b3991f73e32e3da8d4d4f303f23
MD5 5c47c70f0f60cde6657c7d73c4b2b048
BLAKE2b-256 8dc7abfd3ce55b9960f2e0ba10f84e551cc24a42fef6204b4507d55190f14e7f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page