A free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts.
Project description
aws-audit — the AWS security checklist I run on client accounts
A free, read-only AWS security & cost audit CLI. Point it at an account and it runs the
same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized
findings report. It only makes Describe/List/Get calls — nothing is ever created,
modified, or deleted, and no data leaves your machine.
$ aws-audit
AWS Security Audit · aws-audit
Account 123456789012 · regions: us-east-1
────────────────────────────────────────────────────────────────
CRITICAL [IAM-1] Root account MFA — FAIL
Root account does NOT have MFA enabled.
fix: Enable a hardware or virtual MFA device on the root user and stop using root.
HIGH [IAM-2] Long-lived IAM access keys — FAIL
2 active access key(s) older than 90 days.
affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
...
1 fail · 3 warn · 18 pass
Want this done for you — and the issues fixed? → https://services.itsdavidg.co
Install
pipx install aws-audit-checklist # recommended
# or
pip install aws-audit-checklist
Usage
aws-audit # uses your default AWS credential chain + region
aws-audit --profile myprofile # a named profile
aws-audit --all-regions # run regional checks in every enabled region
aws-audit --markdown report.md # export a Markdown report
aws-audit --json # machine-readable output
aws-audit --strict # exit non-zero if anything FAILs (CI gate)
You only need read-only credentials. A built-in AWS managed policy like
SecurityAudit or ReadOnlyAccess is more than enough. Checks you lack permission for are
reported as "could-not-check" rather than failing the run.
What it checks (30-point checklist)
| Area | Examples |
|---|---|
| Identity (IAM) | root MFA, access keys > 90 days, console users without MFA, password policy |
| Network | security groups exposing SSH/RDP to 0.0.0.0/0 |
| Data | S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups |
| Logging | multi-region CloudTrail, GuardDuty, AWS Config |
| Cost signals | unattached EBS volumes, unused Elastic IPs |
The full human-readable checklist (with the items not yet automated — incident runbooks, multi-AZ, IaC, off-account backups) is here: the 30-point AWS Security Checklist PDF.
Why this exists
I'm David Gomez — I do fractional-CTO work and run AWS security/cost audits. I kept running this same checklist by hand on every account, so I open-sourced the automatable parts. If you want the whole thing done for you — including the manual items and actually fixing what it finds, with a guarantee — that's my AWS Complete Security Audit.
License
MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file aws_audit_checklist-0.1.0.tar.gz.
File metadata
- Download URL: aws_audit_checklist-0.1.0.tar.gz
- Upload date:
- Size: 11.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
79db76e299f3eeda0faa072e800ebcf88549b51bee77c0ae7d1406d810bb38cb
|
|
| MD5 |
3d95debe32fe37ba75f615555aab7ca5
|
|
| BLAKE2b-256 |
71f295d7c91184e8323ed60a3873a1f680deab9d8e0164c59a05bcda2028a68f
|
File details
Details for the file aws_audit_checklist-0.1.0-py3-none-any.whl.
File metadata
- Download URL: aws_audit_checklist-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6dfdabcd529f9899b0d5122eeb43135dd21f5b3991f73e32e3da8d4d4f303f23
|
|
| MD5 |
5c47c70f0f60cde6657c7d73c4b2b048
|
|
| BLAKE2b-256 |
8dc7abfd3ce55b9960f2e0ba10f84e551cc24a42fef6204b4507d55190f14e7f
|