
AWS Cost Optimization & Security Audit CLI Tool - Identify cost waste, security vulnerabilities, and compliance issues across 16 core AWS services

Project description

💰 Kosty - AWS Cost Optimization & Security Audit CLI Tool


Scan 30 AWS services. Find cost waste. Detect security gaps. One command.

Quick Start · Key Features · Service Coverage · Documentation


🎯 Quick Start

pip install kosty

# Full audit — cost + security across 30 services
kosty audit --output all

# External attack surface mapping
kosty public-exposure --output console

# IAM privilege escalation detection (21 patterns)
kosty iam check-privilege-escalation --deep

# Organization-wide scan
kosty audit --organization --max-workers 20 --output all

💡 Need expert help? Professional consulting available →


📊 Visual Dashboard


Upload your JSON report to the built-in dashboard for interactive charts, filtering, and cost breakdowns.


🚀 Key Features

🌐 Attack Surface Mapping

Map everything publicly exposed and evaluate protections — ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, and snapshots.

kosty public-exposure --output console

Each finding is classified:

  • 🔴 Exposed & Unprotected — no protections, immediate action
  • 🟡 Exposed & Partially Protected — gaps remain
  • 🟢 Exposed & Protected — all protections verified
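The three-tier classification above, worked through as an added Python example (this is illustrative code, not Kosty's implementation). It assumes a small constructed inventory whose fields loosely mirror `describe_security_groups` and `describe_load_balancers` output; the protection names (`waf_attached`, `imdsv2_required`, and so on) are stand-ins for whatever checks a real scanner runs. A resource counts as exposed only when it has a public network path and an attached security group opens its service port to 0.0.0.0/0 or ::/0; the tier then depends on how many of its expected protections are missing.

```python
from ipaddress import ip_network

# Constructed sample inventory (names and protection keys are illustrative,
# not Kosty's own check names).
SECURITY_GROUPS = {
    "sg-open":   {"ingress": [{"cidr": "0.0.0.0/0", "from": 443, "to": 443},
                              {"cidr": "::/0", "from": 22, "to": 22}]},
    "sg-office": {"ingress": [{"cidr": "203.0.113.0/24", "from": 22, "to": 22}]},
    "sg-db":     {"ingress": [{"cidr": "0.0.0.0/0", "from": 5432, "to": 5432}]},
}

RESOURCES = [
    {"id": "alb-prod", "type": "alb", "scheme": "internet-facing", "port": 443,
     "sg": ["sg-open"],
     "protections": {"waf_attached": True, "https_only": True, "access_logs": True}},
    {"id": "ec2-bastion", "type": "ec2", "public_ip": "198.51.100.7", "port": 22,
     "sg": ["sg-open"],
     "protections": {"imdsv2_required": False, "ssh_source_restricted": False}},
    {"id": "ec2-internal", "type": "ec2", "public_ip": None, "port": 22,
     "sg": ["sg-office"],
     "protections": {"imdsv2_required": True, "ssh_source_restricted": True}},
    {"id": "rds-prod", "type": "rds", "publicly_accessible": True, "port": 5432,
     "sg": ["sg-db"],
     "protections": {"storage_encrypted": True, "sg_source_restricted": False}},
]

LABELS = {"red": "Exposed & Unprotected",
          "yellow": "Exposed & Partially Protected",
          "green": "Exposed & Protected"}


def open_to_world(sg_ids, port):
    """True if any attached security group allows `port` from 0.0.0.0/0 or ::/0."""
    for sg_id in sg_ids:
        for rule in SECURITY_GROUPS[sg_id]["ingress"]:
            world = ip_network(rule["cidr"]).prefixlen == 0
            if world and rule["from"] <= port <= rule["to"]:
                return True
    return False


def is_exposed(res):
    """Exposure needs both a public network path and a world-open service port."""
    reachable = {
        "alb": res.get("scheme") == "internet-facing",
        "ec2": res.get("public_ip") is not None,
        "rds": res.get("publicly_accessible", False),
    }[res["type"]]
    return reachable and open_to_world(res["sg"], res["port"])


def classify(res):
    """None for non-exposed resources, else 'red', 'yellow' or 'green'."""
    if not is_exposed(res):
        return None
    missing = [name for name, ok in res["protections"].items() if not ok]
    if not missing:
        return "green"
    if len(missing) == len(res["protections"]):
        return "red"
    return "yellow"


def public_exposure_report(resources=RESOURCES):
    """Map resource id -> tier, label and missing protections (exposed only)."""
    report = {}
    for res in resources:
        tier = classify(res)
        if tier:
            missing = [n for n, ok in res["protections"].items() if not ok]
            report[res["id"]] = {"tier": tier, "label": LABELS[tier], "missing": missing}
    return report


if __name__ == "__main__":
    for rid, f in public_exposure_report().items():
        print(f"{rid:14} {f['label']:30} missing={f['missing']}")
```

The "partially protected" tier is the one worth reading closely in a real report: `rds-prod` above is encrypted at rest, which does nothing about the fact that its security group accepts connections from anywhere.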

🔐 Security Audit

180+ checks across 30 services. Highlights:

  • IAM Privilege Escalation — detects 21 known escalation patterns with optional --deep confirmation via SimulatePrincipalPolicy
  • WAF Hardening — managed rules, rate limiting, bot control, logging, action mode
  • API Gateway — WAF association, authorization, throttling, TLS 1.2, CloudFront bypass detection, request validation
  • Foundational — CloudTrail, VPC Flow Logs, GuardDuty, AWS Config, KMS key rotation
  • Data Protection — S3 encryption, RDS encryption, ElastiCache encryption, Secrets Manager rotation

kosty iam security-audit --deep
kosty waf audit
kosty apigateway security-audit

💰 Cost Optimization

Real dollar savings for 11 services — not just recommendations, actual monthly amounts:

Finding                           Typical Savings
Stopped EC2 instances             $280/mo per m5.2xlarge
Oversized RDS instances           $700/mo per db.r5.4xlarge
Unused NAT Gateways               $33/mo each
Orphaned EBS volumes              $10/mo per 100GB
Load Balancers with no targets    $16/mo each
Unused secrets                    $0.40/mo each

kosty audit --output json   # generates report with $ amounts
open dashboard/index.html   # visualize savings
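How a cost-waste finding turns into a dollar figure, as an added Python example (not Kosty's code). It covers two of the rows above, orphaned EBS volumes and unused NAT gateways, over a constructed inventory shaped like `describe_volumes`, `describe_nat_gateways` and `describe_route_tables` responses. The prices are assumed us-east-1 on-demand rates and the 730-hour month is the convention that makes $0.045/h come out as roughly $33/mo; the route-table heuristic for "unused" is an assumption of this example, not necessarily the signal Kosty uses.

```python
HOURS_PER_MONTH = 730  # billing convention: $0.045/h * 730 ~= $33/mo

# Assumed us-east-1 on-demand prices; a real scanner should read them from
# the AWS Price List API rather than hard-code them.
NAT_GATEWAY_USD_PER_HOUR = 0.045
EBS_USD_PER_GB_MONTH = {"gp2": 0.10, "gp3": 0.08}

# Constructed sample inventory (only the fields the checks need).
VOLUMES = [
    {"VolumeId": "vol-0a", "VolumeType": "gp2", "Size": 100, "State": "available"},
    {"VolumeId": "vol-0b", "VolumeType": "gp3", "Size": 500, "State": "in-use"},
    {"VolumeId": "vol-0c", "VolumeType": "gp3", "Size": 200, "State": "available"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-01", "State": "available"},
    {"NatGatewayId": "nat-02", "State": "available"},
    {"NatGatewayId": "nat-03", "State": "deleted"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-01",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-01"}]},
    {"RouteTableId": "rtb-02",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]},
]


def orphaned_volumes(volumes):
    """Volumes in state 'available' are attached to nothing but still billed."""
    findings = []
    for v in volumes:
        if v["State"] != "available":
            continue
        rate = EBS_USD_PER_GB_MONTH.get(v["VolumeType"])
        if rate is None:
            continue  # unknown type: a real tool would still report it, without a $ figure
        findings.append({
            "service": "ebs", "resource": v["VolumeId"], "issue": "orphaned volume",
            "detail": f"{v['Size']} GiB {v['VolumeType']}, unattached",
            "monthly_savings": round(v["Size"] * rate, 2),
        })
    return findings


def unused_nat_gateways(nat_gateways, route_tables):
    """Assumed heuristic: an available NAT gateway that no route table points
    at is paying its hourly charge for nothing."""
    referenced = {r["NatGatewayId"]
                  for rt in route_tables for r in rt["Routes"] if r.get("NatGatewayId")}
    return [
        {"service": "nat", "resource": ng["NatGatewayId"], "issue": "unused NAT gateway",
         "detail": "no route table routes through it",
         "monthly_savings": round(NAT_GATEWAY_USD_PER_HOUR * HOURS_PER_MONTH, 2)}
        for ng in nat_gateways
        if ng["State"] == "available" and ng["NatGatewayId"] not in referenced
    ]


def cost_report(volumes=VOLUMES, nat_gateways=NAT_GATEWAYS, route_tables=ROUTE_TABLES):
    """Combine the checks into one JSON-serialisable report with a total."""
    findings = orphaned_volumes(volumes) + unused_nat_gateways(nat_gateways, route_tables)
    total = round(sum(f["monthly_savings"] for f in findings), 2)
    return {"findings": findings, "total_monthly_savings": total}


if __name__ == "__main__":
    import json
    print(json.dumps(cost_report(), indent=2))
```

Keeping every finding as a flat dict with a `monthly_savings` field is what makes the JSON report easy to sum, sort and chart afterwards.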

📊 Service Coverage

30 services, organized by category:

Category      Services                                  Key Checks
Compute       EC2, Lambda                               Oversized, idle, IMDSv1, outdated runtimes
Storage       S3, EBS, Snapshots                        Public access, encryption, lifecycle, object lock
Database      RDS, DynamoDB                             Public DBs, oversized, encryption, backups
Network       EIP, LB, NAT, SG, Route53, VPC            Unused resources, open ports, flow logs
Security      IAM, WAFv2, GuardDuty, KMS                Privilege escalation, MFA, key rotation, threat detection
Management    CloudWatch, Backup, CloudTrail, Config    Logging, audit trail, drift detection
Application   API Gateway                               WAF, auth, throttling, TLS, CloudFront bypass
AI/ML         Bedrock                                   Invocation logging, budget limits
Secrets       Secrets Manager                           Unused secrets, rotation
Messaging     SNS, SQS                                  Encryption at rest and in transit
Cache         ElastiCache                               Encryption at rest and in transit
Certificates  ACM                                       Expiring certificates
Containers    ECS                                       Privileged task definitions
Patch Mgmt    SSM                                       Patch compliance

Full check list per service → docs/SERVICES.md


🔧 Installation

# PyPI (recommended)
pip install kosty

# Docker
docker run --rm -v ~/.aws:/home/nonroot/.aws:ro ghcr.io/kosty-cloud/kosty:latest audit

# From source
git clone https://github.com/kosty-cloud/kosty.git && cd kosty && pip install -e .

⚙️ Configuration

# kosty.yaml
default:
  regions: [us-east-1, eu-west-1]
  max_workers: 20

exclude:
  services: [route53]
  tags:
    - key: "kosty_ignore"
      value: "true"

profiles:
  production:
    role_arn: "arn:aws:iam::123456789012:role/AuditRole"
    regions: [us-east-1]
  staging:
    aws_profile: "staging-profile"
    regions: [eu-west-1]

kosty audit --profile production
kosty audit --profiles --output all    # all profiles in parallel
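How a config like the one above is typically consumed, as an added Python example (not Kosty's own loader): defaults are merged with the chosen profile, the profile decides whether credentials come from an assumed role or a named AWS profile, and exclusions by service and by tag are applied per resource. The config is embedded as the parsed dict form of the YAML above so the example runs without PyYAML; with PyYAML installed, `yaml.safe_load()` on the file gives the same structure. The function names are this example's own.

```python
# Parsed form of the kosty.yaml shown above (embedded so no YAML library is needed).
CONFIG = {
    "default": {"regions": ["us-east-1", "eu-west-1"], "max_workers": 20},
    "exclude": {
        "services": ["route53"],
        "tags": [{"key": "kosty_ignore", "value": "true"}],
    },
    "profiles": {
        "production": {"role_arn": "arn:aws:iam::123456789012:role/AuditRole",
                       "regions": ["us-east-1"]},
        "staging": {"aws_profile": "staging-profile", "regions": ["eu-west-1"]},
    },
}


def resolve_profile(config, name=None):
    """Merge `default` with the named profile (profile keys win) and decide
    how credentials are obtained. name=None means 'use defaults only'."""
    settings = dict(config.get("default", {}))
    if name is not None:
        profile = config.get("profiles", {}).get(name)
        if profile is None:
            raise KeyError(f"unknown profile {name!r}")
        settings.update(profile)
    # Credential source, in order of precedence: explicit role, named profile,
    # otherwise the SDK's default credential chain.
    if "role_arn" in settings:
        settings["credentials"] = ("assume_role", settings["role_arn"])
    elif "aws_profile" in settings:
        settings["credentials"] = ("named_profile", settings["aws_profile"])
    else:
        settings["credentials"] = ("default_chain", None)
    return settings


def all_profiles(config):
    """What a `--profiles` run iterates over: every profile, fully resolved."""
    return [resolve_profile(config, name) for name in config.get("profiles", {})]


def is_excluded(service, tags, config):
    """True if the service is excluded outright, or the resource carries an
    exclusion tag. `tags` uses the AWS shape: a list of {"Key", "Value"}."""
    excl = config.get("exclude", {})
    if service in excl.get("services", []):
        return True
    wanted = {(t["key"], t["value"]) for t in excl.get("tags", [])}
    return any((t.get("Key"), t.get("Value")) in wanted for t in tags)


if __name__ == "__main__":
    for p in all_profiles(CONFIG):
        print(p["credentials"], p["regions"], p["max_workers"])
    print(is_excluded("ec2", [{"Key": "kosty_ignore", "Value": "true"}], CONFIG))
```

Note that `max_workers` is inherited from `default` by both profiles because neither overrides it, while `regions` is narrowed per profile; an audit role ARN in the config only says which role to assume, the caller still needs credentials permitted to assume it.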

Full configuration guide → docs/CONFIGURATION.md


📖 Documentation

Guide                 Description
Full Documentation    Complete user guide
Service Coverage      All 30 services and their checks
CLI Reference         Every command and option
Examples              Detailed usage examples
Configuration         YAML config, profiles, exclusions
Multi-Profile Guide   Parallel multi-customer audits
Release Notes         Version history

🤝 Contributing

  1. Report Issues — Open an issue
  2. Add Services — Follow the pattern in kosty/services/
  3. Star the Repo — Show your support

💼 Professional Services

Free 30-minute assessment to discuss your AWS setup.

📅 Book a call · 📧 yassir@kosty.cloud · 🌐 kosty.cloud


📄 License

MIT License — see LICENSE

💰 Save money. Secure infrastructure. Ship faster.

⭐ Star this repo if Kosty saved you money

Download files


Source Distribution

kosty-1.9.3.tar.gz (2.8 MB)

Built Distribution

kosty-1.9.3-py3-none-any.whl (132.2 kB)

File details

Details for the file kosty-1.9.3.tar.gz.

File metadata

  • Download URL: kosty-1.9.3.tar.gz
  • Size: 2.8 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kosty-1.9.3.tar.gz
Algorithm Hash digest
SHA256 e27fbda960598921635ea2ac65985ebd4228cc555bdf0bda77c857f8e5b7e0c0
MD5 3385114234f6766d9ba021b0dbd63be2
BLAKE2b-256 ca9c0785f01a77289f3a6320b7fd437dead1429539ea39af2b59851680be2d54


File details

Details for the file kosty-1.9.3-py3-none-any.whl.

File metadata

  • Download URL: kosty-1.9.3-py3-none-any.whl
  • Size: 132.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kosty-1.9.3-py3-none-any.whl
Algorithm Hash digest
SHA256 9aaf30210ca5d121bcb47db789dc5035520712340c826d7d812f14d1c9c80409
MD5 88847e5efa6f203e817bec500a3ba3f3
BLAKE2b-256 b796158295ce6160f1456eac833f63897a6cbda001f56b4899ddf975f195bcf4

