Skip to main content

Local-first, read-only AWS audit CLI. Ten audit packs, one command, zero writes.

Project description

Kulshan

Read-only AWS audit CLI.

pip install kulshan
kulshan report

One command. One report. Zero writes to your AWS account.

PyPI License Python

Documentation | IAM Policy | Changelog


What Kulshan does

Ten read-only audit packs in one CLI. Cost anomalies, security posture, waste detection, DR gaps, drift, tag compliance, observability blind spots, quota headroom, and network topology - scored 0-100, exportable as HTML, JSON, SARIF, or CSV.

Reads your Cost Explorer data and your own CUR/Data Export Parquet files in place. No data leaves your machine. No SaaS account. No telemetry. Nothing to opt out of, because nothing exists.


What Kulshan does not do

  • Does not write to AWS. The IAM policy contains only Get, List, and Describe actions.
  • Does not phone home. No telemetry, no update checks, no analytics.
  • Does not require infrastructure. No databases, no containers, no SaaS.
  • Does not hold credentials. Uses the same credential chain as the AWS CLI.

Install

pip install kulshan

Python 3.9+. macOS, Linux, Windows. Optional extras: kulshan[pdf], kulshan[excel], kulshan[pptx], kulshan[mcp], kulshan[slm], or kulshan[all].


Credentials

If aws sts get-caller-identity works, Kulshan works.

aws login
kulshan report

Named profiles, environment variables, and role assumption all work:

kulshan --profile production report
kulshan --role-arn arn:aws:iam::123456789012:role/KulshanAudit report

Run kulshan doctor to verify connectivity and permissions without incurring any cost.


The 10 Audit Packs

Pack What it watches
cost Anomalies (z-score, IQR, MAD), commitment gaps, spend acceleration, forecasts
security IAM, encryption, network exposure, logging, public access, GuardDuty
sweep Orphaned volumes, unused EIPs, idle LBs, detached ENIs, empty repos
dr Backup coverage, single-AZ, single points of failure, missing replication
age EOL runtimes, expiring certs, stale AMIs, outdated engines
drift CloudFormation drift, IaC coverage, severity classification
tag Missing required tags, unattributed spend, key inconsistencies
pulse Alarm gaps, missing metric filters, blind spots
limit Quota headroom, at-limit services, scaling risk
topo CIDR overlaps, route integrity, peering issues, TGW misconfigs
kulshan report                                    # cost only (default, ~$0.15)
kulshan report --packs security,sweep             # specific packs (free APIs)
kulshan report --packs all --regions us-east-1    # full diagnostic

Automatic Environment Isolation

On first run, Kulshan identifies your AWS principal, creates an isolated local environment, and routes all data there. Different identities get separate environments. No flags required.

✓ Created environment readonlyrole-cedar
  Using readonlyrole-cedar · account 1234…5678

When CUR data reveals a payer account, the environment binds to that payer. Multiple identities accessing the same payer can be reconciled into a unified timeline:

kulshan workspace reconcile

Workspaces with multiple connections produce consolidated reports automatically - one scan, all connections, deduplicated findings, per-connection coverage metadata.


CUR / Data Export Investigation

Query your CUR Parquet files locally or from S3. No Athena, no Glue, no data warehouse. DuckDB queries in place.

kulshan cur validate --path ./cur/
kulshan investigate cost --path ./cur/ --month 2024-06
kulshan investigate ec2 --cur ./cur/ --month 2024-06
kulshan investigate cost --s3 s3://bucket/prefix/ --month 2024-06

Top movers by service, account, region, usage type. Period-over-period deltas. Resource-level contributors. Tag coverage. All outputs include provenance, evidence IDs, and human_review_required: true.


MCP Server

Kulshan exposes its findings to MCP-compatible agents (Claude Desktop, Cursor, Kiro, others). Deterministic evidence in, agent reasoning out.

kulshan mcp-serve
{
  "mcpServers": {
    "kulshan": { "command": "kulshan", "args": ["mcp-serve"] }
  }
}

Seven tools: kulshan_doctor, kulshan_report, kulshan_quick_security, kulshan_list_packs, kulshan_cur_validate, kulshan_investigate_ec2, kulshan_investigate_cost.


Output Formats

kulshan report -o report.html           # Self-contained HTML report
kulshan report --format json -o s.json  # Structured, machine-readable
kulshan report --format sarif -o r.sarif # GitHub Security tab
kulshan report --format csv -o f.csv    # Spreadsheet / JIRA import
kulshan convert -i scan.json -o r.html  # Re-render without re-scanning

Account IDs redacted by default. --show-pii for full IDs. Atomic writes prevent partial files.


CI/CD

kulshan report --packs security --format sarif -o results.sarif --yes --no-history

Exit code 1 when critical findings are present - use as a quality gate. SARIF uploads to GitHub Code Scanning. Full GitHub Actions and GitLab CI examples in docs/ci-cd.md.


Trust and Security

Read-only by construction, not read-only by default. There is no cleanup mode to leave off, no write path to enable. The published IAM policy contains zero actions that create, modify, or delete resources.

  • 147 read-only actions, zero write actions. Read every line.
  • Reports stay on your machine
  • No telemetry, no phone-home
  • Open source: Apache 2.0. IAM policy additionally CC BY 4.0.
  • Per-pack least-privilege policies at iam/per-check/
  • Compliance metadata: CIS, SOC 2, NIST 800-53, Well-Architected

Quick Reference

kulshan --version                       # Version
kulshan doctor                          # Check credentials and permissions
kulshan report                          # Cost baseline (default)
kulshan report --quick                  # Skip confirmation
kulshan report -o report.html           # HTML report
kulshan report --packs all --regions us-east-1 --deep  # Full deep scan
kulshan report --perf                   # Show API timing
kulshan history                         # Past scans
kulshan history --direct-only           # Current workspace only
kulshan workspace list                  # All environments
kulshan workspace reconcile             # Link shared-payer environments
kulshan shell                           # Interactive REPL
kulshan convert -i scan.json -o r.html  # Re-render

AWS API Cost

Cost pack: ~$0.15 (CE API at $0.01/request). All other packs use free APIs. Kulshan confirms before making CE calls. Use --yes in CI/CD.


About the Name

Kulshan is the Lummi name for the mountain known colonially as Mt. Baker, meaning "great white watcher." The mountain is visible from Mission, BC and is an active volcano in the Cascade Range. We acknowledge the Lummi and Nooksack peoples as the original namers of this mountain.


Maintained by

Mission FinOps - open-source AWS audit tooling.


License

Apache 2.0. Free and open source forever.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kulshan-0.3.3.tar.gz (307.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kulshan-0.3.3-py3-none-any.whl (396.5 kB view details)

Uploaded Python 3

File details

Details for the file kulshan-0.3.3.tar.gz.

File metadata

  • Download URL: kulshan-0.3.3.tar.gz
  • Upload date:
  • Size: 307.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kulshan-0.3.3.tar.gz
Algorithm Hash digest
SHA256 1b7767d4a0404286e8d82928b601552ad5cf66a3c66bdf78ae2440a7bd6aae5d
MD5 7356c05c27b92c4fce728ce2044c0e96
BLAKE2b-256 59b263e1304f69ccd7a91943f660f0715f209dc88d4ddbe88465f4608e1632f1

See more details on using hashes here.

Provenance

The following attestation bundles were made for kulshan-0.3.3.tar.gz:

Publisher: publish.yml on MissionFinOps/kulshan

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file kulshan-0.3.3-py3-none-any.whl.

File metadata

  • Download URL: kulshan-0.3.3-py3-none-any.whl
  • Upload date:
  • Size: 396.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kulshan-0.3.3-py3-none-any.whl
Algorithm Hash digest
SHA256 55eba7800786c8c6ee10335cb246a506820af0c1b5f6b16f20bdd802ab358c64
MD5 bfa4ffbffea87e302e594e69aa4d2261
BLAKE2b-256 77b6b9c8d8fc803c5bf9c5fab4d90ed55bde7934a2ef991236071b0df58ce568

See more details on using hashes here.

Provenance

The following attestation bundles were made for kulshan-0.3.3-py3-none-any.whl:

Publisher: publish.yml on MissionFinOps/kulshan

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page