Skip to main content

AWS cost & security audit — runs on your machine, nothing shared

Project description

StackSage

Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.

PyPI version Python 3.10+

StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.

Live demo report · Documentation · Pricing


Install

pip install stacksage

Quick start

Option 1 — local AWS credentials or SSO profile:

stacksage scan
stacksage scan --profile my-sso-profile

Option 2 — assume a cross-account read-only role:

stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly

StackSage opens the HTML report in your browser automatically when the scan completes.


Free tier

Run a full scan on any AWS account at no cost. The free tier shows your top 50 findings ranked by estimated monthly savings.

To unlock all findings, get a license key and set:

export STACKSAGE_LICENSE=your-key
stacksage scan

What it detects

Category Examples
Compute Idle/stopped EC2 instances, EC2 generation upgrade opportunities
Storage Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration
Database Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters
Serverless Overprovisioned Lambda functions, Graviton migration opportunities
S3 Buckets missing lifecycle rules, public buckets, missing encryption, access logging disabled, Intelligent-Tiering not configured
CDN & DNS Unused CloudFront distributions, unused Route53 hosted zones
Network Unused Elastic IPs, idle NAT Gateways, active NAT egress cost estimate, idle load balancers, missing DynamoDB VPC endpoint, missing S3 VPC endpoint
CloudWatch & Logs Log groups missing retention policies, large log groups with no metric filters
Security & IAM Root MFA disabled, root access keys present, weak IAM password policy
Cost Guardrails Missing AWS Budgets, missing Cost Anomaly Detection
Tagging Untagged resources, missing required tags

IAM setup

StackSage requires a read-only IAM policy. Minimum required permissions:

{
  "Effect": "Allow",
  "Action": [
    "ec2:Describe*",
    "rds:Describe*",
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
    "cloudwatch:GetMetricStatistics",
    "ce:GetCostAndUsage",
    "tag:GetResources",
    "pricing:GetProducts"
  ],
  "Resource": "*"
}

→ Full IAM setup guide at stacksageai.com/docs/iam-policy


CLI reference

StackSage has two commands:

Command Requires license? Use case
stacksage scan No Self-serve: run locally or in CI, free tier shows top 50 findings
stacksage audit Yes (STACKSAGE_LICENSE) Licensed: full findings + remediation plan, designed for CI pipelines

stacksage scan (no license needed)

stacksage scan [OPTIONS]

  Scan your AWS account — no license needed.

  Free tier (no STACKSAGE_LICENSE set):
    Full infrastructure scan. Top 50 findings by savings shown in the report.
    Security & posture checks always shown in full.
    Remediation plan not included.

  With license (STACKSAGE_LICENSE env var set):
    All findings visible, remediation plan included.

Options:
  --profile TEXT           AWS profile name (uses default profile if omitted)
  --role-arn TEXT          Assume this read-only IAM role ARN
  --external-id TEXT       ExternalId when assuming a role (optional)
  --regions TEXT           Comma-separated regions to scan (default: all enabled)
  --out DIRECTORY          Output directory (default: reports/)
  --use-cloudwatch         Enable CloudWatch utilization metrics (recommended)
  --use-cost-explorer      Include historical spend from Cost Explorer
  --check-tagging          Flag resources missing required tags
  --cw-days INTEGER        CloudWatch lookback days (default: 14)
  --cw-max-queries INT     Max CloudWatch queries per run (default: 500)
  --no-browser             Do not auto-open the HTML report
  --demo                   Run with synthetic data — no AWS calls needed
  --log-level TEXT         DEBUG|INFO|WARNING|ERROR (default: INFO)
  --quiet                  Suppress progress output
  --help                   Show this message and exit.

stacksage audit (license required)

stacksage audit [OPTIONS]

  Run a full licensed audit (STACKSAGE_LICENSE required).

  Designed for CI/CD pipelines and scheduled audits. All findings visible,
  full remediation plan included. Requires a license key.

Options:
  --profile TEXT          AWS profile name from ~/.aws/credentials or SSO config
  --role-arn TEXT         Assume this read-only IAM role ARN (overrides --profile)
  --external-id TEXT      ExternalId when assuming a role (optional)
  --regions TEXT          Comma-separated regions (default: all enabled)
  --out DIRECTORY         Output directory (default: reports/)
  --format [html|json]    Output format (default: html). Use json for pipelines.
  --use-cloudwatch        Enable CloudWatch utilization metrics
  --use-cost-explorer     Include historical spend from Cost Explorer
  --live                  Shorthand: enables --use-cloudwatch + --use-cost-explorer + --live-pricing
  --live-pricing          Use the AWS Pricing API for EC2 rates (default: static)
  --check-tagging         Flag resources missing required tags
  --cw-days INTEGER       CloudWatch lookback days (default: 14)
  --cw-max-queries INT    Max CloudWatch queries per run (default: 500)
  --demo                  Run with synthetic data — useful for testing the pipeline
  --log-level TEXT        DEBUG|INFO|WARNING|ERROR (default: INFO)
  --quiet                 Suppress progress output (errors only)
  --help                  Show this message and exit.

→ Full CLI reference at stacksageai.com/docs/cli-reference


Configuration (optional)

Create a stacksage.yml in your working directory to customise exclusions, thresholds, and filters:

thresholds:
  idle_cpu_percent: 5.0
  unused_days: 30

exclude:
  tags:
    - key: Environment
      value: production

→ Full configuration guide at stacksageai.com/docs/configuration


Troubleshooting

  • pricing:GetProducts denied — static pricing is used automatically, no action needed
  • Cost Explorer denied — historical spend section is omitted from the report
  • skipped-budget badges in the report — increase --cw-max-queries or narrow --regions

Full troubleshooting guide


Links

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

stacksage-0.8.3.tar.gz (122.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

stacksage-0.8.3-py3-none-any.whl (130.6 kB view details)

Uploaded Python 3

File details

Details for the file stacksage-0.8.3.tar.gz.

File metadata

  • Download URL: stacksage-0.8.3.tar.gz
  • Upload date:
  • Size: 122.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for stacksage-0.8.3.tar.gz
Algorithm Hash digest
SHA256 6bfac62788a318bb769d22d785fd7ddb87e52ebf34949663019a7dbde80c8dfa
MD5 a99d6743ae976d77d7cf62b99a7afc77
BLAKE2b-256 e10c66a0dfd0c5afff266a8bb8229f0ccdc3358d19812b003c6cbc887cb993fc

See more details on using hashes here.

File details

Details for the file stacksage-0.8.3-py3-none-any.whl.

File metadata

  • Download URL: stacksage-0.8.3-py3-none-any.whl
  • Upload date:
  • Size: 130.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for stacksage-0.8.3-py3-none-any.whl
Algorithm Hash digest
SHA256 6a14f7a2341e813dc85789289f6a021186672051840eba67694e381c03a47385
MD5 472426b97951a6dc5d70613ac1414635
BLAKE2b-256 8029b72c0a479bf6709e0eae10a84a9218176bea8aa036f0ce3a8c7628dcadb1

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page