Skip to main content

AWS cost & security audit — runs on your machine, nothing shared

Project description

StackSage

Scan your AWS account for cost waste and security gaps — in 5 minutes, nothing leaves your machine.

PyPI version Python 3.10+

StackSage runs entirely on your machine. It connects to your AWS account with read-only credentials, detects cost waste and idle resources, estimates your savings, and generates a detailed HTML report — all locally, nothing shared.

Live demo report · Documentation · Pricing


Install

pip install stacksage

Quick start

Option 1 — local AWS credentials or SSO profile:

stacksage scan
stacksage scan --profile my-sso-profile

Option 2 — assume a cross-account read-only role:

stacksage scan --role-arn arn:aws:iam::123456789012:role/StackSageReadOnly

StackSage opens the HTML report in your browser automatically when the scan completes.


Free tier

Run a full scan on any AWS account at no cost. The free tier shows your top 50 findings ranked by estimated monthly savings.

To unlock all findings, get a license key and set:

export STACKSAGE_LICENSE=your-key
stacksage scan

What it detects

Category Examples
Compute Idle/stopped EC2 instances, EC2 generation upgrade opportunities
Storage Unattached EBS volumes, old/redundant snapshots, gp2→gp3 migration
Database Underutilized RDS instances, idle DynamoDB tables, idle ElastiCache clusters
Serverless Overprovisioned Lambda functions, Graviton migration opportunities
S3 Buckets missing lifecycle rules, public buckets, missing encryption, access logging disabled, Intelligent-Tiering not configured
CDN & DNS Unused CloudFront distributions, unused Route53 hosted zones
Network Unused Elastic IPs, idle NAT Gateways, active NAT egress cost estimate, idle load balancers, missing DynamoDB VPC endpoint, missing S3 VPC endpoint
CloudWatch & Logs Log groups missing retention policies, large log groups with no metric filters
Security & IAM Root MFA disabled, root access keys present, weak IAM password policy
Cost Guardrails Missing AWS Budgets, missing Cost Anomaly Detection
Tagging Untagged resources, missing required tags

IAM setup

StackSage requires a read-only IAM policy. Minimum required permissions:

{
  "Effect": "Allow",
  "Action": [
    "ec2:Describe*",
    "rds:Describe*",
    "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketTagging",
    "cloudwatch:GetMetricStatistics",
    "ce:GetCostAndUsage",
    "tag:GetResources",
    "pricing:GetProducts"
  ],
  "Resource": "*"
}

→ Full IAM setup guide at stacksageai.com/docs/iam-policy


CLI reference

StackSage has two commands:

Command Requires license? Use case
stacksage scan No Self-serve: run locally or in CI, free tier shows top 50 findings
stacksage audit Yes (STACKSAGE_LICENSE) Licensed: full findings + remediation plan, designed for CI pipelines

stacksage scan (no license needed)

stacksage scan [OPTIONS]

  Scan your AWS account — no license needed.

  Free tier (no STACKSAGE_LICENSE set):
    Full infrastructure scan. Top 50 findings by savings shown in the report.
    Security & posture checks always shown in full.
    Remediation plan not included.

  With license (STACKSAGE_LICENSE env var set):
    All findings visible, remediation plan included.

Options:
  --profile TEXT           AWS profile name (uses default profile if omitted)
  --role-arn TEXT          Assume this read-only IAM role ARN
  --external-id TEXT       ExternalId when assuming a role (optional)
  --regions TEXT           Comma-separated regions to scan (default: all enabled)
  --out DIRECTORY          Output directory (default: reports/)
  --use-cloudwatch         Enable CloudWatch utilization metrics (recommended)
  --use-cost-explorer      Include historical spend from Cost Explorer
  --check-tagging          Flag resources missing required tags
  --cw-days INTEGER        CloudWatch lookback days (default: 14)
  --cw-max-queries INT     Max CloudWatch queries per run (default: 500)
  --no-browser             Do not auto-open the HTML report
  --demo                   Run with synthetic data — no AWS calls needed
  --log-level TEXT         DEBUG|INFO|WARNING|ERROR (default: INFO)
  --quiet                  Suppress progress output
  --help                   Show this message and exit.

stacksage audit (license required)

stacksage audit [OPTIONS]

  Run a full licensed audit (STACKSAGE_LICENSE required).

  Designed for CI/CD pipelines and scheduled audits. All findings visible,
  full remediation plan included. Requires a license key.

Options:
  --profile TEXT          AWS profile name from ~/.aws/credentials or SSO config
  --role-arn TEXT         Assume this read-only IAM role ARN (overrides --profile)
  --external-id TEXT      ExternalId when assuming a role (optional)
  --regions TEXT          Comma-separated regions (default: all enabled)
  --out DIRECTORY         Output directory (default: reports/)
  --format [html|json]    Output format (default: html). Use json for pipelines.
  --use-cloudwatch        Enable CloudWatch utilization metrics
  --use-cost-explorer     Include historical spend from Cost Explorer
  --live                  Shorthand: enables --use-cloudwatch + --use-cost-explorer + --live-pricing
  --live-pricing          Use the AWS Pricing API for EC2 rates (default: static)
  --check-tagging         Flag resources missing required tags
  --cw-days INTEGER       CloudWatch lookback days (default: 14)
  --cw-max-queries INT    Max CloudWatch queries per run (default: 500)
  --demo                  Run with synthetic data — useful for testing the pipeline
  --log-level TEXT        DEBUG|INFO|WARNING|ERROR (default: INFO)
  --quiet                 Suppress progress output (errors only)
  --help                  Show this message and exit.

→ Full CLI reference at stacksageai.com/docs/cli-reference


Configuration (optional)

Create a stacksage.yml in your working directory to customise exclusions, thresholds, and filters:

thresholds:
  idle_cpu_percent: 5.0
  unused_days: 30

exclude:
  tags:
    - key: Environment
      value: production

→ Full configuration guide at stacksageai.com/docs/configuration


Troubleshooting

  • pricing:GetProducts denied — static pricing is used automatically, no action needed
  • Cost Explorer denied — historical spend section is omitted from the report
  • skipped-budget badges in the report — increase --cw-max-queries or narrow --regions

Full troubleshooting guide


Links

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

stacksage-0.8.4.tar.gz (124.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

stacksage-0.8.4-py3-none-any.whl (132.8 kB view details)

Uploaded Python 3

File details

Details for the file stacksage-0.8.4.tar.gz.

File metadata

  • Download URL: stacksage-0.8.4.tar.gz
  • Upload date:
  • Size: 124.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for stacksage-0.8.4.tar.gz
Algorithm Hash digest
SHA256 6a31d0cd464f5e0cd6f1b011bb2b30d6af7f1df918fdcc51e62f08c012007b1d
MD5 51ef779d65d673e2d771c5184221a1e3
BLAKE2b-256 229ea61bf3089d47b5338926832ed00cf16d81135aa91172f6976d8cbddd4a71

See more details on using hashes here.

File details

Details for the file stacksage-0.8.4-py3-none-any.whl.

File metadata

  • Download URL: stacksage-0.8.4-py3-none-any.whl
  • Upload date:
  • Size: 132.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.6

File hashes

Hashes for stacksage-0.8.4-py3-none-any.whl
Algorithm Hash digest
SHA256 a0708ba674823b63db5f4485d94f00506284d360c73b45e2a6208fa1578880fa
MD5 a7e36587bb5906e84453fe21cf13604c
BLAKE2b-256 cbc09cecf81c96321f58c168afe958d53508ecfc069a38a75a4589d5b02defc0

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page