Skip to main content

Read-only AWS compliance baseline scanner — 15 checks mapped to SOC 2 criteria, with the Terraform fix for every failure

Project description

vigilai-scan

Find out in 60 seconds why your AWS account would fail an enterprise security review.

15 read-only checks against the controls that SOC 2 auditors, enterprise procurement teams, and security questionnaires actually ask about — each mapped to its SOC 2 criterion, each with a concrete fix.

  FAIL  LOG-01  A multi-region CloudTrail trail is logging      [CRITICAL · SOC2 CC7.2]
  FAIL  NET-02  No security group opens SSH/RDP to the world    [CRITICAL · SOC2 CC6.6]
         SG(s) with 0.0.0.0/0 on admin ports: sg-0892…, sg-0b37…
  FAIL  S3-01   Account-level S3 public access block is on      [CRITICAL · SOC2 CC6.6]
  ...
  7 passed · 7 failed · 1 warnings

Run it

pip install vigilai-scan          # or: pipx run vigilai-scan
vigilai-scan                      # uses your default AWS profile
vigilai-scan --profile prod --region us-west-2
vigilai-scan --json > report.json # CI-friendly; exits 1 on any FAIL

Read-only, local, zero telemetry. Every AWS call is a Describe/List/Get. Nothing is modified, nothing leaves your machine. The safest way to run it is with the AWS-managed SecurityAudit policy. Audit the ~700 lines of source yourself — that's the point of it being open.

What it checks

ID Check SOC 2
IAM-01 Root account MFA CC6.1
IAM-02 No IAM users with console passwords (SSO roles instead) CC6.2
IAM-03 MFA on every human identity CC6.1
IAM-04 No access keys older than 90 days CC6.2
IAM-05 No AdministratorAccess attached directly to users CC6.3
S3-01 Account-level public access block CC6.6
S3-02 Default encryption on every bucket CC6.1
S3-03 Per-bucket public access blocks CC6.6
NET-01 Default security groups deny all traffic CC6.6
NET-02 No SSH/RDP open to 0.0.0.0/0 CC6.6
NET-03 VPC flow logs enabled CC7.3
NET-04 Peering routes scoped tighter than /24 CC6.6
KMS-01 Rotation on customer-managed keys CC6.1
LOG-01 Active multi-region CloudTrail CC7.2
LOG-02 EBS encryption-by-default CC6.1

The full baseline checklist

The scanner covers what's machine-checkable. The complete ~30-control checklist — including the process controls (access reviews, IR severity levels, vuln SLAs, change management) — is in CHECKLIST.md. It's the engineering half of compliance, free under CC BY 4.0.

The kit

Every failing check above has a ready-to-apply fix — a Terraform module or hardened template, plus the five corporate policies (Access Control, Change Management, Data Classification, Incident Response, Vulnerability Management) that enterprise reviewers ask for, pre-mapped to the code that enforces them.

⚡ Compliance Kit — $349 one-time. Versioned Terraform modules + policies + control-to-code mapping, delivered as a private git repo. Get it here.

🚀 Compliance Sprint — done with you in 14 days. We run the scan, deploy the fixes into your account, customize the policies, and hand you a filled-out security questionnaire answer bank. Book a free scan review.

FAQ

Why not just use Prowler / ScoutSuite? They're excellent and far more exhaustive — hundreds of findings across every service. This is deliberately the opposite: the 15 checks an enterprise security reviewer will actually probe first, with a fix attached to each. Run this to get deal-ready this week; run Prowler when you have a security team.

Will this get me SOC 2 certified? No tool does. This gets your technical controls to the baseline auditors expect, which is most of the engineering work and the part that blocks deals.

License: MIT (scanner), CC BY 4.0 (checklist).

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vigilai_scan-0.1.0.tar.gz (14.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

vigilai_scan-0.1.0-py3-none-any.whl (14.9 kB view details)

Uploaded Python 3

File details

Details for the file vigilai_scan-0.1.0.tar.gz.

File metadata

  • Download URL: vigilai_scan-0.1.0.tar.gz
  • Upload date:
  • Size: 14.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for vigilai_scan-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e126d0ed800df009c7fb48c254929ab92cc087c4ea012f79d708be679a79600f
MD5 05d46485a26ef56e9e9d9d3b2bc345e2
BLAKE2b-256 4232f98f3dbe711f58eb874e3bbd3795362cbb560faa45d3467047f03dc1de6f

See more details on using hashes here.

File details

Details for the file vigilai_scan-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: vigilai_scan-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 14.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for vigilai_scan-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 15a231b4f7bda41de5dd78f17f20848ae9761e5c2c94bb15b6b61f3062fe6563
MD5 d928fff434cbd1089b64d685e055f3e3
BLAKE2b-256 f5fe96f2d07f03145c371756cfe3cbb6f98673699d6bff6b9d4f035079da084d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page