Read-only AWS compliance baseline scanner — 15 checks mapped to SOC 2 criteria, with the Terraform fix for every failure
Project description
vigilai-scan
Find out in 60 seconds why your AWS account would fail an enterprise security review.
15 read-only checks against the controls that SOC 2 auditors, enterprise procurement teams, and security questionnaires actually ask about — each mapped to its SOC 2 criterion, each with a concrete fix.
FAIL LOG-01 A multi-region CloudTrail trail is logging [CRITICAL · SOC2 CC7.2]
FAIL NET-02 No security group opens SSH/RDP to the world [CRITICAL · SOC2 CC6.6]
SG(s) with 0.0.0.0/0 on admin ports: sg-0892…, sg-0b37…
FAIL S3-01 Account-level S3 public access block is on [CRITICAL · SOC2 CC6.6]
...
7 passed · 7 failed · 1 warnings
Run it
pip install vigilai-scan # or: pipx run vigilai-scan
vigilai-scan # uses your default AWS profile
vigilai-scan --profile prod --region us-west-2
vigilai-scan --json > report.json # CI-friendly; exits 1 on any FAIL
Read-only, local, zero telemetry. Every AWS call is a Describe/List/Get. Nothing is modified, nothing leaves your machine. The safest way to run it is with the AWS-managed SecurityAudit policy. Audit the ~700 lines of source yourself — that's the point of it being open.
What it checks
| ID | Check | SOC 2 |
|---|---|---|
| IAM-01 | Root account MFA | CC6.1 |
| IAM-02 | No IAM users with console passwords (SSO roles instead) | CC6.2 |
| IAM-03 | MFA on every human identity | CC6.1 |
| IAM-04 | No access keys older than 90 days | CC6.2 |
| IAM-05 | No AdministratorAccess attached directly to users |
CC6.3 |
| S3-01 | Account-level public access block | CC6.6 |
| S3-02 | Default encryption on every bucket | CC6.1 |
| S3-03 | Per-bucket public access blocks | CC6.6 |
| NET-01 | Default security groups deny all traffic | CC6.6 |
| NET-02 | No SSH/RDP open to 0.0.0.0/0 | CC6.6 |
| NET-03 | VPC flow logs enabled | CC7.3 |
| NET-04 | Peering routes scoped tighter than /24 | CC6.6 |
| KMS-01 | Rotation on customer-managed keys | CC6.1 |
| LOG-01 | Active multi-region CloudTrail | CC7.2 |
| LOG-02 | EBS encryption-by-default | CC6.1 |
The full baseline checklist
The scanner covers what's machine-checkable. The complete ~30-control checklist — including the process controls (access reviews, IR severity levels, vuln SLAs, change management) — is in CHECKLIST.md. It's the engineering half of compliance, free under CC BY 4.0.
The kit
Every failing check above has a ready-to-apply fix — a Terraform module or hardened template, plus the five corporate policies (Access Control, Change Management, Data Classification, Incident Response, Vulnerability Management) that enterprise reviewers ask for, pre-mapped to the code that enforces them.
⚡ Compliance Kit — $349 one-time. Versioned Terraform modules + policies + control-to-code mapping, delivered as a private git repo. Get it here.
🚀 Compliance Sprint — done with you in 14 days. We run the scan, deploy the fixes into your account, customize the policies, and hand you a filled-out security questionnaire answer bank. Book a free scan review.
FAQ
Why not just use Prowler / ScoutSuite? They're excellent and far more exhaustive — hundreds of findings across every service. This is deliberately the opposite: the 15 checks an enterprise security reviewer will actually probe first, with a fix attached to each. Run this to get deal-ready this week; run Prowler when you have a security team.
Will this get me SOC 2 certified? No tool does. This gets your technical controls to the baseline auditors expect, which is most of the engineering work and the part that blocks deals.
License: MIT (scanner), CC BY 4.0 (checklist).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file vigilai_scan-0.1.0.tar.gz.
File metadata
- Download URL: vigilai_scan-0.1.0.tar.gz
- Upload date:
- Size: 14.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e126d0ed800df009c7fb48c254929ab92cc087c4ea012f79d708be679a79600f
|
|
| MD5 |
05d46485a26ef56e9e9d9d3b2bc345e2
|
|
| BLAKE2b-256 |
4232f98f3dbe711f58eb874e3bbd3795362cbb560faa45d3467047f03dc1de6f
|
File details
Details for the file vigilai_scan-0.1.0-py3-none-any.whl.
File metadata
- Download URL: vigilai_scan-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
15a231b4f7bda41de5dd78f17f20848ae9761e5c2c94bb15b6b61f3062fe6563
|
|
| MD5 |
d928fff434cbd1089b64d685e055f3e3
|
|
| BLAKE2b-256 |
f5fe96f2d07f03145c371756cfe3cbb6f98673699d6bff6b9d4f035079da084d
|