Connects Claude to the cloud-audit scanner, which walks AWS environments to find attack chains and IAM privilege escalation paths. You get tools to run full scans, generate blast radius graphs from a seed resource (EC2 instance, IAM role, Lambda, S3 bucket), detect active threat patterns from recent incidents, and simulate fixes before applying them. The blast radius command runs offline against saved scan data and outputs tree, Mermaid, or JSON formats you can drop into the live visualizer. Useful when you're triaging findings and need to answer "what can an attacker reach if this one resource is compromised" or "which fix collapses the most exposure." The threat feed checks for cryptomining, leaked credential scanners, and CVE patterns tied to 2025-2026 campaigns with research references attached.
Find AWS attack paths, IAM escalation routes, and the fixes that matter most.
Open-source, read-only AWS security scanner. It correlates findings into attack chains, ranks fixes by how many chains they break, and ships an AWS CLI + Terraform fix with every finding. No agent, no infrastructure, nothing written to your account.
Quick Start - What You Get - Installation - What's Checked - Documentation
pip install cloud-audit
cloud-audit scan # uses your default AWS credentials and region
No AWS account handy? Run a full sample report offline:
cloud-audit demo
cloud-audit is read-only. It never modifies your infrastructure; SecurityAudit is enough (permissions).
+---- Attack Chains (5 detected) -----------------------------------+
| CRITICAL Internet-Exposed Admin Instance |
| i-0abc123 - public SG + admin IAM role + IMDSv1 |
| CRITICAL IAM Privilege Escalation via iam:PassRole |
| ci-deploy-role - 3-step path to admin |
| CRITICAL CI/CD to Admin Takeover |
| github-deploy - OIDC without sub + admin policy |
+-------------------------------------------------------------------+
+---- Remediation Plan ---------------------------------------------+
| Fix 4 root causes, break 22 attack chains |
| Quick wins (effort LOW, 14 chains): |
| 1. Restrict SG ingress on sg-0abc123 -> breaks 8 chains |
| 2. Add OIDC sub condition -> breaks 6 chains |
+-------------------------------------------------------------------+
Preview a fix before you touch anything:
cloud-audit simulate --fix aws-vpc-002
# Score 34 -> 58 (+24) | Chains broken 8 of 22 | Findings resolved 11
simulate to preview impact. docsscan --verify checks each escalation path against the IAM policy simulator (read-only) and flags the ones the principal can actually perform. docscloud-audit diff catches ClickOps drift between scans; cloud-audit trend tracks posture over time.
Drop a cloud-audit blast-radius --format json export into the open visualizer at
blast-audit.haitmg.pl - everything runs in your browser.
cloud-audit scan --format html -o report.html # client-ready
cloud-audit scan --format sarif -o results.sarif # GitHub Code Scanning
cloud-audit scan --format json -o report.json # machine-readable
cloud-audit scan --format markdown -o report.md # PR comments
- run: pip install cloud-audit
- run: cloud-audit scan --format sarif --output results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
--quiet exits with a code only: 0 clean, 1 findings, 2 error. Gate on severity with --min-severity high. Ready-made workflows: basic scan, daily diff, post-deploy.
pip install cloud-audit # pip (recommended)
pipx install cloud-audit # isolated
docker run ghcr.io/gebalamariusz/cloud-audit scan # Docker
Docker with credentials:
docker run -v ~/.aws:/home/cloudaudit/.aws:ro ghcr.io/gebalamariusz/cloud-audit scan
Read-only. Attach the AWS-managed SecurityAudit policy (covers every check, including IAM escalation analysis):
aws iam attach-role-policy --role-name auditor \
--policy-arn arn:aws:iam::aws:policy/SecurityAudit
cloud-audit never modifies your infrastructure. simulate runs locally against scan data and makes no AWS calls.
110 checks across 25 AWS services - IAM, S3, EC2, VPC, RDS, KMS, CloudTrail, GuardDuty, Lambda, Secrets Manager, Bedrock, SageMaker, Bedrock AgentCore, DynamoDB, and more. Run cloud-audit list-checks, or see the full check reference.
6 compliance frameworks via scan --compliance <id>: CIS AWS v3.0 and SOC 2 Type II (stable), plus ISO 27001:2022, HIPAA, NIS2, and BSI C5:2020 (beta). docs
MCP server for AI agents - 6 read-only tools (scan_aws, get_findings, get_attack_chains, get_remediation, get_health_score, list_checks):
claude mcp add cloud-audit -- uvx --from cloud-audit cloud-audit-mcp
cloud-audit scan -R # show remediation inline
cloud-audit scan --profile prod --regions eu-central-1 # profile / region
cloud-audit scan --regions all # all enabled regions
cloud-audit scan --role-arn arn:aws:iam::...:role/audit # cross-account
cloud-audit scan --export-fixes fixes.sh # export all fixes
Configure defaults in .cloud-audit.yml (regions, min_severity, exclude_checks, time-boxed suppressions). Environment variables (CLOUD_AUDIT_REGIONS, CLOUD_AUDIT_MIN_SEVERITY, ...) override the file; CLI flags override everything. See the configuration guide.
Full documentation at haitmg.pl/cloud-audit: getting started, attack chains, IAM escalation, blast radius, Proof Mode, data perimeter, AgentCore, compliance, and the full check reference.
cloud-audit is free and stays free. If you want a human on the findings, the author offers professional services:
Details: haitmg.pl/cloud-audit-support or email kontakt@haitmg.pl.
git clone https://github.com/gebalamariusz/cloud-audit.git
cd cloud-audit
pip install -e ".[dev]"
pytest -q && ruff check src/ tests/ && mypy src/
See CONTRIBUTING.md to add a check. Past releases in CHANGELOG.md.
silenceper/mcp-k8s
azure/containerization-assist
io.github.evozim/aws-builder
reza-gholizade/k8s-mcp-server
flux159/mcp-server-kubernetes