GitHub - davidgomezbravo/aws-audit: Free, read-only AWS security audit CLI — the 30-point checklist a fractional CTO runs on client accounts. · GitHub
aws-audit — the AWS security checklist I run on client accounts
A free, read-only AWS security & cost audit CLI. Point it at an account and it runs the same 30-point checklist a fractional CTO uses before a paid audit, then prints a prioritized findings report. It only makes Describe/List/Get calls: nothing is ever created, modified, or deleted, and no data leaves your machine.

```
$ aws-audit
AWS Security Audit · aws-audit
Account 123456789012 · regions: us-east-1
────────────────────────────────────────────────────────────────
CRITICAL [IAM-1] Root account MFA — FAIL
Root account does NOT have MFA enabled.
fix: Enable a hardware or virtual MFA device on the root user and stop using root.

HIGH [IAM-2] Long-lived IAM access keys — FAIL
2 active access key(s) older than 90 days.
affected: deploy-bot:7Q4A (412d), ci-user:9F1C (203d)
fix: Rotate or delete keys older than 90 days; prefer IAM Identity Center (SSO).
...
1 fail · 3 warn · 18 pass
```
Want this done for you — and the issues fixed? → https://services.itsdavidg.co
Install
```
pipx install aws-audit-checklist   # recommended
# or
pip install aws-audit-checklist
```
Usage
```
aws-audit                        # uses your default AWS credential chain + region
aws-audit --profile myprofile    # a named profile
aws-audit --all-regions          # run regional checks in every enabled region
aws-audit --markdown report.md   # export a Markdown report
aws-audit --json                 # machine-readable output
aws-audit --strict               # exit non-zero if anything FAILs (CI gate)
```

You only need read-only credentials. A built-in AWS managed policy such as SecurityAudit or ReadOnlyAccess is more than enough. Checks you lack permission for are reported as "could-not-check" rather than failing the run.
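To make the "read-only, and could-not-check rather than fail" behaviour concrete, here is an added example of what one check in this style looks like, modelled on the IAM-2 finding in the sample report above. It is not the aws-audit project's own code; it assumes boto3 is installed for the live path, and it shortens key ids to their last four characters only to mirror the sample output's format. The decision logic is kept separate from the AWS calls so it runs offline on the constructed sample input at the bottom.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # threshold the README's IAM-2 check uses

@dataclass
class Finding:
    check_id: str
    severity: str
    status: str  # "FAIL", "PASS" or "COULD-NOT-CHECK"
    message: str
    affected: list = field(default_factory=list)

def evaluate_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Pure logic over (user, key_id, status, create_date) tuples; runs offline."""
    stale = []
    for user, key_id, status, created in keys:
        if status != "Active":
            continue  # inactive keys cannot authenticate, so they are not a finding here
        age = (now - created).days
        if age > max_age_days:  # key id shortened to its last 4 chars, as in the README output
            stale.append(f"{user}:{key_id[-4:]} ({age}d)")
    if stale:
        msg = f"{len(stale)} active access key(s) older than {max_age_days} days."
        return Finding("IAM-2", "HIGH", "FAIL", msg, stale)
    return Finding("IAM-2", "HIGH", "PASS", f"No active access keys older than {max_age_days} days.")

def run_access_key_check(session=None):
    """Read-only IAM ListUsers/ListAccessKeys collection (boto3 assumed); AccessDenied -> COULD-NOT-CHECK."""
    import boto3  # imported here so the pure logic above needs no AWS SDK
    from botocore.exceptions import ClientError
    iam = (session or boto3.Session()).client("iam")
    keys = []
    try:
        for page in iam.get_paginator("list_users").paginate():
            for user in page["Users"]:
                meta = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
                keys += [(user["UserName"], k["AccessKeyId"], k["Status"], k["CreateDate"]) for k in meta]
    except ClientError as exc:
        if exc.response["Error"]["Code"] in ("AccessDenied", "AccessDeniedException"):
            return Finding("IAM-2", "HIGH", "COULD-NOT-CHECK", "Missing iam:ListUsers / iam:ListAccessKeys permission.")
        raise  # any other API error is a real failure of the run
    return evaluate_access_keys(keys, datetime.now(timezone.utc))

# Constructed sample input mirroring the README's example report (not real key ids).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ("deploy-bot", "AKIACONSTRUCTED7Q4A", "Active", SAMPLE_NOW - timedelta(days=412)),
    ("ci-user", "AKIACONSTRUCTED9F1C", "Active", SAMPLE_NOW - timedelta(days=203)),
    ("retired", "AKIACONSTRUCTED1111", "Inactive", SAMPLE_NOW - timedelta(days=900)),
]
```

Running `evaluate_access_keys(SAMPLE_KEYS, SAMPLE_NOW)` reproduces the two affected entries from the sample report while ignoring the inactive key; `run_access_key_check()` does the same against a real account with only List calls.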
What it checks (30-point checklist)
| Area | Examples |
|---|---|
| Identity (IAM) | root MFA, access keys > 90 days, console users without MFA, password policy |
| Network | security groups exposing SSH/RDP to 0.0.0.0/0 |
| Data | S3 public buckets & default encryption, EBS encryption-by-default, RDS public/encrypted/backups |
| Logging | multi-region CloudTrail, GuardDuty, AWS Config |
| Cost signals | unattached EBS volumes, unused Elastic IPs |

The full human-readable checklist (with the items not yet automated: incident runbooks, multi-AZ, IaC, off-account backups) is here: the 30-point AWS Security Checklist PDF.
Why this exists
I'm David Gomez. I do fractional-CTO work and run AWS security/cost audits. I kept running this same checklist by hand on every account, so I open-sourced the automatable parts. If you want the whole thing done for you, including the manual items and actually fixing what it finds, with a guarantee, that's my AWS Complete Security Audit.
License
MIT. Use it freely. No warranty — it's a helper, not a substitute for a real review.