
Cloud-Audit

Overview

Cloud-Audit is a Python-based command-line tool for comprehensive cloud security auditing across AWS, Azure, and Google Cloud Platform (GCP). It scans cloud infrastructure configurations against security best practices, generates detailed findings with severity ratings, and provides actionable remediation recommendations.

Created by Mariusz Gebala, Cloud-Audit enables security teams and DevOps engineers to identify misconfigurations, compliance violations, and security gaps across multi-cloud environments. It produces human-readable and machine-parseable reports suitable for compliance documentation and continuous security monitoring.

Release: 2026
Language: Python 3.8+
License: Open Source

Installation

Prerequisites

  • Python 3.8+
  • pip or Poetry
  • AWS/Azure/GCP credentials configured locally
  • Cloud CLI tools (optional): aws-cli, az-cli, gcloud

Install via pip

# Install from PyPI
pip install cloud-audit

# Verify installation
cloud-audit --version

Install from Source

# Clone repository
git clone https://github.com/mariuszgebala/cloud-audit.git
cd cloud-audit

# Install with Poetry
poetry install

# Or with pip
pip install -e .

# Verify
poetry run cloud-audit --version
# Or
python -m cloud_audit --version

Docker Installation

# Pull Docker image
docker pull cloud-audit:latest

# Run audit in container
docker run --rm \
  -v ~/.aws:/root/.aws \
  -v ~/.azure:/root/.azure \
  -v ~/.config/gcloud:/root/.config/gcloud \
  cloud-audit:latest audit aws --format json

Configuration

Environment Setup

# AWS credentials (multiple methods)
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"

# Azure credentials
export AZURE_SUBSCRIPTION_ID="12345678-1234-1234-1234-123456789012"
export AZURE_CLIENT_ID="client_id"
export AZURE_CLIENT_SECRET="client_secret"
export AZURE_TENANT_ID="tenant_id"

# GCP credentials
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GCP_PROJECT_ID="my-project-id"

Config File

# ~/.cloud-audit/config.yaml
---
global:
  output_format: json
  severity_threshold: medium
  timeout: 300
  parallel_checks: 4

providers:
  aws:
    regions:
      - us-east-1
      - us-west-2
      - eu-west-1
    check_compliance: true
    compliance_frameworks:
      - cis
      - pci-dss
  
  azure:
    subscriptions: all
    resource_groups: all
  
  gcp:
    projects:
      - project-1
      - project-2
    include_inactive: false

severity_levels:
  critical: alert
  high: warn
  medium: info
  low: debug

Core Commands

Command                   Purpose                   Example
cloud-audit audit         Run audit scan            cloud-audit audit aws
cloud-audit audit aws     AWS-specific audit        cloud-audit audit aws --region us-east-1
cloud-audit audit azure   Azure-specific audit      cloud-audit audit azure --subscription all
cloud-audit audit gcp     GCP-specific audit        cloud-audit audit gcp --project my-project
cloud-audit list-checks   List available checks     cloud-audit list-checks aws
cloud-audit export        Export findings           cloud-audit export report.json
cloud-audit remediate     Apply fixes (dry-run)     cloud-audit remediate --dry-run
cloud-audit compare       Compare scan results      cloud-audit compare scan1.json scan2.json
cloud-audit config        Show configuration        cloud-audit config show

AWS Auditing

Basic AWS Audit

# Scan all AWS resources
cloud-audit audit aws

# Scan specific region
cloud-audit audit aws --region us-east-1

# Scan multiple regions
cloud-audit audit aws --regions us-east-1,us-west-2,eu-west-1

# Scan specific service
cloud-audit audit aws --service ec2

# Scan with specific profile
cloud-audit audit aws --profile production

AWS Compliance Checks

# CIS AWS Foundations Benchmark
cloud-audit audit aws --compliance cis

# PCI-DSS compliance
cloud-audit audit aws --compliance pci-dss

# HIPAA compliance
cloud-audit audit aws --compliance hipaa

# SOC 2 compliance
cloud-audit audit aws --compliance soc2

# Custom framework
cloud-audit audit aws --custom-framework ~/frameworks/custom.json

AWS-Specific Audits

# EC2 security audit
cloud-audit audit aws --service ec2 --checks security-groups,iam-roles,ebs-encryption

# S3 bucket audit
cloud-audit audit aws --service s3 --checks bucket-versioning,public-access,encryption,logging

# IAM audit
cloud-audit audit aws --service iam --checks policy-review,access-keys,mfa,root-account

# Network audit
cloud-audit audit aws --service vpc --checks nacls,security-groups,vpn,nat-gateway

# Database audit
cloud-audit audit aws --service rds,dynamodb --checks encryption,backup,multi-az,public-access

AWS Output Examples

# JSON output
cloud-audit audit aws --format json --output report.json

# HTML report
cloud-audit audit aws --format html --output report.html

# CSV for spreadsheets
cloud-audit audit aws --format csv --output findings.csv

# SARIF for SIEM integration
cloud-audit audit aws --format sarif --output findings.sarif

# Markdown for documentation
cloud-audit audit aws --format markdown --output AUDIT_REPORT.md

Azure Auditing

Basic Azure Audit

# Scan all Azure subscriptions
cloud-audit audit azure

# Scan specific subscription
cloud-audit audit azure --subscription my-subscription-id

# Scan specific resource group
cloud-audit audit azure --resource-group my-rg

# Scan multiple subscriptions
cloud-audit audit azure --subscriptions sub1,sub2,sub3

# Scan specific service
cloud-audit audit azure --service virtual-machines

Azure Compliance Checks

# Azure CIS Benchmark
cloud-audit audit azure --compliance azure-cis

# Microsoft Cloud Security Benchmark
cloud-audit audit azure --compliance mcsb

# PCI-DSS on Azure
cloud-audit audit azure --compliance pci-dss

# NIST 800-53
cloud-audit audit azure --compliance nist-800-53

Azure Resource Audits

# Virtual Machines audit
cloud-audit audit azure --service virtual-machines \
  --checks updates,encryption,network-config,antimalware

# Storage Accounts audit
cloud-audit audit azure --service storage \
  --checks access-tier,encryption,firewall,public-access

# SQL Databases audit
cloud-audit audit azure --service sql \
  --checks tde,audit-logging,firewall,access-control

# Key Vaults audit
cloud-audit audit azure --service keyvault \
  --checks soft-delete,purge-protection,access-policies

GCP Auditing

Basic GCP Audit

# Scan current GCP project
cloud-audit audit gcp

# Scan specific project
cloud-audit audit gcp --project my-project-id

# Scan multiple projects
cloud-audit audit gcp --projects proj1,proj2,proj3

# Scan specific service
cloud-audit audit gcp --service compute

# Scan with organization
cloud-audit audit gcp --organization my-org-id

GCP Compliance Checks

# Google Cloud CIS Benchmark
cloud-audit audit gcp --compliance gcp-cis

# NIST 800-53 on GCP
cloud-audit audit gcp --compliance nist-800-53

# PCI-DSS on GCP
cloud-audit audit gcp --compliance pci-dss

# SOC 2 on GCP
cloud-audit audit gcp --compliance soc2

GCP Resource Audits

# Compute Engine audit
cloud-audit audit gcp --service compute \
  --checks os-login,shielded-vm,encryption,firewall

# Cloud Storage audit
cloud-audit audit gcp --service storage \
  --checks versioning,encryption,access-logs,public-access

# Cloud SQL audit
cloud-audit audit gcp --service cloudsql \
  --checks backups,ssl,public-ip,audit-logging

# IAM audit
cloud-audit audit gcp --service iam \
  --checks service-accounts,key-rotation,primitive-roles

Report Generation

Basic Reporting

# Generate JSON report with metadata
cloud-audit audit aws \
  --output aws_audit_$(date +%Y%m%d).json \
  --format json \
  --include-metadata \
  --include-remediation

# Create HTML executive summary
cloud-audit audit aws \
  --output report.html \
  --format html \
  --template executive-summary

Detailed Report Examples

# Critical findings only
cloud-audit audit aws \
  --severity critical \
  --format markdown \
  --output critical_findings.md

# Compliance-focused report
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output pci-dss-audit-report.pdf

# Remediation-focused report
cloud-audit audit aws \
  --format markdown \
  --include-remediation-scripts \
  --output remediation-guide.md

Exporting Findings

# Export to Jira format
cloud-audit audit aws \
  --export jira \
  --jira-project-key SEC \
  --jira-api-token $JIRA_TOKEN \
  --jira-url https://jira.example.com

# Export to GitHub Issues
cloud-audit audit aws \
  --export github \
  --github-repo myorg/myrepo \
  --github-token $GITHUB_TOKEN

# Export to Slack
cloud-audit audit aws \
  --export slack \
  --slack-webhook-url $SLACK_WEBHOOK

# Export findings for SIEM
cloud-audit audit aws \
  --export siem \
  --siem-endpoint https://siem.example.com/api

Remediation

Dry-Run Mode

# Preview what would be fixed
cloud-audit audit aws --remediate --dry-run

# Dry-run with detailed output
cloud-audit audit aws \
  --remediate \
  --dry-run \
  --verbose > remediation-preview.txt

Automated Remediation

# Remediate critical findings only
cloud-audit audit aws \
  --remediate \
  --severity critical

# Remediate with confirmation
cloud-audit audit aws \
  --remediate \
  --confirm

# Remediate specific checks
cloud-audit audit aws \
  --remediate \
  --checks s3-bucket-encryption,rds-encryption

# Remediate with rollback capability
cloud-audit audit aws \
  --remediate \
  --enable-rollback \
  --backup-config remediation-backup.json

Remediation Scripts

# Generate CloudFormation templates for remediation
cloud-audit audit aws \
  --remediate \
  --generate-cloudformation \
  --output remediation.yaml

# Generate Terraform code
cloud-audit audit aws \
  --remediate \
  --generate-terraform \
  --output remediation/main.tf

# Generate Ansible playbooks
cloud-audit audit aws \
  --remediate \
  --generate-ansible \
  --output remediation.yml

Continuous Monitoring

Scheduled Audits

# Set up daily audit via cron
# Add to crontab: 0 2 * * * cloud-audit audit aws --output /var/reports/aws-audit-$(date +\%Y\%m\%d).json

# Scheduled audit with notifications
cloud-audit audit aws \
  --schedule daily \
  --output /var/reports/audit.json \
  --notify-slack \
  --notify-email admin@example.com

Audit Comparison

# Compare two audit reports
cloud-audit compare \
  audit-2024-01-15.json \
  audit-2024-01-22.json \
  --output comparison.json

# Show improvement/regression
cloud-audit compare \
  baseline.json \
  current.json \
  --show-delta

# Generate trend report
cloud-audit trend \
  baseline.json \
  audit-week1.json \
  audit-week2.json \
  audit-week3.json \
  --output trend-report.json

Integration Examples

CI/CD Pipeline Integration

# GitHub Actions
name: Cloud Security Audit
on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install Cloud-Audit
        run: pip install cloud-audit
      
      - name: Run AWS Audit
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: cloud-audit audit aws --format json --output report.json
      
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: audit-report
          path: report.json

GitLab CI Integration

cloud-audit:
  stage: security
  image: cloud-audit:latest
  script:
    - cloud-audit audit aws --format json --output report.json
  artifacts:
    paths:
      - report.json
    reports:
      sast: report.json
  only:
    - schedules

Jenkins Pipeline

pipeline {
    agent any
    
    stages {
        stage('Cloud Audit') {
            environment {
                AWS_ACCESS_KEY_ID = credentials('aws-access-key')
                AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
            }
            steps {
                sh '''
                    python -m pip install cloud-audit
                    cloud-audit audit aws \
                      --format json \
                      --output ${WORKSPACE}/audit-report.json
                '''
            }
        }
        
        stage('Archive Report') {
            steps {
                archiveArtifacts artifacts: 'audit-report.json'
                publishHTML([
                    reportDir: '.',
                    reportFiles: 'audit-report.json',
                    reportName: 'Cloud Audit Report'
                ])
            }
        }
    }
}
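The pipeline snippets above upload the JSON report but never fail the build on it, and the Audit Comparison section leaves the compare/delta logic inside the tool. The script below is an added example, not Cloud-Audit's own code, showing both pieces side by side: a delta between two runs (new, resolved, persisting findings) and a severity gate that returns a non-zero exit code for a CI step. It assumes, hypothetically, that a `--format json` report is an object with a "findings" list whose entries carry "id", "resource" and "severity"; the embedded baseline/current reports are constructed samples, and the real schema should be checked before wiring this into a pipeline.

```python
"""Diff two Cloud-Audit JSON reports and gate a pipeline on severity.

Added example, not part of Cloud-Audit. The report layout below
({"findings": [{"id", "resource", "severity"}, ...]}) is an assumption.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample reports standing in for baseline.json and current.json.
BASELINE_JSON = json.dumps({"findings": [
    {"id": "s3-public-access", "resource": "arn:aws:s3:::example-logs", "severity": "critical"},
    {"id": "iam-root-mfa", "resource": "root-account", "severity": "high"},
    {"id": "ebs-encryption", "resource": "vol-0123456789", "severity": "medium"},
]})
CURRENT_JSON = json.dumps({"findings": [
    {"id": "iam-root-mfa", "resource": "root-account", "severity": "high"},
    {"id": "ebs-encryption", "resource": "vol-0123456789", "severity": "medium"},
    {"id": "sg-open-ssh", "resource": "sg-0abcdef", "severity": "high"},
]})


def load_findings(report_text):
    """Index findings by (check id, resource) so the same issue lines up across runs."""
    return {(f["id"], f["resource"]): f for f in json.loads(report_text)["findings"]}


def compute_delta(baseline_text, current_text):
    """What cloud-audit compare --show-delta conceptually reports."""
    base, cur = load_findings(baseline_text), load_findings(current_text)
    return {
        "new": sorted(cur.keys() - base.keys()),          # regressions
        "resolved": sorted(base.keys() - cur.keys()),     # fixed since baseline
        "persisting": sorted(base.keys() & cur.keys()),   # still open
    }


def findings_at_or_above(report_text, threshold):
    """Findings whose severity meets the configured severity_threshold."""
    rank = SEVERITY_RANK[threshold]
    return [f for f in load_findings(report_text).values()
            if SEVERITY_RANK[f["severity"]] >= rank]


def gate(report_text, threshold="high"):
    """Exit code for a CI step: 0 passes, 1 blocks the pipeline."""
    return 1 if findings_at_or_above(report_text, threshold) else 0


def main(argv):
    # Usage: python audit_gate.py report.json [threshold] [baseline.json]
    if len(argv) < 2:
        # No arguments: demonstrate on the constructed samples.
        print(json.dumps(compute_delta(BASELINE_JSON, CURRENT_JSON), indent=2))
        return gate(CURRENT_JSON)
    with open(argv[1], encoding="utf-8") as fh:
        current = fh.read()
    threshold = argv[2] if len(argv) > 2 else "high"
    if len(argv) > 3:
        with open(argv[3], encoding="utf-8") as fh:
            print(json.dumps(compute_delta(fh.read(), current), indent=2))
    blocking = findings_at_or_above(current, threshold)
    for f in blocking:
        print(f"{f['severity'].upper()}: {f['id']} on {f['resource']}")
    return gate(current, threshold)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the GitHub Actions job above this would be a step such as `run: python audit_gate.py report.json high` placed after the audit step, so the workflow goes red when a high or critical finding is present while the report artifact is still uploaded for review.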

Advanced Usage

Custom Checks

# Define custom check file
cat > custom-checks.yaml << 'EOF'
checks:
  - id: custom-tag-enforcement
    name: Custom Tag Enforcement
    service: ec2
    resource: instance
    rule: "has_tags(['Environment', 'Owner', 'CostCenter'])"
    severity: high

  - id: custom-naming-convention
    name: Naming Convention Check
    service: s3
    resource: bucket
    rule: "matches_pattern('^[a-z0-9-]*$')"
    severity: medium
EOF

# Run audit with custom checks
cloud-audit audit aws --custom-checks custom-checks.yaml
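The custom-check file above expresses each rule as a predicate call such as `has_tags([...])` or `matches_pattern('...')`. How Cloud-Audit itself evaluates that string is not documented on this page; the following is an added example of one safe way to do it, not the project's rule engine. It assumes a rule is exactly one call to a known predicate with literal arguments, resolves the predicate from a fixed table and parses the arguments with `ast.literal_eval`, so a rule file from a shared repository cannot execute arbitrary Python the way `eval()` would. The check definitions mirror the YAML on the page and the resource inventory is a constructed sample.

```python
"""Safely evaluate custom-check rules like those in custom-checks.yaml.

Added example; not Cloud-Audit's own rule engine. The rule grammar
(one predicate call with literal arguments) is an assumption.
"""
import ast
import re

# Check definitions mirroring custom-checks.yaml, embedded so the example
# runs without a YAML parser.
CHECKS = [
    {"id": "custom-tag-enforcement", "service": "ec2", "resource": "instance",
     "rule": "has_tags(['Environment', 'Owner', 'CostCenter'])", "severity": "high"},
    {"id": "custom-naming-convention", "service": "s3", "resource": "bucket",
     "rule": "matches_pattern('^[a-z0-9-]*$')", "severity": "medium"},
]

# Constructed inventory standing in for what an audit would fetch from the cloud API.
RESOURCES = [
    {"service": "ec2", "resource": "instance", "name": "i-0aaa",
     "tags": {"Environment": "prod", "Owner": "secops", "CostCenter": "42"}},
    {"service": "ec2", "resource": "instance", "name": "i-0bbb",
     "tags": {"Environment": "dev"}},
    {"service": "s3", "resource": "bucket", "name": "app-logs-prod", "tags": {}},
    {"service": "s3", "resource": "bucket", "name": "App_Logs", "tags": {}},
]


def has_tags(res, required):
    """True when every required tag key is present on the resource."""
    return all(tag in res.get("tags", {}) for tag in required)


def matches_pattern(res, pattern):
    """True when the resource name matches the rule's regex (anchors come from the rule)."""
    return re.search(pattern, res["name"]) is not None


# Only predicates listed here can be named by a rule.
PREDICATES = {"has_tags": has_tags, "matches_pattern": matches_pattern}
RULE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\((.*)\)\s*$", re.DOTALL)


def parse_rule(rule):
    """Split 'name(args)' into a known predicate name and literal arguments.

    Raises ValueError for unknown predicates or non-literal arguments, so a
    rule such as __import__('os').system('id') or has_tags(os.environ) is rejected
    instead of executed.
    """
    match = RULE_RE.match(rule)
    if not match:
        raise ValueError(f"malformed rule: {rule!r}")
    name, arg_src = match.group(1), match.group(2)
    if name not in PREDICATES:
        raise ValueError(f"unknown predicate: {name}")
    args = ast.literal_eval(f"({arg_src},)")  # literals only, never eval()
    return name, args


def evaluate_checks(checks, resources):
    """Run each check against the resources of its service/type; return findings."""
    findings = []
    for check in checks:
        name, args = parse_rule(check["rule"])
        predicate = PREDICATES[name]
        for res in resources:
            if (res["service"], res["resource"]) != (check["service"], check["resource"]):
                continue
            if not predicate(res, *args):
                findings.append({"check": check["id"], "resource": res["name"],
                                 "severity": check["severity"]})
    return findings


if __name__ == "__main__":
    for finding in evaluate_checks(CHECKS, RESOURCES):
        print(f"{finding['severity']}: {finding['check']} -> {finding['resource']}")
```

Adding a new predicate means adding a function and a table entry; the rule file itself can never widen what gets executed, which matters when check files are shared between teams or pulled from version control.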

Policy as Code

# audit-policy.yaml
---
policies:
  production:
    compliance_frameworks:
      - cis
      - pci-dss
    severity_threshold: medium
    auto_remediate:
      enabled: false
  
  development:
    compliance_frameworks:
      - cis
    severity_threshold: high
    auto_remediate:
      enabled: true
      safe_checks_only: true

# Use policy
cloud-audit audit aws --policy production

Troubleshooting

Authentication Issues

# Verify AWS credentials
aws sts get-caller-identity

# Verify Azure credentials
az account show

# Verify GCP credentials
gcloud auth list
gcloud config get-value project

Permission Issues

# Check required IAM permissions
cloud-audit check-permissions aws

# Test specific service access
cloud-audit audit aws --service ec2 --dry-run

Performance Issues

# Reduce parallel checks
cloud-audit audit aws --parallel-checks 1

# Limit regions scanned
cloud-audit audit aws --regions us-east-1

# Set timeout
cloud-audit audit aws --timeout 600

Best Practices

Regular Auditing

  1. Schedule regular audits - Daily/weekly for production
  2. Archive reports - Keep historical records
  3. Track trends - Compare audits over time
  4. Review findings - Don’t just generate and ignore
  5. Act on recommendations - Prioritize critical issues

Multi-Cloud Strategy

#!/bin/bash
# Comprehensive multi-cloud audit

echo "AWS Audit..."
cloud-audit audit aws --output aws_report.json

echo "Azure Audit..."
cloud-audit audit azure --output azure_report.json

echo "GCP Audit..."
cloud-audit audit gcp --output gcp_report.json

echo "Generating consolidated report..."
cloud-audit consolidate \
  aws_report.json \
  azure_report.json \
  gcp_report.json \
  --output consolidated_report.json

Compliance Tracking

# Monthly compliance summary
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output "pci-dss-$(date +%Y-%m).pdf"

# Generate compliance scorecard
cloud-audit compliance-score \
  --frameworks cis,pci-dss,hipaa \
  --output compliance-scorecard.csv

Resources

  • AWS Config (AWS-native)
  • Azure Policy (Azure-native)
  • Google Cloud Asset Inventory (GCP-native)
  • CloudMapper (visualization)
  • Prowler (AWS-specific)