# Cloud-Audit
## Overview

Cloud-Audit is a Python-based command-line tool for comprehensive cloud security auditing across AWS, Azure, and Google Cloud Platform (GCP). It scans cloud infrastructure configurations against security best practices, generates detailed findings with severity ratings, and provides actionable remediation recommendations.

Created by Mariusz Gebala, Cloud-Audit enables security teams and DevOps engineers to identify misconfigurations, compliance violations, and security gaps across multi-cloud environments. It produces human-readable and machine-parseable reports suitable for compliance documentation and continuous security monitoring.

- Release: 2026
- Language: Python 3.8+
- License: Open Source
## Installation

### Prerequisites

- Python 3.8+
- pip or Poetry
- AWS/Azure/GCP credentials configured locally
- Cloud CLI tools (optional): aws-cli, az-cli, gcloud
### Install via pip

```bash
# Install from PyPI
pip install cloud-audit

# Verify installation
cloud-audit --version
```
### Install from Source

```bash
# Clone repository
git clone https://github.com/mariuszgebala/cloud-audit.git
cd cloud-audit

# Install with Poetry
poetry install

# Or with pip
pip install -e .

# Verify
poetry run cloud-audit --version

# Or
python -m cloud_audit --version
```
### Docker Installation

```bash
# Pull Docker image
docker pull cloud-audit:latest

# Run audit in container (mounts local credential directories read-only is advisable)
docker run --rm \
  -v ~/.aws:/root/.aws \
  -v ~/.azure:/root/.azure \
  -v ~/.config/gcloud:/root/.config/gcloud \
  cloud-audit:latest audit aws --format json
```
## Configuration

### Environment Setup

```bash
# AWS credentials (multiple methods)
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"

# Azure credentials
export AZURE_SUBSCRIPTION_ID="12345678-1234-1234-1234-123456789012"
export AZURE_CLIENT_ID="client_id"
export AZURE_CLIENT_SECRET="client_secret"
export AZURE_TENANT_ID="tenant_id"

# GCP credentials
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GCP_PROJECT_ID="my-project-id"
```
### Config File

```yaml
# ~/.cloud-audit/config.yaml
---
global:
  output_format: json
  severity_threshold: medium
  timeout: 300
  parallel_checks: 4

providers:
  aws:
    regions:
      - us-east-1
      - us-west-2
      - eu-west-1
    check_compliance: true
    compliance_frameworks:
      - cis
      - pci-dss
  azure:
    subscriptions: all
    resource_groups: all
  gcp:
    projects:
      - project-1
      - project-2
    include_inactive: false

severity_levels:
  critical: alert
  high: warn
  medium: info
  low: debug
```
## Core Commands

| Command | Purpose | Example |
|---|---|---|
| `cloud-audit audit` | Run audit scan | `cloud-audit audit aws` |
| `cloud-audit audit aws` | AWS-specific audit | `cloud-audit audit aws --region us-east-1` |
| `cloud-audit audit azure` | Azure-specific audit | `cloud-audit audit azure --subscription all` |
| `cloud-audit audit gcp` | GCP-specific audit | `cloud-audit audit gcp --project my-project` |
| `cloud-audit list-checks` | List available checks | `cloud-audit list-checks aws` |
| `cloud-audit export` | Export findings | `cloud-audit export report.json` |
| `cloud-audit remediate` | Apply fixes (dry-run) | `cloud-audit remediate --dry-run` |
| `cloud-audit compare` | Compare scan results | `cloud-audit compare scan1.json scan2.json` |
| `cloud-audit config` | Show configuration | `cloud-audit config show` |
## AWS Auditing

### Basic AWS Audit

```bash
# Scan all AWS resources
cloud-audit audit aws

# Scan specific region
cloud-audit audit aws --region us-east-1

# Scan multiple regions
cloud-audit audit aws --regions us-east-1,us-west-2,eu-west-1

# Scan specific service
cloud-audit audit aws --service ec2

# Scan with specific profile
cloud-audit audit aws --profile production
```
### AWS Compliance Checks

```bash
# CIS AWS Foundations Benchmark
cloud-audit audit aws --compliance cis

# PCI-DSS compliance
cloud-audit audit aws --compliance pci-dss

# HIPAA compliance
cloud-audit audit aws --compliance hipaa

# SOC 2 compliance
cloud-audit audit aws --compliance soc2

# Custom framework
cloud-audit audit aws --custom-framework ~/frameworks/custom.json
```
### AWS-Specific Audits

```bash
# EC2 security audit
cloud-audit audit aws --service ec2 --checks security-groups,iam-roles,ebs-encryption

# S3 bucket audit
cloud-audit audit aws --service s3 --checks bucket-versioning,public-access,encryption,logging

# IAM audit
cloud-audit audit aws --service iam --checks policy-review,access-keys,mfa,root-account

# Network audit
cloud-audit audit aws --service vpc --checks nacls,security-groups,vpn,nat-gateway

# Database audit
cloud-audit audit aws --service rds,dynamodb --checks encryption,backup,multi-az,public-access
```
### AWS Output Examples

```bash
# JSON output
cloud-audit audit aws --format json --output report.json

# HTML report
cloud-audit audit aws --format html --output report.html

# CSV for spreadsheets
cloud-audit audit aws --format csv --output findings.csv

# SARIF for SIEM integration
cloud-audit audit aws --format sarif --output findings.sarif

# Markdown for documentation
cloud-audit audit aws --format markdown --output AUDIT_REPORT.md
```
## Azure Auditing

### Basic Azure Audit

```bash
# Scan all Azure subscriptions
cloud-audit audit azure

# Scan specific subscription
cloud-audit audit azure --subscription my-subscription-id

# Scan specific resource group
cloud-audit audit azure --resource-group my-rg

# Scan multiple subscriptions
cloud-audit audit azure --subscriptions sub1,sub2,sub3

# Scan specific service
cloud-audit audit azure --service virtual-machines
```
### Azure Compliance Checks

```bash
# Azure CIS Benchmark
cloud-audit audit azure --compliance azure-cis

# Microsoft Cloud Security Benchmark
cloud-audit audit azure --compliance mcsb

# PCI-DSS on Azure
cloud-audit audit azure --compliance pci-dss

# NIST 800-53
cloud-audit audit azure --compliance nist-800-53
```
### Azure Resource Audits

```bash
# Virtual Machines audit
cloud-audit audit azure --service virtual-machines \
  --checks updates,encryption,network-config,antimalware

# Storage Accounts audit
cloud-audit audit azure --service storage \
  --checks access-tier,encryption,firewall,public-access

# SQL Databases audit
cloud-audit audit azure --service sql \
  --checks tde,audit-logging,firewall,access-control

# Key Vaults audit
cloud-audit audit azure --service keyvault \
  --checks soft-delete,purge-protection,access-policies
```
## GCP Auditing

### Basic GCP Audit

```bash
# Scan current GCP project
cloud-audit audit gcp

# Scan specific project
cloud-audit audit gcp --project my-project-id

# Scan multiple projects
cloud-audit audit gcp --projects proj1,proj2,proj3

# Scan specific service
cloud-audit audit gcp --service compute

# Scan with organization
cloud-audit audit gcp --organization my-org-id
```
### GCP Compliance Checks

```bash
# Google Cloud CIS Benchmark
cloud-audit audit gcp --compliance gcp-cis

# NIST 800-53 on GCP
cloud-audit audit gcp --compliance nist-800-53

# PCI-DSS on GCP
cloud-audit audit gcp --compliance pci-dss

# SOC 2 on GCP
cloud-audit audit gcp --compliance soc2
```
### GCP Resource Audits

```bash
# Compute Engine audit
cloud-audit audit gcp --service compute \
  --checks os-login,shielded-vm,encryption,firewall

# Cloud Storage audit
cloud-audit audit gcp --service storage \
  --checks versioning,encryption,access-logs,public-access

# Cloud SQL audit
cloud-audit audit gcp --service cloudsql \
  --checks backups,ssl,public-ip,audit-logging

# IAM audit
cloud-audit audit gcp --service iam \
  --checks service-accounts,key-rotation,primitive-roles
```
## Report Generation

### Basic Reporting

```bash
# Generate JSON report with metadata
cloud-audit audit aws \
  --output aws_audit_$(date +%Y%m%d).json \
  --format json \
  --include-metadata \
  --include-remediation

# Create HTML executive summary
cloud-audit audit aws \
  --output report.html \
  --format html \
  --template executive-summary
```
### Detailed Report Examples

```bash
# Critical findings only
cloud-audit audit aws \
  --severity critical \
  --format markdown \
  --output critical_findings.md

# Compliance-focused report
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output pci-dss-audit-report.pdf

# Remediation-focused report
cloud-audit audit aws \
  --format markdown \
  --include-remediation-scripts \
  --output remediation-guide.md
```
### Exporting Findings

```bash
# Export to Jira format
cloud-audit audit aws \
  --export jira \
  --jira-project-key SEC \
  --jira-api-token $JIRA_TOKEN \
  --jira-url https://jira.example.com

# Export to GitHub Issues
cloud-audit audit aws \
  --export github \
  --github-repo myorg/myrepo \
  --github-token $GITHUB_TOKEN

# Export to Slack
cloud-audit audit aws \
  --export slack \
  --slack-webhook-url $SLACK_WEBHOOK

# Export findings for SIEM
cloud-audit audit aws \
  --export siem \
  --siem-endpoint https://siem.example.com/api
```
## Remediation

### Dry-Run Mode

```bash
# Preview what would be fixed
cloud-audit audit aws --remediate --dry-run

# Dry-run with detailed output
cloud-audit audit aws \
  --remediate \
  --dry-run \
  --verbose > remediation-preview.txt
```
### Automated Remediation

```bash
# Remediate critical findings only
cloud-audit audit aws \
  --remediate \
  --severity critical

# Remediate with confirmation
cloud-audit audit aws \
  --remediate \
  --confirm

# Remediate specific checks
cloud-audit audit aws \
  --remediate \
  --checks s3-bucket-encryption,rds-encryption

# Remediate with rollback capability
cloud-audit audit aws \
  --remediate \
  --enable-rollback \
  --backup-config remediation-backup.json
```
### Remediation Scripts

```bash
# Generate CloudFormation templates for remediation
cloud-audit audit aws \
  --remediate \
  --generate-cloudformation \
  --output remediation.yaml

# Generate Terraform code
cloud-audit audit aws \
  --remediate \
  --generate-terraform \
  --output remediation/main.tf

# Generate Ansible playbooks
cloud-audit audit aws \
  --remediate \
  --generate-ansible \
  --output remediation.yml
```
## Continuous Monitoring

### Scheduled Audits

```bash
# Set up daily audit via cron
# Add to crontab: 0 2 * * * cloud-audit audit aws --output /var/reports/aws-audit-$(date +\%Y\%m\%d).json

# Scheduled audit with notifications
cloud-audit audit aws \
  --schedule daily \
  --output /var/reports/audit.json \
  --notify-slack \
  --notify-email admin@example.com
```
### Audit Comparison

```bash
# Compare two audit reports
cloud-audit compare \
  audit-2024-01-15.json \
  audit-2024-01-22.json \
  --output comparison.json

# Show improvement/regression
cloud-audit compare \
  baseline.json \
  current.json \
  --show-delta

# Generate trend report
cloud-audit trend \
  baseline.json \
  audit-week1.json \
  audit-week2.json \
  audit-week3.json \
  --output trend-report.json
```
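The `compare` and `trend` commands above turn two or more reports into a delta and a time series. The following script is an added example, not Cloud-Audit's own implementation, showing what that computation looks like so you can sanity-check the tool's output or reproduce it for reports from another scanner. It assumes a report format the page does not document: a JSON object with a `findings` list of `{"check", "resource", "severity"}` entries, where a finding's identity across reports is its `(check, resource)` pair. The two embedded reports are constructed sample data.

```python
"""Compare and trend audit reports (added example, not Cloud-Audit code).

Assumed report schema (not documented on this page):
{"findings": [{"check": str, "resource": str, "severity": str}, ...]}
A finding is identified across reports by its (check, resource) pair.
"""
import json
import sys
from collections import Counter

# Constructed sample reports standing in for baseline.json and current.json.
BASELINE = {"findings": [
    {"check": "s3-bucket-encryption", "resource": "bucket-a", "severity": "high"},
    {"check": "iam-root-mfa", "resource": "root", "severity": "critical"},
    {"check": "rds-encryption", "resource": "db-1", "severity": "medium"},
]}
CURRENT = {"findings": [
    {"check": "s3-bucket-encryption", "resource": "bucket-a", "severity": "high"},
    {"check": "iam-root-mfa", "resource": "root", "severity": "critical"},
    {"check": "s3-public-access", "resource": "bucket-b", "severity": "critical"},
]}


def finding_key(finding):
    """Identity of a finding across reports: which check fired on which resource."""
    return (finding["check"], finding["resource"])


def index(report):
    """Map each finding key to its finding dict."""
    return {finding_key(f): f for f in report.get("findings", [])}


def compare_reports(baseline, current):
    """Classify finding keys as new (regressions), resolved, or unchanged."""
    base, cur = index(baseline), index(current)
    return {
        "new": sorted(set(cur) - set(base)),
        "resolved": sorted(set(base) - set(cur)),
        "unchanged": sorted(set(base) & set(cur)),
    }


def severity_counts(report):
    """Number of findings per severity in one report."""
    return dict(Counter(f["severity"] for f in report.get("findings", [])))


def trend(reports):
    """Per-report severity counts, in the order given, for charting over time."""
    return [severity_counts(r) for r in reports]


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    """Usage: compare.py baseline.json current.json [later.json ...]; samples when no args."""
    reports = [load(p) for p in argv] if argv else [BASELINE, CURRENT]
    delta = compare_reports(reports[0], reports[-1])
    for label in ("new", "resolved", "unchanged"):
        print(f"{label:9s} {len(delta[label])}: {delta[label]}")
    print("trend:", trend(reports))
    # Non-zero exit when the latest report introduced findings absent from the baseline.
    return 1 if delta["new"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Keying on `(check, resource)` rather than on a finding's free-text title is what makes the diff stable between runs; if the real report carries a stable finding id, key on that instead.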
## Integration Examples

### CI/CD Pipeline Integration

```yaml
# GitHub Actions
name: Cloud Security Audit
on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Cloud-Audit
        run: pip install cloud-audit
      - name: Run AWS Audit
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: cloud-audit audit aws --format json --output report.json
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: audit-report
          path: report.json
```
### GitLab CI Integration

```yaml
cloud-audit:
  stage: security
  image: cloud-audit:latest
  script:
    - cloud-audit audit aws --format json --output report.json
  artifacts:
    paths:
      - report.json
    reports:
      sast: report.json
  only:
    - schedules
```
### Jenkins Pipeline

```groovy
pipeline {
  agent any
  stages {
    stage('Cloud Audit') {
      environment {
        AWS_ACCESS_KEY_ID = credentials('aws-access-key')
        AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
      }
      steps {
        sh '''
          python -m pip install cloud-audit
          cloud-audit audit aws \
            --format json \
            --output ${WORKSPACE}/audit-report.json
        '''
      }
    }
    stage('Archive Report') {
      steps {
        archiveArtifacts artifacts: 'audit-report.json'
        publishHTML([
          reportDir: '.',
          reportFiles: 'audit-report.json',
          reportName: 'Cloud Audit Report'
        ])
      }
    }
  }
}
```
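All three pipelines above run the audit and archive the report, but none of them fails the build when serious findings are present, so a regression can ship unnoticed. The following gate is an added example, not part of Cloud-Audit: run it as a step after the audit (`python gate.py report.json high`) and the pipeline fails on any finding at or above the chosen severity, mirroring the `severity_threshold` setting from the config file. It assumes the same undocumented report layout as elsewhere on this page, a JSON object with a `findings` list whose entries carry a `severity` of `critical`, `high`, `medium` or `low`; the embedded report is constructed sample data so the script runs offline.

```python
"""CI severity gate for audit reports (added example, not Cloud-Audit code).

Assumes (the page does not document the report format) a JSON object with a
top-level "findings" list whose entries carry a "severity" field.
"""
import json
import sys

# Ordering used for the threshold comparison. A severity not listed here
# (e.g. "informational") never blocks the pipeline.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report standing in for report.json.
SAMPLE_REPORT = {
    "provider": "aws",
    "findings": [
        {"check": "iam-root-mfa", "resource": "root", "severity": "critical"},
        {"check": "s3-public-access", "resource": "bucket-b", "severity": "high"},
        {"check": "rds-backup", "resource": "db-1", "severity": "medium"},
        {"check": "ebs-encryption", "resource": "vol-1", "severity": "low"},
        {"check": "tag-hygiene", "resource": "i-1", "severity": "informational"},
    ],
}


def severity_rank(finding):
    """Rank of a finding's severity; -1 for unknown or missing values."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), -1)


def findings_at_or_above(findings, threshold):
    """Findings whose severity is at least `threshold` (a key of SEVERITY_RANK)."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if severity_rank(f) >= floor]


def count_by_severity(findings):
    """Count findings per known severity level, listing every level even when zero."""
    counts = {level: 0 for level in SEVERITY_RANK}
    for f in findings:
        level = str(f.get("severity", "")).lower()
        if level in counts:
            counts[level] += 1
    return counts


def gate(report, threshold="high"):
    """Return (exit_code, blocking_findings); exit_code is 1 iff anything blocks."""
    blocking = findings_at_or_above(report.get("findings", []), threshold)
    return (1 if blocking else 0), blocking


def main(argv):
    """Usage: gate.py [report.json] [threshold]; uses SAMPLE_REPORT when no path is given."""
    report = SAMPLE_REPORT
    if argv:
        with open(argv[0], encoding="utf-8") as fh:
            report = json.load(fh)
    threshold = argv[1] if len(argv) > 1 else "high"
    code, blocking = gate(report, threshold)
    print("severity counts:", count_by_severity(report.get("findings", [])))
    for f in blocking:
        print(f"BLOCKING [{f['severity']}] {f['check']} on {f['resource']}")
    print("gate:", "FAIL" if code else "PASS")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A threshold of `high` is a sensible default for a scheduled job; pair it with the comparison script's "new findings" exit code on pull requests so that pre-existing debt does not block every build while genuine regressions still do.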
## Advanced Usage

### Custom Checks

```bash
# Define custom check file
cat > custom-checks.yaml << 'EOF'
checks:
  - id: custom-tag-enforcement
    name: Custom Tag Enforcement
    service: ec2
    resource: instance
    rule: "has_tags(['Environment', 'Owner', 'CostCenter'])"
    severity: high
  - id: custom-naming-convention
    name: Naming Convention Check
    service: s3
    resource: bucket
    rule: "matches_pattern('^[a-z0-9-]*$')"
    severity: medium
EOF

# Run audit with custom checks
cloud-audit audit aws --custom-checks custom-checks.yaml
```
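A custom check's `rule` is a small expression such as `has_tags([...])` or `matches_pattern('...')`. The page does not say how Cloud-Audit evaluates it, so the following is an added example of one safe way to do so, not the tool's own engine: the rule is matched against a `name(args)` syntax, the function name is looked up in an allow-list, and the arguments are read with `ast.literal_eval`, which accepts literals only, so a rule file can never execute code. The two checks are the ones from `custom-checks.yaml` above written as Python literals (to avoid needing a YAML parser), and the resource inventory is constructed sample data.

```python
"""Safe evaluator for custom check rules (added example, not Cloud-Audit code).

The rule syntax and its evaluation are assumptions; only the two check
definitions mirror custom-checks.yaml above.
"""
import ast
import re

# Same checks as custom-checks.yaml above, expressed as Python literals.
CUSTOM_CHECKS = [
    {"id": "custom-tag-enforcement", "name": "Custom Tag Enforcement",
     "service": "ec2", "resource": "instance",
     "rule": "has_tags(['Environment', 'Owner', 'CostCenter'])", "severity": "high"},
    {"id": "custom-naming-convention", "name": "Naming Convention Check",
     "service": "s3", "resource": "bucket",
     "rule": "matches_pattern('^[a-z0-9-]*$')", "severity": "medium"},
]

# Constructed inventory standing in for what a real scan would enumerate.
SAMPLE_RESOURCES = [
    {"service": "ec2", "type": "instance", "name": "web-1",
     "tags": {"Environment": "prod", "Owner": "team-a", "CostCenter": "1001"}},
    {"service": "ec2", "type": "instance", "name": "web-2", "tags": {"Environment": "dev"}},
    {"service": "s3", "type": "bucket", "name": "logs-prod", "tags": {}},
    {"service": "s3", "type": "bucket", "name": "Logs_Prod", "tags": {}},
]


def has_tags(resource, required):
    """True when every required tag key is present on the resource."""
    return all(key in resource.get("tags", {}) for key in required)


def matches_pattern(resource, pattern):
    """True when the resource name matches the regular expression."""
    return re.search(pattern, resource.get("name", "")) is not None


# Allow-list of rule functions; a rule may only call one of these by name.
RULE_FUNCTIONS = {"has_tags": has_tags, "matches_pattern": matches_pattern}
RULE_SYNTAX = re.compile(r"^\s*([A-Za-z_]\w*)\((.*)\)\s*$", re.DOTALL)


def parse_rule(rule):
    """Turn 'name(args)' into (callable, args) or raise ValueError.

    Arguments go through ast.literal_eval, which accepts only literals
    (strings, numbers, lists, ...), so a rule string cannot run code.
    """
    match = RULE_SYNTAX.match(rule)
    if not match:
        raise ValueError(f"malformed rule: {rule!r}")
    name, raw_args = match.groups()
    if name not in RULE_FUNCTIONS:
        raise ValueError(f"unknown rule function: {name!r}")
    try:
        args = ast.literal_eval(f"({raw_args},)") if raw_args.strip() else ()
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"rule arguments are not literals: {raw_args!r}") from exc
    return RULE_FUNCTIONS[name], args


def evaluate_checks(checks, resources):
    """Run each check against the matching resources; one finding per failing resource."""
    findings = []
    for check in checks:
        func, args = parse_rule(check["rule"])
        for res in resources:
            if (res["service"], res["type"]) != (check["service"], check["resource"]):
                continue
            if not func(res, *args):
                findings.append({"check": check["id"], "title": check["name"],
                                 "severity": check["severity"], "resource": res["name"]})
    return findings


if __name__ == "__main__":
    for f in evaluate_checks(CUSTOM_CHECKS, SAMPLE_RESOURCES):
        print(f"[{f['severity']}] {f['check']}: {f['resource']}")
```

Parsing rules this way means a malformed or unexpected rule in a shared checks file fails loudly at load time instead of silently passing every resource.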
### Policy as Code

```yaml
# audit-policy.yaml
---
policies:
  production:
    compliance_frameworks:
      - cis
      - pci-dss
    severity_threshold: medium
    auto_remediate:
      enabled: false
  development:
    compliance_frameworks:
      - cis
    severity_threshold: high
    auto_remediate:
      enabled: true
      safe_checks_only: true
```

```bash
# Use policy
cloud-audit audit aws --policy production
```
## Troubleshooting

### Authentication Issues

```bash
# Verify AWS credentials
aws sts get-caller-identity

# Verify Azure credentials
az account show

# Verify GCP credentials
gcloud auth list
gcloud config get-value project
```
### Permission Issues

```bash
# Check required IAM permissions
cloud-audit check-permissions aws

# Test specific service access
cloud-audit audit aws --service ec2 --dry-run
```
### Performance Issues

```bash
# Reduce parallel checks
cloud-audit audit aws --parallel-checks 1

# Limit regions scanned
cloud-audit audit aws --regions us-east-1

# Set timeout
cloud-audit audit aws --timeout 600
```
## Best Practices

### Regular Auditing

- Schedule regular audits: daily/weekly for production
- Archive reports: keep historical records
- Track trends: compare audits over time
- Review findings: don't just generate and ignore
- Act on recommendations: prioritize critical issues
### Multi-Cloud Strategy

```bash
#!/bin/bash
# Comprehensive multi-cloud audit
echo "AWS Audit..."
cloud-audit audit aws --output aws_report.json

echo "Azure Audit..."
cloud-audit audit azure --output azure_report.json

echo "GCP Audit..."
cloud-audit audit gcp --output gcp_report.json

echo "Generating consolidated report..."
cloud-audit consolidate \
  aws_report.json \
  azure_report.json \
  gcp_report.json \
  --output consolidated_report.json
```
### Compliance Tracking

```bash
# Monthly compliance summary
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output "pci-dss-$(date +%Y-%m).pdf"

# Generate compliance scorecard
cloud-audit compliance-score \
  --frameworks cis,pci-dss,hipaa \
  --output compliance-scorecard.csv
```
## Resources

- GitHub Repository: https://github.com/mariuszgebala/cloud-audit
- Documentation: https://cloud-audit.readthedocs.io/
- Issue Tracker: https://github.com/mariuszgebala/cloud-audit/issues
- PyPI Package: https://pypi.org/project/cloud-audit/
## Related Tools

- AWS Config (AWS-native)
- Azure Policy (Azure-native)
- Google Cloud Asset Inventory (GCP-native)
- CloudMapper (visualization)
- Prowler (AWS-specific)