Cloud-Audit
Overview
Cloud-Audit is a Python-based command-line tool for comprehensive cloud security auditing across AWS, Azure, and Google Cloud Platform (GCP). It scans cloud infrastructure configurations against security best practices, generates detailed findings with severity ratings, and provides actionable remediation recommendations.
Created by Mariusz Gebala, Cloud-Audit enables security teams and DevOps engineers to identify misconfigurations, compliance violations, and security gaps across multi-cloud environments. It produces human-readable and machine-parseable reports suitable for compliance documentation and continuous security monitoring.
Release: 2026
Language: Python 3.8+
License: Open Source
Installation
Prerequisites
- Python 3.8+
- pip or Poetry
- AWS/Azure/GCP credentials configured locally
- Cloud CLI tools (optional): aws-cli, az-cli, gcloud
Install via pip
```bash
# Install from PyPI
pip install cloud-audit
# Verify installation
cloud-audit --version
```
Install from Source
```bash
# Clone repository
git clone https://github.com/mariuszgebala/cloud-audit.git
cd cloud-audit
# Install with Poetry
poetry install
# Or with pip
pip install -e .
# Verify
poetry run cloud-audit --version
# Or
python -m cloud_audit --version
```
Docker Installation
```bash
# Pull Docker image
docker pull cloud-audit:latest
# Run audit in container (mount only the credential directories the audit needs)
docker run --rm \
  -v ~/.aws:/root/.aws \
  -v ~/.azure:/root/.azure \
  -v ~/.config/gcloud:/root/.config/gcloud \
  cloud-audit:latest audit aws --format json
```
Configuration
Environment Setup
```bash
# AWS credentials (multiple methods)
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"
# Azure credentials
export AZURE_SUBSCRIPTION_ID="12345678-1234-1234-1234-123456789012"
export AZURE_CLIENT_ID="client_id"
export AZURE_CLIENT_SECRET="client_secret"
export AZURE_TENANT_ID="tenant_id"
# GCP credentials
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
export GCP_PROJECT_ID="my-project-id"
```
Config File
```yaml
# ~/.cloud-audit/config.yaml
---
global:
  output_format: json
  severity_threshold: medium
  timeout: 300
  parallel_checks: 4
providers:
  aws:
    regions:
      - us-east-1
      - us-west-2
      - eu-west-1
    check_compliance: true
    compliance_frameworks:
      - cis
      - pci-dss
  azure:
    subscriptions: all
    resource_groups: all
  gcp:
    projects:
      - project-1
      - project-2
    include_inactive: false
severity_levels:
  critical: alert
  high: warn
  medium: info
  low: debug
```
Core Commands
| Command | Purpose | Example |
|---|---|---|
| cloud-audit audit | Run audit scan | cloud-audit audit aws |
| cloud-audit audit aws | AWS-specific audit | cloud-audit audit aws --region us-east-1 |
| cloud-audit audit azure | Azure-specific audit | cloud-audit audit azure --subscription all |
| cloud-audit audit gcp | GCP-specific audit | cloud-audit audit gcp --project my-project |
| cloud-audit list-checks | List available checks | cloud-audit list-checks aws |
| cloud-audit export | Export findings | cloud-audit export report.json |
| cloud-audit remediate | Apply fixes (dry-run) | cloud-audit remediate --dry-run |
| cloud-audit compare | Compare scan results | cloud-audit compare scan1.json scan2.json |
| cloud-audit config | Show configuration | cloud-audit config show |
AWS Auditing
Basic AWS Audit
```bash
# Scan all AWS resources
cloud-audit audit aws
# Scan specific region
cloud-audit audit aws --region us-east-1
# Scan multiple regions
cloud-audit audit aws --regions us-east-1,us-west-2,eu-west-1
# Scan specific service
cloud-audit audit aws --service ec2
# Scan with specific profile
cloud-audit audit aws --profile production
```
AWS Compliance Checks
```bash
# CIS AWS Foundations Benchmark
cloud-audit audit aws --compliance cis
# PCI-DSS compliance
cloud-audit audit aws --compliance pci-dss
# HIPAA compliance
cloud-audit audit aws --compliance hipaa
# SOC 2 compliance
cloud-audit audit aws --compliance soc2
# Custom framework
cloud-audit audit aws --custom-framework ~/frameworks/custom.json
```
AWS-Specific Audits
```bash
# EC2 security audit
cloud-audit audit aws --service ec2 --checks security-groups,iam-roles,ebs-encryption
# S3 bucket audit
cloud-audit audit aws --service s3 --checks bucket-versioning,public-access,encryption,logging
# IAM audit
cloud-audit audit aws --service iam --checks policy-review,access-keys,mfa,root-account
# Network audit
cloud-audit audit aws --service vpc --checks nacls,security-groups,vpn,nat-gateway
# Database audit
cloud-audit audit aws --service rds,dynamodb --checks encryption,backup,multi-az,public-access
```
AWS Output Examples
```bash
# JSON output
cloud-audit audit aws --format json --output report.json
# HTML report
cloud-audit audit aws --format html --output report.html
# CSV for spreadsheets
cloud-audit audit aws --format csv --output findings.csv
# SARIF for SIEM integration
cloud-audit audit aws --format sarif --output findings.sarif
# Markdown for documentation
cloud-audit audit aws --format markdown --output AUDIT_REPORT.md
```
Azure Auditing
Basic Azure Audit
```bash
# Scan all Azure subscriptions
cloud-audit audit azure
# Scan specific subscription
cloud-audit audit azure --subscription my-subscription-id
# Scan specific resource group
cloud-audit audit azure --resource-group my-rg
# Scan multiple subscriptions
cloud-audit audit azure --subscriptions sub1,sub2,sub3
# Scan specific service
cloud-audit audit azure --service virtual-machines
```
Azure Compliance Checks
```bash
# Azure CIS Benchmark
cloud-audit audit azure --compliance azure-cis
# Microsoft Cloud Security Benchmark
cloud-audit audit azure --compliance mcsb
# PCI-DSS on Azure
cloud-audit audit azure --compliance pci-dss
# NIST 800-53
cloud-audit audit azure --compliance nist-800-53
```
Azure Resource Audits
```bash
# Virtual Machines audit
cloud-audit audit azure --service virtual-machines \
  --checks updates,encryption,network-config,antimalware
# Storage Accounts audit
cloud-audit audit azure --service storage \
  --checks access-tier,encryption,firewall,public-access
# SQL Databases audit
cloud-audit audit azure --service sql \
  --checks tde,audit-logging,firewall,access-control
# Key Vaults audit
cloud-audit audit azure --service keyvault \
  --checks soft-delete,purge-protection,access-policies
```
GCP Auditing
Basic GCP Audit
```bash
# Scan current GCP project
cloud-audit audit gcp
# Scan specific project
cloud-audit audit gcp --project my-project-id
# Scan multiple projects
cloud-audit audit gcp --projects proj1,proj2,proj3
# Scan specific service
cloud-audit audit gcp --service compute
# Scan with organization
cloud-audit audit gcp --organization my-org-id
```
GCP Compliance Checks
```bash
# Google Cloud CIS Benchmark
cloud-audit audit gcp --compliance gcp-cis
# NIST 800-53 on GCP
cloud-audit audit gcp --compliance nist-800-53
# PCI-DSS on GCP
cloud-audit audit gcp --compliance pci-dss
# SOC 2 on GCP
cloud-audit audit gcp --compliance soc2
```
GCP Resource Audits
```bash
# Compute Engine audit
cloud-audit audit gcp --service compute \
  --checks os-login,shielded-vm,encryption,firewall
# Cloud Storage audit
cloud-audit audit gcp --service storage \
  --checks versioning,encryption,access-logs,public-access
# Cloud SQL audit
cloud-audit audit gcp --service cloudsql \
  --checks backups,ssl,public-ip,audit-logging
# IAM audit
cloud-audit audit gcp --service iam \
  --checks service-accounts,key-rotation,primitive-roles
```
Report Generation
Basic Reporting
```bash
# Generate JSON report with metadata
cloud-audit audit aws \
  --output aws_audit_$(date +%Y%m%d).json \
  --format json \
  --include-metadata \
  --include-remediation
# Create HTML executive summary
cloud-audit audit aws \
  --output report.html \
  --format html \
  --template executive-summary
```
Detailed Report Examples
```bash
# Critical findings only
cloud-audit audit aws \
  --severity critical \
  --format markdown \
  --output critical_findings.md
# Compliance-focused report
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output pci-dss-audit-report.pdf
# Remediation-focused report
cloud-audit audit aws \
  --format markdown \
  --include-remediation-scripts \
  --output remediation-guide.md
```
Exporting Findings
```bash
# Export to Jira format (tokens come from the environment, not the command line history)
cloud-audit audit aws \
  --export jira \
  --jira-project-key SEC \
  --jira-api-token $JIRA_TOKEN \
  --jira-url https://jira.example.com
# Export to GitHub Issues
cloud-audit audit aws \
  --export github \
  --github-repo myorg/myrepo \
  --github-token $GITHUB_TOKEN
# Export to Slack
cloud-audit audit aws \
  --export slack \
  --slack-webhook-url $SLACK_WEBHOOK
# Export findings for SIEM
cloud-audit audit aws \
  --export siem \
  --siem-endpoint https://siem.example.com/api
```
Remediation
Dry-Run Mode
```bash
# Preview what would be fixed
cloud-audit audit aws --remediate --dry-run
# Dry-run with detailed output
cloud-audit audit aws \
  --remediate \
  --dry-run \
  --verbose > remediation-preview.txt
```
Automated Remediation
```bash
# Remediate critical findings only
cloud-audit audit aws \
  --remediate \
  --severity critical
# Remediate with confirmation
cloud-audit audit aws \
  --remediate \
  --confirm
# Remediate specific checks
cloud-audit audit aws \
  --remediate \
  --checks s3-bucket-encryption,rds-encryption
# Remediate with rollback capability
cloud-audit audit aws \
  --remediate \
  --enable-rollback \
  --backup-config remediation-backup.json
```
Remediation Scripts
```bash
# Generate CloudFormation templates for remediation
cloud-audit audit aws \
  --remediate \
  --generate-cloudformation \
  --output remediation.yaml
# Generate Terraform code
cloud-audit audit aws \
  --remediate \
  --generate-terraform \
  --output remediation/main.tf
# Generate Ansible playbooks
cloud-audit audit aws \
  --remediate \
  --generate-ansible \
  --output remediation.yml
```
Continuous Monitoring
Scheduled Audits
```bash
# Set up daily audit via cron
# Add to crontab: 0 2 * * * cloud-audit audit aws --output /var/reports/aws-audit-$(date +\%Y\%m\%d).json
# Scheduled audit with notifications
cloud-audit audit aws \
  --schedule daily \
  --output /var/reports/audit.json \
  --notify-slack \
  --notify-email admin@example.com
```
Audit Comparison
```bash
# Compare two audit reports
cloud-audit compare \
  audit-2024-01-15.json \
  audit-2024-01-22.json \
  --output comparison.json
# Show improvement/regression
cloud-audit compare \
  baseline.json \
  current.json \
  --show-delta
# Generate trend report
cloud-audit trend \
  baseline.json \
  audit-week1.json \
  audit-week2.json \
  audit-week3.json \
  --output trend-report.json
```
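As an added illustration of what a compare delta and a trend report contain (example code written for this page, not the tool's own `compare` or `trend` implementation), the script below diffs two constructed reports. It assumes each report is a JSON object with a `findings` list of `check`, `resource` and `severity` fields; that schema is an assumption, not the tool's documented format.

```python
"""Delta and trend over Cloud-Audit JSON reports (added example; assumed schema)."""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def load_findings(report_json):
    """Index findings by (check, resource) so one issue matches across runs."""
    return {(f["check"], f["resource"]): f for f in json.loads(report_json)["findings"]}

def compare_reports(baseline_json, current_json, threshold="medium"):
    """Return resolved, new and unchanged findings plus a regression verdict.

    Only new findings at or above `threshold` count as a regression, mirroring
    the severity_threshold setting in config.yaml.
    """
    base, cur = load_findings(baseline_json), load_findings(current_json)
    new = sorted(cur.keys() - base.keys())
    min_rank = SEVERITY_RANK[threshold]
    return {
        "resolved": sorted(base.keys() - cur.keys()),
        "new": new,
        "unchanged": sorted(base.keys() & cur.keys()),
        "regressed": any(SEVERITY_RANK[cur[k]["severity"]] >= min_rank for k in new),
    }

def trend(*reports_json):
    """Per-report count of open findings by severity, oldest report first."""
    rows = []
    for report in reports_json:
        counts = {s: 0 for s in SEVERITY_RANK}
        for finding in load_findings(report).values():
            counts[finding["severity"]] += 1
        rows.append(counts)
    return rows

# Constructed sample reports: the S3 finding was fixed, a low RDS finding appeared.
BASELINE_REPORT = json.dumps({"findings": [
    {"check": "s3-bucket-encryption", "resource": "arn:aws:s3:::logs", "severity": "high"},
    {"check": "iam-root-mfa", "resource": "root", "severity": "critical"},
]})
CURRENT_REPORT = json.dumps({"findings": [
    {"check": "iam-root-mfa", "resource": "root", "severity": "critical"},
    {"check": "rds-public-access", "resource": "db-prod", "severity": "low"},
]})

if __name__ == "__main__":
    print(json.dumps(compare_reports(BASELINE_REPORT, CURRENT_REPORT), indent=2))
    print(json.dumps(trend(BASELINE_REPORT, CURRENT_REPORT), indent=2))
```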
Integration Examples
CI/CD Pipeline Integration
```yaml
# GitHub Actions
name: Cloud Security Audit
on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Cloud-Audit
        run: pip install cloud-audit
      - name: Run AWS Audit
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: cloud-audit audit aws --format json --output report.json
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: audit-report
          path: report.json
```
GitLab CI Integration
```yaml
cloud-audit:
  stage: security
  image: cloud-audit:latest
  script:
    - cloud-audit audit aws --format json --output report.json
  artifacts:
    paths:
      - report.json
    reports:
      sast: report.json
  only:
    - schedules
```
Jenkins Pipeline
```groovy
pipeline {
    agent any
    stages {
        stage('Cloud Audit') {
            environment {
                AWS_ACCESS_KEY_ID = credentials('aws-access-key')
                AWS_SECRET_ACCESS_KEY = credentials('aws-secret-key')
            }
            steps {
                sh '''
                    python -m pip install cloud-audit
                    cloud-audit audit aws \
                      --format json \
                      --output ${WORKSPACE}/audit-report.json
                '''
            }
        }
        stage('Archive Report') {
            steps {
                archiveArtifacts artifacts: 'audit-report.json'
                publishHTML([
                    reportDir: '.',
                    reportFiles: 'audit-report.json',
                    reportName: 'Cloud Audit Report'
                ])
            }
        }
    }
}
```
Advanced Usage
Custom Checks
```bash
# Define custom check file
cat > custom-checks.yaml << 'EOF'
checks:
  - id: custom-tag-enforcement
    name: Custom Tag Enforcement
    service: ec2
    resource: instance
    rule: "has_tags(['Environment', 'Owner', 'CostCenter'])"
    severity: high
  - id: custom-naming-convention
    name: Naming Convention Check
    service: s3
    resource: bucket
    rule: "matches_pattern('^[a-z0-9-]*$')"
    severity: medium
EOF
# Run audit with custom checks
cloud-audit audit aws --custom-checks custom-checks.yaml
```
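To show how rule strings such as `has_tags([...])` and `matches_pattern('...')` can be evaluated without handing a check file to `eval()`, here is an added Python example (not the cloud-audit project's own code) that parses the two rules from the file above with the `ast` module and runs them over a constructed resource inventory; the `service`, `type`, `name` and `tags` resource fields are assumed, as is the loaded form of the YAML.

```python
import ast
import re

# Checks as loaded from custom-checks.yaml (constructed to match the file above).
CHECKS = [
    {"id": "custom-tag-enforcement", "service": "ec2", "resource": "instance",
     "rule": "has_tags(['Environment', 'Owner', 'CostCenter'])", "severity": "high"},
    {"id": "custom-naming-convention", "service": "s3", "resource": "bucket",
     "rule": "matches_pattern('^[a-z0-9-]*$')", "severity": "medium"},
]

def has_tags(resource, required):
    """True when every required tag key is present on the resource."""
    return all(tag in resource.get("tags", {}) for tag in required)

def matches_pattern(resource, pattern):
    """True when the whole resource name matches the regular expression."""
    return re.fullmatch(pattern, resource["name"]) is not None

RULE_FUNCS = {"has_tags": has_tags, "matches_pattern": matches_pattern}

def parse_rule(rule):
    """Return (function name, literal args) for a rule such as has_tags([...]).
    Only one call to a known rule function with literal arguments is accepted,
    so a check file cannot smuggle arbitrary Python into the auditor."""
    node = ast.parse(rule, mode="eval").body
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in RULE_FUNCS and not node.keywords):
        raise ValueError(f"unsupported rule: {rule}")
    return node.func.id, [ast.literal_eval(arg) for arg in node.args]

def run_checks(resources, checks=CHECKS):
    """Return one finding per resource that fails a check targeting its type."""
    findings = []
    for check in checks:
        func, args = parse_rule(check["rule"])
        findings += [{"check": check["id"], "severity": check["severity"], "resource": r["name"]}
                     for r in resources
                     if (r["service"], r["type"]) == (check["service"], check["resource"])
                     and not RULE_FUNCS[func](r, *args)]
    return findings

# Constructed sample inventory: one passing and one failing resource per check.
SAMPLE_RESOURCES = [
    {"service": "ec2", "type": "instance", "name": "i-0a1",
     "tags": {"Environment": "prod", "Owner": "sec", "CostCenter": "42"}},
    {"service": "ec2", "type": "instance", "name": "i-0b2", "tags": {"Owner": "dev"}},
    {"service": "s3", "type": "bucket", "name": "audit-logs-2024"},
    {"service": "s3", "type": "bucket", "name": "Audit_Logs"},
]
```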
Policy as Code
```yaml
# audit-policy.yaml
---
policies:
  production:
    compliance_frameworks:
      - cis
      - pci-dss
    severity_threshold: medium
    auto_remediate:
      enabled: false
  development:
    compliance_frameworks:
      - cis
    severity_threshold: high
    auto_remediate:
      enabled: true
      safe_checks_only: true
```
```bash
# Use policy
cloud-audit audit aws --policy production
```
Troubleshooting
Authentication Issues
```bash
# Verify AWS credentials
aws sts get-caller-identity
# Verify Azure credentials
az account show
# Verify GCP credentials
gcloud auth list
gcloud config get-value project
```
Permission Issues
```bash
# Check required IAM permissions
cloud-audit check-permissions aws
# Test specific service access
cloud-audit audit aws --service ec2 --dry-run
```
Performance Issues
```bash
# Reduce parallel checks
cloud-audit audit aws --parallel-checks 1
# Limit regions scanned
cloud-audit audit aws --regions us-east-1
# Set timeout
cloud-audit audit aws --timeout 600
```
Best Practices
Regular Auditing
- Schedule regular audits: daily/weekly for production
- Archive reports: keep historical records
- Track trends: compare audits over time
- Review findings: don’t just generate and ignore
- Act on recommendations: prioritize critical issues
Multi-Cloud Strategy
```bash
#!/bin/bash
# Comprehensive multi-cloud audit
echo "AWS Audit..."
cloud-audit audit aws --output aws_report.json
echo "Azure Audit..."
cloud-audit audit azure --output azure_report.json
echo "GCP Audit..."
cloud-audit audit gcp --output gcp_report.json
echo "Generating consolidated report..."
cloud-audit consolidate \
  aws_report.json \
  azure_report.json \
  gcp_report.json \
  --output consolidated_report.json
```
Compliance Tracking
```bash
# Monthly compliance summary
cloud-audit audit aws \
  --compliance pci-dss \
  --format pdf \
  --output "pci-dss-$(date +%Y-%m).pdf"
# Generate compliance scorecard
cloud-audit compliance-score \
  --frameworks cis,pci-dss,hipaa \
  --output compliance-scorecard.csv
```
Resources
- GitHub Repository: https://github.com/mariuszgebala/cloud-audit
- Documentation: https://cloud-audit.readthedocs.io/
- Issue Tracker: https://github.com/mariuszgebala/cloud-audit/issues
- PyPI Package: https://pypi.org/project/cloud-audit/
Related Tools
- AWS Config (AWS-native)
- Azure Policy (Azure-native)
- Google Cloud Asset Inventory (GCP-native)
- CloudMapper (visualization)
- Prowler (AWS-specific)