
:) Please Star this Repo if You Enjoy It!
## Features
- Parallel Scanning: ThreadPoolExecutor-based concurrent scanning for 5-10x speed improvement
- Pagination Support: Handles AWS accounts with thousands of resources
- Configurable Workers: Adjust thread pool size based on your environment
- Real-time Progress: Verbose mode shows live scanning progress
- Retry Logic: Exponential backoff for robust API calls
- S3 Buckets: Public access, encryption, versioning, MFA delete for sensitive buckets
- IAM Policies: Root MFA, password policies, unused access keys (90+ days)
- EC2 Security Groups: Public access rules, IPv6 support, overly permissive configurations
- RDS Instances: Public accessibility, encryption, Multi-AZ configuration
- CloudTrail: Trail existence, log validation, encryption
- EBS Volumes: Encryption status, attached vs unattached volumes
- KMS Keys: Key rotation status, policy validation, AWS-managed vs customer-managed
- VPC Flow Logs: Flow log configuration for network monitoring
- Secrets Manager: Rotation status, unused secrets, replication compliance
- Lambda Functions: Deprecated runtimes, public URLs, overly permissive policies
- Risk Scoring: 0-100 scoring with severity-based deductions (A-F grades)
- Structured Output: JSON with metadata for automation pipelines
- HTML Reports: Human-readable web format with color-coded findings
- Statistics: Top risky resources, average risk scores, scan duration
- CI/CD Integration: Configurable exit codes for automation
- Tag-based Filtering: Skip resources based on environment tags
- Detailed Remediation: Step-by-step fix instructions with AWS CLI commands
- Compliance Mapping: CIS AWS, PCI-DSS, HIPAA, SOC2 framework alignment
- Configurable Severity: Adjust fail-on-critical behavior for CI/CD
- Service Filtering: Skip specific services for targeted scans
## Requirements

- Python 3.7+ (tested on 3.7, 3.8, 3.9, 3.10, 3.11)
- AWS Credentials configured (via AWS CLI, environment variables, or IAM role)
- Read-only permissions for the services being scanned
## Installation

```bash
# Clone the repository
git clone https://github.com/your-org/cloudguard-enhanced.git
cd cloudguard-enhanced

# Install dependencies
pip install -r requirements.txt

# Run basic scan
python cg.py
```

### Docker

```bash
# Build Docker image
docker build -t cloudguard-enhanced .

# Run scan with AWS credentials
docker run -v ~/.aws:/root/.aws cloudguard-enhanced
```

## Usage

```bash
# Basic scan with defaults
python cg.py

# High-performance scan for large accounts
python cg.py --workers 16 --verbose

# CI/CD integration with structured output
python cg.py --fail-on-critical --json security-report.json
```

```bash
# Custom AWS profile and region
python cg.py --profile production --region us-west-2

# Skip specific services for faster scans
python cg.py --skip-services lambda secrets --workers 12

# Output to stdout for CI/CD pipelines
python cg.py --json - --html - --fail-on-critical

# Development environment scan
python cg.py --skip-services rds kms --json dev-report.json
```

### Command-line Options

| Option | Description | Default |
|---|---|---|
| `--profile` | AWS CLI profile name | default |
| `--region` | AWS region to scan | us-east-1 |
| `--json` | JSON output file path (use `-` for stdout) | cloudguard_report.json |
| `--html` | HTML output file path (use `-` for stdout) | cloudguard_report.html |
| `--workers` | Number of parallel workers | 8 |
| `--verbose` | Enable verbose logging | False |
| `--skip-services` | Skip specific services | None |
| `--fail-on-critical` | Exit with error code if critical findings found | False |
## Performance

| Account Size | Resources | Sequential Time | Parallel Time | Improvement |
|---|---|---|---|---|
| Small | < 100 | ~30s | ~30s | 1x |
| Medium | 100-1K | ~5 min | ~1-2 min | 3-5x |
| Large | 1K-10K | ~30 min | ~5-10 min | 5-6x |
| Enterprise | 10K+ | ~2 hours | ~15-30 min | 8-10x |

- Sequential: 10 services × 30s each = 5 minutes
- Parallel (8 workers): ~1-2 minutes total
- Large accounts: 5-10x speed improvement
## Risk Scoring

The security score (0-100) is calculated based on findings:

| Severity | Points Deducted | Response Time |
|---|---|---|
| Critical | -15 points | Immediate attention required |
| High | -10 points | Fix within 24-48 hours |
| Medium | -5 points | Fix within 1 week |
| Low | -2 points | Fix within 1 month |

- A (90-100): Excellent security posture
- B (80-89): Good security with minor issues
- C (70-79): Acceptable with some concerns
- D (60-69): Poor security requiring attention
- F (0-59): Critical security issues
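Worked example of the deduction table and grade bands above, added here rather than taken from cg.py: it assumes a plain additive model clamped at 0 (the scanner's own formula may differ) and applies a CI gate to a report shaped like the JSON output documented in this README. The sample counts are constructed.

```python
"""Scoring-table worked example and CI gate (added illustration, not cg.py code)."""

# Points deducted per finding, from the severity table in this README.
DEDUCTIONS = {"CRITICAL": 15, "HIGH": 10, "MEDIUM": 5, "LOW": 2}
# Grade bands from this README: (lower bound, letter), highest first.
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


def compute_score(counts):
    """Deduct points for each finding and clamp to 0..100 (assumes a plain
    additive model; the scanner's own formula may differ)."""
    deducted = sum(DEDUCTIONS[sev] * n for sev, n in counts.items())
    return max(0, 100 - deducted)


def grade_for(score):
    """Map a 0-100 score onto the A-F bands."""
    for lower, letter in GRADE_BANDS:
        if score >= lower:
            return letter
    return "F"


def ci_gate(report, min_grade="C", fail_on_critical=True):
    """Return (ok, reasons) for a report shaped like this README's JSON output:
    fail on any critical finding (as --fail-on-critical does) or a grade below min_grade."""
    reasons = []
    counts = report["score"]["counts"]
    if fail_on_critical and counts.get("CRITICAL", 0) > 0:
        reasons.append(f"{counts['CRITICAL']} critical finding(s)")
    order = "FDCBA"  # worst to best, so index comparison orders grades
    grade = report["score"]["grade"]
    if order.index(grade) < order.index(min_grade):
        reasons.append(f"grade {grade} below {min_grade}")
    return (not reasons, reasons)


# Constructed sample: one critical, one high and two low findings -> 71 (C).
SAMPLE_COUNTS = {"CRITICAL": 1, "HIGH": 1, "MEDIUM": 0, "LOW": 2}
SAMPLE_REPORT = {"score": {"counts": SAMPLE_COUNTS,
                           "score": compute_score(SAMPLE_COUNTS)}}
SAMPLE_REPORT["score"]["grade"] = grade_for(SAMPLE_REPORT["score"]["score"])

if __name__ == "__main__":
    ok, why = ci_gate(SAMPLE_REPORT)
    print(SAMPLE_REPORT["score"], "PASS" if ok else "FAIL: " + "; ".join(why))
```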
## Output Format

```json
{
  "timestamp": "2024-01-15T10:30:00Z",
  "score": {
    "score": 85,
    "grade": "B",
    "counts": {
      "CRITICAL": 0,
      "HIGH": 2,
      "MEDIUM": 5,
      "LOW": 3
    },
    "total": 10
  },
  "findings": [...],
  "metadata": {
    "scanner_version": "2.0.0",
    "total_findings": 10,
    "severity_breakdown": {...},
    "scan_duration": 45.2
  },
  "statistics": {
    "average_risk_score": 65.5,
    "top_5_risky": [...]
  }
}
```

## CI/CD Integration

### GitHub Actions

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Run security scan
        run: |
          python cg.py --fail-on-critical --json security-report.json
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: Upload security report
        # --fail-on-critical fails the previous step; still keep the report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: security-report.json
```

### Jenkins

```groovy
pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                // --fail-on-critical makes the stage fail on critical findings,
                // which is what triggers the failure notification below
                sh 'python cg.py --workers 12 --fail-on-critical --json security-report.json'
            }
        }
    }
    post {
        always {
            // publish the HTML report whether or not the scan failed the build
            publishHTML([
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: '.',
                reportFiles: 'cloudguard_report.html',
                reportName: 'Security Report'
            ])
        }
        failure {
            emailext (
                subject: "Security Scan Failed - ${env.JOB_NAME}",
                body: "Critical security findings detected in ${env.BUILD_URL}",
                to: "[email protected]"
            )
        }
    }
}
```

### GitLab CI

```yaml
security_scan:
  stage: security
  image: python:3.11
  before_script:
    - pip install -r requirements.txt
  script:
    - python cg.py --fail-on-critical --json security-report.json
  artifacts:
    # keep the reports even when critical findings fail the job
    when: always
    paths:
      - security-report.json
      - cloudguard_report.html
  only:
    - main
    - develop
```

## IAM Permissions

Create an IAM policy with the following permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketAcl",
        "s3:GetBucketEncryption",
        "s3:GetBucketVersioning",
        "s3:GetPublicAccessBlock",
        "s3:GetBucketTagging",
        "iam:ListUsers",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeFlowLogs",
        "rds:DescribeDBInstances",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "lambda:ListFunctions",
        "lambda:GetFunctionUrlConfig",
        "lambda:GetPolicy",
        "kms:ListKeys",
        "kms:DescribeKey",
        "kms:GetKeyRotationStatus",
        "kms:GetKeyPolicy",
        "secretsmanager:ListSecrets",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "*"
    }
  ]
}
```

## Architecture

```mermaid
graph TB
    A[CloudGuard Scanner] --> B[Parallel Execution]
    B --> C[S3 Scanner]
    B --> D[IAM Scanner]
    B --> E[EC2 Scanner]
    B --> F[RDS Scanner]
    B --> G[Lambda Scanner]
    B --> H[KMS Scanner]
    B --> I[Secrets Scanner]
    C --> J[Findings Aggregator]
    D --> J
    E --> J
    F --> J
    G --> J
    H --> J
    I --> J
    J --> K[Risk Calculator]
    J --> L[Report Generator]
    K --> M[JSON Report]
    K --> N[HTML Report]
    L --> M
    L --> N
    M --> O[CI/CD Integration]
    N --> O
```
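A pre-attachment check for the scanner's IAM policy above, added as an example and not part of cloudguard-enhanced: it parses a policy document and reports every Allow action that is not a Get/List/Describe call, so wildcard or write actions cannot slip into a policy that is meant to be read-only. The policy embedded below is constructed for the demonstration.

```python
"""Check that a scanner IAM policy grants read-only actions only.

Added example, not part of cloudguard-enhanced.
"""
import json
import re

# Verbs that only read state; Put/Delete/Create/Update and friends are writes.
READ_ONLY_VERBS = ("Get", "List", "Describe")
# "service:Action" with no wildcard characters.
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9]+)$")


def non_read_only_actions(policy):
    """Return every Allow action that is not a narrowly scoped read-only call.

    Wildcards such as "s3:*" or "*" are flagged because they expand beyond
    Get/List/Describe; Deny statements are ignored since they cannot grant.
    """
    flagged = []
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        for action in actions:
            m = ACTION_RE.match(action)
            if not m or not m.group(2).startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged


# Constructed sample: the README's read-only shape plus two actions that
# would let the scanner change state.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketAcl", "iam:ListUsers",
               "kms:GetKeyRotationStatus", "s3:PutBucketPolicy", "ec2:*"],
    "Resource": "*"
  }]
}""")

if __name__ == "__main__":
    bad = non_read_only_actions(SAMPLE_POLICY)
    print("policy is read-only" if not bad else f"not read-only: {bad}")
```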
## Testing

```bash
# Run unit tests
python -m pytest tests/

# Run with coverage
python -m pytest --cov=cg tests/
```

```bash
# Test against AWS account (requires credentials)
python -m pytest tests/integration/ --aws-profile test-profile
```

```bash
# Benchmark large account scanning
python tests/benchmark.py --account-size large --workers 16
```

## Roadmap

- Multi-region scanning in single execution
- Custom compliance frameworks (SOC2, ISO27001)
- Automated remediation with dry-run mode
- Slack/Teams integration for critical findings
- Azure support for multi-cloud environments
- GCP support for comprehensive cloud security
- Real-time monitoring with continuous scanning
- Machine learning for anomaly detection
- Web dashboard for security posture visualization
- API endpoints for programmatic access
- Custom rule engine for organization-specific checks
- Compliance reporting with executive summaries
## Contributing

We welcome contributions! Please see our Contributing Guide for details.
```bash
# Fork and clone the repository
git clone https://github.com/your-username/cloudguard-enhanced.git
cd cloudguard-enhanced

# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: venv\Scripts\activate

# Install development dependencies
pip install -r requirements-dev.txt

# Run pre-commit hooks
pre-commit install
```

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'Add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
## License

This project is licensed under the MIT License - see the LICENSE file for details.
## Acknowledgments

- AWS Security Best Practices for compliance guidelines
- CIS AWS Foundations Benchmark for security controls
- Open source community for feedback and contributions
## Support

- Email: [email protected]
- Issues: GitHub Issues
- Documentation: Wiki