CloudScan

Open-source AWS security scanner that finds misconfigurations, maps infrastructure relationships, and tracks compliance posture.

CloudScan scans your AWS infrastructure across 10 services, evaluates 60 security checks, and generates findings with remediation steps — all from a single binary. It includes a web dashboard for visualizing your security posture, an interactive infrastructure graph, and compliance tracking against CIS, PCI DSS, SOC 2, ISO 27001, and HIPAA.

Quick Start

Prerequisites

  • Go 1.24+
  • Node.js 18+ and pnpm (for frontend)
  • AWS credentials configured (~/.aws/credentials, env vars, or IAM role)

Install from source

git clone https://github.com/prdp1137/cloudscan.git
cd cloudscan
make build

This builds the frontend and compiles everything into a single cloudscan binary.

Run a scan

# Scan using default AWS credentials
./cloudscan scan

# Scan a specific profile and region
./cloudscan scan --profile production --region us-east-1

# Output as JSON
./cloudscan scan --output json

Launch the dashboard

./cloudscan serve

Open http://localhost:8080 to view the dashboard.

Features

Security Scanning

  • 60 security checks across S3, EC2, IAM, RDS, Lambda, CloudTrail, KMS, VPC, SNS, and SQS
  • YAML-based check definitions with expression evaluation via expr-lang
  • Severity levels: Critical, High, Medium, Low
  • Remediation steps with AWS CLI and Terraform examples
  • Multi-account scanning via AWS profiles
  • Real-time scan progress with WebSocket updates

Web Dashboard

  • Dashboard — Risk score, severity breakdown, latest scan status
  • Findings — Filterable list by severity, status, service, and region
  • Scans — Historical scan list with comparison between any two scans
  • Infrastructure Graph — Interactive D3-powered visualization of resource relationships
  • Compliance — Posture tracking across 5 frameworks with trend analysis
  • Checks — Catalog of all available security checks

Infrastructure Graph

Resources are mapped into a relationship graph showing connections like attached_to, belongs_to, exposed_by, protects, and accessible_via. The graph is persisted with each scan and rendered as an interactive force-directed layout.

Compliance Frameworks

| Framework | Controls |
|---|---|
| CIS AWS Foundations Benchmark | 52 |
| PCI DSS v4.0 | 12 |
| SOC 2 Type II | 17 |
| ISO 27001:2022 | 13 |
| HIPAA Security Rule | 13 |

Export compliance reports as JSON or PDF.

Security Checks

Checks are defined as YAML files in checks/aws/ and organized by service:

checks/aws/
├── cloudtrail/    # CloudTrail logging & monitoring
├── ec2/           # EC2 instances, security groups, EBS
├── iam/           # IAM users, policies, MFA, access keys
├── kms/           # KMS key rotation & management
├── lambda/        # Lambda function security
├── rds/           # RDS encryption, public access, backups
├── s3/            # S3 bucket policies, encryption, public access
├── sns/           # SNS topic encryption & access
├── sqs/           # SQS queue encryption & access
└── vpc/           # VPC flow logs, default security groups

Writing custom checks

Each check is a YAML file with an expression-based evaluation:

name: s3-bucket-versioning
title: S3 Bucket Versioning Enabled
description: Ensures S3 buckets have versioning enabled for data protection
service: s3
severity: medium
compliance:
  cis_aws:
    - "2.1.3"
  pci_dss:
    - "10.5"
expression: |
  Versioning.Status == "Enabled"
remediation:
  cli: |
    aws s3api put-bucket-versioning \
      --bucket BUCKET_NAME \
      --versioning-configuration Status=Enabled
  terraform: |
    resource "aws_s3_bucket_versioning" "example" {
      bucket = aws_s3_bucket.example.id
      versioning_configuration {
        status = "Enabled"
      }
    }
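To show how a definition like this turns into findings, here is an added example in Go (not CloudScan's own engine code): a small evaluator that applies the expression above to a constructed set of bucket attributes and emits a finding carrying the check's severity and remediation for each bucket that fails. It understands only `==`/`!=` comparisons joined by `&&`, a stand-in for the expr-lang evaluation CloudScan actually performs, and the bucket names and attribute maps are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Check holds the fields of a CloudScan YAML check that evaluation needs; the
// YAML loading step is omitted so the example runs offline.
type Check struct{ Name, Title, Service, Severity, Expression, CLIFix string }

// Finding is what one failed check produces for one resource.
type Finding struct{ Check, Resource, Severity, Title, Fix string }

// Bucket is one scanned resource: its name and the attributes a fetcher
// collected (hand-written here; normally the GetBucketVersioning response).
type Bucket struct {
	Name  string
	Attrs map[string]any
}

// versioningCheck is filled from the README's s3-bucket-versioning definition.
var versioningCheck = Check{
	Name:       "s3-bucket-versioning",
	Title:      "S3 Bucket Versioning Enabled",
	Service:    "s3",
	Severity:   "medium",
	Expression: `Versioning.Status == "Enabled"`,
	CLIFix:     "aws s3api put-bucket-versioning --bucket BUCKET_NAME --versioning-configuration Status=Enabled",
}

// sampleBuckets is a constructed inventory: one compliant bucket, one with
// versioning suspended, and one never configured (no Status field at all).
var sampleBuckets = []Bucket{
	{"logs-prod", map[string]any{"Versioning": map[string]any{"Status": "Enabled"}}},
	{"tmp-uploads", map[string]any{"Versioning": map[string]any{"Status": "Suspended"}}},
	{"legacy-data", map[string]any{}},
}

// lookup resolves a dotted path such as "Versioning.Status" through nested
// maps; a missing key yields nil instead of a panic.
func lookup(attrs map[string]any, path string) any {
	var cur any = attrs
	for _, part := range strings.Split(path, ".") {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		cur = m[part]
	}
	return cur
}

// evalClause handles one `<path> == <literal>` or `<path> != <literal>` clause.
// Values are compared by their printed form, so "Enabled", true and 30 all
// work, and a missing attribute (nil) never equals anything.
func evalClause(attrs map[string]any, clause string) (bool, error) {
	for _, op := range []string{"!=", "=="} {
		i := strings.Index(clause, op)
		if i < 0 {
			continue
		}
		got := lookup(attrs, strings.TrimSpace(clause[:i]))
		want := strings.Trim(strings.TrimSpace(clause[i+len(op):]), `"`)
		eq := got != nil && fmt.Sprint(got) == want
		return eq != (op == "!="), nil // XOR inverts the result for "!="
	}
	return false, fmt.Errorf("unsupported clause %q", strings.TrimSpace(clause))
}

// Evaluate runs one check against one resource. As in the README's example, the
// expression describes the compliant state: false yields a Finding, nil means
// the resource passed. Clauses joined with && must all hold. Filling BUCKET_NAME
// with the resource name is this example's convenience, not CloudScan behaviour.
func Evaluate(c Check, resourceID string, attrs map[string]any) (*Finding, error) {
	for _, clause := range strings.Split(c.Expression, "&&") {
		ok, err := evalClause(attrs, clause)
		if err != nil {
			return nil, err
		}
		if !ok {
			return &Finding{Check: c.Name, Resource: resourceID, Severity: c.Severity, Title: c.Title,
				Fix: strings.ReplaceAll(c.CLIFix, "BUCKET_NAME", resourceID)}, nil
		}
	}
	return nil, nil
}

func main() {
	for _, b := range sampleBuckets {
		f, err := Evaluate(versioningCheck, b.Name, b.Attrs)
		if err != nil {
			panic(err)
		}
		if f != nil {
			fmt.Printf("[%s] %s: %s\n  fix: %s\n", f.Severity, f.Resource, f.Title, f.Fix)
		}
	}
}
```

The bucket that never had versioning configured is the case worth noticing: the API returns no Status for it, so an expression stated as equality with "Enabled" fails it correctly, whereas an expression written as `Versioning.Status != "Suspended"` would let it pass. Write expressions as the compliant state you expect to observe, not as the absence of a known-bad value.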

CLI Reference

cloudscan scan

Run a security scan against your AWS infrastructure.

Flags:
  --profile    AWS profile name (default: default credentials chain)
  --region     AWS region to scan (default: all enabled regions)
  --output     Output format: table, json, csv (default: table)
  --db         SQLite database path (default: cloudscan.db)

cloudscan serve

Start the dashboard and API server.

Flags:
  --addr          Listen address (default: :8080)
  --cors-origin   CORS allowed origin
  --db            SQLite database path (default: cloudscan.db)
  --profile       AWS profile name
  --region        AWS region

cloudscan checks list

List all available security checks.

cloudscan checks validate

Validate YAML check definitions.

Flags:
  --verbose    Show per-check validation status

cloudscan checks coverage

Display check coverage metrics across services.

API

CloudScan exposes a REST API when running in server mode.

| Method | Endpoint | Description |
|---|---|---|
| GET | /api/dashboard | Risk metrics and summary |
| GET | /api/scans | List all scans |
| POST | /api/scans | Trigger a new scan |
| GET | /api/scans/:id | Scan details |
| GET | /api/scans/:id/findings | Findings for a scan |
| GET | /api/scans/:id/graph | Resource graph for a scan |
| GET | /api/scans/:id/compare/:targetId | Compare two scans |
| GET | /api/findings | All findings (paginated, filterable) |
| GET | /api/graph | Latest resource graph |
| GET | /api/compliance | Compliance posture |
| GET | /api/compliance/trend | Compliance trend over time |
| GET | /api/compliance/export | Export report (JSON/PDF) |
| GET | /api/checks | Check catalog |
| GET | /api/checks/coverage | Coverage metrics |
| WS | /ws | Real-time scan progress |
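As an added example of consuming this API (not code from the CloudScan project), the Go program below fetches GET /api/scans/:id/findings, tallies the findings by severity and exits non-zero, as a CI gate would, when any severity exceeds a budget. The response field names (check, severity, service, region, resource) are an assumption, since the README documents the endpoints but not the JSON schema; the embedded sample response is constructed, and its check names other than s3-bucket-versioning are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"sort"
	"strings"
	"time"
)

// APIFinding holds the fields this example reads from one finding. The JSON
// tags are assumed; align them with what your cloudscan server returns.
type APIFinding struct {
	Check    string `json:"check"`
	Severity string `json:"severity"`
	Service  string `json:"service"`
	Region   string `json:"region"`
	Resource string `json:"resource"`
}

// sampleFindings is a constructed response used when no server address is
// given, so the example runs offline. Check names other than s3-bucket-versioning are placeholders.
const sampleFindings = `[
  {"check": "placeholder-critical-check", "severity": "Critical", "service": "s3", "region": "us-east-1", "resource": "logs-prod"},
  {"check": "placeholder-high-check", "severity": "High", "service": "ec2", "region": "eu-west-1", "resource": "sg-placeholder"},
  {"check": "s3-bucket-versioning", "severity": "Medium", "service": "s3", "region": "us-east-1", "resource": "tmp-uploads"}
]`

// ParseFindings decodes a JSON array of findings.
func ParseFindings(body []byte) ([]APIFinding, error) {
	var findings []APIFinding
	if err := json.Unmarshal(body, &findings); err != nil {
		return nil, fmt.Errorf("decode findings: %w", err)
	}
	return findings, nil
}

// FetchFindings calls GET /api/scans/:id/findings on a running `cloudscan serve`
// and treats any non-200 status as an error rather than as an empty scan.
func FetchFindings(client *http.Client, baseURL, scanID string) ([]APIFinding, error) {
	url := strings.TrimRight(baseURL, "/") + "/api/scans/" + scanID + "/findings"
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: unexpected status %s", url, resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return ParseFindings(body)
}

// CountBySeverity tallies findings by lower-cased severity label.
func CountBySeverity(findings []APIFinding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[strings.ToLower(f.Severity)]++
	}
	return counts
}

// Gate compares counts against a per-severity budget such as
// {"critical": 0, "high": 5} and returns the severities over budget, sorted.
// Severities absent from the budget are not limited.
func Gate(counts, budget map[string]int) []string {
	var failed []string
	for sev, limit := range budget {
		if counts[sev] > limit {
			failed = append(failed, sev)
		}
	}
	sort.Strings(failed)
	return failed
}

// Usage: go run . [http://localhost:8080 SCAN_ID]; without arguments the
// embedded sample is used. Exit code 1 means the gate failed.
func main() {
	var findings []APIFinding
	var err error
	if len(os.Args) == 3 {
		client := &http.Client{Timeout: 30 * time.Second}
		findings, err = FetchFindings(client, os.Args[1], os.Args[2])
	} else {
		findings, err = ParseFindings([]byte(sampleFindings))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	counts := CountBySeverity(findings)
	fmt.Println("findings by severity:", counts)
	if failed := Gate(counts, map[string]int{"critical": 0, "high": 5}); len(failed) > 0 {
		fmt.Println("gate failed for:", failed)
		os.Exit(1)
	}
}
```

Severity labels are lower-cased before counting so the gate works whether the server emits "Critical" or "critical", and a non-200 response is an error rather than a clean pass, so an expired scan id or a stopped server cannot silently open the gate.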

Architecture

cmd/cloudscan/         CLI entry point (Cobra)
internal/
├── cli/               Command implementations
├── engine/            Scan engine, check loader, service adapters
├── api/               REST API, WebSocket hub, static file server
├── store/             SQLite + GORM persistence
├── findings/          Finding model and output formatters
├── graph/             Resource relationship graph
├── compliance/        Framework definitions and aggregation
├── credentials/       AWS credential resolution
├── plugin/            Plugin system and PDF export
└── logging/           Structured logging
checks/aws/            YAML check definitions (60 checks)
web/                   React + TypeScript dashboard (Vite, Tailwind, D3)

Tech stack: Go, SQLite, React, TypeScript, Tailwind CSS, D3.js

Development

# Start the API server
go run ./cmd/cloudscan serve

# In another terminal, start the frontend dev server
cd web && pnpm install && pnpm dev

# Run tests
go test ./...

# Build production binary
make build

AWS Permissions

CloudScan makes only read-only AWS API calls. The minimum IAM policy needs Get*, List*, and Describe* permissions for the services you want to scan, plus sts:GetCallerIdentity, which CloudScan calls on startup to validate the credentials.

The AWS managed ReadOnlyAccess policy works, or you can scope the policy down to the scanned services.
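A scoped-down policy of the kind this section describes, as an added example rather than a policy shipped with CloudScan. It grants sts:GetCallerIdentity for the startup credential check and the Get*/List*/Describe* verbs for the ten scanned services; VPC resources such as flow logs and security groups are read through the ec2 prefix, so no separate vpc statement is needed. The Sid values are made up, and which of these actions each individual check calls is not stated in the README.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudScanCredentialCheck",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    },
    {
      "Sid": "CloudScanReadOnly",
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "ec2:Describe*",
        "iam:Get*",
        "iam:List*",
        "rds:Describe*",
        "rds:List*",
        "lambda:Get*",
        "lambda:List*",
        "cloudtrail:Describe*",
        "cloudtrail:Get*",
        "cloudtrail:List*",
        "kms:Describe*",
        "kms:Get*",
        "kms:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:Get*",
        "sqs:List*"
      ],
      "Resource": "*"
    }
  ]
}
```

One caveat when scoping this further: s3:Get* also matches s3:GetObject, which is object data access, not just bucket metadata. If the scanner role should not be able to read object contents, replace it with bucket-level actions such as s3:GetBucket* and s3:GetEncryptionConfiguration and confirm with a scan that no check reports an access error.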

Contributing

Contributions are welcome! Here are some ways to help:

  • Add security checks — Create new YAML check definitions in checks/aws/
  • Add service support — Implement new service fetchers and adapters
  • Improve the dashboard — Enhance the React frontend
  • Report bugs — Open an issue with reproduction steps

License

MIT

About

Cloud security scanner that runs 60 checks across 10 AWS services, maps resource relationships, and tracks compliance against CIS, PCI DSS, SOC 2, ISO 27001, and HIPAA. Built to extend to multi-cloud.
