1 comment

  • gebalamariusz 4 hours ago

    I decided to create this tool for more pragmatic reasons. First, I've been at AWS for several years now, and security has always been a major issue in many companies I've worked for. Second, even if you're a specialist with a memory like a movie's mind, you can't manually check every corner of your environment to realistically assess whether a real problem exists. Third, existing scanners are great, but they're full of noise, and I suspect you know what such an "audit" looks like. You open a report, see that your account has 300+ findings, review the first ten, which turn out to be insignificant, and then dismiss the report. Here, I wanted to focus on truly realistic scenarios (although I suspect there's still a lot to refine).

    That's why I didn't focus on an incredible number of checks, but rather on the correlation between them. Something like a vulnerability based on findings (Public Security Group with port 22 -> IMDSv1 -> IAM Roles on EC2 with high access), which individually might not seem dangerous but, when combined, create a real opportunity for attackers. Taking a bit of inspiration from other scanners, I've also added an option to automatically fix the issue (of course, this is just a hint on how to do it, but it's always more convenient to get a ready-made Terraform snippet instead of searching for fixes in the documentation).

    I still have a lot of ideas for developing this, so I'd like to show you what it looks like now and would love to hear your feedback on whether you think it makes sense or whether tools like Prowler have already completely covered this sector in terms of security. I've recently added CIS 3.0 and SOC 2 compliance reports. This isn't SaaS—it's completely open source with the simplest possible installation. Documentation is available on the repo.

    If you have any questions or ideas, I would be extremely grateful for each one.
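The correlation the commenter describes (world-reachable SSH/RDP port -> IMDSv1 still enabled -> instance profile with wildcard permissions) can be shown as a small offline example. This is an added illustration, not code from the commenter's tool: the inventory below is constructed to resemble the shape of EC2 and IAM API responses, the "high access" bar (wildcard actions, or `iam:*` / `sts:*`) and the choice of ports 22 and 3389 as remote-admin ports are assumptions, and the Terraform snippet it emits is only a remediation hint in the spirit of what the comment mentions.

```python
"""Correlate individually low-signal AWS findings into one attack path.

Added example, not the project's own code.  Everything below runs offline on a
constructed inventory; no AWS calls are made.
"""

ADMIN_PORTS = (22, 3389)             # assumption: SSH and RDP count as remote-admin ports
WORLD_CIDRS = ("0.0.0.0/0", "::/0")   # "open to the internet"

# --- constructed sample inventory (not real account data) ---------------------
SECURITY_GROUPS = {
    "sg-admin":    {"ingress": [{"from": 22,  "to": 22,  "cidr": "0.0.0.0/0"}]},
    "sg-web":      {"ingress": [{"from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    "sg-internal": {"ingress": [{"from": 22,  "to": 22,  "cidr": "10.0.0.0/8"}]},
}

INSTANCES = [  # http_tokens mirrors the EC2 MetadataOptions field: "optional" == IMDSv1 allowed
    {"id": "i-bastion",  "sgs": ["sg-admin"],    "public_ip": "203.0.113.10", "http_tokens": "optional", "profile": "role-admin"},
    {"id": "i-web",      "sgs": ["sg-web"],      "public_ip": "203.0.113.11", "http_tokens": "optional", "profile": "role-admin"},
    {"id": "i-hardened", "sgs": ["sg-admin"],    "public_ip": "203.0.113.12", "http_tokens": "required", "profile": "role-admin"},
    {"id": "i-private",  "sgs": ["sg-internal"], "public_ip": None,           "http_tokens": "optional", "profile": "role-readonly"},
]

ROLE_POLICIES = {  # flattened IAM policy statements attached to each instance-profile role
    "role-admin":    [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "role-readonly": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}],
}


def sg_open_to_world(sg, port):
    """True if any ingress rule of `sg` admits `port` from any source address."""
    return any(rule["cidr"] in WORLD_CIDRS and rule["from"] <= port <= rule["to"]
               for rule in sg["ingress"])


def imdsv1_enabled(instance):
    """IMDSv1 is usable unless the instance requires session tokens (IMDSv2)."""
    return instance["http_tokens"] != "required"


def role_is_high_privilege(statements):
    """Assumed 'high access' bar: an Allow statement with wildcard or iam:*/sts:* actions."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(a == "*" or a.lower() in ("iam:*", "sts:*") for a in actions):
            return True
    return False


def terraform_fix(instance_id):
    """Remediation hint: enforce IMDSv2 on the instance (breaks the middle link of the chain)."""
    return (
        f'resource "aws_instance" "{instance_id}" {{\n'
        '  # ... existing arguments ...\n'
        '  metadata_options {\n'
        '    http_endpoint = "enabled"\n'
        '    http_tokens   = "required"   # IMDSv2 only\n'
        '  }\n'
        '}\n'
    )


def count_individual_findings(instances, sgs, role_policies):
    """What an uncorrelated scanner would report: one finding per weak fact."""
    n = sum(1 for sg in sgs.values() if any(sg_open_to_world(sg, p) for p in ADMIN_PORTS))
    n += sum(1 for inst in instances if imdsv1_enabled(inst))
    n += sum(1 for pol in role_policies.values() if role_is_high_privilege(pol))
    return n


def find_attack_paths(instances, sgs, role_policies):
    """Report only instances where all three links of the chain are present."""
    paths = []
    for inst in instances:
        if inst["public_ip"] is None:
            continue  # not reachable from the internet; chain cannot start
        open_ports = [p for p in ADMIN_PORTS
                      if any(sg_open_to_world(sgs[s], p) for s in inst["sgs"])]
        if not open_ports or not imdsv1_enabled(inst):
            continue
        if not role_is_high_privilege(role_policies.get(inst["profile"], [])):
            continue
        paths.append({
            "instance": inst["id"],
            "severity": "critical",
            "chain": [
                f"remote-admin ports {open_ports} open to the internet on public IP {inst['public_ip']}",
                "IMDSv1 reachable (http_tokens=optional): a foothold or SSRF can read role credentials from 169.254.169.254",
                f"instance profile {inst['profile']} grants wildcard actions",
            ],
            "fix": terraform_fix(inst["id"]),
        })
    return paths


if __name__ == "__main__":
    print("individual findings:", count_individual_findings(INSTANCES, SECURITY_GROUPS, ROLE_POLICIES))
    for path in find_attack_paths(INSTANCES, SECURITY_GROUPS, ROLE_POLICIES):
        print(f"\n[{path['severity']}] {path['instance']}")
        for step in path["chain"]:
            print("  ->", step)
        print(path["fix"])
```

On this inventory the uncorrelated view yields five findings, while the correlated view yields exactly one attack path (`i-bastion`): `i-web` has no admin port exposed, `i-hardened` already requires IMDSv2, and `i-private` has no public address. Which link you choose to break is a design choice; the snippet targets IMDSv2 because it removes the credential-theft step without touching network or IAM design.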