Cloud Auditing by API and Configuration State
Intro: One of the most useful cloud-security lessons from older DevSecOps material is still true: in cloud environments, many of the best security reviews come from reading configuration state through APIs, not from aggressively probing live services.
Why this matters
For cloud accounts, many high-value findings come from questions like:
- which security groups are public?
- which identities are over-privileged?
- which storage resources are public or weakly encrypted?
- which KMS, backup, and logging settings drifted?
- which images or machine templates are stale?
Those are often answered faster by cloud APIs than by active scanning.
Legacy versus current tooling
| Older tool or pattern | Status | Current use |
|---|---|---|
| AWS Trusted Advisor | still useful | fast first-pass review in AWS estates |
| Scout2 | old AWS-focused name | translate to ScoutSuite for current multi-cloud posture reviews |
| one-cloud-only scripts | still useful in small estates | combine with broader posture tooling when scale grows |
| manual console-by-console review | painful but common | prefer repeatable CLI, API, or policy-driven review |
| cloud scanning as "network pentest" | often misleading | focus on configuration, access, data exposure, and drift |
Good current open-source choices
- Prowler
- ScoutSuite
- Checkov for IaC before deployment
- native cloud findings from AWS Config, Security Hub, Access Analyzer, GuardDuty, and equivalents on other clouds
Practical snippet: raw AWS API inspection
aws ec2 describe-security-groups \
--query "SecurityGroups[?IpPermissions[?contains(to_string(IpRanges[].CidrIp), '0.0.0.0/0')]].[GroupId,GroupName]" \
--output table
This is often more useful than a noisy generic port scanner when you are reviewing cloud exposure.
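The same review carried out over the describe-security-groups JSON, as an added Python example that is not part of this page or of any tool named on it. It extends the CLI query above to IPv6 `::/0` sources and to all-traffic (`-1`) rules, which a `0.0.0.0/0`-only filter misses. The response below is a constructed sample; in practice feed it the output of `aws ec2 describe-security-groups --output json` or a boto3 paginator.

```python
import json
from ipaddress import ip_network

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
SAMPLE_RESPONSE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0a1b2c3d", "GroupName": "web-public",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0e4f5a6b", "GroupName": "admin-v6-only",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0c7d8e9f", "GroupName": "internal-db",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0b1c2d3e", "GroupName": "legacy-any",
   "IpPermissions": [{"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

def is_world_open(cidr):
    """True when the source CIDR is the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def world_open_ingress(response):
    """Return (GroupId, GroupName, protocol, ports, cidr) for each ingress rule
    whose source is 0.0.0.0/0 or ::/0, checking both IpRanges and Ipv6Ranges."""
    findings = []
    for sg in response["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # IpProtocol "-1" means all traffic; such rules carry no port fields.
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr):
                    findings.append((sg["GroupId"], sg["GroupName"], proto, ports, cidr))
    return findings

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE_RESPONSE):
        print(*finding)
```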
Practical snippet: Prowler
prowler aws --profile audit-readonly --compliance cis_aws_1.5_0
Practical snippet: ScoutSuite
scout.py aws --profile audit-readonly
Practical snippet: legacy Scout2 note
Scout2 --profile audit-readonly
Keep this only for estates that still have old local runbooks referencing it. For current usage, prefer maintained ScoutSuite documentation and releases.
Practical review areas
Network posture
- public security groups;
- internet-facing load balancers;
- unmanaged egress;
- missing flow logs for critical segments.
Identity posture
- wildcard policies;
- stale access keys;
- missing MFA for sensitive console users;
- dangerous trust policies;
- missing service control or guardrail patterns.
Data protection
- weak or missing encryption;
- public buckets or containers;
- database backup gaps;
- overly broad KMS decrypt permissions.
Logging and response readiness
- CloudTrail or equivalent disabled or incomplete;
- missing DNS, flow, or access logs for critical tiers;
- no retention or external sink for high-value events.
What not to overlearn from older books
Older books sometimes show long-lived local credentials and simple CLI setup because they were teaching the basics.
For modern implementations prefer:
- short-lived identity where possible;
- read-only audit roles;
- automation-friendly service identities;
- no permanent developer admin credentials in shared audit scripts.
Related pages
- Cloud Security Across AWS, Azure, and GCP
- AWS Security Baseline and Top Misconfigurations
- Ansible Security Baseline and Top 10 Misconfigurations
- Terraform Security Scanning and Checkov
---
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.
v3.2 companion page
For provider-by-provider CLI patterns and a more operational audit loop, see Cloud Audit Cookbook by Provider.