Scan 30 AWS services. Find cost waste. Detect security gaps. One command.
Quick Start • Key Features • Service Coverage • Documentation
## Quick Start

```bash
pip install kosty

# Full audit — cost + security across 30 services
kosty audit --output all

# External attack surface mapping
kosty public-exposure --output console

# IAM privilege escalation detection (21 patterns)
kosty iam check-privilege-escalation --deep

# Organization-wide scan
kosty audit --organization --max-workers 20 --output all
```

💡 Need expert help? Professional consulting available →
Upload your JSON report to the built-in dashboard for interactive charts, filtering, and cost breakdowns.
## Key Features

Map everything publicly exposed and evaluate protections — ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, and snapshots.

```bash
kosty public-exposure --output console
```

Each finding is classified:
- 🔴 Exposed & Unprotected — no protections, immediate action
- 🟡 Exposed & Partially Protected — gaps remain
- 🟢 Exposed & Protected — all protections verified
180+ checks across 30 services. Highlights:
- IAM Privilege Escalation — detects 21 known escalation patterns, with optional `--deep` confirmation via SimulatePrincipalPolicy
- WAF Hardening — managed rules, rate limiting, bot control, logging, action mode
- API Gateway — WAF association, authorization, throttling, TLS 1.2, CloudFront bypass detection, request validation
- Foundational — CloudTrail, VPC Flow Logs, GuardDuty, AWS Config, KMS key rotation
- Data Protection — S3 encryption, RDS encryption, ElastiCache encryption, Secrets Manager rotation
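How the `--deep` confirmation step from the IAM bullet above can be interpreted, as an added example that is not Kosty's code: a pattern matched on policy text counts only when `SimulatePrincipalPolicy` reports every action in it as allowed. The two patterns and the sample response are constructed for illustration (they are not Kosty's list of 21).

```python
"""Confirm statically suspected IAM privilege-escalation patterns against an
iam:SimulatePrincipalPolicy response.  Added example, not Kosty's code: the
two patterns are illustrative (not Kosty's list of 21) and the sample response
is constructed, mirroring only the real EvaluationResults/EvalDecision shape."""
from typing import Dict, Iterable, Mapping, Set

# Illustrative detection signatures: an escalation path exists only if
# EVERY action in the set is actually allowed for the principal.
PATTERNS: Dict[str, Set[str]] = {
    "CreatePolicyVersion": {"iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"},
    "PassRole+Lambda": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}


def confirm_patterns(static_hits: Iterable[str], simulation: Mapping,
                     patterns: Mapping[str, Set[str]] = PATTERNS) -> Dict[str, str]:
    """Return CONFIRMED / NOT_CONFIRMED / UNKNOWN for each suspected pattern.

    A match on the policy text is CONFIRMED only when the simulator reports
    every action as 'allowed'; one 'implicitDeny' or 'explicitDeny' (e.g. from
    a permissions boundary) downgrades it, and an action the simulation never
    evaluated leaves the verdict UNKNOWN instead of silently passing it."""
    decisions = {r["EvalActionName"]: r["EvalDecision"]
                 for r in simulation.get("EvaluationResults", [])}
    verdicts: Dict[str, str] = {}
    for name in static_hits:
        actions = patterns[name]
        if not actions <= set(decisions):
            verdicts[name] = "UNKNOWN"
        elif all(decisions[a] == "allowed" for a in actions):
            verdicts[name] = "CONFIRMED"
        else:
            verdicts[name] = "NOT_CONFIRMED"
    return verdicts


# Constructed response: the role's policy text matched both patterns, but a
# permissions boundary denies lambda:InvokeFunction, so only one path is real.
SAMPLE_SIMULATION = {"EvaluationResults": [
    {"EvalActionName": "iam:CreatePolicyVersion", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:SetDefaultPolicyVersion", "EvalDecision": "allowed"},
    {"EvalActionName": "iam:PassRole", "EvalDecision": "allowed"},
    {"EvalActionName": "lambda:CreateFunction", "EvalDecision": "allowed"},
    {"EvalActionName": "lambda:InvokeFunction", "EvalDecision": "implicitDeny"},
]}

if __name__ == "__main__":
    for pattern, verdict in confirm_patterns(PATTERNS, SAMPLE_SIMULATION).items():
        print(f"{pattern}: {verdict}")
```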
```bash
kosty iam security-audit --deep
kosty waf audit
kosty apigateway security-audit
```

Real dollar savings for 11 services — not just recommendations, actual monthly amounts:
| Finding | Typical Savings |
|---|---|
| Stopped EC2 instances | $280/mo per m5.2xlarge |
| Oversized RDS instances | $700/mo per db.r5.4xlarge |
| Unused NAT Gateways | $33/mo each |
| Orphaned EBS volumes | $10/mo per 100GB |
| Load Balancers with no targets | $16/mo each |
| Unused secrets | $0.40/mo each |
```bash
kosty audit --output json   # generates report with $ amounts
open dashboard/index.html   # visualize savings
```

## Service Coverage

30 services, organized by category:
| Category | Services | Key Checks |
|---|---|---|
| Compute | EC2, Lambda | Oversized, idle, IMDSv1, outdated runtimes |
| Storage | S3, EBS, Snapshots | Public access, encryption, lifecycle, object lock |
| Database | RDS, DynamoDB | Public DBs, oversized, encryption, backups |
| Network | EIP, LB, NAT, SG, Route53, VPC | Unused resources, open ports, flow logs |
| Security | IAM, WAFv2, GuardDuty, KMS | Privilege escalation, MFA, key rotation, threat detection |
| Management | CloudWatch, Backup, CloudTrail, Config | Logging, audit trail, drift detection |
| Application | API Gateway | WAF, auth, throttling, TLS, CloudFront bypass |
| AI/ML | Bedrock | Invocation logging, budget limits |
| Secrets | Secrets Manager | Unused secrets, rotation |
| Messaging | SNS, SQS | Encryption at rest and in transit |
| Cache | ElastiCache | Encryption at rest and in transit |
| Certificates | ACM | Expiring certificates |
| Containers | ECS | Privileged task definitions |
| Patch Mgmt | SSM | Patch compliance |
Full check list per service → docs/SERVICES.md
```bash
# PyPI (recommended)
pip install kosty

# Docker
docker run --rm -v ~/.aws:/home/nonroot/.aws:ro ghcr.io/kosty-cloud/kosty:latest audit

# From source
git clone https://github.com/kosty-cloud/kosty.git && cd kosty && pip install -e .
```

```yaml
# kosty.yaml
default:
  regions: [us-east-1, eu-west-1]
  max_workers: 20
  exclude:
    services: [route53]
    tags:
      - key: "kosty_ignore"
        value: "true"

profiles:
  production:
    role_arn: "arn:aws:iam::123456789012:role/AuditRole"
    regions: [us-east-1]
  staging:
    aws_profile: "staging-profile"
    regions: [eu-west-1]
```

```bash
kosty audit --profile production
kosty audit --profiles --output all   # all profiles in parallel
```

Full configuration guide → docs/CONFIGURATION.md
## Documentation

| Guide | Description |
|---|---|
| Full Documentation | Complete user guide |
| Service Coverage | All 30 services and their checks |
| CLI Reference | Every command and option |
| Examples | Detailed usage examples |
| Configuration | YAML config, profiles, exclusions |
| Multi-Profile Guide | Parallel multi-customer audits |
| Release Notes | Version history |
- Report Issues — Open an issue
- Add Services — Follow the pattern in `kosty/services/`
- Star the Repo — Show your support
Free 30-minute assessment to discuss your AWS setup.
📅 Book a call · 📧 [email protected] · 🌐 kosty.cloud
MIT License — see LICENSE
💰 Save money. Secure infrastructure. Ship faster.
⭐ Star this repo if Kosty saved you money