AI-powered CLI agent that audits AWS accounts for security misconfigurations and cost anomalies using Claude.
The agent uses read-only AWS API calls to scan your account, then applies Claude's reasoning to produce prioritized findings with actionable remediation steps. It never modifies your AWS resources.
- 20 audit tools across 5 domains: IAM, S3, EC2, Cost, and Compliance
- AI-powered analysis — Claude reasons over raw AWS data to detect issues human-written rules would miss
- Read-only — every tool is explicitly annotated as non-destructive
- Scoped audits — run a full audit or target specific domains
- Cost anomaly detection — identifies daily spending spikes and usage-type drill-downs
- Bedrock support — optionally route LLM calls through AWS Bedrock so data stays in your VPC
- OpenTelemetry tracing — optional Phoenix instrumentation for inspecting agent behavior
- Node.js 18+
The agent uses Claude to reason over your AWS data. Choose one of:
Claude Max plan (recommended) — no API key needed:
claude auth loginAnthropic API key — if you have separate API credits:
export ANTHROPIC_API_KEY=sk-ant-...AWS Bedrock — routes LLM calls through your AWS account so data stays in your VPC:
export CLAUDE_CODE_USE_BEDROCK=1The agent needs read-only access to your AWS account. Choose one of:
AWS CLI profile (most common):
aws configure
# or use a named profile
aws configure --profile productionEnvironment variables:
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_REGION=us-east-1IAM role — works automatically on EC2, ECS, and Lambda with no extra configuration.
The agent only needs read-only permissions. See AWS Permissions for the required policies.
# Full audit
npx @trellisclad/cloud-audit-agent --scope all
# Security-only audit
npx @trellisclad/cloud-audit-agent --scope iam s3 ec2 compliance
# Cost-only audit
npx @trellisclad/cloud-audit-agent --scope cost
# Specific region and AWS profile
npx @trellisclad/cloud-audit-agent --region eu-west-1 --profile production --scope allnpm install -g @trellisclad/cloud-audit-agent
cloud-audit-agent --scope all| Option | Description | Default |
|---|---|---|
-s, --scope <scopes...> |
Audit scopes: iam, s3, ec2, cost, compliance, all |
all |
-r, --region <region> |
AWS region to audit | us-east-1 |
-p, --profile <profile> |
AWS CLI profile to use | default |
-f, --format <format> |
Output format: markdown, human, html, json |
markdown |
-m, --model <model> |
Claude model to use | auto |
--max-turns <number> |
Maximum agent turns | auto-computed |
--redact |
Redact sensitive data (account IDs, resource names, ARNs) | false |
--trace |
Enable Phoenix tracing | false |
The --format flag controls how the audit report is rendered.
Raw markdown output from the agent, including the structured JSON findings block at the end. Best for piping into other tools or saving as .md files.
cloud-audit-agent --scope all > report.mdClean, terminal-friendly report with findings grouped by severity. Strips the raw JSON block and adds scannable labels, resource identifiers, and a metadata footer.
cloud-audit-agent --scope all --format humanSelf-contained styled HTML report with color-coded severity badges, properly rendered tables, and a metadata footer. Open directly in a browser.
cloud-audit-agent --scope s3 --format html > report.html
open report.htmlStructured AuditReport object with parsed findings, severity/domain summaries, and audit metadata. Useful for programmatic consumption.
# Pipe to jq
cloud-audit-agent --scope iam --format json | jq '.findings[] | select(.severity == "CRITICAL")'
# Save for processing
cloud-audit-agent --scope all --format json > audit.jsonList users, check access key age/rotation, MFA status, role trust policies, inline/attached policies, account summary.
List buckets, check public access blocks, encryption settings, bucket policies. Per-bucket storage cost estimation via CloudWatch.
Security groups (open ports, 0.0.0.0/0 rules), VPCs, network ACLs, VPC flow log status.
Cost breakdown by service, cost forecasting, cost anomalies. Daily spike detection with usage-type drill-down.
Security Hub findings, AWS Config rule compliance, CIS benchmark status.
import { runAudit } from "@trellisclad/cloud-audit-agent";
const result = await runAudit({
awsConfig: { region: "us-east-1", profile: "default" },
scopes: ["iam", "s3"],
});
console.log(result.markdown);
console.log(`Cost: $${result.costUsd.toFixed(4)}`);The agent is built on the Claude Agent SDK and uses MCP (Model Context Protocol) tool servers to interact with AWS.
CLI (commander) → runAudit() → Claude Agent SDK
↓
MCP Tool Servers
┌──────────┼──────────┐
aws-iam aws-s3 aws-ec2
aws-cost aws-compliance
└──────────┼──────────┘
↓
AWS SDK (read-only)
The agent follows a 3-phase workflow:
- Detect — systematically call all tools in scope to gather raw data
- Analyze — reason over the data to identify security risks and cost issues
- Recommend — produce prioritized findings with severity, impact, and remediation steps
The agent requires read-only access. The following AWS managed policies cover all tools:
ReadOnlyAccess(covers all services), or individually:IAMReadOnlyAccessAmazonS3ReadOnlyAccessAmazonEC2ReadOnlyAccessAWSBillingReadOnlyAccessAWSSecurityHubReadOnlyAccessAWSConfigUserAccess
git clone https://github.com/trellisclad/cloud-audit-agent.git
cd cloud-audit-agent
npm install
npm test # run unit tests
npm run dev # run CLI in dev modeSee CONTRIBUTING.md for guidelines on setting up the project and submitting pull requests.