# Cloud Auditing by API and Configuration State

> **Intro:** One of the most useful cloud-security lessons from older DevSecOps material is still true: in cloud environments, many of the best security reviews come from **reading configuration state through APIs**, not from aggressively probing live services.

## Why this matters

For cloud accounts, many high-value findings come from questions like:

* which security groups are public?
* which identities are over-privileged?
* which storage resources are public or weakly encrypted?
* which KMS, backup, and logging settings drifted?
* which images or machine templates are stale?

Those are often answered faster by cloud APIs than by active scanning.

## Legacy versus current tooling

| Older tool or pattern               | Status                        | Current use                                                     |
| ----------------------------------- | ----------------------------- | --------------------------------------------------------------- |
| AWS Trusted Advisor                 | still useful                  | fast first-pass review in AWS estates                           |
| Scout2                              | old AWS-focused name          | translate to ScoutSuite for current multi-cloud posture reviews |
| one-cloud-only scripts              | still useful in small estates | combine with broader posture tooling when scale grows           |
| manual console-by-console review    | painful but common            | prefer repeatable CLI, API, or policy-driven review             |
| cloud scanning as “network pentest” | often misleading              | focus on configuration, access, data exposure, and drift        |

## Good current open-source choices

* Prowler
* ScoutSuite
* Checkov for IaC before deployment
* native cloud findings from AWS Config, Security Hub, Access Analyzer, GuardDuty, and equivalents on other clouds

## Practical snippet — raw AWS API inspection

```bash
# Groups with an ingress rule open to every IPv4 source. This only inspects
# IpRanges[].CidrIp; an IPv6 rule open to ::/0 lives in Ipv6Ranges[].CidrIpv6.
aws ec2 describe-security-groups \
  --query 'SecurityGroups[?IpPermissions[?contains(to_string(IpRanges[].CidrIp), `0.0.0.0/0`)]].[GroupId,GroupName]' \
  --output table
```

This is often more useful than a noisy generic port scanner when you are reviewing cloud exposure.
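
The same exposure question worked offline against exported configuration state, as an added example that is not part of the original page: the script consumes the JSON shape that `aws ec2 describe-security-groups --output json` (or boto3's `describe_security_groups`) returns, so it runs against a saved export without touching the account. Beyond what the JMESPath filter above does, it also catches IPv6 rules open to `::/0` and all-protocol rules (`IpProtocol` `-1`, which carry no port fields), and ranks rules that expose commonly sensitive ports higher. The group IDs, names and the sensitive-port list are constructed assumptions.

```python
"""Evaluate exported EC2 security-group state for world-reachable ingress.

Added example, not code from the original page. Input is the JSON that
`aws ec2 describe-security-groups --output json` returns; the groups below
are constructed samples (IDs and names are made up).
"""
import json
from typing import Iterator

SAMPLE_EXPORT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example0web",
            "GroupName": "web-public",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example0db",
            "GroupName": "db-internal",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example0mgmt",
            "GroupName": "mgmt-v6-only",
            "IpPermissions": [
                # IPv6 wide-open SSH: invisible to a query that only reads CidrIp
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                # all-traffic rule: IpProtocol "-1" carries no FromPort/ToPort
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
})

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports where world-reachable ingress is rarely intended (assumed policy choice).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 6379, 27017}


def public_rules(groups: list[dict]) -> Iterator[dict]:
    """Yield one finding per ingress rule that admits any IPv4 or IPv6 source."""
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = sorted(set(sources) & ANYWHERE)
            if not open_sources:
                continue
            proto = perm.get("IpProtocol", "-1")
            if proto == "-1":  # all protocols, all ports
                ports, severity = "all", "high"
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
                ports = f"{lo}" if lo == hi else f"{lo}-{hi}"
                hits_sensitive = any(lo <= p <= hi for p in SENSITIVE_PORTS)
                severity = "high" if hits_sensitive else "medium"
            yield {
                "group_id": group["GroupId"],
                "group_name": group["GroupName"],
                "protocol": proto,
                "ports": ports,
                "sources": open_sources,
                "severity": severity,
            }


def audit_security_groups(export_json: str) -> list[dict]:
    """Parse a describe-security-groups export; return findings, worst first."""
    groups = json.loads(export_json)["SecurityGroups"]
    order = {"high": 0, "medium": 1}
    return sorted(public_rules(groups),
                  key=lambda f: (order[f["severity"]], f["group_id"]))


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_EXPORT):
        print(f"{f['severity']:6} {f['group_id']} ({f['group_name']}) "
              f"{f['protocol']}/{f['ports']} from {','.join(f['sources'])}")
```

Run it against a real export with `aws ec2 describe-security-groups --output json > sgs.json` and feed the file contents to `audit_security_groups`; the same dicts come back from boto3, so the evaluator can be dropped into a read-only audit job unchanged.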

## Practical snippet — Prowler

```bash
# Prowler v3+ names compliance frameworks as <framework>_<version>_<provider>
prowler aws --profile audit-readonly --compliance cis_1.5_aws
```

## Practical snippet — ScoutSuite

```bash
# A pip-installed ScoutSuite provides the `scout` entry point; from a source
# checkout run `python scout.py aws --profile audit-readonly` instead.
scout aws --profile audit-readonly
```

## Practical snippet — legacy Scout2 note

```bash
Scout2 --profile audit-readonly
```

Keep this only for estates that still have old local runbooks referencing it. For current usage, prefer maintained ScoutSuite documentation and releases.

## Practical review areas

### Network posture

* public security groups;
* internet-facing load balancers;
* unmanaged egress;
* missing flow logs for critical segments.

### Identity posture

* wildcard policies;
* stale access keys;
* missing MFA for sensitive console users;
* dangerous trust policies;
* missing service control or guardrail patterns.
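
An added example for the identity checks listed above, not code from the original page: it evaluates two pieces of IAM configuration state offline, the CSV that `aws iam get-credential-report` returns (after base64-decoding its `Content` field) and a role trust policy document as returned by `aws iam get-role`. It flags console users without MFA, active access keys past a rotation age, active keys that are idle or never used, and trust policies that let any AWS principal assume the role without a `Condition`. The users, account ID, dates, reference date and the 90-day thresholds are constructed assumptions; the column names match the real credential report.

```python
"""Flag identity-posture issues from exported IAM configuration state.

Added example, not code from the original page. Rows, the policy document and
the reference date are constructed; the 90-day thresholds are a policy choice.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

AS_OF = datetime(2025, 5, 15, tzinfo=timezone.utc)  # constructed "now"
MAX_KEY_AGE = timedelta(days=90)   # rotate active keys at least this often
MAX_KEY_IDLE = timedelta(days=90)  # active keys unused this long are stale

# Constructed credential report: the header matches the real report's columns;
# the users, account id and dates are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T08:00:00+00:00,true,2025-05-01T09:00:00+00:00,2025-01-10T08:00:00+00:00,N/A,true,true,2025-03-01T00:00:00+00:00,2025-05-01T09:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,not_supported,not_supported,false,true,2022-06-01T00:00:00+00:00,2024-11-20T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2024-02-01T00:00:00+00:00,true,2025-04-28T00:00:00+00:00,2024-02-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed role trust policy: any AWS principal may assume the role.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
})


def _when(value: str):
    """Parse a report timestamp; N/A, no_information, not_supported -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def credential_findings(report_csv: str, now: datetime = AS_OF) -> list[str]:
    """One finding per stale key, never-used key, or console user without MFA."""
    out = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            out.append(f"{user}: console password enabled without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _when(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                out.append(f"{user}: access key {n} is {(now - rotated).days} days old")
            used = _when(row[f"access_key_{n}_last_used_date"])
            if used is None:
                out.append(f"{user}: access key {n} active but never used")
            elif now - used > MAX_KEY_IDLE:
                out.append(f"{user}: access key {n} unused for {(now - used).days} days")
    return out


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(role_name: str, document: str) -> list[str]:
    """Flag Allow statements whose Principal is any AWS account ("*") and that
    carry no Condition narrowing who may assume the role."""
    out = []
    for st in _as_list(json.loads(document).get("Statement", [])):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            out.append(f"{role_name}: trust policy allows any AWS principal without a Condition")
    return out


if __name__ == "__main__":
    for finding in credential_findings(SAMPLE_REPORT) + trust_policy_findings(
            "example-role", SAMPLE_TRUST_POLICY):
        print(finding)
```

The credential report is the cheapest source for key age, key idleness and MFA state across every user in an account, which is why a read-only audit role should be allowed `iam:GenerateCredentialReport` and `iam:GetCredentialReport`; the trust-policy check is the part that catches the "dangerous trust policies" bullet, since a wildcard principal with no condition is an invitation for any account to assume the role.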

### Data protection

* weak or missing encryption;
* public buckets or containers;
* database backup gaps;
* overly broad KMS decrypt permissions.

### Logging and response readiness

* CloudTrail or equivalent disabled or incomplete;
* missing DNS, flow, or access logs for critical tiers;
* no retention or external sink for high-value events.

## What not to overlearn from older books

Older books sometimes show long-lived local credentials and simple CLI setup because they were teaching the basics.

For modern implementations prefer:

* short-lived identity where possible;
* read-only audit roles;
* automation-friendly service identities;
* no permanent developer admin credentials in shared audit scripts.

## Related pages

* [☁️ Cloud Security Across AWS, Azure, and GCP](/cloud-kubernetes-and-infrastructure-security/index/cloud-security-across-aws-azure-and-gcp.md)
* [🟧 AWS Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/aws-security-baseline-and-top-misconfigurations.md)
* [🤖 Ansible Security Baseline and Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/ansible-security-baseline-and-misconfigurations.md)
* [🧱 Terraform Security Scanning and Checkov](/cloud-kubernetes-and-infrastructure-security/index/terraform-security-scanning-and-checkov.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

## v3.2 companion page

For provider-by-provider CLI patterns and a more operational audit loop, see [🛰️ Cloud Audit Cookbook by Provider](/cloud-kubernetes-and-infrastructure-security/index/cloud-audit-cookbook-by-provider.md).

## Use this page with

* [Compliance-to-Engineering Evidence Pass](/metrics-audit-risk-evidence-and-compliance/index-1/compliance-to-engineering-evidence-pass.md)
* [CSA Cloud Controls Matrix (CCM) — Practical Guide](/metrics-audit-risk-evidence-and-compliance/index-1/csa-cloud-controls-matrix-ccm-practical-guide.md)
* [Cloud Audit Cookbook by Provider](/cloud-kubernetes-and-infrastructure-security/index/cloud-audit-cookbook-by-provider.md)
