Metadata-Version: 2.4
Name: vigilai-scan
Version: 0.1.0
Summary: Read-only AWS compliance baseline scanner — 15 checks mapped to SOC 2 criteria, with the Terraform fix for every failure
Author: VigilAI
License: MIT
Keywords: aws,compliance,soc2,security,scanner
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: boto3>=1.28
Provides-Extra: dev
Requires-Dist: pytest>=7; extra == "dev"
Dynamic: license-file

# vigilai-scan

**Find out in 60 seconds why your AWS account would fail an enterprise security review.**

15 read-only checks against the controls that SOC 2 auditors, enterprise procurement teams, and security questionnaires actually ask about — each mapped to its SOC 2 criterion, each with a concrete fix.

```
  FAIL  LOG-01  A multi-region CloudTrail trail is logging      [CRITICAL · SOC2 CC7.2]
  FAIL  NET-02  No security group opens SSH/RDP to the world    [CRITICAL · SOC2 CC6.6]
         SG(s) with 0.0.0.0/0 on admin ports: sg-0892…, sg-0b37…
  FAIL  S3-01   Account-level S3 public access block is on      [CRITICAL · SOC2 CC6.6]
  ...
  7 passed · 7 failed · 1 warnings
```

## Run it

```bash
pip install vigilai-scan          # or: pipx run vigilai-scan
vigilai-scan                      # uses your default AWS profile
vigilai-scan --profile prod --region us-west-2
vigilai-scan --json > report.json # CI-friendly; exits 1 on any FAIL
```

**Read-only, local, zero telemetry.** Every AWS call is a `Describe`/`List`/`Get`. Nothing is modified, nothing leaves your machine. The safest way to run it is with the AWS-managed `SecurityAudit` policy. Audit the ~700 lines of source yourself — that's the point of it being open.

## What it checks

| ID | Check | SOC 2 |
|---|---|---|
| IAM-01 | Root account MFA | CC6.1 |
| IAM-02 | No IAM users with console passwords (SSO roles instead) | CC6.2 |
| IAM-03 | MFA on every human identity | CC6.1 |
| IAM-04 | No access keys older than 90 days | CC6.2 |
| IAM-05 | No `AdministratorAccess` attached directly to users | CC6.3 |
| S3-01 | Account-level public access block | CC6.6 |
| S3-02 | Default encryption on every bucket | CC6.1 |
| S3-03 | Per-bucket public access blocks | CC6.6 |
| NET-01 | Default security groups deny all traffic | CC6.6 |
| NET-02 | No SSH/RDP open to 0.0.0.0/0 | CC6.6 |
| NET-03 | VPC flow logs enabled | CC7.3 |
| NET-04 | Peering routes scoped tighter than /24 | CC6.6 |
| KMS-01 | Rotation on customer-managed keys | CC6.1 |
| LOG-01 | Active multi-region CloudTrail | CC7.2 |
| LOG-02 | EBS encryption-by-default | CC6.1 |

## The full baseline checklist

The scanner covers what's machine-checkable. The complete ~30-control checklist — including the process controls (access reviews, IR severity levels, vuln SLAs, change management) — is in [CHECKLIST.md](CHECKLIST.md). It's the engineering half of compliance, free under CC BY 4.0.

## The kit

Every failing check above has a ready-to-apply fix — a Terraform module or hardened template, plus the five corporate policies (Access Control, Change Management, Data Classification, Incident Response, Vulnerability Management) that enterprise reviewers ask for, pre-mapped to the code that enforces them.

> **⚡ Compliance Kit — $349 one-time.** Versioned Terraform modules + policies + control-to-code mapping, delivered as a private git repo. [Get it here.](https://YOUR-CHECKOUT-LINK)
>
> **🚀 Compliance Sprint — done with you in 14 days.** We run the scan, deploy the fixes into your account, customize the policies, and hand you a filled-out security questionnaire answer bank. [Book a free scan review.](https://calendly.com/banhjosh/30min)

## FAQ

**Why not just use Prowler / ScoutSuite?** They're excellent and far more exhaustive — hundreds of findings across every service. This is deliberately the opposite: the 15 checks an enterprise security reviewer will actually probe first, with a fix attached to each. Run this to get deal-ready this week; run Prowler when you have a security team.

**Will this get me SOC 2 certified?** No tool does. This gets your technical controls to the baseline auditors expect, which is most of the engineering work and the part that blocks deals.

**License:** MIT (scanner), CC BY 4.0 (checklist).
