Metadata-Version: 2.4
Name: orchestrator-cloud-aws
Version: 0.1.0
Summary: AWS cloud-drift cross-reference plugin for devsecops-orchestrator.
Project-URL: Homepage, https://github.com/jaricsng/devsecops-orchestrator
Author-email: Jaric Sng <jaric.sng@gmail.com>
License-Expression: Apache-2.0
Keywords: aws,boto3,devsecops,drift,security
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Security
Requires-Python: >=3.11
Requires-Dist: boto3>=1.34
Requires-Dist: devsecops-orchestrator>=0.2.0
Provides-Extra: test
Requires-Dist: moto>=5.0; extra == 'test'
Requires-Dist: pytest-cov>=5.0; extra == 'test'
Requires-Dist: pytest>=8.0; extra == 'test'
Description-Content-Type: text/markdown

# orchestrator-cloud-aws

AWS cloud-drift cross-reference plugin for
[devsecops-orchestrator](https://github.com/jaricsng/devsecops-orchestrator).

It compares **live AWS resource configuration** (read via boto3) against the
security baseline that Checkov enforces on infrastructure-as-code, and flags
**drift** — places where the running cloud diverges from what the IaC/policy
declares (e.g. a bucket that is private in Terraform but public in AWS).

Installing it alongside the core tool adds an `orchestrator cloud-check`
subcommand via the `orchestrator.plugins` entry-point group; the core tool
itself stays cloud-agnostic and carries no AWS dependencies.

## Install

```bash
pip install devsecops-orchestrator orchestrator-cloud-aws
```

## Usage

```bash
orchestrator cloud-check                       # uses the default AWS credential chain
orchestrator cloud-check --region us-east-1 --fail-on high
orchestrator cloud-check -o ./reports          # also write cloud-report.md
```

Exits non-zero when drift at or above `--fail-on` (default `medium`) is found,
so it can gate a deploy pipeline.

### Checks

| Check | Severity | Cross-references | Flags |
| --- | --- | --- | --- |
| `s3-bucket-public` | HIGH | Checkov `CKV_AWS_53` | Buckets public via ACL that the baseline expects to be private |
| `iam-wildcard-policy` | HIGH | Checkov `CKV_AWS_1` | Customer-managed IAM policies allowing `Action:*` on `Resource:*` |

## Credentials

`cloud-check` needs **read-only** AWS access at runtime, resolved through the
standard boto3 chain (OIDC-assumed role in CI, instance/task role, SSO, or as a
last resort static keys). The AWS-managed `SecurityAudit` or `ReadOnlyAccess`
policy is sufficient. No credentials are needed to develop or test the plugin —
its tests run entirely against [`moto`](https://github.com/getmoto/moto).
