Merge pull request #36 from kosty-cloud/release/v1.9.2

feat: v1.9.2 — 30 services, 180+ checks, public-exposure, privilege escalation, WAFv2

Author: yassirkachri

README.md

@@ -9,7 +9,7 @@
 
 > 💡 Need expert help optimizing your AWS infrastructure? [Professional consulting services available →](https://kosty.cloud?utm_source=github&utm_medium=readme-header)
 
-**🚀 Identify AWS cost waste and security vulnerabilities across 17 core services with a single command**
+**🚀 Identify AWS cost waste and security vulnerabilities across 30 core services with a single command**
 
 *Save thousands of dollars monthly and improve security posture by finding unused resources, oversized instances, misconfigurations, and compliance issues*
 
@@ -43,7 +43,7 @@ So I built Kosty - the tool I wish existed when I started consulting.
 
 
 ### What Kosty Does
-- 🔍 Scans **17 core AWS services** in one command
+- 🔍 Scans **30 core AWS services** in one command
 - 💰 **Quantifies cost savings** with real dollar amounts (11 services)
 - 📊 Finds **oversized instances** (EC2, RDS, Lambda)
 - 🔐 Detects **security vulnerabilities** (public DBs, unencrypted storage, open ports)
@@ -54,7 +54,7 @@ So I built Kosty - the tool I wish existed when I started consulting.
 **One command. Full audit. Real savings. Free forever.**
 
 AWS costs and security risks can spiral out of control quickly. Kosty helps you:
-- 🔍 **Discover** unused resources and security vulnerabilities across 17 core AWS services
+- 🔍 **Discover** unused resources and security vulnerabilities across 30 core AWS services
 - 💰 **Quantify** cost savings with real dollar amounts ($X/month calculations)
 - 🔐 **Detect** security misconfigurations and compliance issues
 - ⚡ **Optimize** with prioritized recommendations by financial impact
@@ -236,6 +236,18 @@ kosty s3 check-no-cross-region-replication
 # RDS security
 kosty rds check-no-auto-minor-upgrade
 kosty rds check-no-performance-insights
+
+# Foundational security checks
+kosty cloudtrail audit
+kosty vpc check-no-flow-logs
+kosty guardduty check-not-enabled
+kosty config check-not-enabled
+
+# Secrets & AI
+kosty secretsmanager check-unused-secrets
+kosty secretsmanager check-no-rotation
+kosty bedrock check-no-logging
+kosty bedrock check-no-budget-limits
 ```
 
 ### 🌐 External Attack Surface Audit
@@ -411,19 +423,26 @@ These services provide security and compliance audits without cost quantificatio
 
 ---
 
-## 📊 Complete Service Coverage (17 Services)
+## 📊 Complete Service Coverage (23 Services)
 
 ### 🎯 Service Overview
 
 | Category | Services | Key Checks |
 |----------|----------|------------|
-| **💻 Compute** | EC2, Lambda | Oversized instances, unused functions |
+| **💻 Compute** | EC2, Lambda | Oversized instances, unused functions, IMDSv1+oversized combo |
 | **🗄️ Storage** | S3, EBS, Snapshots | Empty buckets, orphaned volumes, old snapshots |
 | **🗃️ Database** | RDS, DynamoDB | Idle databases, over-provisioned tables |
-| **🌐 Network** | EIP, LB, NAT, SG, Route53 | Unused resources, no healthy targets |
-| **🔐 Security** | IAM, WAFv2 | MFA, privilege escalation, rate limiting, managed rules |
-| **📊 Management** | CloudWatch, Backup | Unused alarms, expensive logs, empty vaults |
+| **🌐 Network** | EIP, LB, NAT, SG, Route53, VPC | Unused resources, no healthy targets, flow logs |
+| **🔐 Security** | IAM, WAFv2, GuardDuty, KMS | MFA, privilege escalation, rate limiting, threat detection, key rotation |
+| **📊 Management** | CloudWatch, Backup, CloudTrail, AWS Config | Logging, alarms, audit trail, drift detection |
 | **🌐 Application** | API Gateway | WAF association, authorization, throttling, logging |
+| **🤖 AI/ML** | Bedrock | Invocation logging, budget limits |
+| **🔑 Secrets** | Secrets Manager | Unused secrets, rotation |
+| **📨 Messaging** | SNS, SQS | Encryption at rest and in transit |
+| **🗃️ Cache** | ElastiCache | Encryption at rest and in transit |
+| **📜 Certificates** | ACM | Expiring certificates |
+| **📦 Containers** | ECS | Privileged task definitions |
+| **🔧 Patch Management** | SSM | Patch compliance |
 
 ### 📋 Service Commands Summary
 
@@ -520,7 +539,7 @@ kosty audit --output all
 ```
 
 **What `kosty audit` does:**
-- Scans 17 core AWS services automatically
+- Scans 30 core AWS services automatically
 - Runs complete audits (cost + security) per service
 - Generates comprehensive reports (JSON, CSV, Console)
 - Prioritizes issues by severity and impact
@@ -535,7 +554,7 @@ kosty audit --output all
 - Multiple report formats: Console, JSON, CSV, visual reports
 
 ### Comprehensive Analysis
-- 17 core AWS services coverage
+- 30 core AWS services coverage
 - Real dollar cost savings for 11 services
 - One-command audit scans everything
 - Multi-account organization support with configurable roles

docs/CLI_REFERENCE.md

@@ -5,7 +5,7 @@
 ### Global Commands
 
 #### `kosty audit`
-Comprehensive scan of all 17 AWS services.
+Comprehensive scan of all 30 AWS services.
 
 **Usage:**
 ```bash
@@ -295,6 +295,130 @@ kosty apigateway check-missing-request-validation
 kosty apigateway check-cloudfront-bypass
 ```
 
+### CloudTrail Commands (6 total)
+
+#### Audit Commands
+```bash
+kosty cloudtrail audit
+kosty cloudtrail security-audit
+```
+
+#### Individual Checks
+```bash
+kosty cloudtrail check-not-enabled
+kosty cloudtrail check-no-log-validation
+kosty cloudtrail check-no-encryption
+```
+
+### VPC Commands (5 total)
+
+#### Audit Commands
+```bash
+kosty vpc audit
+kosty vpc security-audit
+```
+
+#### Individual Checks
+```bash
+kosty vpc check-no-flow-logs
+kosty vpc check-default-sg-open
+```
+
+### GuardDuty Commands (2 total)
+
+```bash
+kosty guardduty audit
+kosty guardduty check-not-enabled
+```
+
+### AWS Config Commands (2 total)
+
+```bash
+kosty config audit
+kosty config check-not-enabled
+```
+
+### Secrets Manager Commands (6 total)
+
+#### Audit Commands
+```bash
+kosty secretsmanager audit [--days INT]
+kosty secretsmanager cost-audit [--days INT]
+kosty secretsmanager security-audit
+```
+
+#### Individual Checks
+```bash
+kosty secretsmanager check-unused-secrets [--days INT]
+kosty secretsmanager check-no-rotation
+```
+
+### Bedrock Commands (5 total)
+
+#### Audit Commands
+```bash
+kosty bedrock audit
+kosty bedrock cost-audit
+kosty bedrock security-audit
+```
+
+#### Individual Checks
+```bash
+kosty bedrock check-no-logging
+kosty bedrock check-no-budget-limits
+```
+
+### KMS Commands (3 total)
+
+```bash
+kosty kms audit
+kosty kms check-no-key-rotation
+```
+
+### ACM Commands (3 total)
+
+```bash
+kosty acm audit [--days INT]
+kosty acm check-expiring-certificates [--days INT]
+```
+
+### ElastiCache Commands (4 total)
+
+```bash
+kosty elasticache audit
+kosty elasticache security-audit
+kosty elasticache check-no-encryption-at-rest
+kosty elasticache check-no-encryption-in-transit
+```
+
+### SNS Commands (2 total)
+
+```bash
+kosty sns audit
+kosty sns check-no-encryption
+```
+
+### SQS Commands (2 total)
+
+```bash
+kosty sqs audit
+kosty sqs check-no-encryption
+```
+
+### ECS Commands (2 total)
+
+```bash
+kosty ecs audit
+kosty ecs check-privileged-tasks
+```
+
+### SSM Commands (2 total)
+
+```bash
+kosty ssm audit
+kosty ssm check-non-compliant-patches
+```
+
 ---
 
 ## 🔧 Common Parameters

docs/RELEASE_NOTES.md

@@ -1,5 +1,79 @@
 # 🚀 Kosty Release Notes
 
+## Version 1.9.2 - Foundational Security Services & Bedrock Audit (2025-01-XX)
+
+### 🌟 13 New Services
+
+**CloudTrail** (3 checks)
+- `check-not-enabled` — No multi-region trail configured (CIS 3.1)
+- `check-no-log-validation` — Log file integrity validation disabled (CIS 3.2)
+- `check-no-encryption` — Logs not encrypted with KMS (CIS 3.7)
+
+**VPC** (2 checks)
+- `check-no-flow-logs` — VPC without Flow Logs enabled (CIS 3.9)
+- `check-default-sg-open` — Default security group has inbound rules (CIS 5.3)
+
+**GuardDuty** (1 check)
+- `check-not-enabled` — Threat detection not active in region (CIS 4.15)
+
+**AWS Config** (1 check)
+- `check-not-enabled` — Configuration recorder not active (CIS 3.5)
+
+**Secrets Manager** (2 checks)
+- `check-unused-secrets` — Secrets never accessed but billed $0.40/mo each
+- `check-no-rotation` — Automatic rotation not enabled
+
+**Amazon Bedrock** (2 checks)
+- `check-no-logging` — Model invocation logging disabled
+- `check-no-budget-limits` — No AWS Budget for Bedrock spend
+
+**KMS** (1 check)
+- `check-no-key-rotation` — Customer-managed keys without automatic rotation
+
+**ACM** (1 check)
+- `check-expiring-certificates` — Certificates expiring within 30 days (configurable via `--days`)
+
+**ElastiCache** (2 checks)
+- `check-no-encryption-at-rest` — Redis replication groups without encryption at rest
+- `check-no-encryption-in-transit` — Redis replication groups without encryption in transit
+
+**SNS** (1 check)
+- `check-no-encryption` — Topics without server-side encryption
+
+**SQS** (1 check)
+- `check-no-encryption` — Queues without server-side encryption
+
+**ECS** (1 check)
+- `check-privileged-tasks` — Task definitions with privileged containers (container escape risk)
+
+**SSM** (1 check)
+- `check-non-compliant-patches` — Instances with missing security patches
+
+### 🔧 Enhanced Checks
+
+**IAM `check-unused-roles`**
+- Default threshold reduced from 90 to 30 days
+- Roles with AdministratorAccess or `*:*` now flagged as `critical` instead of `high`
+- Admin detection via attached policies and inline policy analysis
+
+**EC2 `check-imdsv1-oversized`** (new)
+- Cross-references IMDSv1 + low CPU utilization into a single `critical` finding
+- Instances that are both SSRF-vulnerable and wasting money get highest remediation priority
+
+**RDS `check-no-event-subscription`** (new)
+- Detects missing RDS event subscriptions for instance events
+
+**S3 `check-no-account-public-access-block`** (new)
+- Checks if account-level S3 Block Public Access is fully enabled
+- Flags as critical if not configured at all
+
+### 📊 Summary
+- **Total services**: 30 (was 17)
+- **New checks this release**: 25+
+- **Total commands**: ~240+
+
+---
+
 ## Version 1.9.0 - Security Audit Expansion, WAFv2 & Public Exposure (2025-01-XX)
 
 ### 🌐 New Command: `kosty public-exposure`

kosty/__init__.py

@@ -1,2 +1,2 @@
-__version__ = "1.9.1"
+__version__ = "1.9.2"
 

kosty/cli/__init__.py

@@ -22,6 +22,19 @@
 from .snapshots_commands import snapshots
 from .waf_commands import waf
 from .public_exposure_commands import public_exposure
+from .cloudtrail_commands import cloudtrail
+from .vpc_commands import vpc
+from .guardduty_commands import guardduty
+from .config_commands import awsconfig
+from .secretsmanager_commands import secretsmanager
+from .bedrock_commands import bedrock_cmd
+from .kms_commands import kms
+from .acm_commands import acm
+from .elasticache_commands import elasticache
+from .sns_commands import sns
+from .sqs_commands import sqs
+from .ecs_commands import ecs
+from .ssm_commands import ssm
 
 @click.group(invoke_without_command=True)
 @click.option('--config-file', help='Path to configuration file (default: ./kosty.yaml or ~/.kosty/config.yaml)')
@@ -232,6 +245,19 @@ def version():
 cli.add_command(snapshots)
 cli.add_command(waf)
 cli.add_command(public_exposure)
+cli.add_command(cloudtrail)
+cli.add_command(vpc)
+cli.add_command(guardduty)
+cli.add_command(awsconfig)
+cli.add_command(secretsmanager)
+cli.add_command(bedrock_cmd)
+cli.add_command(kms)
+cli.add_command(acm)
+cli.add_command(elasticache)
+cli.add_command(sns)
+cli.add_command(sqs)
+cli.add_command(ecs)
+cli.add_command(ssm)
 
 if __name__ == '__main__':
     cli()

kosty/cli/acm_commands.py

@@ -0,0 +1,29 @@
+import click
+from .utils import common_options, execute_service_command
+
+
+@click.group()
+@click.pass_context
+def acm(ctx):
+    """ACM (Certificate Manager) operations"""
+    pass
+
+
+@acm.command('audit')
+@click.option('--days', default=30, type=int, help='Days before expiration to flag (default: 30)')
+@common_options
+@click.pass_context
+def acm_audit(ctx, days, profile, organization, region, max_workers, regions, output, save_to, cross_account_role, org_admin_account_id):
+    """Run ACM audit"""
+    from ..services.acm_audit import ACMAuditService
+    execute_service_command(ctx, ACMAuditService, 'audit', output, organization, region, max_workers, regions, cross_account_role, org_admin_account_id, save_to, profile, days=days)
+
+
+@acm.command('check-expiring-certificates')
+@click.option('--days', default=30, type=int, help='Days before expiration to flag (default: 30)')
+@common_options
+@click.pass_context
+def acm_check_expiring(ctx, days, profile, organization, region, max_workers, regions, output, save_to, cross_account_role, org_admin_account_id):
+    """Find certificates expiring soon"""
+    from ..services.acm_audit import ACMAuditService
+    execute_service_command(ctx, ACMAuditService, 'check_expiring_certificates', output, organization, region, max_workers, regions, cross_account_role, org_admin_account_id, save_to, profile, days=days)