Releases: kosty-cloud/kosty
v2.0.0 — kosty ai: Bedrock & SageMaker Audit
🤖 v2.0.0 — AI/ML Audit
New command: kosty ai
Dedicated audit for Bedrock and SageMaker workloads.
Bedrock (12 checks): guardrails, shadow AI, VPC endpoints, prompt caching, inference profiles, KMS encryption, logging, budget limits, TPM quota, cross-account access, model sizing (--deep), batch eligibility (--deep)
SageMaker (8 checks): idle endpoints, zombie notebooks, Spot training, checkpointing, Inference Components, VPC endpoints, internet access, root access
kosty ai audit
kosty ai bedrock check-no-guardrails
kosty ai bedrock check-shadow-ai
kosty ai sagemaker check-idle-endpoints
Other improvements
- Audit report: cost/security split + deduplicated security findings
- Console output: all issues displayed (no longer truncated at 5)
- Removed standalone kosty bedrock CLI — use kosty ai bedrock
Summary
- 31 services, 220+ checks
- Tested on live account: 185 issues in 59 seconds
v1.9.3
v1.9.3 — Documentation Overhaul
- README restructured from 755 to 211 lines
- Security-first positioning: attack surface mapping, privilege escalation, WAF hardening featured prominently
- New docs/SERVICES.md — complete check list for all 30 services
- New docs/EXAMPLES.md — organized usage examples
- Version bump to 1.9.3
v1.9.2
🚀 Kosty v1.9.2 — 30 Services, 180+ Checks
What's New
13 new services bringing Kosty from 17 to 30 AWS services:
- CloudTrail, VPC, GuardDuty, AWS Config, Secrets Manager, Bedrock, KMS, ACM, ElastiCache, SNS, SQS, ECS, SSM
kosty public-exposure — Map your entire external attack surface in one command
- Scans 15 resource types (ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, RDS/EBS Snapshots)
- Classifies findings: 🔴 Unprotected / 🟡 Partially Protected / 🟢 Protected
WAFv2 service (6 checks)
- Unassociated ACLs, managed rules (CRS + IP Rep + SQLi + Known Bad Inputs), rate limiting, logging, count action, bot control
IAM privilege escalation detection (21 patterns)
- Detects direct escalation, credential theft, and compute-based escalation paths
- Optional --deep flag confirms findings via iam:SimulatePrincipalPolicy
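The confirmation step behind the --deep flag, as an added example that is not kosty's own code: a statically detected path counts as confirmed only when iam:SimulatePrincipalPolicy allows every action the path needs, and any denied step is reported as blocking. The client is any object exposing boto3's simulate_principal_policy method; FakeIamClient, the role ARN and the action pair are constructed so the example runs offline.

```python
ALLOWED = "allowed"


def simulate_actions(client, principal_arn, actions, resource_arns=None):
    """Map each action to its EvalDecision, following Marker pagination."""
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": list(actions)}
    if resource_arns:
        kwargs["ResourceArns"] = list(resource_arns)
    decisions = {}
    while True:
        page = client.simulate_principal_policy(**kwargs)
        for result in page.get("EvaluationResults", []):
            decisions[result["EvalActionName"]] = result["EvalDecision"]
        if not page.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = page["Marker"]  # fetch the next page of results


def confirm_path(client, principal_arn, required_actions, resource_arns=None):
    """Confirmed only if every required action is allowed.

    An implicitDeny/explicitDeny on one step (e.g. an SCP or permissions
    boundary a static pattern match cannot see) leaves the finding
    unconfirmed; the blocking actions are listed for the report.
    """
    decisions = simulate_actions(client, principal_arn, required_actions, resource_arns)
    blocked = [a for a in required_actions if decisions.get(a) != ALLOWED]
    return {"confirmed": not blocked, "blocked": blocked, "decisions": decisions}


class FakeIamClient:
    """Constructed stand-in for boto3's IAM client (offline only)."""

    def __init__(self, pages):
        self.pages = list(pages)
        self.calls = []

    def simulate_principal_policy(self, **kwargs):
        self.calls.append(dict(kwargs))  # copy: caller mutates kwargs
        return self.pages[len(self.calls) - 1]


PRINCIPAL = "arn:aws:iam::123456789012:role/example-role"  # placeholder ARN
FAKE_PAGES = [  # constructed two-page simulation response
    {"EvaluationResults": [{"EvalActionName": "iam:PassRole", "EvalDecision": "allowed"}],
     "IsTruncated": True, "Marker": "page2"},
    {"EvaluationResults": [{"EvalActionName": "lambda:CreateFunction",
                            "EvalDecision": "implicitDeny"}], "IsTruncated": False},
]


def demo():
    """PassRole is allowed but the compute step is denied: not confirmed."""
    client = FakeIamClient(FAKE_PAGES)
    return confirm_path(client, PRINCIPAL, ["iam:PassRole", "lambda:CreateFunction"]), client
```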
API Gateway hardening (10 security checks)
- WAF, authorization, logging, throttling, TLS 1.2, request validation, CloudFront bypass, JWT, private API policy
Fixes
- Fixed CloudWatch check-unused-custom-metrics hanging on large accounts (configurable --max-metrics)
- Fixed RDS oversized false positive on smallest available instance class per engine (#30)
- Docker build now triggers only on release (was on every push to main)
Full Changelog
- 30 services, ~180+ checks, ~240 commands
- Tested on live account: 180 issues detected in 59 seconds
- See Release Notes for details
Install / Upgrade
pip install --upgrade kosty
v1.9.1
What's new in v1.9.1
🌐 kosty public-exposure — External Attack Surface Mapping
Scans 15 resource types, identifies everything reachable from the internet, and evaluates protection layers for each exposed resource.
Resources scanned: ALB/NLB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR Public, SNS, SQS, RDS & EBS Snapshots
Findings classified as:
- 🔴 Exposed & Unprotected — immediate action required
- 🟡 Exposed & Partially Protected — gaps to address
- 🟢 Exposed & Protected — all protections verified
🛡️ New Service: AWS WAFv2 (6 checks)
Unassociated ACLs, managed rules (CRS + IP Rep + SQLi + Known Bad Inputs), rate limiting, logging, count action, bot control
🔐 IAM: +9 Security Checks
Root MFA, all users MFA, unused access keys, inline policies, PassRole wildcard, shared Lambda roles, multiple active keys, wildcard AssumeRole, privilege escalation detection (21 patterns) with optional --deep flag
🌐 API Gateway: +9 Security Checks
WAF association, authorization, logging, throttling, private API policy, HTTP API JWT, TLS 1.2, request validation, CloudFront bypass detection
Other
- S3: object lock, cross-region replication
- RDS: auto minor upgrade, performance insights
- CloudWatch: configurable --max-metrics (fixes scan hanging)
17 services | ~180 commands | 30+ new checks
v1.9
What's new in v1.9.0
🌐 kosty public-exposure — External Attack Surface Mapping
Scans 15 resource types, identifies everything reachable from the internet, and evaluates protection layers for each exposed resource.
Resources scanned: ALB/NLB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR Public, SNS, SQS, RDS & EBS Snapshots
Findings classified as:
- 🔴 Exposed & Unprotected — immediate action required
- 🟡 Exposed & Partially Protected — gaps to address
- 🟢 Exposed & Protected — all protections verified
🛡️ New Service: AWS WAFv2 (6 checks)
Unassociated ACLs, managed rules (CRS + IP Rep + SQLi + Known Bad Inputs), rate limiting, logging, count action, bot control
🔐 IAM: +9 Security Checks
Root MFA, all users MFA, unused access keys, inline policies, PassRole wildcard, shared Lambda roles, multiple active keys, wildcard AssumeRole, privilege escalation detection (21 patterns) with optional --deep flag
🌐 API Gateway: +9 Security Checks
WAF association, authorization, logging, throttling, private API policy, HTTP API JWT, TLS 1.2, request validation, CloudFront bypass detection
Other
- S3: object lock, cross-region replication
- RDS: auto minor upgrade, performance insights
- CloudWatch: configurable --max-metrics (fixes scan hanging)
17 services | ~180 commands | 30+ new checks
v1.8.1
What's New in v1.8.1
- Fix Docker entrypoint for distroless image
- Docker now works correctly with python3 -m kosty.cli
v1.8.0
What's New in v1.8.0
- Docker support with multi-arch builds (AMD64/ARM64)
- Distroless base image for security
- Non-root user execution
- Automated GHCR publishing
v1.7.3 : fix Dashboard : show total cost savings per issue group card
v1.7.2 update docs and release version
update docs
v1.7.1 fix release version
fix/ version in Update __init__.py