v1.9.1
What's new in v1.9.1
kosty public-exposure → External Attack Surface Mapping
Scans 15 resource types, identifies everything reachable from the internet, and evaluates protection layers for each exposed resource.
Resources scanned: ALB/NLB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR Public, SNS, SQS, RDS & EBS Snapshots
Findings classified as:
- 🔴 Exposed & Unprotected → immediate action required
- 🟡 Exposed & Partially Protected → gaps to address
- 🟢 Exposed & Protected → all protections verified
🛡️ New Service: AWS WAFv2 (6 checks)
Unassociated ACLs, managed rules (CRS + IP Rep + SQLi + Known Bad Inputs), rate limiting, logging, count action, bot control
IAM: +9 Security Checks
Root MFA, all users MFA, unused access keys, inline policies, PassRole wildcard, shared Lambda roles, multiple active keys, wildcard AssumeRole, privilege escalation detection (21 patterns) with optional --deep flag
API Gateway: +9 Security Checks
WAF association, authorization, logging, throttling, private API policy, HTTP API JWT, TLS 1.2, request validation, CloudFront bypass detection
Other
- S3: object lock, cross-region replication
- RDS: auto minor upgrade, performance insights
- CloudWatch: configurable --max-metrics (fixes scan hanging)
17 services | ~180 commands | 30+ new checks