v1.9.2

@yassirkachri yassirkachri released this 17 Apr 10:14
· 13 commits to main since this release
27d5cfc

🚀 Kosty v1.9.2 — 30 Services, 180+ Checks

What's New

13 new services bringing Kosty from 17 to 30 AWS services:

  • CloudTrail, VPC, GuardDuty, AWS Config, Secrets Manager, Bedrock, KMS, ACM, ElastiCache, SNS, SQS, ECS, SSM

kosty public-exposure — Map your entire external attack surface in one command

  • Scans 15 resource types (ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, RDS/EBS Snapshots)
  • Classifies findings: 🔴 Unprotected / 🟡 Partially Protected / 🟢 Protected

WAFv2 service (6 checks)

  • Unassociated ACLs, managed rules (CRS + IP Rep + SQLi + Known Bad Inputs), rate limiting, logging, count action, bot control

IAM privilege escalation detection (21 patterns)

  • Detects direct escalation, credential theft, and compute-based escalation paths
  • Optional --deep flag confirms findings via iam:SimulatePrincipalPolicy

API Gateway hardening (10 security checks)

  • WAF, authorization, logging, throttling, TLS 1.2, request validation, CloudFront bypass, JWT, private API policy

Fixes

  • Fixed CloudWatch check-unused-custom-metrics hanging on large accounts (configurable --max-metrics)
  • Fixed RDS oversized false positive on smallest available instance class per engine (#30)
  • Docker build now triggers only on release (was on every push to main)

Full Changelog

  • 30 services, ~180+ checks, ~240 commands
  • Tested on live account: 180 issues detected in 59 seconds
  • See Release Notes for details

Install / Upgrade

pip install --upgrade kosty