{"id":33091514,"url":"https://github.com/kosty-cloud/kosty","last_synced_at":"2026-04-26T23:02:21.861Z","repository":{"id":320873572,"uuid":"1083546530","full_name":"kosty-cloud/kosty","owner":"kosty-cloud","description":" Identify AWS cost waste and security vulnerabilities across 16 core services with a single command","archived":false,"fork":false,"pushed_at":"2026-04-16T21:09:55.000Z","size":2950,"stargazers_count":266,"open_issues_count":1,"forks_count":23,"subscribers_count":4,"default_branch":"main","last_synced_at":"2026-04-16T23:16:47.945Z","etag":null,"topics":["aws","cloud","cost","finops","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kosty-cloud.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-26T08:45:50.000Z","updated_at":"2026-04-16T21:09:50.000Z","dependencies_parsed_at":"2025-10-28T12:27:41.154Z","dependency_job_id":null,"html_url":"https://github.com/kosty-cloud/kosty","commit_stats":null,"previous_names":["yassirkachri/kosty","kosty-cloud/kosty"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/kosty-cloud/kosty","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosty-cloud%2Fkosty","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosty-cloud%2Fkosty/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosty-cloud%2Fkosty/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosty-cloud%2Fkosty/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kosty-cloud","download_url":"https://codeload.github.com/kosty-cloud/kosty/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kosty-cloud%2Fkosty/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32315712,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T21:09:39.134Z","status":"ssl_error","status_checked_at":"2026-04-26T21:09:21.240Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud","cost","finops","security"],"created_at":"2025-11-14T18:00:27.877Z","updated_at":"2026-04-26T23:02:21.855Z","avatar_url":"https://github.com/kosty-cloud.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# 💰 Kosty - AWS Cost Optimization \u0026 Security Audit CLI Tool\n\n\u003cdiv align=\"center\"\u003e\n\n![Kosty Logo](https://img.shields.io/badge/💰-Kosty-blue?style=for-the-badge)\n[![Python](https://img.shields.io/badge/Python-3.7+-blue?style=flat-square\u0026logo=python)](https://python.org)\n[![AWS](https://img.shields.io/badge/AWS-Compatible-orange?style=flat-square\u0026logo=amazon-aws)](https://aws.amazon.com)\n[![License](https://img.shields.io/badge/License-MIT-green?style=flat-square)](LICENSE)\n\n\u003e 🤖 **New in v2.0.0** — `kosty ai` now audits Bedrock and SageMaker workloads: guardrails, shadow AI detection, idle GPU endpoints, prompt caching, and more. [See what's new →](docs/RELEASE_NOTES.md)\n\n**Scan 30+ AWS services. Find cost waste. Detect security gaps. Audit GenAI workloads. One command.**\n\n[Quick Start](#-quick-start) • [Key Features](#-key-features) • [Service Coverage](#-service-coverage) • [Documentation](docs/DOCUMENTATION.md)\n\n\u003c/div\u003e\n\n---\n\n## ⚡ Why Kosty\n\n🌐 **External Attack Surface Mapping** — scan 15 resource types, classify exposure as unprotected / partially protected / protected\n\n🔐 **IAM Privilege Escalation Detection** — 21 known escalation patterns with optional `--deep` confirmation via SimulatePrincipalPolicy\n\n🤖 **GenAI Security \u0026 Cost Audit** — Bedrock guardrails, shadow AI detection, SageMaker idle GPU endpoints, prompt caching\n\n🏢 **Organization-Wide Scanning** — parallel audit across hundreds of AWS accounts with cross-account role assumption\n\n🛡️ **200+ Security Checks** — WAF hardening, API Gateway auth/throttling/TLS, CloudTrail, GuardDuty, VPC Flow Logs, KMS rotation\n\n💰 **Real Dollar Savings** — not just recommendations, actual monthly amounts for 11 services ($280/mo per stopped m5.2xlarge, $700/mo per oversized db.r5.4xlarge)\n\n---\n\n## 🎯 Quick Start\n\n```bash\npip install kosty\n\n# Full audit — cost + security across 30+ services\nkosty audit --output all\n\n# External attack surface mapping\nkosty public-exposure --output console\n\n# AI/ML audit — Bedrock + SageMaker\nkosty ai audit --output console\n\n# IAM privilege escalation detection (21 patterns)\nkosty iam check-privilege-escalation --deep\n\n# Organization-wide scan\nkosty audit --organization --max-workers 20 --output all\n```\n\n\u003e 💡 Need expert help? [Professional consulting available →](https://kosty.cloud?utm_source=github\u0026utm_medium=readme)\n\n---\n\n## 📊 Visual Dashboard\n\n![Kosty Dashboard](dashboard/kosty-dashboard-header.png)\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003ctd\u003e\u003cimg src=\"dashboard/kosty_dashboard.png\" alt=\"Kosty Dashboard\" width=\"400\"/\u003e\u003c/td\u003e\n\u003ctd\u003e\u003cimg src=\"dashboard/kosty-ai-audit-dashboard.png\" alt=\"AI Audit Dashboard\" width=\"400\"/\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd align=\"center\"\u003e\u003cem\u003eFull Audit Dashboard\u003c/em\u003e\u003c/td\u003e\n\u003ctd align=\"center\"\u003e\u003cem\u003eAI/ML Audit Dashboard\u003c/em\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\nUpload your JSON report to the built-in dashboard for interactive charts, filtering, and cost breakdowns.\n\n---\n\n## 🚀 Key Features\n\n### 🌐 Attack Surface Mapping\n\nMap everything publicly exposed and evaluate protections — ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, and snapshots.\n\n```bash\nkosty public-exposure --output console\n```\n\nEach finding is classified:\n- 🔴 **Exposed \u0026 Unprotected** — no protections, immediate action\n- 🟡 **Exposed \u0026 Partially Protected** — gaps remain\n- 🟢 **Exposed \u0026 Protected** — all protections verified\n\n### 🔐 Security Audit\n\n200+ checks across 30+ services. Highlights:\n\n- **IAM Privilege Escalation** — detects 21 known escalation patterns with optional `--deep` confirmation via SimulatePrincipalPolicy\n- **WAF Hardening** — managed rules, rate limiting, bot control, logging, action mode\n- **API Gateway** — WAF association, authorization, throttling, TLS 1.2, CloudFront bypass detection, request validation\n- **Foundational** — CloudTrail, VPC Flow Logs, GuardDuty, AWS Config, KMS key rotation\n- **Data Protection** — S3 encryption, RDS encryption, ElastiCache encryption, Secrets Manager rotation\n\n```bash\nkosty iam security-audit --deep\nkosty waf audit\nkosty apigateway security-audit\n```\n\n### 🤖 AI/ML Audit\n\nDedicated `kosty ai` command for Bedrock and SageMaker workloads. Catches the invisible waste and security gaps that standard audits miss.\n\n```bash\nkosty ai audit                              # full Bedrock + SageMaker\nkosty ai bedrock check-no-guardrails        # prompt injection protection\nkosty ai bedrock check-shadow-ai            # unapproved AI usage\nkosty ai sagemaker check-idle-endpoints     # GPU instances burning cash\n```\n\n**Bedrock** (12 checks) — guardrails, shadow AI detection, VPC endpoints, prompt caching, inference profiles, custom model encryption, logging, budget limits, TPM quota monitoring, cross-account model access, model sizing analysis, batch eligibility detection\n\n**SageMaker** (8 checks) — idle endpoints, zombie notebooks, Spot training, checkpointing, Inference Components, VPC endpoints, internet access, root access\n\n### 💰 Cost Optimization\n\nReal dollar savings for 11 services — not just recommendations, actual monthly amounts:\n\n| Finding | Typical Savings |\n|---------|----------------|\n| Stopped EC2 instances | $280/mo per m5.2xlarge |\n| Oversized RDS instances | $700/mo per db.r5.4xlarge |\n| Unused NAT Gateways | $33/mo each |\n| Orphaned EBS volumes | $10/mo per 100GB |\n| Load Balancers with no targets | $16/mo each |\n| Unused secrets | $0.40/mo each |\n\n```bash\nkosty audit --output json   # generates report with $ amounts\nopen dashboard/index.html   # visualize savings\n```\n\n---\n\n## 📊 Service Coverage\n\n**30 services**, organized by category:\n\n| Category | Services | Key Checks |\n|----------|----------|------------|\n| **Compute** | EC2, Lambda | Oversized, idle, IMDSv1, outdated runtimes |\n| **Storage** | S3, EBS, Snapshots | Public access, encryption, lifecycle, object lock |\n| **Database** | RDS, DynamoDB | Public DBs, oversized, encryption, backups |\n| **Network** | EIP, LB, NAT, SG, Route53, VPC | Unused resources, open ports, flow logs |\n| **Security** | IAM, WAFv2, GuardDuty, KMS | Privilege escalation, MFA, key rotation, threat detection |\n| **Management** | CloudWatch, Backup, CloudTrail, Config | Logging, audit trail, drift detection |\n| **Application** | API Gateway | WAF, auth, throttling, TLS, CloudFront bypass |\n| **AI/ML** | Bedrock, SageMaker | Guardrails, shadow AI, idle endpoints, prompt caching, VPC endpoints |\n| **Secrets** | Secrets Manager | Unused secrets, rotation |\n| **Messaging** | SNS, SQS | Encryption at rest and in transit |\n| **Cache** | ElastiCache | Encryption at rest and in transit |\n| **Certificates** | ACM | Expiring certificates |\n| **Containers** | ECS | Privileged task definitions |\n| **Patch Mgmt** | SSM | Patch compliance |\n\nFull check list per service → [docs/SERVICES.md](docs/SERVICES.md)\n\n---\n\n## 🔧 Installation\n\n```bash\n# PyPI (recommended)\npip install kosty\n\n# Docker\ndocker run --rm -v ~/.aws:/home/nonroot/.aws:ro ghcr.io/kosty-cloud/kosty:latest audit\n\n# From source\ngit clone https://github.com/kosty-cloud/kosty.git \u0026\u0026 cd kosty \u0026\u0026 pip install -e .\n```\n\n---\n\n## ⚙️ Configuration\n\n```yaml\n# kosty.yaml\ndefault:\n  regions: [us-east-1, eu-west-1]\n  max_workers: 20\n\nexclude:\n  services: [route53]\n  tags:\n    - key: \"kosty_ignore\"\n      value: \"true\"\n\nprofiles:\n  production:\n    role_arn: \"arn:aws:iam::123456789012:role/AuditRole\"\n    regions: [us-east-1]\n  staging:\n    aws_profile: \"staging-profile\"\n    regions: [eu-west-1]\n```\n\n```bash\nkosty audit --profile production\nkosty audit --profiles --output all    # all profiles in parallel\n```\n\nFull configuration guide → [docs/CONFIGURATION.md](docs/CONFIGURATION.md)\n\n---\n\n## 📖 Documentation\n\n| Guide | Description |\n|-------|-------------|\n| [Full Documentation](docs/DOCUMENTATION.md) | Complete user guide |\n| [Service Coverage](docs/SERVICES.md) | All 30 services and their checks |\n| [CLI Reference](docs/CLI_REFERENCE.md) | Every command and option |\n| [Examples](docs/EXAMPLES.md) | Detailed usage examples |\n| [Configuration](docs/CONFIGURATION.md) | YAML config, profiles, exclusions |\n| [Multi-Profile Guide](docs/MULTI_PROFILE_GUIDE.md) | Parallel multi-customer audits |\n| [Release Notes](docs/RELEASE_NOTES.md) | Version history |\n\n---\n\n## 🤝 Contributing\n\n1. **Report Issues** — [Open an issue](https://github.com/kosty-cloud/kosty/issues)\n2. **Add Services** — Follow the pattern in `kosty/services/`\n3. **Star the Repo** — Show your support\n\n---\n\n## 💼 Professional Services\n\nFree 30-minute assessment to discuss your AWS setup.\n\n📅 [Book a call](https://calendly.com/consulting-kosty/30min) · 📧 yassir@kosty.cloud · 🌐 [kosty.cloud](https://kosty.cloud?utm_source=github\u0026utm_medium=readme)\n\n---\n\n## 📄 License\n\nMIT License — see [LICENSE](LICENSE)\n\n\u003cdiv align=\"center\"\u003e\n\n**💰 Save money. Secure infrastructure. Ship faster.**\n\n⭐ Star this repo if Kosty saved you money\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosty-cloud%2Fkosty","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkosty-cloud%2Fkosty","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkosty-cloud%2Fkosty/lists"}