
kosty-cloud/kosty


💰 Kosty - AWS Cost Optimization & Security Audit CLI Tool


🤖 New in v2.0.0 — kosty ai now audits Bedrock and SageMaker workloads: guardrails, shadow AI detection, idle GPU endpoints, prompt caching, and more. See what's new →

Scan 30+ AWS services. Find cost waste. Detect security gaps. Audit GenAI workloads. One command.

Quick Start • Key Features • Service Coverage • Documentation


⚡ Why Kosty

🌐 External Attack Surface Mapping — scan 15 resource types, classify exposure as unprotected / partially protected / protected

🔐 IAM Privilege Escalation Detection — 21 known escalation patterns with optional --deep confirmation via SimulatePrincipalPolicy

🤖 GenAI Security & Cost Audit — Bedrock guardrails, shadow AI detection, SageMaker idle GPU endpoints, prompt caching

🏢 Organization-Wide Scanning — parallel audit across hundreds of AWS accounts with cross-account role assumption

🛡️ 200+ Security Checks — WAF hardening, API Gateway auth/throttling/TLS, CloudTrail, GuardDuty, VPC Flow Logs, KMS rotation

💰 Real Dollar Savings — not just recommendations, actual monthly amounts for 11 services ($280/mo per stopped m5.2xlarge, $700/mo per oversized db.r5.4xlarge)


🎯 Quick Start

pip install kosty

# Full audit — cost + security across 30+ services
kosty audit --output all

# External attack surface mapping
kosty public-exposure --output console

# AI/ML audit — Bedrock + SageMaker
kosty ai audit --output console

# IAM privilege escalation detection (21 patterns)
kosty iam check-privilege-escalation --deep

# Organization-wide scan
kosty audit --organization --max-workers 20 --output all

💡 Need expert help? Professional consulting available →


📊 Visual Dashboard

[Screenshots: Full Audit Dashboard, AI/ML Audit Dashboard]

Upload your JSON report to the built-in dashboard for interactive charts, filtering, and cost breakdowns.


🚀 Key Features

🌐 Attack Surface Mapping

Map everything publicly exposed and evaluate protections — ALB, EC2, S3, RDS, API Gateway, Lambda URLs, CloudFront, OpenSearch, Redshift, EKS, ECR, SNS, SQS, and snapshots.

kosty public-exposure --output console

Each finding is classified:

  • 🔴 Exposed & Unprotected — no protections, immediate action
  • 🟡 Exposed & Partially Protected — gaps remain
  • 🟢 Exposed & Protected — all protections verified

πŸ” Security Audit

200+ checks across 30+ services. Highlights:

  • IAM Privilege Escalation β€” detects 21 known escalation patterns with optional --deep confirmation via SimulatePrincipalPolicy
  • WAF Hardening β€” managed rules, rate limiting, bot control, logging, action mode
  • API Gateway β€” WAF association, authorization, throttling, TLS 1.2, CloudFront bypass detection, request validation
  • Foundational β€” CloudTrail, VPC Flow Logs, GuardDuty, AWS Config, KMS key rotation
  • Data Protection β€” S3 encryption, RDS encryption, ElastiCache encryption, Secrets Manager rotation
kosty iam security-audit --deep
kosty waf audit
kosty apigateway security-audit

🤖 AI/ML Audit

Dedicated kosty ai command for Bedrock and SageMaker workloads. Catches the invisible waste and security gaps that standard audits miss.

kosty ai audit                              # full Bedrock + SageMaker
kosty ai bedrock check-no-guardrails        # prompt injection protection
kosty ai bedrock check-shadow-ai            # unapproved AI usage
kosty ai sagemaker check-idle-endpoints     # GPU instances burning cash

Bedrock (12 checks) — guardrails, shadow AI detection, VPC endpoints, prompt caching, inference profiles, custom model encryption, logging, budget limits, TPM quota monitoring, cross-account model access, model sizing analysis, batch eligibility detection

SageMaker (8 checks) — idle endpoints, zombie notebooks, Spot training, checkpointing, Inference Components, VPC endpoints, internet access, root access

💰 Cost Optimization

Real dollar savings for 11 services — not just recommendations, actual monthly amounts:

Finding                        | Typical Savings
-------------------------------|---------------------------
Stopped EC2 instances          | $280/mo per m5.2xlarge
Oversized RDS instances        | $700/mo per db.r5.4xlarge
Unused NAT Gateways            | $33/mo each
Orphaned EBS volumes           | $10/mo per 100GB
Load Balancers with no targets | $16/mo each
Unused secrets                 | $0.40/mo each

kosty audit --output json   # generates report with $ amounts
open dashboard/index.html   # visualize savings

📊 Service Coverage

30 services, organized by category:

Category     | Services                               | Key Checks
-------------|----------------------------------------|----------------------------------------------------------------
Compute      | EC2, Lambda                            | Oversized, idle, IMDSv1, outdated runtimes
Storage      | S3, EBS, Snapshots                     | Public access, encryption, lifecycle, object lock
Database     | RDS, DynamoDB                          | Public DBs, oversized, encryption, backups
Network      | EIP, LB, NAT, SG, Route53, VPC         | Unused resources, open ports, flow logs
Security     | IAM, WAFv2, GuardDuty, KMS             | Privilege escalation, MFA, key rotation, threat detection
Management   | CloudWatch, Backup, CloudTrail, Config | Logging, audit trail, drift detection
Application  | API Gateway                            | WAF, auth, throttling, TLS, CloudFront bypass
AI/ML        | Bedrock, SageMaker                     | Guardrails, shadow AI, idle endpoints, prompt caching, VPC endpoints
Secrets      | Secrets Manager                        | Unused secrets, rotation
Messaging    | SNS, SQS                               | Encryption at rest and in transit
Cache        | ElastiCache                            | Encryption at rest and in transit
Certificates | ACM                                    | Expiring certificates
Containers   | ECS                                    | Privileged task definitions
Patch Mgmt   | SSM                                    | Patch compliance

Full check list per service → docs/SERVICES.md


🔧 Installation

# PyPI (recommended)
pip install kosty

# Docker
docker run --rm -v ~/.aws:/home/nonroot/.aws:ro ghcr.io/kosty-cloud/kosty:latest audit

# From source
git clone https://github.com/kosty-cloud/kosty.git && cd kosty && pip install -e .

βš™οΈ Configuration

# kosty.yaml
default:
  regions: [us-east-1, eu-west-1]
  max_workers: 20

exclude:
  services: [route53]
  tags:
    - key: "kosty_ignore"
      value: "true"

profiles:
  production:
    role_arn: "arn:aws:iam::123456789012:role/AuditRole"
    regions: [us-east-1]
  staging:
    aws_profile: "staging-profile"
    regions: [eu-west-1]

kosty audit --profile production
kosty audit --profiles --output all    # all profiles in parallel

Full configuration guide → docs/CONFIGURATION.md
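As an added example (not Kosty's own code), the following shows how the kosty.yaml above can be resolved: each profile merged over the default block, the exclude rules applied to a service or a tagged resource, and the `--profiles` fan-out run in parallel. The function names, the precedence of role_arn over aws_profile, and the string comparison of tag values are assumptions, not documented Kosty behaviour.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the parsed kosty.yaml shown above (what yaml.safe_load
# would return); embedded as a dict so the example runs offline.
CONFIG = {
    "default": {"regions": ["us-east-1", "eu-west-1"], "max_workers": 20},
    "exclude": {"services": ["route53"],
                "tags": [{"key": "kosty_ignore", "value": "true"}]},
    "profiles": {
        "production": {"role_arn": "arn:aws:iam::123456789012:role/AuditRole",
                       "regions": ["us-east-1"]},
        "staging": {"aws_profile": "staging-profile", "regions": ["eu-west-1"]},
    },
}

def resolve_profile(config, name):
    """Merge one profile over the default block (assumed semantics): regions and
    max_workers fall back to `default`; credentials come from a cross-account
    role (role_arn) or a local named profile (aws_profile), role_arn winning."""
    default = config.get("default", {})
    prof = config["profiles"][name]
    if "role_arn" in prof:
        creds = ("role_arn", prof["role_arn"])
    elif "aws_profile" in prof:
        creds = ("aws_profile", prof["aws_profile"])
    else:
        creds = ("ambient", None)  # whatever credentials the environment provides
    return {"name": name,
            "regions": list(prof.get("regions", default.get("regions", []))),
            "max_workers": prof.get("max_workers", default.get("max_workers", 1)),
            "credentials": creds}

def is_excluded(config, service, tags=None):
    """Apply the exclude block: skip whole services, or any resource carrying
    one of the ignore tags (key and value compared as strings)."""
    exclude = config.get("exclude", {})
    if service in exclude.get("services", []):
        return True
    tags = tags or {}
    return any(str(tags.get(r["key"])) == str(r["value"])
               for r in exclude.get("tags", []))

def run_all_profiles(config, scan):
    """Mirror `kosty audit --profiles`: run scan(profile) for every profile in
    parallel (bounded by default.max_workers) and key results by profile name."""
    names = list(config["profiles"])
    workers = config.get("default", {}).get("max_workers", 1)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda n: scan(resolve_profile(config, n)), names)
        return dict(zip(names, results))
```

Passing a real scan callable (one that assumes the profile's role or loads its named credentials, then audits its regions) in place of the test lambda turns this into the multi-profile loop.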


📖 Documentation

Guide               | Description
--------------------|----------------------------------
Full Documentation  | Complete user guide
Service Coverage    | All 30 services and their checks
CLI Reference       | Every command and option
Examples            | Detailed usage examples
Configuration       | YAML config, profiles, exclusions
Multi-Profile Guide | Parallel multi-customer audits
Release Notes       | Version history

🤝 Contributing

  1. Report Issues — Open an issue
  2. Add Services — Follow the pattern in kosty/services/
  3. Star the Repo — Show your support

💼 Professional Services

Free 30-minute assessment to discuss your AWS setup.

📅 Book a call · 📧 yassir@kosty.cloud · 🌐 kosty.cloud


📄 License

MIT License — see LICENSE

💰 Save money. Secure infrastructure. Ship faster.

⭐ Star this repo if Kosty saved you money