Multi-cloud security posture management with MITRE ATT&CK® threat enrichment, blast radius scoring, and compliance mapping across CIS, NIST CSF, SOC 2, and PCI DSS.
Most CSPM tools tell you what is misconfigured. CloudSentinel tells you what an attacker can do with it.
Every finding is enriched with:
- MITRE ATT&CK® technique mappings — with a plain-English explanation of why this specific misconfiguration enables this specific technique
- Blast radius score — quantifies lateral movement paths, data exfiltration risk, and privilege escalation potential
- Kill chain construction — given a set of open findings, CloudSentinel reconstructs the furthest an adversary could progress through the ATT&CK kill chain
- Compliance controls — every finding maps to CIS, NIST CSF, SOC 2, and PCI DSS simultaneously
```
┌─────────────────────────────────────────────────────────────┐
│                       React Dashboard                       │
│      Overview │ Findings │ ATT&CK Heatmap │ Compliance      │
└─────────────────────┬───────────────────────────────────────┘
                      │ REST API
┌─────────────────────▼───────────────────────────────────────┐
│                       FastAPI Backend                       │
│                                                             │
│  ┌─────────────┐  ┌──────────────┐  ┌──────────────────┐    │
│  │ Scan Engine │  │ MITRE Engine │  │   Risk Scorer    │    │
│  │ 15 rules    │  │ 30+ technique│  │ Composite 0-10   │    │
│  │ AWS live    │  │ mappings     │  │ Blast radius     │    │
│  │ Azure stub  │  │ Kill chain   │  │ Exposure mult    │    │
│  │ GCP stub    │  │ constructor  │  │                  │    │
│  └─────────────┘  └──────────────┘  └──────────────────┘    │
│                                                             │
│  ┌──────────────────────────────────────────────────────┐   │
│  │ Compliance Mapper: CIS │ NIST CSF │ SOC 2 │ PCI DSS  │   │
│  └──────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────┘
                      │
┌─────────────────────▼───────────────────────────────────────┐
│                   DynamoDB Findings Store                   │
│  SHA-256 fingerprinting │ GSI filtering │ TTL auto-expiry   │
└─────────────────────────────────────────────────────────────┘
                      │
┌─────────────────────▼───────────────────────────────────────┐
│                        Terraform IaC                        │
│  Scanner IAM role │ DynamoDB │ Lambda │ EventBridge │ KMS   │
└─────────────────────────────────────────────────────────────┘
```
Modelled on the Capital One breach (2019)
Misconfigurations: IMDSv1 enabled + overprivileged Lambda role
Attack path:
- Attacker finds SSRF vulnerability in web application on EC2
- IMDSv1 (CS-EC2-003) allows unauthenticated GET to `169.254.169.254` — instance role credentials returned, no session token required
- Role has `iam:*` wildcard (CS-IAM-003) — privilege escalation trivial
- Attacker calls `iam:CreatePolicyVersion` to attach AdministratorAccess
- Full account takeover achieved from a single SSRF vulnerability
ATT&CK techniques enabled:
- T1552 — Unsecured Credentials (IMDSv1 credential theft)
- T1548 — Abuse Elevation Control Mechanism (wildcard IAM escalation)
- T1098 — Account Manipulation (persistent backdoor IAM user created)
CloudSentinel detection: Both CS-EC2-003 and CS-IAM-003 flagged as HIGH with privilege escalation blast radius. Kill chain shows Credential Access → Privilege Escalation → Persistence.
Public S3 + disabled logging = no forensic evidence
Misconfigurations: S3 public access + S3 logging disabled + CloudTrail disabled
Attack path:
- Automated scanner (GrayhatWarfare) discovers public S3 bucket (CS-S3-001)
- Attacker syncs entire bucket to external AWS account — zero authentication
- S3 access logging disabled (CS-S3-003) — no S3-level forensic evidence
- CloudTrail disabled (CS-LOG-001) — no API-level audit trail
- Exfiltration of entire data lake produces zero detectable artifacts
- Breach discovered weeks later via third-party notification
ATT&CK techniques enabled:
- T1530 — Data from Cloud Storage (unauthenticated bucket access)
- T1537 — Transfer Data to Cloud Account (sync to attacker account)
- T1070 — Indicator Removal (no logs = no evidence)
CloudSentinel detection: All three rules flagged. Kill chain reaches Exfiltration with data exfiltration blast radius flag. Narrative explicitly states data loss is a realistic outcome.
Open RDP + no VPC flow logs = lateral movement in the dark
Misconfigurations: Unrestricted RDP + VPC Flow Logs disabled + EBS unencrypted
Attack path:
- Shodan indexes RDP port 3389 open to 0.0.0.0/0 (CS-EC2-002)
- Attacker brute-forces or credential-stuffs RDP credentials
- VPC Flow Logs disabled (CS-LOG-003) — lateral movement invisible
- Attacker moves to other EC2 instances using internal RDP
- Ransomware deployed — EBS volumes unencrypted (CS-ENC-001)
- Snapshots exfiltrated to attacker account before encryption
ATT&CK techniques enabled:
- T1190 — Exploit Public-Facing Application (open RDP)
- T1021 — Remote Services (internal RDP lateral movement)
- T1570 — Lateral Tool Transfer (ransomware staging, no network logs)
- T1530 — Data from Cloud Storage (unencrypted snapshot exfiltration)
CloudSentinel detection: Three rules flagged across EC2, VPC, and EBS. Kill chain spans Initial Access → Lateral Movement → Collection. Blast radius flags both lateral movement and data exfiltration paths.
| Rule ID | Title | Severity | Service | CIS |
|---|---|---|---|---|
| CS-IAM-001 | Root account has active access keys | CRITICAL | IAM | 1.4 |
| CS-IAM-002 | IAM user without MFA has console access | HIGH | IAM | 1.10 |
| CS-IAM-003 | IAM policy grants wildcard permissions | HIGH | IAM | 1.16 |
| CS-IAM-004 | Access key not rotated in 90+ days | MEDIUM | IAM | 1.14 |
| CS-S3-001 | S3 bucket publicly accessible | CRITICAL | S3 | 2.1.5 |
| CS-S3-002 | S3 encryption disabled | MEDIUM | S3 | 2.1.1 |
| CS-S3-003 | S3 access logging disabled | MEDIUM | S3 | 2.1.4 |
| CS-EC2-001 | Unrestricted SSH (0.0.0.0/0) | HIGH | EC2 | 5.2 |
| CS-EC2-002 | Unrestricted RDP (0.0.0.0/0) | HIGH | EC2 | 5.3 |
| CS-EC2-003 | IMDSv1 enabled | HIGH | EC2 | 5.6 |
| CS-LOG-001 | CloudTrail disabled | HIGH | CloudTrail | 3.1 |
| CS-LOG-002 | CloudTrail log validation disabled | MEDIUM | CloudTrail | 3.2 |
| CS-LOG-003 | VPC Flow Logs disabled | MEDIUM | VPC | 3.9 |
| CS-ENC-001 | EBS encryption disabled | MEDIUM | EBS | 2.2.1 |
| CS-ENC-002 | RDS encryption disabled | HIGH | RDS | 2.3.1 |
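Two of the rules in the table, CS-EC2-003 (IMDSv1 enabled) and CS-IAM-003 (wildcard permissions), evaluated over constructed, boto3-shaped `describe_instances` and policy-document input, together with the SHA-256 fingerprint the findings store uses to de-duplicate re-scans. This is an added example, not CloudSentinel's own rule code; the fingerprint fields and the sample IDs are assumptions.

```python
import hashlib

def check_imdsv1(instance):
    """CS-EC2-003: metadata endpoint enabled and HttpTokens not 'required',
    so the instance answers token-less (v1) metadata requests."""
    opts = instance.get("MetadataOptions", {})
    return (opts.get("HttpEndpoint", "enabled") == "enabled"
            and opts.get("HttpTokens") != "required")

def wildcard_actions(policy_document):
    """CS-IAM-003: Allow actions equal to '*' or 'service:*'. Accepts the
    single-statement and single-string forms IAM permits."""
    stmts = policy_document.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        hits.extend(a for a in actions if a == "*" or a.endswith(":*"))
    return hits

def fingerprint(rule_id, account_id, region, resource_id):
    """Stable finding identity so a re-scan updates the stored item
    instead of duplicating it (field choice is an assumption)."""
    raw = "|".join((rule_id, account_id, region, resource_id)).encode()
    return hashlib.sha256(raw).hexdigest()

def evaluate(account_id, region, instances, policies):
    """Run both rules over describe_instances / policy-document shaped data."""
    findings = []
    for inst in instances:
        if check_imdsv1(inst):
            rid = inst["InstanceId"]
            findings.append({"rule_id": "CS-EC2-003", "severity": "HIGH", "resource": rid,
                             "fingerprint": fingerprint("CS-EC2-003", account_id, region, rid)})
    for arn, doc in policies.items():
        if hits := wildcard_actions(doc):   # IAM is global, so region is fixed
            findings.append({"rule_id": "CS-IAM-003", "severity": "HIGH", "resource": arn,
                             "detail": hits,
                             "fingerprint": fingerprint("CS-IAM-003", account_id, "global", arn)})
    return findings

# Constructed sample input: one IMDSv1 instance, one hardened, one wildcard policy.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]
SAMPLE_POLICIES = {"arn:aws:iam::123456789012:policy/lambda-role": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:GetObject"], "Resource": "*"}]}}
```

Calling `evaluate("123456789012", "eu-north-1", SAMPLE_INSTANCES, SAMPLE_POLICIES)` yields one CS-EC2-003 finding for `i-0aaa` and one CS-IAM-003 finding naming `iam:*`; the hardened instance with `HttpTokens: required` produces nothing.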
```bash
# Clone and install
git clone https://github.com/GeekyBlessing/cloudsentinel
cd cloudsentinel
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt

# Run against your AWS account (read-only)
export PYTHONPATH=$(pwd)
python3 -c "
from cloudsentinel.scanner.engine import ScanEngine
engine = ScanEngine(regions=['eu-north-1'], persist=False)
result = engine.scan_account()
print(result.summary())
for f in result.findings:
    print(f'{f.severity.value:<8} {f.risk_score}/10 {f.title}')
"

# Start the API
uvicorn cloudsentinel.main:app --reload --port 8000

# Run with Docker
docker-compose up
```

```bash
# Full suite
python3 -m pytest tests/ -v

# With coverage
python3 -m pytest tests/ --cov=cloudsentinel --cov-report=term-missing

# Single module
python3 -m pytest tests/test_mitre.py -v
```

Scanned against a real AWS account (eu-north-1) — 6 findings detected, 5 ATT&CK tactics active, kill chain reaching Collection.
See LIVE_SCAN_RESULTS.md for full output.
| Finding | Severity | Risk | ATT&CK Techniques |
|---|---|---|---|
| IAM user without MFA | HIGH | 7.3/10 | T1078, T1528 |
| CloudTrail validation disabled | MEDIUM | 5.9/10 | T1070 |
| VPC Flow Logs disabled | MEDIUM | 5.9/10 | T1562, T1570 |
| EBS encryption disabled | MEDIUM | 5.0/10 | T1530 |
| S3 access logging disabled (×2) | MEDIUM | 5.0/10 | T1070 |
Kill chain: Initial Access → Defense Evasion → Credential Access → Lateral Movement → Collection
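The kill chain construction described in the enrichment list and illustrated by the three scenarios, reproduced on the live-scan findings in this table as an added example (not CloudSentinel's own MITRE engine). The rule-to-technique mappings are the ones this page lists; the single primary tactic per technique and the ordering by ATT&CK matrix column are assumptions, which is why a chain comes out in matrix order here rather than in the attack order the scenario narratives use.

```python
from dataclasses import dataclass, field

# ATT&CK Enterprise tactics in matrix column order.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
# Rule -> techniques, as listed in the scenarios and the live-scan table on this page.
RULE_TECHNIQUES = {
    "CS-IAM-002": ["T1078", "T1528"], "CS-IAM-003": ["T1548", "T1098"],
    "CS-S3-001": ["T1530", "T1537"], "CS-S3-003": ["T1070"],
    "CS-EC2-002": ["T1190", "T1021"], "CS-EC2-003": ["T1552"],
    "CS-LOG-001": ["T1070"], "CS-LOG-002": ["T1070"],
    "CS-LOG-003": ["T1562", "T1570"], "CS-ENC-001": ["T1530"],
}
# One primary tactic per technique (assumption; several of these techniques
# sit in more than one ATT&CK column).
TECHNIQUE_TACTIC = {
    "T1078": "Initial Access", "T1190": "Initial Access", "T1098": "Persistence",
    "T1548": "Privilege Escalation", "T1070": "Defense Evasion",
    "T1562": "Defense Evasion", "T1552": "Credential Access",
    "T1528": "Credential Access", "T1021": "Lateral Movement",
    "T1570": "Lateral Movement", "T1530": "Collection", "T1537": "Exfiltration",
}

@dataclass
class KillChain:
    tactics: list                                   # active tactics, matrix order
    techniques: dict = field(default_factory=dict)  # tactic -> sorted technique IDs

    @property
    def furthest(self):
        """The deepest stage reachable with only the open findings."""
        return self.tactics[-1] if self.tactics else None

    def narrative(self):
        return " → ".join(self.tactics)

def build_kill_chain(open_rule_ids):
    """Union every technique the open findings enable, group by tactic, and
    walk the matrix left to right: the chain is the ordered set of active
    tactics, so 'furthest' is how far the combined misconfigurations carry."""
    by_tactic = {}
    for rule_id in set(open_rule_ids):
        for tech in RULE_TECHNIQUES.get(rule_id, []):   # unknown rules add nothing
            by_tactic.setdefault(TECHNIQUE_TACTIC[tech], set()).add(tech)
    active = [t for t in TACTIC_ORDER if t in by_tactic]
    return KillChain(active, {t: sorted(by_tactic[t]) for t in active})
```

Feeding it the six live-scan findings (`CS-IAM-002`, `CS-LOG-002`, `CS-LOG-003`, `CS-ENC-001`, and `CS-S3-003` twice) returns the five-tactic chain shown above, ending at Collection.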
```bash
cd terraform/

# Initialise
terraform init

# Preview
terraform plan -var="account_id=YOUR_ACCOUNT_ID"

# Deploy
terraform apply -var="account_id=YOUR_ACCOUNT_ID"
```