    AWSMap

    Fast, comprehensive AWS resource inventory tool with SQL and natural language queries

    A fast, comprehensive tool for mapping and inventorying AWS resources across 150+ services and all regions. Scan your accounts, store results in a local SQLite database, and query your inventory using SQL or natural language. Features parallel scanning with 40 workers, 30 pre-built security queries, 1,381 example questions, multi-account support, and multiple output formats. Available on PyPI and Docker Hub.

    Features

    Coverage

    • 150+ AWS services supported
    • All regions scanned in parallel
    • Global services handled intelligently
    • Multi-account support (scan & query across accounts)
    • Tag filtering with AND/OR logic

    Query Engine

    • Local SQLite database (auto-stored)
    • Custom SQL queries on inventory history
    • 30 pre-built security & compliance queries
    • Natural language interface (ask in English)
    • 1,381 service-organized example questions

    Performance

    • 40 parallel workers by default
    • ~2 minutes for typical accounts
    • Region-aware collectors skip unsupported regions
    • Batch operations where available

    Output & Reports

    • Interactive HTML reports with dark mode
    • JSON with full resource details
    • CSV for spreadsheet analysis
    • Clickable tag badges and ARN copy

    Configuration

    • Persistent config (awsmap config set/get/list)
    • Default profile, regions, services, format
    • Custom queries in ~/.awsmap/queries/
    • Shell completion (bash, zsh, fish)

    Installation & Usage

    PyPI Installation

    pip install awsmap
    

    Docker

    docker pull tarekcheikh/awsmap
    

    Scan

    # Full account inventory
    awsmap -p myprofile
    
    
    # Specific services & regions
    awsmap -p myprofile -s ec2,s3,rds -r us-east-1,eu-west-1
    
    
    # Filter by tags
    awsmap -p myprofile -t Owner=John -t Environment=Production
    

    SQL Queries

    # Custom SQL on your inventory
    awsmap query "SELECT service, COUNT(*) FROM resources GROUP BY service"
    
    
    # Pre-built security queries
    awsmap query -n admin-users
    awsmap query -n public-s3-buckets
    awsmap query -n open-security-groups
    

    Natural Language

    # Ask in plain English
    awsmap ask how many resources per region
    awsmap ask show me all EC2 instances without Owner tag
    awsmap ask which S3 buckets are in eu-west-1
    

    Examples Library

    # Browse 1,381 example questions
    awsmap examples
    awsmap examples lambda
    awsmap examples lambda 5
    awsmap examples --search "encryption"
    

    CLI Options

    Option                        Description
    -p, --profile                 AWS profile name
    -r, --region                  Region(s) to scan (comma-separated)
    -s, --services                Service(s) to scan (comma-separated)
    -t, --tag                     Filter by tag Key=Value (multiple allowed)
    -f, --format                  Output: html (default), json, csv
    -o, --output                  Output file path
    -w, --workers                 Parallel workers (default: 40)
    -q, --quiet                   Suppress progress output
    --timings                     Show timing summary per service
    --exclude-defaults            Exclude default AWS resources
    --no-db                       Skip database storage
    --list-services               List available service collectors
    query <SQL>                   Run a SQL query against inventory
    query -n <name>               Run a pre-built named query
    query -l                      List all pre-built queries
    query -a <account>            Scope query to a specific account
    ask <question>                Query inventory in natural language
    examples [service]            Browse example questions by service
    examples --search <keyword>   Search across all example questions
    config set <key> <value>      Set a config value (profile, regions, etc.)
    config list                   Show all configuration
    completion <shell>            Generate shell completion (bash/zsh/fish)

    Pre-built Security Queries

    Query                   Description
    admin-users             IAM users with admin permissions
    admin-roles             IAM roles with admin permissions
    users-without-mfa       MFA compliance check
    iam-inactive-users      Inactive IAM users
    old-access-keys         Old access keys needing rotation
    cross-account-roles     Roles with cross-account trust
    open-security-groups    Security groups with 0.0.0.0/0
    secrets-no-rotation     Secrets without auto-rotation
    public-s3-buckets       S3 buckets with public access
    s3-no-versioning        S3 buckets without versioning
    s3-no-logging           S3 buckets without access logging
    encryption-status       Encryption status across S3
    stopped-instances       EC2 instances in stopped state
    unused-volumes          Unattached EBS volumes
    ebs-unencrypted         Unencrypted EBS volumes
    unused-eips             Unused Elastic IP addresses
    default-vpcs            Default VPCs still present
    rds-public              Publicly accessible RDS instances
    rds-unencrypted         Unencrypted RDS instances
    rds-no-multi-az         RDS without Multi-AZ
    lambda-runtimes         Lambda runtime versions
    lambda-high-memory      Lambda with high memory allocation
    untagged-resources      Resources missing required tags
    resources-by-service    Resource count per AWS service
    resources-by-region     Resource distribution by region
    resources-by-account    Resource count per AWS account
