
    EC2 Security Scanner

    Production-ready EC2 security scanner with multi-framework compliance mapping

    A comprehensive, production-ready AWS EC2 security scanner with 46 security checks across 8 categories and compliance mapping for AWS FSBP, CIS, PCI DSS, HIPAA, SOC 2, ISO 27001/27017/27018, GDPR, and NIST SP 800-53 Rev5 (137 controls total). Features multi-threaded scanning, UserData secret detection, and interactive HTML dashboards.

    Features

    Security Analysis (8 categories, 46 checks)

    • Instance Security: IMDSv2, public IP, IAM profile, UserData secrets
    • Network Security: SG SSH/RDP/high-risk ports, default SG, VPC flow logs, NACLs
    • Storage Security: EBS encryption, public snapshots, public AMIs, backup coverage
    • Access Control: IAM least-privilege, key pairs, serial console, Instance Connect
    • Logging & Monitoring: CloudTrail, CloudWatch alarms, SSM, GuardDuty
    • Network Exposure: unused EIPs, launch templates, VPC Block Public Access

    Compliance

    • AWS FSBP (32 controls)
    • CIS AWS Foundations v5.0 (7 controls)
    • PCI DSS v4.0.1 (12 controls)
    • HIPAA Security Rule (10 controls)
    • SOC 2 (13 controls)
    • ISO 27001/27017/27018
    • GDPR (8 controls), NIST 800-53 Rev5 (27 controls)

    Output

    • Security score 0-100 per instance + environment score
    • JSON, CSV, HTML reports
    • Interactive dashboards with charts
    • Strictly read-only: no API call mutates state

    Installation & Usage

    PyPI Installation

    pip install ec2-security-scanner

    Docker

    docker pull tarekcheikh/ec2-security-scanner:latest

    Commands

    # Scan all running EC2 instances
    ec2-security-scanner security

    # Scan with a specific AWS profile and region
    ec2-security-scanner security --profile prod --region eu-west-1

    # Filter by tag, or output a specific format
    ec2-security-scanner security --tag-filter Environment=production
    ec2-security-scanner security -f html -o ./reports

    Security Checks

    • Secrets in UserData - CRITICAL
    • Security Group SSH/RDP Open to 0.0.0.0/0 - HIGH
    • IMDSv2 Not Enforced (IMDSv1 allowed) - HIGH
    • Unencrypted EBS Volume - HIGH
    • Over-Privileged / Wildcard IAM Role - HIGH
    • Public AMI or Public Snapshot - HIGH
    • Default Security Group Has Rules - MEDIUM
    • No VPC Flow Logs - MEDIUM
    • GuardDuty Not Enabled - MEDIUM
    • Unused Elastic IPs / Missing Required Tags - LOW
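    To make concrete what checks like these evaluate, here is an added example (not code from the ec2-security-scanner project) that runs a few of them over constructed, boto3-shaped responses: it flags IMDSv1 still being allowed, SSH/RDP ingress from 0.0.0.0/0 or ::/0, unencrypted EBS volumes, a public IP, a missing instance profile and secret-looking strings in base64 UserData, then derives a 0-100 score. The severity weights, the secret regexes, the severities of the public-IP and profile checks, and all sample identifiers (instance, group, volume IDs, the fake password) are assumptions made for the illustration; with real data you would feed it the dicts returned by `describe_instances`, `describe_security_groups` and `describe_volumes`, all of which are read-only calls.

```python
"""Illustrative read-only EC2 check logic (added example, not the tool's own code).

Evaluates constructed dicts shaped like boto3 responses so it runs offline.
"""
import base64
import re

# Weights and check severities below are assumptions for illustration only.
SEVERITY_WEIGHT = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 10, "LOW": 5}
RISKY_PORTS = {22: "SSH", 3389: "RDP"}
# Constructed patterns of the kind a UserData secret detector looks for.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "Password assignment": re.compile(r"(?i)password\s*=\s*\S+"),
}


def _is_anywhere(cidr):
    return cidr in ("0.0.0.0/0", "::/0")


def open_admin_ports(security_group):
    """Return the set of SSH/RDP names whose ingress rules allow the whole internet."""
    exposed = set()
    for perm in security_group.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):  # "-1" means all traffic
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(_is_anywhere(c) for c in cidrs):
            continue
        exposed.update(name for port, name in RISKY_PORTS.items() if lo <= port <= hi)
    return exposed


def user_data_secrets(user_data_b64):
    """Decode base64 UserData and report which secret patterns match (never the values)."""
    if not user_data_b64:
        return []
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def evaluate_instance(instance, sgs_by_id, volumes_by_id, user_data_b64=None):
    """Run the checks and return (score 0-100, [(severity, finding), ...])."""
    findings = []
    if instance.get("MetadataOptions", {}).get("HttpTokens") != "required":
        findings.append(("HIGH", "IMDSv2 Not Enforced (IMDSv1 allowed)"))
    if instance.get("PublicIpAddress"):
        findings.append(("MEDIUM", "Instance has a public IP"))
    if not instance.get("IamInstanceProfile"):
        findings.append(("LOW", "No IAM instance profile attached"))
    for ref in instance.get("SecurityGroups", []):
        for name in sorted(open_admin_ports(sgs_by_id.get(ref["GroupId"], {}))):
            findings.append(("HIGH", f"Security Group {name} Open to 0.0.0.0/0 ({ref['GroupId']})"))
    for mapping in instance.get("BlockDeviceMappings", []):
        vol_id = mapping.get("Ebs", {}).get("VolumeId")
        vol = volumes_by_id.get(vol_id)
        if vol is not None and not vol.get("Encrypted", False):
            findings.append(("HIGH", f"Unencrypted EBS Volume ({vol_id})"))
    for kind in user_data_secrets(user_data_b64):
        findings.append(("CRITICAL", f"Secrets in UserData ({kind})"))
    penalty = sum(SEVERITY_WEIGHT[sev] for sev, _ in findings)
    return max(0, 100 - penalty), findings


# Constructed sample data shaped like boto3 output; none of it is real.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "PublicIpAddress": "203.0.113.10",
    "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
    "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"},
    "SecurityGroups": [{"GroupId": "sg-0abc", "GroupName": "web"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0abc"}}],
}
SAMPLE_SGS = {"sg-0abc": {"GroupId": "sg-0abc", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}}
SAMPLE_VOLUMES = {"vol-0abc": {"VolumeId": "vol-0abc", "Encrypted": False}}
# Constructed UserData containing a placeholder password, to trigger the detector.
SAMPLE_USER_DATA = base64.b64encode(
    b"#!/bin/bash\nexport DB_PASSWORD=example-not-real\n").decode()

if __name__ == "__main__":
    score, found = evaluate_instance(SAMPLE_INSTANCE, SAMPLE_SGS, SAMPLE_VOLUMES, SAMPLE_USER_DATA)
    print(f"{SAMPLE_INSTANCE['InstanceId']}: score {score}/100")
    for sev, msg in found:
        print(f"  [{sev}] {msg}")
```

    Two details matter in practice: the port check must treat protocol `-1` (all traffic) and port ranges that merely span 22 or 3389 as exposure, not only rules that name the port exactly, and the UserData check should report which pattern matched rather than echoing the secret into a report that is itself stored somewhere.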

    Compliance Frameworks

    • AWS FSBP (32 controls)
    • CIS AWS Foundations v5.0 (7 controls)
    • PCI DSS v4.0.1 (12 controls)
    • HIPAA Security Rule (10 controls)
    • SOC 2 (13 controls)
    • ISO 27001:2022 (17 controls)
    • GDPR (8 controls)
    • NIST 800-53 Rev5 (27 controls)

    Need Help Implementing?

    We can help you deploy and customize this tool for your specific needs, or build custom solutions.

    Contact Us