A comprehensive collection of AWS DevOps and security scripts designed to streamline cloud operations, enhance security posture, and automate common tasks across AWS environments.
- AWS Security & Compliance Tools - Monitor and audit your AWS infrastructure
- Security Analysis Scripts - Identify vulnerabilities and compliance gaps
- Cost Optimization Tools - Track and optimize AWS cloud spending
- Resource Inventory Tools - Comprehensive AWS resource discovery and reporting
- Automation Ready - All scripts designed for integration into CI/CD pipelines
| Script | Description | Key Features |
|---|---|---|
| IAM MFA Checker | Identifies IAM users without MFA enabled | Console access audit, compliance reporting, Lambda version |
| Public RDS Detector | Finds publicly accessible RDS instances | Multi-region scan, security assessment, Lambda version |
| Public S3 Bucket Scanner | Lists publicly accessible S3 buckets | Bucket policy analysis, exposure detection, Lambda version |
| Security Group Auditor | Identifies unused security groups | Resource optimization, cleanup automation, Lambda version |
| ELB Security Auditor | Comprehensive load balancer security audit | SSL/TLS analysis, listener configuration, Lambda version |

| Script | Description | Key Features |
|---|---|---|
| AWS Cost Monitor | Real-time cost tracking and alerting | Threshold monitoring, spend analysis, Lambda version |
| EBS Snapshot Cleanup | Automated cleanup of old snapshots | Age-based retention, cost savings, Lambda version |
| Idle EC2 Manager | Stops underutilized EC2 instances | CPU monitoring, automated shutdown, Lambda version |

| Script | Description | Key Features |
|---|---|---|
| Lambda Function Lister | Comprehensive Lambda inventory | Runtime analysis, configuration audit, Lambda version |
| RDS Instance Reporter | Detailed RDS configuration reporting | Performance insights, security config, Lambda version |
| ELB/ALB Inventory | Load balancer configuration audit | Health checks, target analysis, Lambda version |
| KMS Key Usage Tracker | KMS key utilization analysis | Usage tracking, cost optimization, Lambda version |
| Route53 Zone Analyzer | DNS configuration audit | Record validation, health checks, Lambda version |

| Script | Description | Key Features |
|---|---|---|
| Lambda Runtime Detector | Identifies deprecated Lambda runtimes | Multi-region scan, upgrade recommendations, Lambda version |
```bash
# For AWS scripts
pip install boto3 awscli
aws configure

# For Lambda deployments (required for all *-lambda folders)
# Install AWS SAM CLI
pip install aws-sam-cli
# OR using Homebrew on macOS
brew install aws-sam-cli
# OR download from: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html
```

Many Lambda scripts in this collection send notifications via SNS. Create the required SNS topics first:

```bash
# Deploy SNS topics using CloudFormation
aws cloudformation deploy \
  --template-file sns-topics.yaml \
  --stack-name aws-helper-scripts-sns-topics \
  --region us-east-1

# Get the topic ARNs for your Lambda environment variables
aws cloudformation describe-stacks \
  --stack-name aws-helper-scripts-sns-topics \
  --query 'Stacks[0].Outputs'
```

This creates two SNS topics:
- SecurityFindings: For security-related alerts (IAM, S3, RDS, etc.)
- FinOps: For cost management and optimization alerts

Configure your Lambda functions with these environment variables:
- SNS_TOPIC_ARN: Use SecurityFindingsTopicArn for security scripts
- SNS_TOPIC_ARN: Use FinOpsTopicArn for cost monitoring scripts
```bash
# Clone the repository
git clone https://github.com/TocConsulting/aws-helper-scripts.git
cd aws-helper-scripts

# Run any CLI script
cd aws-cost-monitor/
python aws_cost_monitor_cli.py --threshold 1000

# Check for public S3 buckets
cd check-public-s3/
python check_public_s3_cli.py

# Deploy Lambda versions (serverless automation)
cd aws-cost-monitor-lambda/
./deploy.sh dev --guided # First time deployment
./deploy.sh prod # Subsequent deployments

# Deploy any Lambda function
cd check-public-s3-lambda/
sam build && sam deploy --guided
```

- Compliance Auditing: Automated AWS security posture assessment
- Vulnerability Management: Identify public resources and misconfigurations
- Access Control: Monitor IAM configurations and MFA compliance
- Cost Optimization: Track spending patterns and identify waste
- Resource Management: Inventory and optimize cloud resources
- Automation: Integrate scripts into existing workflows
- Infrastructure Auditing: AWS resource configuration assessment
- Compliance Monitoring: Automated security and compliance checks
- Resource Optimization: Identify and clean up unused resources
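The "bucket policy analysis" that the Public S3 Bucket Scanner row describes comes down to two questions: does any Allow statement grant to the anonymous principal, and does the bucket's Public Access Block neutralise that grant? The following is an added illustration of that logic, not the repository's own `check_public_s3_cli.py`. It works on a policy document you already have in hand (for a live bucket you would fetch it with `get_bucket_policy` and `get_public_access_block` from boto3); the `SAMPLE_POLICY`, bucket name, account id and VPC endpoint id are constructed for the demonstration.

```python
import json

# Constructed sample bucket policy (not from the repository): one anonymous
# read grant, one anonymous grant narrowed by a condition, one account-scoped grant.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _grants_to_anyone(principal):
    """True when a Principal element names the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def classify_statements(policy):
    """Map each Allow statement's Sid to one of three verdicts.

    'public'             anonymous principal, no Condition: reachable by anyone.
    'public-conditional' anonymous principal but a Condition is present; whether it
                         is internet-reachable depends on the condition keys, so it
                         is flagged for human review rather than silently accepted.
    'scoped'             principal is a specific account, role or user.
    Deny statements are not considered here.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    verdicts = {}
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        if not _grants_to_anyone(stmt.get("Principal")):
            verdicts[sid] = "scoped"
        elif stmt.get("Condition"):
            verdicts[sid] = "public-conditional"
        else:
            verdicts[sid] = "public"
    return verdicts


def effective_exposure(policy, public_access_block=None):
    """Combine the policy verdicts with the bucket's Public Access Block settings.

    With RestrictPublicBuckets enabled, S3 ignores public bucket-policy grants for
    anonymous and cross-account principals, so the bucket is reported as 'blocked'
    even though the policy text itself is public.
    """
    pab = public_access_block or {}
    if pab.get("RestrictPublicBuckets"):
        return "blocked"
    verdicts = classify_statements(policy).values()
    if "public" in verdicts:
        return "public"
    if "public-conditional" in verdicts:
        return "review"
    return "private"


if __name__ == "__main__":
    print(json.dumps(classify_statements(SAMPLE_POLICY), indent=2))
    print("exposure without PAB:", effective_exposure(SAMPLE_POLICY))
    print("exposure with RestrictPublicBuckets:",
          effective_exposure(SAMPLE_POLICY, {"RestrictPublicBuckets": True}))
```

The "review" verdict is deliberate: a `Principal: "*"` statement behind an `aws:SourceVpce` or `aws:SourceIp` condition is a common pattern, and whether it is actually exposed depends on values a policy parser cannot judge on its own.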
IMPORTANT: This repository includes 14 Lambda versions of the CLI tools for automated, serverless execution. All Lambda deployments use AWS SAM.
Every *-lambda/ folder in this repository uses AWS SAM for deployment:
Required Tools:
```bash
# AWS SAM CLI (MANDATORY for Lambda deployments)
pip install aws-sam-cli

# Verify installation
sam --version

# Alternative installation methods:
# macOS: brew install aws-sam-cli
# Windows: choco install aws-sam-cli
# Linux: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-sam-cli.html
```

Each Lambda folder contains:
- template.yaml - SAM CloudFormation template
- deploy.sh - Automated deployment script
- samconfig.toml - SAM configuration file
- lambda_function.py - Lambda handler code
- requirements.txt - Python dependencies

Standard Deployment:

```bash
# Navigate to any Lambda folder
cd aws-cost-monitor-lambda/

# First-time deployment (creates S3 bucket, configures region)
./deploy.sh dev --guided

# Production deployment
./deploy.sh prod

# Manual SAM deployment (alternative)
sam build
sam deploy --guided --stack-name my-stack-name
```

All Lambda functions use this SAM template pattern:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, staging, prod]
  Schedule:
    Type: String
    Default: "cron(0 9 * * ? *)"   # CloudWatch Events schedule
Resources:
  FunctionName:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: .                    # lambda_function.py sits beside template.yaml
      Runtime: python3.13
      Handler: lambda_function.lambda_handler
      Events:
        ScheduledTrigger:
          Type: Schedule
          Properties:
            Schedule: !Ref Schedule
```

All Lambda functions include:
- CloudWatch Events scheduling (cron expressions)
- Environment-specific parameters (dev/staging/prod)
- IAM roles with least privilege permissions
- SNS integration for notifications
- Structured logging to CloudWatch
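To make the handler pattern above concrete (`Handler: lambda_function.lambda_handler`, the `SNS_TOPIC_ARN` environment variable from the SNS topics stack, structured logging to CloudWatch), here is an added example of a handler in the shape of the IAM MFA Checker. It is illustrative code written for this README and not the repository's own `lambda_function.py`; it assumes the function's role may call `iam:ListUsers`, `iam:GetLoginProfile`, `iam:ListMFADevices`, `sts:GetCallerIdentity` and `sns:Publish`. The `FakeIam` class and its three users are constructed so the check can be run and tested without AWS credentials; boto3 is only imported inside `lambda_handler`.

```python
import json
import logging
import os

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def users_without_mfa(iam):
    """Return the sorted names of console-enabled IAM users that have no MFA device.

    `iam` is any object exposing the boto3 IAM client calls used here
    (get_paginator, get_login_profile, list_mfa_devices, exceptions), so the
    constructed FakeIam below can stand in for a real client offline.
    """
    findings = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            # Only users with a login profile can sign in to the console;
            # access-key-only users are out of scope for a console MFA check.
            try:
                iam.get_login_profile(UserName=name)
            except iam.exceptions.NoSuchEntityException:
                continue
            if not iam.list_mfa_devices(UserName=name)["MFADevices"]:
                findings.append(name)
    return sorted(findings)


def build_report(findings, account_id="unknown"):
    """Structured finding: written to CloudWatch Logs and, when non-empty, published to SNS."""
    return {
        "check": "iam-users-without-mfa",
        "account": account_id,
        "count": len(findings),
        "users": list(findings),
        "severity": "HIGH" if findings else "INFO",
    }


def lambda_handler(event, context):
    """Entry point matching Handler: lambda_function.lambda_handler in the SAM template."""
    import boto3  # imported lazily so the module imports (and tests) without boto3 installed

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    report = build_report(users_without_mfa(boto3.client("iam")), account_id)
    logger.info(json.dumps(report))  # one JSON line per run for CloudWatch Logs Insights
    topic_arn = os.environ.get("SNS_TOPIC_ARN")  # SecurityFindingsTopicArn from the SNS stack
    if report["users"] and topic_arn:
        boto3.client("sns").publish(
            TopicArn=topic_arn,
            Subject=f"[{account_id}] {report['count']} IAM user(s) without MFA",
            Message=json.dumps(report, indent=2),
        )
    return report


# --- Constructed stand-in for the IAM client (sample data, not a real account) ---
class _NoSuchEntity(Exception):
    pass


class _Pages:
    def __init__(self, users):
        self._users = users

    def paginate(self):
        yield {"Users": [{"UserName": u} for u in self._users]}


class FakeIam:
    """Three sample users: alice (console + MFA), bob (console, no MFA),
    deploy-bot (access keys only, so no login profile)."""

    class exceptions:
        NoSuchEntityException = _NoSuchEntity

    _users = {
        "alice": {"console": True, "mfa": True},
        "bob": {"console": True, "mfa": False},
        "deploy-bot": {"console": False, "mfa": False},
    }

    def get_paginator(self, operation):
        assert operation == "list_users"
        return _Pages(self._users)

    def get_login_profile(self, UserName):
        if not self._users[UserName]["console"]:
            raise _NoSuchEntity(UserName)
        return {"LoginProfile": {"UserName": UserName}}

    def list_mfa_devices(self, UserName):
        if self._users[UserName]["mfa"]:
            return {"MFADevices": [{"SerialNumber": f"arn:aws:iam::123456789012:mfa/{UserName}"}]}
        return {"MFADevices": []}


if __name__ == "__main__":
    print(json.dumps(build_report(users_without_mfa(FakeIam()), "123456789012"), indent=2))
```

Keeping the scan logic in `users_without_mfa(iam)` with the client passed in is what makes the function testable offline and reusable by a CLI variant; the handler itself only wires up clients, logging and the SNS publish.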
Example scheduled execution:
```bash
# Deploy with custom schedule (daily at 6 AM)
sam deploy --parameter-overrides Schedule="cron(0 6 * * ? *)"
```

Most scripts support configuration through:
- Environment Variables: Set AWS regions, thresholds, etc.
- Command Line Arguments: Customize behavior per execution
- SAM Parameters: Configure Lambda deployment settings
- Configuration Files: JSON/YAML configs for complex setups
Example configuration:
```bash
export AWS_REGION=us-west-2
export COST_THRESHOLD=500
export ALERT_EMAIL=admin@company.com
```

```yaml
# GitHub Actions example
- name: AWS Security Audit
  run: |
    python check-public-s3/check_public_s3_cli.py
    python check-iam-users-no-mfa/check_iam_users_no_mfa_cli.py
```

```bash
# Cron job for daily cost monitoring
0 8 * * * cd /opt/aws-helper-scripts/aws-cost-monitor && python aws_cost_monitor_cli.py
```

- IAM Permissions: Scripts use least-privilege AWS permissions
- Credential Management: Support for IAM roles and credential files
- Audit Logging: All scripts log their activities
- Safe Defaults: Conservative settings to prevent accidental changes
Scripts support multiple output formats:
- Console: Human-readable colored output
- JSON: Machine-readable structured data (where applicable)
- CSV: Spreadsheet-compatible format (where applicable)
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Submit a pull request
- Follow existing code style and patterns
- Include comprehensive error handling
- Add documentation and examples
- Test across multiple AWS regions/accounts
Each script includes:
- Individual README: Detailed usage instructions
- Configuration Options: All available parameters
- Example Outputs: Sample results and formats
- Troubleshooting: Common issues and solutions
- Issues: Report bugs via GitHub Issues
- Discussions: Feature requests and questions
- Wiki: Additional documentation and examples
This project follows semantic versioning. Check the releases page for version history and changelog.
MIT License - See LICENSE file for details.
⭐ Star this repository if you find it useful! ⭐
Made with ❤️ for the DevOps and Security community
