AWS Default SG Audit
Fleet audit for AWS Security Hub control EC2.2 ("VPC default security groups
should not allow inbound or outbound traffic"), with a remediation-safety
verdict per default security group. A single read-only scan method fans out
over profiles × regions in one execution, emitting one finding per VPC
default security group (rule counts, referencing ENIs, and a verdict of
compliant / safe_to_remediate / in_use_needs_migration).
Each (profile, region) that cannot be assessed — an expired SSO token, an
SCP-denied region, a malformed response — becomes one scan_error row instead
of aborting the sweep.
Read-only: only Describe* and sts:GetCallerIdentity are called. Pairs with
the companion report @jentz/aws-default-sg-audit-report for an operator
worklist (safe-to-strip vs needs-migration, plus coverage gaps).
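The verdict logic the description outlines, as an added example (not the package's own code): it takes boto3-shaped DescribeSecurityGroups / DescribeNetworkInterfaces data for one (profile, region) cell, emits one finding per default security group, and turns a failing cell into a scan_error row rather than aborting. The sample data, the `fetch` callable and the three-way verdict rule (no rules: compliant; rules but no referencing ENIs: safe_to_remediate; referenced ENIs: in_use_needs_migration) are assumptions made here, not taken from the package.

```python
def verdict_for_default_sg(sg, enis):
    """Classify one VPC default security group against EC2.2."""
    inbound = len(sg.get("IpPermissions", []))
    outbound = len(sg.get("IpPermissionsEgress", []))
    # ENIs whose Groups list names this SG are what a rule strip would cut off.
    attached = [e["NetworkInterfaceId"] for e in enis
                if any(g.get("GroupId") == sg["GroupId"] for g in e.get("Groups", []))]
    if inbound == 0 and outbound == 0:
        verdict = "compliant"               # no rules: already passes EC2.2
    elif not attached:
        verdict = "safe_to_remediate"       # rules present, nothing references the SG
    else:
        verdict = "in_use_needs_migration"  # workloads must move off the default SG first
    return {"vpc_id": sg["VpcId"], "group_id": sg["GroupId"],
            "inbound_rules": inbound, "outbound_rules": outbound,
            "referencing_enis": attached, "verdict": verdict}

def scan(profile, region, fetch):
    """One (profile, region) cell: one finding per default SG, or one scan_error row."""
    try:
        sgs, enis = fetch(profile, region)   # stands in for two read-only Describe* calls
    except Exception as exc:                 # expired token, SCP-denied region, bad response
        return [{"profile": profile, "region": region,
                 "scan_error": f"{type(exc).__name__}: {exc}"}]
    return [{"profile": profile, "region": region, **verdict_for_default_sg(sg, enis)}
            for sg in sgs if sg.get("GroupName") == "default"]

def sweep(profiles, regions, fetch):
    """Fan out over profiles x regions; a failing cell never aborts the rest."""
    return [row for p in profiles for r in regions for row in scan(p, r, fetch)]

# Constructed sample data (assumed) shaped like DescribeSecurityGroups / DescribeNetworkInterfaces.
ANY_RULE = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
SAMPLE = {
    ("prod", "us-east-1"): (
        [{"GroupId": "sg-0a", "GroupName": "default", "VpcId": "vpc-1",
          "IpPermissions": [], "IpPermissionsEgress": []},
         {"GroupId": "sg-0b", "GroupName": "default", "VpcId": "vpc-2",
          "IpPermissions": [], "IpPermissionsEgress": [ANY_RULE]}],
        [{"NetworkInterfaceId": "eni-01", "Groups": [{"GroupId": "sg-0b"}]}]),
    ("prod", "us-west-2"): (
        [{"GroupId": "sg-0d", "GroupName": "default", "VpcId": "vpc-3",
          "IpPermissions": [ANY_RULE], "IpPermissionsEgress": [ANY_RULE]}], []),
}

def fake_fetch(profile, region):
    if region == "eu-north-1":   # simulate a region an SCP denies
        raise PermissionError("UnauthorizedOperation")
    return SAMPLE[(profile, region)]
```

Calling `sweep(["prod"], ["us-east-1", "us-west-2", "eu-north-1"], fake_fetch)` yields three findings (one per verdict class) plus one scan_error row for the denied region.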
Global Arguments
| Argument | Type | Description |
|---|---|---|
| profiles | array | Named AWS profiles to sweep, one account each. Empty (default) uses the |
| regions | array | Regions to scan per account. Empty (default) discovers each account's |
| requiredProfileSuffix | string | If set, every profile (and the ambient AWS_PROFILE) must end with this |