Multi-cloud compliance evidence collector for AWS, GCP, and Azure.
Connect to your cloud environment, select what to collect, and receive a packaged ZIP of evidence mapped to NIST 800-53 controls — ready for audits, assessments, and POA&Ms.
Crafted by networkbm
| Category | Evidence |
|---|---|
| IAM | Users, roles, MFA status, access keys, service accounts |
| Network | VPCs, security groups, firewall rules, flow logs |
| Storage | S3/GCS/Azure buckets, EBS volumes, RDS instances, encryption status |
| Compute | EC2/GCE/VMs, load balancers, auto scaling groups |
| Logging | CloudTrail, CloudWatch, AWS Config, GCP log sinks, Azure diagnostics |
| Encryption | KMS keys, key rotation status, Azure Key Vaults |
| Monitoring | GuardDuty, CloudWatch alarms, GCP SCC, Azure Defender |
| Vulnerability | Inspector2, ECR scans, SSM patch compliance |
| Backup | AWS Backup plans, RDS backup config, GCP snapshots, Azure Recovery vaults |
- Python 3.9+
- Git
```bash
git clone https://github.com/networkbm/cloudgrc.git
cd cloudgrc
pip install -r requirements.txt
python cloudgrc.py
```

No cloud credentials? Run in demo mode to see the full flow with sample data:

```bash
python cloudgrc.py --demo
```
The easiest way to use CloudGRC is directly from your cloud provider's shell — credentials are automatically configured, no setup needed.
- Open the AWS Console and click the CloudShell icon in the top navigation bar
- Clone and install:
  ```bash
  git clone https://github.com/networkbm/cloudgrc.git
  cd cloudgrc
  pip install -r requirements.txt
  ```
  `boto3` is pre-installed in AWS CloudShell — `pip install -r requirements.txt` will skip it if already present.
- Run:
  ```bash
  python cloudgrc.py
  ```
- Select AWS and choose your evidence categories
- When collection finishes, download the ZIP:
  - Click Actions → Download file in the CloudShell toolbar
  - Enter the path shown at the end of the run (e.g. `cloudgrc/cloudgrc_evidence_20260426_143022.zip`)
- Open the GCP Console and click the Activate Cloud Shell button in the top right
- Clone and install:
  ```bash
  git clone https://github.com/networkbm/cloudgrc.git
  cd cloudgrc
  pip install -r requirements.txt
  ```
- Run:
  ```bash
  python cloudgrc.py
  ```
- Select GCP and choose your evidence categories
- Download the ZIP using the Cloud Shell file browser (Open Editor → navigate to the file → right-click → Download)
- Open the Azure Portal and click the Cloud Shell icon in the top navigation bar. Select Bash when prompted.
- Clone and install:
  ```bash
  git clone https://github.com/networkbm/cloudgrc.git
  cd cloudgrc
  pip install --user -r requirements.txt
  ```
- Run:
  ```bash
  python cloudgrc.py
  ```
- Select Azure and choose your evidence categories
- Download the ZIP using the Cloud Shell toolbar: Upload/Download files → Download → enter the ZIP path
Every run produces a timestamped directory and ZIP:
```
cloudgrc_evidence_20260426_143022/
├── aws/
│   ├── iam.json
│   ├── storage.json
│   └── ...
├── MANIFEST.json
cloudgrc_evidence_20260426_143022.zip
```
Each JSON file contains:
- `metadata` — category, cloud provider, NIST 800-53 controls, timestamp
- `data` — raw collected evidence
- `errors` — any API permission errors encountered during collection
MANIFEST.json is an index of every file collected, the cloud it came from, and its category.
After collection, CloudGRC automatically analyzes the evidence and flags suspicious configurations mapped to NIST 800-53 controls. Examples:
| Severity | Finding | Control |
|---|---|---|
| HIGH | MFA not enabled on IAM user | IA-2(1) |
| HIGH | EBS volume not encrypted | SC-28 |
| HIGH | GuardDuty not enabled | SI-4 |
| MEDIUM | Access key older than 90 days | IA-5 |
| MEDIUM | CloudTrail log retention under 1 year | AU-11 |
| LOW | S3 bucket versioning suspended | CP-9 |
Findings are displayed inline at the end of every run and are referenced by the resource name and JSON file for easy evidence lookup.
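As an added illustration of how findings can be derived from the per-file JSON layout described above, this script (not CloudGRC's own analysis code) applies the MFA and access-key-age checks from the findings table to a constructed IAM evidence file; the `metadata`/`data`/`errors` layout follows the README, while the field names under `data` and the `age_days`/`source` fields are assumptions for this example.

```python
import json
from datetime import datetime

# Constructed sample evidence in the per-file layout the README describes
# (metadata / data / errors). The field names inside "data" are assumptions
# for this example, not CloudGRC's actual schema.
IAM_EVIDENCE = json.dumps({
    "metadata": {"category": "iam", "cloud": "aws",
                 "controls": ["IA-2(1)", "IA-5"],
                 "timestamp": "2026-04-26T14:30:22Z"},
    "data": {"users": [
        {"UserName": "alice", "mfa_enabled": True, "access_keys": [
            {"AccessKeyId": "AKIA_CONSTRUCTED_1", "CreateDate": "2026-03-01T00:00:00Z"}]},
        {"UserName": "bob", "mfa_enabled": False, "access_keys": [
            {"AccessKeyId": "AKIA_CONSTRUCTED_2", "CreateDate": "2025-10-01T00:00:00Z"}]},
    ]},
    "errors": ["AccessDenied: iam:GetCredentialReport"],
})

def _ts(value):
    # Python 3.9's fromisoformat does not accept a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def analyze_iam(evidence_json, source="aws/iam.json", max_key_age_days=90):
    """Apply two of the README's IAM checks to one evidence file.
    Key age is measured at collection time (metadata.timestamp) so the result is
    reproducible from the ZIP alone; collection errors are returned too, because
    a denied API call means the evidence for that category is incomplete."""
    doc = json.loads(evidence_json)
    collected_at = _ts(doc["metadata"]["timestamp"])
    findings = []
    for user in doc["data"].get("users", []):
        if not user.get("mfa_enabled"):
            findings.append({"severity": "HIGH", "finding": "MFA not enabled on IAM user",
                             "control": "IA-2(1)", "resource": user["UserName"],
                             "source": source})
        for key in user.get("access_keys", []):
            age = (collected_at - _ts(key["CreateDate"])).days
            if age > max_key_age_days:
                findings.append({"severity": "MEDIUM",
                                 "finding": f"Access key older than {max_key_age_days} days",
                                 "control": "IA-5", "resource": key["AccessKeyId"],
                                 "age_days": age, "source": source})
    return {"findings": findings, "errors": doc.get("errors", [])}

if __name__ == "__main__":
    result = analyze_iam(IAM_EVIDENCE)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['finding']} | {f['control']} | {f['resource']} ({f['source']})")
```

Each finding carries the resource name and the source file, matching how the README says findings are referenced for evidence lookup.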
If you are not running inside a cloud shell, configure credentials before running CloudGRC.
AWS:

```bash
aws configure
# Enter: AWS Access Key ID, Secret Access Key, default region (e.g. us-east-1), output format (json)
```

Or set environment variables directly:

```bash
export AWS_ACCESS_KEY_ID=your_key
export AWS_SECRET_ACCESS_KEY=your_secret
export AWS_DEFAULT_REGION=us-east-1
```

GCP:

```bash
gcloud auth application-default login
# Opens a browser — sign in with the account that has Viewer access to your project
```

Then set your project:

```bash
gcloud config set project YOUR_PROJECT_ID
```

Azure:

```bash
az login
# Opens a browser — sign in with the account that has Reader access to the subscription
```

CloudGRC requires read-only access to your cloud environment. No changes are made.
AWS — Attach the ReadOnlyAccess managed policy to the IAM user or role running the tool.
GCP — Assign the Viewer role (roles/viewer) plus roles/securitycenter.findingsViewer on the project.
Azure — Assign the Reader role on the subscription scope.
ModuleNotFoundError — Run pip install -r requirements.txt again or use pip install --user -r requirements.txt on Azure Cloud Shell.
No cloud credentials detected — Make sure you are running inside the correct cloud shell or have credentials configured in your environment:
- AWS: `aws configure` or set `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`
- GCP: `gcloud auth application-default login`
- Azure: `az login`
Permission errors in output — The tool logs these under errors in each JSON file and continues. Attach the appropriate read-only policy to your account and re-run.