AWS provides the tools for security.
CloudSploit helps you use them correctly.

Adhering to security best practices can be difficult and time consuming, especially in large environments.

Free Your Developers

Auditing AWS account security can consume hours of developer time each week. CloudSploit automates the detection of risks on a continuous basis.

Make Compliance a Priority

The scan reports generated by CloudSploit can be used to quickly assess risk, plan for remediation, and audit changes over time. Legal's happy. You're happy.

Protect Your Customers

Misconfigurations put your customers' data and your business at risk. Look what happened to Code Spaces. CloudSploit detects these risks before they are exploited.

Detect Risks in Every AWS Region

Many attackers who gain access to an AWS account embed themselves in unused regions to avoid detection. CloudSploit scans every public AWS region, even the ones you don't actively use.

  • CloudTrail & Config Service
  • Elastic Compute Cloud (EC2)
  • Identity and Access Management (IAM)
  • Virtual Private Cloud (VPC)
  • Relational Database Service (RDS)
  • + many more ...

Fix Issues and Follow Up

A security tool isn't much good if it doesn't help fix the problems it finds. Every CloudSploit scan report includes in-depth remediation steps. Don't just detect risks; fix them and continually reassess.

Add Unlimited Users and Accounts

There are no limits on the number of active CloudSploit users and connected AWS accounts - even in our Free Plan. Collaborate with your team, share scan reports, and protect all of your AWS infrastructure.

Integrate via API

Access all of CloudSploit's tools and functionality via API. Connect with CI/CD environments, custom scripts, and more.


How it Works

No agents to run; setup in minutes.

  1. Create a secure, cross-account IAM role

     Cross-account IAM roles allow CloudSploit to query the AWS API on behalf of your account.

  2. Give the role read-only permissions

     CloudSploit never requires write access to your account. Simply use the built-in AWS Security Audit policy.

  3. Connect your role to CloudSploit

     It takes less than a minute to connect a new role through the CloudSploit dashboard.

  4. Begin scanning

     You can initiate on-demand scans immediately or enable continuous, background scanning.



Easy to Use

Setup in minutes with nothing to install and no infrastructure to manage.

Browser Based

CloudSploit can run entirely in your browser and output results for download.

Email Summaries

Receive email summaries with risk counts and new discoveries for every scan.

Region Hotmaps

Quickly detect issues and severity with CloudSploit's global region hotmap of detected risks.

Unlimited Users

Add as many users as you need to share results, reports and scan details. Even in our free plans.

Downloadable Reports

Export formatted reports as CSV for safe-keeping, auditing, and sharing.

Custom Signatures

Write your own private tests and checks specific to your environment for even more customized results.


Easily suppress false positives, unused resources, specific checks, or entire regions.

Results Search

Search for specific resources, tests, or keywords across all accounts and reports.

Archived Results

Scan results can be stored for up to six months for historical analysis and auditing.


Set up custom Slack, Email, and SNS alerts for specific tests and results.

Auditing Tools

CloudSploit tools highlight expiring SSL certificates, at-risk IAM users, and more.


A Secure and Reliable Platform

Our modern, open source scanning engine is fully auditable and open for community contributions.

Safe & Secure

CloudSploit scans require read-only permissions to your account with secure cross-account roles.


The CloudSploit plugin database is continually updated with the latest AWS services.


CloudSploit scans make the fewest API calls necessary to make an accurate prediction of security.


Save hundreds of developer-hours with our low-cost plans.


$0 /month/AWS account


  • unlimited on-demand scans
  • unlimited users
  • unlimited stored accounts


$ 717
*when paid annually
or $8 paid monthly

  • unlimited on-demand scans
  • unlimited users
  • unlimited stored accounts
  • Auto scan every 36 hours
  • Scan and risk email alerts
  • 3 months of saved results
  • Downloadable scan reports
  • Searchable results
Best for Businesses!


$ 3600
*when paid annually
or $40 paid monthly

  • unlimited on-demand scans
  • unlimited users
  • unlimited stored accounts
  • Auto scan every 6 hours
  • Scan and risk email alerts
  • 6 months of saved results
  • Downloadable scan reports
  • Searchable results
  • Enable custom plugins
  • Unlimited sub-teams


$ 9900
*when paid annually
or $110 paid monthly

  • unlimited on-demand scans
  • unlimited users
  • unlimited stored accounts
  • Auto scan every 1 hour
  • Scan and risk email alerts
  • 14 months of saved results
  • Downloadable scan reports
  • Searchable results
  • Enable custom plugins
  • Unlimited sub-teams
  • Real-time events stream
  • Powerful API Access
  • SAML 2.0 Login
  • Assigned technical resource


Frequently Asked Questions

Our support team can answer any other questions that our help page can't.

Is CloudSploit safe to use?

Absolutely. CloudSploit only needs read-only access to your resources, never stores account information for on-demand scans, and supports secure cross-account IAM roles for access.

Can CloudSploit make changes to my account?

No. CloudSploit's scans are passive consumers of AWS API responses and do not modify or delete an account's contents in any way. Regardless, the cross-account IAM role you create for CloudSploit should only use read-only permissions.

Which services does CloudSploit scan?

CloudSploit has multiple plugins for almost all AWS services that require security checks: CloudTrail, Config Service, EC2, ELB, IAM, KMS, RDS, Route53, S3, and VPC. Additional checks are constantly being added as AWS releases more services.

What part of CloudSploit is open-source?

Our entire scanning engine, which is responsible for querying the AWS APIs and interpreting the responses, is open-source. Additionally, all of the individual plugins for various AWS services are open-source as well. You can view both on GitHub.

Ready to test your security?

Sign up and begin scanning for free within minutes. No obligation.
