Read-only AWS audit CLI.
pip install kulshan
kulshan reportOne command. One report. Zero writes to your AWS account.
Documentation | IAM Policy | Changelog
Ten read-only audit packs in one CLI. Cost anomalies, security posture, waste detection, DR gaps, drift, tag compliance, observability blind spots, quota headroom, and network topology - scored 0-100, exportable as HTML, JSON, SARIF, or CSV.
Reads your Cost Explorer data and your own CUR/Data Export Parquet files in place. No data leaves your machine. No SaaS account. No telemetry. Nothing to opt out of, because nothing exists.
- Does not write to AWS. The IAM policy contains only Get, List, and Describe actions.
- Does not phone home. No telemetry, no update checks, no analytics.
- Does not require infrastructure. No databases, no containers, no SaaS.
- Does not hold credentials. Uses the same credential chain as the AWS CLI.
pip install kulshanPython 3.9+. macOS, Linux, Windows. Optional extras: kulshan[mcp], kulshan[pdf], kulshan[excel], kulshan[pptx], or kulshan[all].
| Pack | What it watches |
|---|---|
cost |
Anomalies (z-score, IQR, MAD), commitment gaps, spend acceleration, forecasts |
security |
IAM, encryption, network exposure, logging, public access, GuardDuty |
sweep |
Orphaned volumes, unused EIPs, idle LBs, detached ENIs, empty repos |
dr |
Backup coverage, single-AZ, single points of failure, missing replication |
age |
EOL runtimes, expiring certs, stale AMIs, outdated engines |
drift |
CloudFormation drift, IaC coverage, severity classification |
tag |
Missing required tags, unattributed spend, key inconsistencies |
pulse |
Alarm gaps, missing metric filters, blind spots |
limit |
Quota headroom, at-limit services, scaling risk |
topo |
CIDR overlaps, route integrity, peering issues, TGW misconfigs |
kulshan report # cost only (default, ~$0.15)
kulshan report --packs security,sweep # specific packs (free APIs)
kulshan report --packs all --regions us-east-1 # full diagnosticRead-only by construction, not read-only by default. There is no cleanup mode to leave off, no write path to enable. The published IAM policy contains zero actions that create, modify, or delete AWS resources.
- 159 read-only actions, zero write actions. Read every line.
- Reports stay on your machine
- No telemetry, no phone-home
- Open source: Apache 2.0. IAM policy additionally CC BY 4.0.
kulshan preflight # Check credentials and permissions
kulshan report # Cost baseline (default)
kulshan report -o report.html # HTML report
kulshan report --packs all --regions us-east-1 --deep # Full deep scan
kulshan history # Past scans
kulshan workspace list # All environments
kulshan workspace reconcile # Link shared-payer environments
kulshan shell # Interactive REPL
kulshan mcp-serve # MCP server for AI agentsKulshan is the Lummi name for the mountain known colonially as Mt. Baker, meaning "great white watcher." The mountain is visible from Mission, BC and is an active volcano in the Cascade Range. We acknowledge the Lummi and Nooksack peoples as the original namers of this mountain.
Mission FinOps - open-source AWS audit tooling.
Apache 2.0. Free and open source forever.