If you discover a potential security issue in this project, we ask that you notify AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com.
Please do not create a public GitHub issue for security vulnerabilities.
CryptaMap is a read-only discovery tool: it enumerates cryptographic configuration metadata across AWS services and emits a CycloneDX CBOM + a PQC (post-quantum) readiness report. By design it:
- makes only read/describe/list API calls in its scanners (the least-privilege
IAM policy it ships, generated by
cmd/gen-policy, contains only read actions plus two resource-scoped writes used solely by the org orchestrator (s3:PutObjectto the results bucket anddynamodb:PutItemto the scans table); live Security Hub import is not carried in this release — ASFF is a local export only); - never transmits customer scan data off the customer's account — output is written locally (or to a customer-owned S3 bucket in org mode);
- ships no real account data. The dashboard's demo data is generated
synthetically (
cmd/gen-dashboard-mock); CI fails the build on any committed real AWS account ID, ARN, bucket name, or private key.
The CBOM and reports CryptaMap produces describe your cryptographic posture and may be sensitive. Treat them as you would any security finding: store them in a controlled location and do not commit them to public source control. The default deployment model keeps results within your AWS account and region.
CryptaMap is distributed as source you build yourself — there is no prebuilt
or signed release artifact (see docs/INSTALL.md).
Security fixes are applied to the main branch; build and run from the latest main.