Waypoint Compliance Advisory | waypointca.com
Practical Python scripts for automating federal compliance evidence collection and security controls. Designed for defense contractors and organizations pursuing CMMC, FedRAMP, or NIST 800-171 compliance.
| Script | Purpose | NIST Control |
|---|---|---|
01_evidence_collection.py |
Collect AWS security group configs | AC-4 (Information Flow) |
02_ai_decision_logger.py |
Log AI model decisions for audit | AU-2, AU-3 (Audit Events) |
03_audit_decorator.py |
Auto-log who did what when | AU-2, AU-3 (Audit Events) |
04_secrets_scanner.py |
Find hardcoded secrets in code | SC-28 (Protection at Rest) |
05_iam_auditor.py |
Audit IAM users against approved list | AC-2 (Account Management) |
06_aws_security_audit.sh |
AWS multi-control quick audit (bash) | AC-2, AU-2, SC-7, SC-28, IA-5 |
-
Install AWS CLI:
# macOS brew install awscli # Windows choco install awscli # Linux curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" unzip awscliv2.zip && sudo ./aws/install
-
Configure credentials:
aws configure # Enter your Access Key ID, Secret Access Key, region, and output format -
Install boto3 (for scripts 01 and 05; script 06 uses the AWS CLI directly):
pip install boto3
No external dependencies - uses Python standard library only.
python 01_evidence_collection.py
# Creates: ./evidence/evidence_ac4_YYYYMMDD_HHMMSS.jsonfrom 02_ai_decision_logger import AIDecisionLogger logger = AIDecisionLogger("./logs") logger.log_decision( model_name="my_model", input_data={"user": "123"}, output="approved", confidence=0.95 )
from 03_audit_decorator import audit_log @audit_log("accessed_sensitive_data") def my_function(): # Your code here pass
python 04_secrets_scanner.py ./your-code-directory
# First, create approved_users.json: { "users": ["admin", "developer1", "ci-service"], "last_reviewed": "2025年01月08日", "reviewed_by": "security-team" } # Then run: python 05_iam_auditor.py approved_users.json
# Run against the default AWS profile ./06_aws_security_audit.sh # Or specify a profile ./06_aws_security_audit.sh production
Checks performed:
- IAM users without MFA enabled
- Root account access keys
- Security groups with
0.0.0.0/0ingress - S3 buckets missing a public access block
- CloudTrail multi-region and log validation status
- GuardDuty enablement
- Unencrypted EBS volumes
- Unencrypted RDS instances
- IAM password policy configuration
Read-only checks. No state is modified.
Add the secrets scanner to your pipeline:
# GitHub Actions example - name: Scan for secrets run: python scripts/04_secrets_scanner.py ./src
- Evidence collection - Files contain configuration data; store securely
- AI logger - Hashes input data by default to protect sensitive information
- Audit decorator - Does not log function arguments to avoid capturing sensitive data
- Secrets scanner - Basic pattern matching; use alongside dedicated tools like trufflehog or git-secrets
- IAM auditor - Requires read-only IAM permissions; use least-privilege credentials
- AWS security audit - Read-only multi-service audit; output may include account-identifying info, redact before sharing
MIT License - Use freely, attribution appreciated.
GitHub: github.com/WaypointCA/compliance-scripts
Built by Waypoint Compliance Advisory, a Service-Disabled Veteran-Owned Small Business providing cybersecurity compliance consulting for federal contractors.
- CMMC 2.0 Assessments
- FedRAMP Consulting
- Security Assessments
- Fractional CISO Services
Questions? Book a free consultation