Security

Cloud config posture scorer (CIS-style) API

Scores a provided (flattened) cloud account config against 10 CIS-style controls (S3 public-access-block, default encryption, CloudTrail + log-file validation, root MFA, IAM MFA enforcement, no root access keys, key rotation <=90d, EBS default encryption, VPC flow logs, IAM Access Analyzer) using transparent per-control weights. Returns per-control pass/fail findings with severity and remediation, plus a 0-100 weighted posture score. Only the config submitted in the request is evaluated; the API has no live cloud access. Answers 'Does my AWS config meet CIS?' and 'Which controls am I failing?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/cloud-config
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, cloud, cis, aws, posture, compliance, audit, scoring
API URL: https://x402.hexl.dev/v1/security/cloud-config
Example request
{
  "config": {
    "s3PublicAccessBlock": false,
    "s3DefaultEncryption": true,
    "cloudTrailEnabled": true,
    "cloudTrailLogValidation": false,
    "rootMfaEnabled": false,
    "iamMfaEnforced": true,
    "rootAccessKeysPresent": true,
    "maxKeyAgeDays": 120,
    "ebsEncryptionDefault": true,
    "vpcFlowLogsEnabled": true,
    "accessAnalyzerEnabled": false
  }
}
Example response
{
  "score": 43,
  "grade": "F",
  "controlsEvaluated": 11,
  "controlsPassed": 5,
  "controlsFailed": 6,
  "criticalFindings": 3,
  "findings": [
    {
      "control": "CIS-2.1.1",
      "title": "S3 account-level Public Access Block enabled",
      "status": "fail",
      "severity": "critical",
      "weight": 14,
      "remediation": "Enable s3:PutPublicAccessBlock (BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) at the account level."
    },
    {
      "control": "CIS-1.5",
      "title": "MFA enabled for the root account",
      "status": "fail",
      "severity": "critical",
      "weight": 14,
      "remediation": "Enable hardware or virtual MFA on the root user and lock the credentials away."
    },
    {
      "control": "CIS-1.4",
      "title": "No active root access keys",
      "status": "fail",
      "severity": "critical",
      "weight": 11,
      "remediation": "Delete any root access keys; root should never have programmatic keys."
    }
  ]
}
Input schema
{
  "type": "object",
  "required": [
    "config"
  ],
  "properties": {
    "config": {
      "type": "object",
      "additionalProperties": true,
      "description": "Flattened account settings; booleans/enabled flags and maxKeyAgeDays.",
      "examples": [
        {
          "s3PublicAccessBlock": false,
          "s3DefaultEncryption": true,
          "cloudTrailEnabled": true,
          "cloudTrailLogValidation": false,
          "rootMfaEnabled": false,
          "iamMfaEnforced": true,
          "rootAccessKeysPresent": true,
          "maxKeyAgeDays": 120,
          "ebsEncryptionDefault": true,
          "vpcFlowLogsEnabled": true,
          "accessAnalyzerEnabled": false
        }
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}