ScoutSuite — Install, Use, Optimise (2026)

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

Multi-cloud security audit tool — generates HTML reports of misconfigurations across AWS, Azure, GCP, OCI, AliCloud.

Use case: Cloud (multi)
Difficulty: Intermediate
Homepage: https://github.com/nccgroup/ScoutSuite

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx

pipx install scoutsuite

Source

pip install scoutsuite

Docker

docker run -ti --rm -v ~/.aws:/root/.aws nccgroup/scoutsuite

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

AWS audit

scout aws

Azure audit (with service principal)

scout azure --service-principal --tenant TENANT_ID --client-id ID --client-secret SECRET

GCP audit (service account)

scout gcp --service-account ./gcp-key.json

Custom rules

scout aws --ruleset custom-ruleset.json

Generate report only

scout aws --report-name myorg --no-browser

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • AWS audit: 5-15 min on small accounts, 1-3 hours on enterprise. Run during off-hours.
  • --regions to scope: skip unused regions for 50%+ time savings.
  • --services s3,iam,ec2 targets specific services — much faster than default all-services.
  • Output is static HTML in scoutsuite-report/ — diff between audits with diff -r old/ new/.
  • Re-run with --update updates a previous report rather than regenerating from scratch.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Read-only IAM perms required — but ScoutSuite’s default IAM policy is overly broad. Use the minimal policy from docs.
  • Some checks (e.g., S3 public-access analysis) miss recent AWS feature flags. Cross-check with AWS Trusted Advisor.
  • Reports include resource ARNs: treat the output as confidential, since it discloses the AWS account's topology.
  • Default rule set is conservative. For DPDP compliance audits, layer custom rules for India-specific data residency.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • Prowler — AWS-focused, ships CIS benchmark out of the box.
  • CloudSploit — similar mission, less actively maintained.
  • Steampipe — SQL-queryable cloud asset graph, more flexible but steeper learning.

India context and engagement notes

For Indian SaaS in scope of DPDP / ISO 27001 / SOC 2: monthly ScoutSuite + Prowler runs are the practical baseline. Run both from a CI job that posts diffs to Slack, so new exposures surface within hours of the misconfiguration.
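Diffing two audits, as the performance note and the CI workflow above describe, means comparing flagged resources rather than raw HTML. The following is an added example, not ScoutSuite's own code; it assumes the results file ScoutSuite writes under scoutsuite-report/scoutsuite-results/ is a `scoutsuite_results =` JS assignment wrapping JSON with a services → findings → items layout, and the two sample runs are constructed.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed samples standing in for two results files from consecutive audits.
# Layout (services -> findings -> items/level/flagged_items) is assumed from
# ScoutSuite's report format and trimmed to the keys the diff needs.
OLD_RUN = """scoutsuite_results =
{"account_id": "123456789012", "provider_code": "aws", "services": {
  "s3": {"findings": {
    "s3-bucket-world-readable": {"level": "danger", "description": "Bucket World Readable",
      "items": ["s3.buckets.legacy-assets"], "flagged_items": 1}}},
  "iam": {"findings": {
    "iam-user-no-mfa": {"level": "warning", "description": "User Without MFA",
      "items": ["iam.users.alice", "iam.users.bob"], "flagged_items": 2}}}}}"""

NEW_RUN = """scoutsuite_results =
{"account_id": "123456789012", "provider_code": "aws", "services": {
  "s3": {"findings": {
    "s3-bucket-world-readable": {"level": "danger", "description": "Bucket World Readable",
      "items": ["s3.buckets.legacy-assets", "s3.buckets.exports-2026"], "flagged_items": 2}}},
  "iam": {"findings": {
    "iam-user-no-mfa": {"level": "warning", "description": "User Without MFA",
      "items": ["iam.users.alice"], "flagged_items": 1}}}}}"""

Finding = Tuple[str, str, str]  # (service, finding id, flagged resource path)


def load_results(text: str) -> dict:
    """Strip the 'scoutsuite_results =' JS prefix and parse the JSON body."""
    body = re.sub(r"^\s*scoutsuite_results\s*=\s*", "", text, count=1)
    return json.loads(body)


def flagged_items(results: dict) -> Dict[Tuple[str, str], Set[str]]:
    """Map (service, finding id) -> set of resource paths the rule flagged."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for service, data in results.get("services", {}).items():
        for fid, finding in data.get("findings", {}).items():
            out[(service, fid)] = set(finding.get("items", []))
    return out


def diff_runs(old_text: str, new_text: str) -> Tuple[List[Finding], List[Finding]]:
    """Return (regressions, resolved): resources newly flagged vs. no longer flagged."""
    old, new = flagged_items(load_results(old_text)), flagged_items(load_results(new_text))
    regressions: List[Finding] = []
    resolved: List[Finding] = []
    for service, fid in sorted(set(old) | set(new)):
        before, after = old.get((service, fid), set()), new.get((service, fid), set())
        regressions += [(service, fid, item) for item in sorted(after - before)]
        resolved += [(service, fid, item) for item in sorted(before - after)]
    return regressions, resolved


if __name__ == "__main__":
    new_findings, fixed = diff_runs(OLD_RUN, NEW_RUN)
    print("regressions:", new_findings)  # the Slack-worthy part of the CI output
    print("resolved:", fixed)
```

Only the regressions list needs to reach the channel; an empty list on a scheduled run is the quiet signal that nothing new was exposed.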


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
