macOS
brew install cloudsplaininglocal Homebrew formula metadata
brew
AWS IAM Security Assessment tool. Version 0.9.1 via Homebrew; verified 2026-06-16.
install
brew install cloudsplaininglocal Homebrew formula metadata
overview
AWS IAM Security Assessment tool
history
Cloudsplaining is a Salesforce open source command-line tool for auditing AWS IAM policies and producing risk-prioritized least-privilege reports.
The project was created as a companion to Salesforce's Policy Sentry work: the README explains that Policy Sentry made least-privilege policy creation easier, but existing AWS accounts still had large backlogs of broad IAM policies that needed assessment.
Cloudsplaining's public release stream began in 2020, with the GitHub releases page marking version 0.0.2 as the open source release. The tool's core model has remained a CLI workflow that downloads AWS IAM account authorization details, scans them, and emits HTML plus JSON results.
The upstream README documents installation through pip and Homebrew, including Salesforce's Homebrew tap, making it easy to put the scanner into Unix security and cloud-audit workflows.
Its adoption niche is AWS security engineering, penetration testing, and compliance review: it focuses on practical IAM risks such as data exfiltration, infrastructure modification, resource exposure, privilege escalation, and credentials exposure.
Typical use starts with configured AWS credentials, `cloudsplaining download` to collect account authorization details, `cloudsplaining create-exclusions-file` to generate `exclusions.yml`, and `cloudsplaining scan` to generate reports.
The CLI can also scan a single IAM policy file, which makes it useful both for full-account audits and for reviewing individual policy documents during development.
Cloudsplaining is a good example of a cloud-security Python tool packaged for both pip and Homebrew: it turns a cloud API audit into a repeatable shell command that can live in developer laptops, CI jobs, and consulting toolkits.
security posture
infrastructure mutation or orchestration signal.
orange risk · medium confidence · infrastructure
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
local files
These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.
Config paths the tool may read or write during local use.
./exclusions.ymlCredential-bearing paths to review before unattended agent runs.
~/.aws/credentialsexecutables
| Command | Kind | Exposure | Note |
|---|---|---|---|
cloudsplaining | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://cloudsplaining.readthedocs.io/en/latest/
install metadata
| Package key | brew:cloudsplaining |
|---|---|
| Version | 0.9.1 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/cloudsplaining |
| Homepage | https://cloudsplaining.readthedocs.io/en/latest/ |
| Repository | https://github.com/salesforce/cloudsplaining |
| Upstream docs | https://cloudsplaining.readthedocs.io/en/latest |
| License | BSD-3-Clause |
| Source archive | https://files.pythonhosted.org/packages/7c/89/bf53630e908aef0680a4c843c4e8acd0b96a22b196ffec5a94bcc5249f80/cloudsplaining-0.9.1.tar.gz |
| Last updated | 2026-06-16T04:27:03Z |
| Pulse | updated |
| Dependencies | certifi, libyaml, python@3.14 |
| Build dependencies | rust |
| Bottle | available (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | cloudsplaining |
| Version Scheme | 0 |
| Revision | 0 |
| Head Version | HEAD |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.