Automic VaultAutomic Vault

brew

Install cloudsplaining with Homebrew

AWS IAM Security Assessment tool. Version 0.9.1 via Homebrew; verified 2026-06-16.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install cloudsplaining

local Homebrew formula metadata

overview

Package summary

AWS IAM Security Assessment tool

Commands and aliases

  • cloudsplaining

history

Project history and usage

Cloudsplaining is a Salesforce open source command-line tool for auditing AWS IAM policies and producing risk-prioritized least-privilege reports.

Project history

The project was created as a companion to Salesforce's Policy Sentry work: the README explains that Policy Sentry made least-privilege policy creation easier, but existing AWS accounts still had large backlogs of broad IAM policies that needed assessment.

Cloudsplaining's public release stream began in 2020, with the GitHub releases page marking version 0.0.2 as the open source release. The tool's core model has remained a CLI workflow that downloads AWS IAM account authorization details, scans them, and emits HTML plus JSON results.

Adoption history

The upstream README documents installation through pip and Homebrew, including Salesforce's Homebrew tap, making it easy to put the scanner into Unix security and cloud-audit workflows.

Its adoption niche is AWS security engineering, penetration testing, and compliance review: it focuses on practical IAM risks such as data exfiltration, infrastructure modification, resource exposure, privilege escalation, and credentials exposure.

How it is used

Typical use starts with configured AWS credentials, `cloudsplaining download` to collect account authorization details, `cloudsplaining create-exclusions-file` to generate `exclusions.yml`, and `cloudsplaining scan` to generate reports.

The CLI can also scan a single IAM policy file, which makes it useful both for full-account audits and for reviewing individual policy documents during development.

Why package nerds care

Cloudsplaining is a good example of a cloud-security Python tool packaged for both pip and Homebrew: it turns a cloud API audit into a repeatable shell command that can live in developer laptops, CI jobs, and consulting toolkits.

Timeline

  • 2020: Version 0.0.2 was published as the open source release on GitHub.
  • 2020: Early releases added HTML report improvements, recursive scanning, trust-policy reporting, and automated Homebrew updates.
  • 2020: The README documented both pip and Homebrew installation paths.

Related projects

  • Policy Sentry is the closest related Salesforce project and is cited in the README as the motivation for Cloudsplaining.
  • Cloudsplaining also intersects with AWS IAM, AWS SecurityAudit-style permissions, and IAM privilege-escalation research such as Pathfinding.cloud.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:cloud

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 3 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
./exclusions.yml

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.aws/credentials

executables

Installed executables

CommandKindExposureNote
cloudsplainingcliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version0.9.1
manager updated2026-06-16
local dataok
upstreamnot checked
latest detectednot detected

https://cloudsplaining.readthedocs.io/en/latest/

install metadata

Package metadata

Package keybrew:cloudsplaining
Version0.9.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/cloudsplaining
Homepagehttps://cloudsplaining.readthedocs.io/en/latest/
Repositoryhttps://github.com/salesforce/cloudsplaining
Upstream docshttps://cloudsplaining.readthedocs.io/en/latest
LicenseBSD-3-Clause
Source archivehttps://files.pythonhosted.org/packages/7c/89/bf53630e908aef0680a4c843c4e8acd0b96a22b196ffec5a94bcc5249f80/cloudsplaining-0.9.1.tar.gz
Last updated2026-06-16T04:27:03Z
Pulseupdated
Dependenciescertifi, libyaml, python@3.14
Build dependenciesrust
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecloudsplaining
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • package relationship graph
  • package version freshness
  • package-page enrichment