# Install cloudsplaining with Homebrew

AWS IAM Security Assessment tool. Version 0.9.1 via Homebrew; verified 2026-06-16.

## Install

```sh
sudo av install brew:cloudsplaining
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install cloudsplaining
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:cloudsplaining
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/cloudsplaining>
- **Version:** 0.9.1
- **Source summary:** AWS IAM Security Assessment tool
- **Homepage:** <https://cloudsplaining.readthedocs.io/en/latest/>
- **Repository:** <https://github.com/salesforce/cloudsplaining>
- **Upstream docs:** <https://cloudsplaining.readthedocs.io/en/latest>
- **License:** BSD-3-Clause
- **Source archive:** <https://files.pythonhosted.org/packages/7c/89/bf53630e908aef0680a4c843c4e8acd0b96a22b196ffec5a94bcc5249f80/cloudsplaining-0.9.1.tar.gz>
- **Last updated:** 2026-06-16T04:27:03Z
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- cloudsplaining (cli)
- cloudsplaining (alias)

## Dependencies

- certifi
- libyaml
- python@3.14

## Build dependencies

- rust

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.9.1
- Package-manager updated: 2026-06-16
- Local data: ok
- Upstream repository: https://cloudsplaining.readthedocs.io/en/latest/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

Cloudsplaining is a Salesforce open source command-line tool for auditing AWS IAM policies and producing risk-prioritized least-privilege reports.

### Project history

The project was created as a companion to Salesforce's Policy Sentry work: the README explains that Policy Sentry made least-privilege policy creation easier, but existing AWS accounts still had large backlogs of broad IAM policies that needed assessment.

Cloudsplaining's public release stream began in 2020, with the GitHub releases page marking version 0.0.2 as the open source release. The tool's core model has remained a CLI workflow that downloads AWS IAM account authorization details, scans them, and emits HTML plus JSON results.

### Adoption history

The upstream README documents installation through pip and Homebrew, including Salesforce's Homebrew tap, making it easy to put the scanner into Unix security and cloud-audit workflows.

Its adoption niche is AWS security engineering, penetration testing, and compliance review: it focuses on practical IAM risks such as data exfiltration, infrastructure modification, resource exposure, privilege escalation, and credentials exposure.

### How it is used

Typical use starts with configured AWS credentials, `cloudsplaining download` to collect account authorization details, `cloudsplaining create-exclusions-file` to generate `exclusions.yml`, and `cloudsplaining scan` to generate reports.

The CLI can also scan a single IAM policy file, which makes it useful both for full-account audits and for reviewing individual policy documents during development.

### Why package nerds care

Cloudsplaining is a good example of a cloud-security Python tool packaged for both pip and Homebrew: it turns a cloud API audit into a repeatable shell command that can live in developer laptops, CI jobs, and consulting toolkits.

### Timeline

- 2020: Version 0.0.2 was published as the open source release on GitHub.
- 2020: Early releases added HTML report improvements, recursive scanning, trust-policy reporting, and automated Homebrew updates.
- 2020: The README documented both pip and Homebrew installation paths.

### Related projects

- Policy Sentry is the closest related Salesforce project and is cited in the README as the motivation for Cloudsplaining.
- Cloudsplaining also intersects with AWS IAM, AWS SecurityAudit-style permissions, and IAM privilege-escalation research such as Pathfinding.cloud.

### Sources

- <https://github.com/salesforce/cloudsplaining#readme>
- <https://cloudsplaining.readthedocs.io/en/latest/>
- <https://github.com/salesforce/cloudsplaining/releases>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: ./exclusions.yml

## Credential files

- Unix: ~/.aws/credentials
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** cloudsplaining
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [parliament](https://www.automicvault.com/pkg/brew/parliament/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, policy-analysis.
- [cliam](https://www.automicvault.com/pkg/brew/cliam/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, security.
- [principalmapper](https://www.automicvault.com/pkg/brew/principalmapper/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, security.
- [terraform-iam-policy-validator](https://www.automicvault.com/pkg/brew/terraform-iam-policy-validator/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, security.
- [trailscraper](https://www.automicvault.com/pkg/brew/trailscraper/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, security.
- [cfripper](https://www.automicvault.com/pkg/brew/cfripper/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [cloudfox](https://www.automicvault.com/pkg/brew/cloudfox/) - Shares av.db curated category or tags: aws, cli, cloud-security, security.
- [policy_sentry](https://www.automicvault.com/pkg/brew/policy-sentry/) - Shares av.db curated category or tags: aws, cli, cloud-security, iam, least-privilege.

## Combined YAML source

View the package source record on GitHub. [combined/cloudsplaining.yml](https://github.com/automic-vault/db/blob/main/combined/cloudsplaining.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
