DEV Community

Cloudev

Building a Simple Cloud Security Automation Tool in Rust

Cloud security is no longer just about dashboards and manual reviews. Modern security teams rely heavily on automation to detect and respond to misconfigurations in real time.

In this article, I will show how I built a simple Cloud Security Posture Management (CSPM) tool using Rust and the AWS SDK. The goal is to demonstrate how Rust can be used for real-world cloud security automation, not just systems programming.

Why Rust for Cloud Security

Most cloud security automation is written in Python or Go. Rust is less common, but it has some serious advantages:

  • Memory safety by default
  • High performance for log processing and scanning
  • Single static binaries for agents and tools
  • Strong type system for building reliable security systems

Rust is especially useful when building security tooling that needs to be fast, stable, and safe to run in production.

Project Overview: CloudGuard

The project is a simple Rust CLI tool called CloudGuard.

It performs two basic but very realistic security checks:

1. Detect public S3 buckets
2. Detect EC2 security groups open to the world on sensitive ports

This is essentially a mini CSPM tool.

What the Tool Does

CloudGuard scans an AWS account and prints a security report showing:

1. Any S3 buckets with public access
2. Any security groups with 0.0.0.0/0 on:
   • Port 22 (SSH)
   • Port 3389 (RDP)
   • Port 3306 (MySQL)

These are some of the most common real-world cloud misconfigurations.

Architecture

The architecture is very simple:

Rust CLI
→ AWS SDK for Rust
→ AWS APIs (S3, EC2)

There is no agent and no infrastructure required. It runs using normal AWS credentials.

Project Structure

The project is split into small modules:

  • main.rs: entry point
  • s3_scan.rs: S3 public access checks
  • sg_scan.rs: security group checks

This keeps the code clean and easy to extend.

Setting Up the Project

Create the project:

    cargo new cloud-guard
    cd cloud-guard

Add dependencies to Cargo.toml:

    [dependencies]
    aws-config = "1"
    aws-sdk-s3 = "1"
    aws-sdk-ec2 = "1"
    tokio = { version = "1", features = ["full"] }

Configure AWS credentials:

    aws configure

Example: Scanning for Public S3 Buckets

The tool lists all buckets and checks their ACLs for public access.

The logic is:

  • Call ListBuckets
  • For each bucket, call GetBucketAcl
  • If the grantee contains AllUsers, the bucket is public

This mirrors how real CSPM tools work internally.
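The decision step of that S3 scan, as an added example that is not code from the CloudGuard repository: the grantee check is written as pure functions over a small model of an ACL grant, so it compiles and runs with no AWS access. In the real tool the `Grant` struct would be filled from the aws-sdk-s3 GetBucketAcl response; the struct, the report wording and the sample ACLs below are constructed for this example. It goes one step beyond the article's rule by also flagging the AuthenticatedUsers group, which lets any AWS account in and is effectively public too.

```rust
// Added example (not from the CloudGuard repo): the "is this ACL public?"
// decision from the S3 scan, modelled without the AWS SDK so it runs offline.
// `Grant`, the report format and the sample ACLs are constructed here.

/// Group URIs S3 uses for "everyone" and "any AWS account" grantees.
const ALL_USERS_URI: &str = "http://acs.amazonaws.com/groups/global/AllUsers";
const AUTHENTICATED_USERS_URI: &str =
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers";

/// Minimal model of one ACL grant (assumed shape, not the SDK type).
#[derive(Debug, Clone)]
struct Grant {
    /// `Some(uri)` for a predefined group grantee, `None` for a canonical user.
    group_uri: Option<String>,
    /// READ, WRITE, READ_ACP, WRITE_ACP or FULL_CONTROL.
    permission: String,
}

/// Why a bucket was flagged, so the report says more than just "public".
#[derive(Debug, PartialEq)]
enum Exposure {
    /// Anonymous access through the AllUsers group.
    Anonymous(String),
    /// Any signed-in AWS identity through AuthenticatedUsers (effectively public).
    AnyAwsAccount(String),
}

/// Every grant that makes the bucket reachable from outside the account.
fn public_exposures(grants: &[Grant]) -> Vec<Exposure> {
    grants
        .iter()
        .filter_map(|g| match g.group_uri.as_deref() {
            Some(ALL_USERS_URI) => Some(Exposure::Anonymous(g.permission.clone())),
            Some(AUTHENTICATED_USERS_URI) => {
                Some(Exposure::AnyAwsAccount(g.permission.clone()))
            }
            _ => None,
        })
        .collect()
}

/// The article's rule: a grantee of AllUsers means the bucket is public.
fn is_public(grants: &[Grant]) -> bool {
    !public_exposures(grants).is_empty()
}

/// One report line per flagged bucket, in the tool's report style.
fn report_lines(buckets: &[(&str, Vec<Grant>)]) -> Vec<String> {
    buckets
        .iter()
        .filter_map(|(name, grants)| {
            let exposures = public_exposures(grants);
            if exposures.is_empty() {
                return None;
            }
            let why: Vec<String> = exposures
                .iter()
                .map(|e| match e {
                    Exposure::Anonymous(p) => format!("AllUsers:{}", p),
                    Exposure::AnyAwsAccount(p) => format!("AuthenticatedUsers:{}", p),
                })
                .collect();
            Some(format!("Public bucket found: {} ({})", name, why.join(", ")))
        })
        .collect()
}

fn grant(group_uri: Option<&str>, permission: &str) -> Grant {
    Grant {
        group_uri: group_uri.map(|u| u.to_string()),
        permission: permission.to_string(),
    }
}

/// Constructed sample ACLs standing in for three ListBuckets + GetBucketAcl results.
fn sample_buckets() -> Vec<(&'static str, Vec<Grant>)> {
    vec![
        // Owner has full control, plus anonymous READ: public.
        ("test-assets-bucket", vec![grant(None, "FULL_CONTROL"), grant(Some(ALL_USERS_URI), "READ")]),
        // Owner only: private.
        ("private-logs", vec![grant(None, "FULL_CONTROL")]),
        // Readable by any AWS account: flagged as well.
        ("shared-with-any-account", vec![grant(None, "FULL_CONTROL"), grant(Some(AUTHENTICATED_USERS_URI), "READ")]),
    ]
}

fn main() {
    println!("=== S3 Public Bucket Scan ===");
    for line in report_lines(&sample_buckets()) {
        println!("{}", line);
    }
}
```

Two caveats worth keeping in mind when extending this check: a bucket can also be public through its bucket policy with no ACL grant at all, and an account or bucket with S3 Block Public Access enabled neutralises an AllUsers ACL grant, so a full CSPM check reads the policy status and the public access block settings alongside the ACL.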

Example: Scanning Open Security Groups

The security group scan works like this:

  • Call DescribeSecurityGroups
  • Loop through inbound rules
  • If CIDR is 0.0.0.0/0 and port is sensitive, flag it

This is exactly the same logic used in enterprise security tools.
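The rule-classification half of that scan, as an added example that is not code from the CloudGuard repository: it is written over a small model of an inbound rule so it runs with no AWS access. In the real tool the `InboundRule` struct would be filled from the aws-sdk-ec2 DescribeSecurityGroups response (the IpPermission, IpRange and Ipv6Range fields); the structs, the report wording and the sample groups below are constructed for this example. It generalises the article's rule in three ways a practitioner hits immediately: a port range such as 20-25 covers port 22, a rule with protocol "-1" (all traffic) covers every port, and the IPv6 "anyone" range ::/0 counts as open to the world just like 0.0.0.0/0.

```rust
// Added example (not from the CloudGuard repo): the rule-classification step
// of the security group scan, modelled without the AWS SDK so it runs offline.
// `InboundRule`, `Finding`, the report format and the sample groups are
// constructed here.

/// The ports the article treats as sensitive when exposed to the whole internet.
const SENSITIVE_PORTS: [(u16, &str); 3] = [(22, "SSH"), (3389, "RDP"), (3306, "MySQL")];

/// One inbound rule: protocol, port range and the source ranges allowed in.
#[derive(Debug, Clone)]
struct InboundRule {
    /// "tcp", "udp", "icmp", or "-1" meaning all protocols and all ports.
    ip_protocol: String,
    /// `None` when the rule carries no port range (protocol "-1").
    from_port: Option<u16>,
    to_port: Option<u16>,
    /// IPv4 and IPv6 CIDRs; "0.0.0.0/0" and "::/0" both mean "anyone".
    cidrs: Vec<String>,
}

#[derive(Debug, PartialEq)]
struct Finding {
    group_name: String,
    port: u16,
    service: &'static str,
    source: String,
}

/// Both the IPv4 and the IPv6 "whole internet" ranges count as open to the world.
fn is_world_open(cidr: &str) -> bool {
    cidr == "0.0.0.0/0" || cidr == "::/0"
}

/// Does this rule admit traffic to `port`? Protocol "-1" covers every port; a TCP
/// rule covers the inclusive range from_port..=to_port (so 22-22 is just 22).
fn rule_covers_port(rule: &InboundRule, port: u16) -> bool {
    if rule.ip_protocol == "-1" {
        return true;
    }
    if rule.ip_protocol != "tcp" {
        return false; // SSH, RDP and MySQL are TCP services.
    }
    match (rule.from_port, rule.to_port) {
        (Some(from), Some(to)) => from <= port && port <= to,
        _ => false,
    }
}

/// Loop through the inbound rules and flag each sensitive port reachable from a
/// world-open CIDR, one finding per (port, source) pair.
fn scan_group(group_name: &str, rules: &[InboundRule]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for rule in rules {
        for cidr in rule.cidrs.iter().filter(|c| is_world_open(c.as_str())) {
            for &(port, service) in SENSITIVE_PORTS.iter() {
                if rule_covers_port(rule, port) {
                    findings.push(Finding {
                        group_name: group_name.to_string(),
                        port,
                        service,
                        source: cidr.clone(),
                    });
                }
            }
        }
    }
    findings
}

fn scan_all(groups: &[(&str, Vec<InboundRule>)]) -> Vec<Finding> {
    groups.iter().flat_map(|(name, rules)| scan_group(name, rules)).collect()
}

fn report_line(f: &Finding) -> String {
    format!("Open SG: {} port {} ({}) from {}", f.group_name, f.port, f.service, f.source)
}

fn rule(proto: &str, ports: Option<(u16, u16)>, cidrs: &[&str]) -> InboundRule {
    InboundRule {
        ip_protocol: proto.to_string(),
        from_port: ports.map(|p| p.0),
        to_port: ports.map(|p| p.1),
        cidrs: cidrs.iter().map(|c| c.to_string()).collect(),
    }
}

/// Constructed sample groups standing in for a DescribeSecurityGroups result.
fn sample_groups() -> Vec<(&'static str, Vec<InboundRule>)> {
    vec![
        // HTTP to the world is expected for a web tier; SSH to the world is the finding.
        ("web-sg", vec![rule("tcp", Some((80, 80)), &["0.0.0.0/0"]), rule("tcp", Some((22, 22)), &["0.0.0.0/0"])]),
        // MySQL reachable only from the VPC range: not flagged.
        ("db-sg", vec![rule("tcp", Some((3306, 3306)), &["10.0.0.0/16"])]),
        // Allow-all rule from any IPv6 source: every sensitive port is exposed.
        ("legacy-sg", vec![rule("-1", None, &["::/0"])]),
    ]
}

fn main() {
    println!("=== Security Group Scan ===");
    for finding in scan_all(&sample_groups()) {
        println!("{}", report_line(&finding));
    }
}
```

The protocol check deserves the comment it carries: a UDP rule on port 22 is not SSH exposure, and reporting it would be a false positive that trains operators to ignore the tool, so the classifier only treats TCP and "all traffic" rules as matches for these three services.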

Running the Tool

Run it locally:

    cargo run

You will get output like:

    === S3 Public Bucket Scan ===
    Public bucket found: test-assets-bucket

    === Security Group Scan ===
    Open SG: web-sg on ports 22-22

That is already a working cloud security scanner.

GitHub repo: https://github.com/Copubah/aws-cloudguard
