Co-Pilot / Assisted
Updated 24 days ago

cloud-collector

Workstreet-Compliance
0.0k
workstreet-compliance/cloud-collector
Agent score: 82

💡 Summary

Automated compliance evidence collection for AWS, GCP, and Azure, producing audit-ready packages.

🎯 Who it's for

Compliance officers, cloud security engineers, IT auditors, DevOps teams, risk management professionals

🤖 AI quip: Looks capable, but don't let the configuration scare people off.

Security analysis: Medium risk

Risk: Medium. Suggested checks: whether it executes shell/command-line instructions; whether it makes outbound network requests (SSRF/data exfiltration); the scope of file reads and writes and path traversal risk; dependency pinning and supply-chain risk. Run it with least privilege, and audit the code and its dependencies before enabling it in production.


Generate audit-ready evidence packages with automatic mapping to SOC 2, ISO 27001, NIST 800-53, and CIS benchmarks. Outputs structured JSON for GRC tools and formatted Markdown for auditor review.

Installation

Via skills.sh

```sh
npx skills add Workstreet-Compliance/Cloud-Collector
```

Via pip

```sh
git clone https://github.com/Workstreet-Compliance/Cloud-Collector.git
cd Cloud-Collector
pip install -r requirements.txt
```

Quick Start

Using with Claude Code

Just ask naturally:

"Collect SOC 2 evidence from my AWS account"

"Generate ISO 27001 audit documentation for GCP project xyz"

"Check my Azure subscription for NIST 800-53 compliance"

Programmatic Usage

AWS

```python
from skills.evidence_collector.scripts.aws_evidence import AWSEvidenceCollector
from skills.evidence_collector.scripts.output_formatter import EvidenceFormatter

# Collect evidence
collector = AWSEvidenceCollector()
package = collector.collect_all()

# Export
EvidenceFormatter.save(package, "./evidence_output")  # JSON + Markdown
```

GCP

```python
from skills.evidence_collector.scripts.gcp_evidence import GCPEvidenceCollector

collector = GCPEvidenceCollector(project_id="my-project-id")
package = collector.collect_all()
```

Azure

```python
from skills.evidence_collector.scripts.azure_evidence import AzureEvidenceCollector

collector = AzureEvidenceCollector(subscription_id="your-subscription-id")
package = collector.collect_all()
```

Evidence Categories

| Category | AWS | GCP | Azure |
|:---------|:----|:----|:------|
| IAM | Users, roles, policies, MFA | IAM bindings, service accounts | RBAC, custom roles |
| Logging | CloudTrail | Audit logs, sinks | Activity logs, diagnostics |
| Storage | S3 policies, encryption | GCS IAM, public access | Storage account security |
| Security | Security Hub findings | Security Command Center | Defender for Cloud |
| Encryption | KMS keys, rotation | Cloud KMS key rings | Key Vault config |
| Network | VPC, security groups, NACLs | Firewall rules, VPC | NSGs, VNets |


Frameworks

See references/control_mappings.md for complete mapping details.


Prerequisites

AWS

```sh
# Option 1: AWS CLI
aws configure

# Option 2: Environment variables
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=xxx
```

Required permissions:

  • iam:Get*, iam:List*
  • cloudtrail:Describe*, cloudtrail:Get*
  • s3:GetBucket*, s3:ListBucket
  • securityhub:Get*
  • kms:Describe*, kms:List*
  • ec2:Describe*

GCP

```sh
# Option 1: Application Default Credentials
gcloud auth application-default login

# Option 2: Service account
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
```

Required roles:

  • roles/iam.securityReviewer
  • roles/logging.viewer
  • roles/storage.objectViewer
  • roles/securitycenter.findingsViewer
  • roles/cloudkms.viewer
  • roles/compute.viewer

Azure

```sh
# Option 1: Azure CLI
az login

# Option 2: Service principal
export AZURE_CLIENT_ID=xxx
export AZURE_CLIENT_SECRET=xxx
export AZURE_TENANT_ID=xxx
```

Required roles:

  • Reader
  • Security Reader
  • Key Vault Reader
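The README lists the AWS actions the collector needs and, under Security, says to use least-privilege credentials. The following Python is an added example, not the project's own code: it assembles the listed actions into an IAM policy document and refuses to emit one if any action is not a read-only verb. The `Get`/`List`/`Describe` prefix rule and the function names are assumptions of this example, not part of cloud-collector.

```python
import json

# Read-only actions listed under "Required permissions" in the README.
REQUIRED_AWS_ACTIONS = [
    "iam:Get*", "iam:List*",
    "cloudtrail:Describe*", "cloudtrail:Get*",
    "s3:GetBucket*", "s3:ListBucket",
    "securityhub:Get*",
    "kms:Describe*", "kms:List*",
    "ec2:Describe*",
]

# Verb prefixes treated as read-only. Assumption for this example: any other
# verb (Put*, Create*, Delete*, Update*, Attach*, ...) is treated as mutating.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def is_read_only(action: str) -> bool:
    """True if an IAM action (service:Verb, trailing wildcard allowed) only reads."""
    service, _, verb = action.partition(":")
    if not service or not verb:
        return False
    if verb == "*":  # a bare wildcard verb grants write access as well
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def find_mutating_actions(actions) -> list:
    """Return the actions that do not pass the read-only check."""
    return [a for a in actions if not is_read_only(a)]


def build_collector_policy(actions, sid: str = "CloudCollectorReadOnly") -> dict:
    """Build an IAM policy document granting only the given read-only actions.

    Raises ValueError instead of producing a policy if any action could mutate
    resources, so a typo such as iam:CreateUser never reaches the account.
    """
    bad = find_mutating_actions(actions)
    if bad:
        raise ValueError(f"refusing to grant non-read-only actions: {bad}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }


if __name__ == "__main__":
    print(json.dumps(build_collector_policy(REQUIRED_AWS_ACTIONS), indent=2))
```

The verb-prefix rule is a coarse gate: it catches obvious write actions but cannot tell which `Get`/`Describe` actions return more than configuration metadata. Treat the generated document as a starting point and confirm the effective permissions with the IAM policy simulator or Access Analyzer before attaching it to the collector's principal.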

Output Formats

JSON

Structured output for automated processing and GRC tool integration.

```json
{
  "metadata": {
    "collection_timestamp": "2024-01-15T10:30:00Z",
    "cloud_provider": "aws",
    "account_id": "123456789012"
  },
  "evidence": [...],
  "control_mappings": [...]
}
```

Markdown

Human-readable reports with evidence grouped by category and control mapping tables—ready for auditor review.
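As an added example (not the project's own code, and not its `EvidenceFormatter`), the following Python consumes a package with the three top-level keys shown under JSON, the way a GRC import step would: it validates the metadata fields, flags any control an evidence item cites that `control_mappings` does not define, counts evidence per framework, and renders the category-grouped table described under Markdown. The sample package is constructed here, and the fields inside each evidence item and mapping (`id`, `category`, `controls`, `framework`, `control_id`, `title`) are assumptions of this example; the project's actual schema is in `references/evidence_schema.json`.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample package. The top-level keys and metadata fields follow the
# README's JSON example; the fields inside evidence items and control mappings
# are assumptions for this example, not the project's schema.
SAMPLE_PACKAGE_JSON = """
{
  "metadata": {
    "collection_timestamp": "2024-01-15T10:30:00Z",
    "cloud_provider": "aws",
    "account_id": "123456789012"
  },
  "evidence": [
    {"id": "iam-mfa-root", "category": "IAM", "controls": ["SOC2:CC6.1", "CIS:1.5"]},
    {"id": "cloudtrail-enabled", "category": "Logging", "controls": ["SOC2:CC7.2", "NIST:AU-2"]},
    {"id": "s3-public-block", "category": "Storage", "controls": ["SOC2:CC6.1", "ORPHAN:X-1"]}
  ],
  "control_mappings": [
    {"framework": "SOC2", "control_id": "CC6.1", "title": "Logical access security"},
    {"framework": "SOC2", "control_id": "CC7.2", "title": "System monitoring"},
    {"framework": "CIS", "control_id": "1.5", "title": "Root account MFA"},
    {"framework": "NIST", "control_id": "AU-2", "title": "Event logging"}
  ]
}
"""

PROVIDERS = {"aws", "gcp", "azure"}


def load_package(text: str = SAMPLE_PACKAGE_JSON) -> dict:
    """Parse a package document (the constructed sample by default)."""
    return json.loads(text)


def validate_metadata(meta: dict) -> list:
    """Return a list of problems with the metadata block (empty means valid)."""
    problems = []
    for key in ("collection_timestamp", "cloud_provider", "account_id"):
        if key not in meta:
            problems.append(f"missing metadata.{key}")
    if meta.get("cloud_provider") not in PROVIDERS:
        problems.append(f"unknown cloud_provider {meta.get('cloud_provider')!r}")
    ts = meta.get("collection_timestamp", "")
    try:
        # Accept the trailing "Z" form used in the README on older Pythons.
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if parsed.tzinfo is None:
            problems.append("collection_timestamp has no timezone")
        elif parsed > datetime.now(timezone.utc):
            problems.append("collection_timestamp is in the future")
    except ValueError:
        problems.append(f"collection_timestamp {ts!r} is not ISO 8601")
    return problems


def unmapped_controls(package: dict) -> set:
    """Control references cited by evidence but absent from control_mappings."""
    known = {f"{m['framework']}:{m['control_id']}" for m in package["control_mappings"]}
    cited = {c for item in package["evidence"] for c in item["controls"]}
    return cited - known


def coverage_by_framework(package: dict) -> dict:
    """Count how many evidence items support each framework prefix."""
    counts = defaultdict(int)
    for item in package["evidence"]:
        for framework in {c.split(":", 1)[0] for c in item["controls"]}:
            counts[framework] += 1
    return dict(counts)


def to_markdown(package: dict) -> str:
    """Render evidence grouped by category as a Markdown table for auditors."""
    lines = ["| Category | Evidence ID | Controls |", "|:---|:---|:---|"]
    for item in sorted(package["evidence"], key=lambda e: (e["category"], e["id"])):
        lines.append(f"| {item['category']} | {item['id']} | {', '.join(item['controls'])} |")
    return "\n".join(lines)


if __name__ == "__main__":
    pkg = load_package()
    print("metadata problems:", validate_metadata(pkg["metadata"]))
    print("unmapped controls:", unmapped_controls(pkg))
    print("coverage:", coverage_by_framework(pkg))
    print(to_markdown(pkg))
```

Rejecting a package whose evidence cites a control the mapping table does not define (the constructed `ORPHAN:X-1` here) is the check worth wiring into an import pipeline: an auditor reading the Markdown would otherwise see a control reference that no framework row explains.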


Project Structure

cloud-evidence-collector/
├── skills/
│   └── evidence-collector/
│       ├── SKILL.md                 # Claude instructions
│       ├── scripts/
│       │   ├── aws_evidence.py
│       │   ├── gcp_evidence.py
│       │   ├── azure_evidence.py
│       │   └── output_formatter.py
│       └── references/
│           ├── control_mappings.md
│           └── evidence_schema.json
├── .claude-plugin/plugin.json       # Claude plugin config
├── skills.json                      # skills.sh config
└── requirements.txt

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Add evidence collectors or control mappings
  4. Submit a pull request

Security

This tool collects read-only evidence. It does not modify any cloud resources.

  • Always use least-privilege credentials
  • Review collected evidence before sharing externally
  • For security issues, email ryan@workstreet.com

Five-dimension analysis
Clarity: 9/10
Innovation: 7/10
Practicality: 9/10
Completeness: 8/10
Maintainability: 8/10
Pros and cons

Pros

  • Automated evidence collection.
  • Supports multiple cloud platforms.
  • Produces structured output for GRC tools.

Cons

  • Requires cloud credentials.
  • Read-only operations only.
  • Depends on the cloud providers' APIs.

Related skills

building-secure-contracts

A
tool · Co-Pilot / Assisted
88 / 100

"Looks capable, but don't let the configuration scare people off."

mcpspy

A
tool · Co-Pilot / Assisted
86 / 100

"MCPSpy: because who wouldn't want to snoop on their AI's secrets?"

prowler

A
tool · Code Lib / Code library
86 / 100

"It's the Swiss Army knife of cloud security, but you need a PhD in YAML to configure all of its moving parts."

Disclaimer: this content comes from a GitHub open-source project and is shown for display and scoring analysis only.

Copyright belongs to the original author, Workstreet-Compliance.