CloudRec

CloudRec is an open source multi-cloud security posture management (CSPM) platform designed to help organizations improve the security of their cloud environments. CloudRec provides an open and scalable cloud asset collection framework and an OPA-based rule management engine. With CloudRec you can implement comprehensive asset collection, real-time security inspection, and risk event handling across an enterprise cloud environment.

CloudRec Lite

CloudRec Lite is a brand-new CloudRec edition built around one CLI that completes the whole lightweight CSPM workflow. It is local-first by default and designed for small and mid-sized teams that need fast cloud risk discovery without operating another platform. The loop is intentionally compact: collect cloud assets, run policy checks, understand the risky resource path, export results, and open a local dashboard in minutes.

[Animated product preview of CloudRec Lite; the full MP4 demo is linked from the repository.]

CloudRec Lite is designed for teams that want a faster starting point before running a full CSPM platform:

  • One CLI for everything: credentials, discovery, risk inspection, asset and finding queries, export, rule quality checks, and local Web review are all driven from the same command line.
  • No server stack required: keep scan results in local storage and open an embedded read-only dashboard when you need to investigate.
  • Asset-aware findings: connect risks back to impacted resources, regions, accounts, and topology paths instead of showing isolated rule hits.
  • Rule quality first: use OPA-based policies with validation gates so rule coverage, evidence, and remediation can be reviewed before release.
  • Open-source friendly path: start lightweight with Lite, then move to the full CloudRec deployment when you need multi-user operations, collectors, and enterprise workflows.

CloudRec Lite is especially useful for quick Alibaba Cloud posture checks, local demos, CI-style rule validation, and small-team security reviews where a single binary is easier to operate than a full server deployment.

Start with the CloudRec Lite user guide. Maintainers can use the release checklist before publishing Lite binaries.


Features

  • Rich inspection rules: in addition to the built-in high-risk rules, a flexible OPA-based rule engine supports analysis across multiple associated assets.
  • Multi-cloud support: built-in support for Alibaba Cloud, AWS, GCP and other cloud service providers, with on-demand extension to proprietary clouds; the Collector framework can likewise be extended to other cloud vendors.
  • User-friendly UI: an intuitive interface for asset management, rule editing and risk operations, with multi-tenant support.

🌟 Modules

| Module | Description |
| --- | --- |
| Resource Discovery | Covers mainstream public cloud platforms, automatically discovers 30+ cloud services and 200+ resource types, provides framework-level support, and can be extended on demand. |
| Risk Detection | Based on real-world enterprise rules, covering scenarios such as network protection, identity security, security protection, data protection, and log auditing. |
| Policy Engine | Declarative policy management based on OPA; policies can be adjusted dynamically without hard coding and without redeployment. |
| Repair Closed Loop | Integrates with WeCom (enterprise WeChat) and DingTalk; alarm policies can be flexibly configured. |

🚀 Quick Start

Choose the path that matches your team:

  • CloudRec Lite: local single-binary CSPM for quick Alibaba Cloud posture checks, no server stack required. Start with lite/README.md.
  • Full CloudRec: server, collector, multi-user workflows, and enterprise operations. Use the deployment steps below.

Full CloudRec Server

```bash
git clone https://github.com/antgroup/CloudRec.git
cd CloudRec

# Generate a random MySQL root password for the stack. Note the generated value
# if you later need to connect to MySQL directly.
MYSQL_ROOT_PASSWORD=$(openssl rand -base64 16) docker-compose up -d
```

Access http://localhost:8080 after deployment.

Full CloudRec Collector

Log in to the server and obtain an AccessToken; the collector uses it to authenticate its requests to the server.

```bash
# Enter the running CloudRec container (container name as created by docker-compose)
docker exec -it cloudrec-cloud-rec-1 bash

# Start the collector in the background with the token obtained from the server UI
nohup ./collectors --accessToken "${AccessToken}" > logs/task.log 2>&1 < /dev/null &
```

🏗 Architecture

[Architecture diagram]

📚 Key Concepts

📡 Collector

```yaml
# Collector name; if not configured, the hostname is used
AgentName: "Alibaba Cloud, Huawei Cloud, AWS, Tencent Cloud, GCP, Baidu Cloud Collector"
# Server URL; http://localhost:8080 is used by default, adjust it to your deployment
ServerUrl: "http://localhost:8080"

# Collection schedule, e.g. @every 30s, @every 5m, @every 1h
# @every 5m pulls the cloud accounts and runs collection every five minutes;
# if the previous run is still in progress when the next tick fires, that tick is skipped.
Cron: "@every 5m"

# RunOnlyOnce: false -> run once immediately and keep running on the Cron schedule (the process does not exit)
# RunOnlyOnce: true  -> run once immediately, then exit
RunOnlyOnce: false

# Access token used to authenticate requests to the server; obtain it from the server UI
AccessToken: "change your access token"

# Deployment site. With Sites: ["S1"], only cloud accounts assigned to site S1 are collected;
# with an empty list, all cloud accounts are collected.
# e.g. ["S1"]
# e.g. ["S1","I2","TE"]
Sites: [ ]

# Error substrings that deserve attention: if a collection error message contains
# one of these strings, the error is reported to the server as a risk
AttentionErrorTexts: [ "NoPermission", "NotAuthorized", "NotApplicable",
                       "Forbidden.RAM", "Forbidden", "Throttling.User", "Throttling",
                       "InvalidAccessKeyId.NotFound", "ServiceUnavailable" ]
```

📜 Rego Policy Sample

```rego
package ecs_security_groups_misconfig

import rego.v1

# An instance is a risk when it has a public IP address and at least one
# security-group rule accepts ingress from a very broad source range.
default risk := false

risk if {
	has_public_address
	count(security_groups_misconfig) != 0
}

# ECS returns the public addresses as a list; any entry means the instance
# is reachable from the Internet.
public_ip_address := input.Instance.PublicIpAddress.IpAddress

has_public_address if {
	count(public_ip_address) > 0
}

# Collect ingress Accept rules whose source CIDR has a prefix length of /8 or
# shorter (e.g. 0.0.0.0/0). A SourceCidrIp without a "/" leaves parts[1]
# undefined, so such a rule never matches and is silently skipped.
security_groups_misconfig contains sg_rule if {
	sg_rule := input.SecurityGroups[_].Permissions[_]
	parts := split(sg_rule.SourceCidrIp, "/")
	size := to_number(parts[1])
	size <= 8
	sg_rule.Direction == "ingress"
	sg_rule.Policy == "Accept"
}
```
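The "rule quality first" and "CI-style rule validation" points above come down to testing policies like this one before they ship. The following Rego test file is an added example and is not part of the CloudRec repository. It assumes the sample policy is loaded from the package `ecs_security_groups_misconfig` exactly as shown above; every input document (instances, security-group permissions, the `sg-example` group ID and the `PortRange` field) is constructed for the test and does not come from a real account. Besides the positive and negative cases, it pins down the policy's blind spot: a source written without a prefix length, or a rule that references another security group instead of a CIDR, is never flagged.

```rego
package ecs_security_groups_misconfig_test

import rego.v1

import data.ecs_security_groups_misconfig as policy

# Constructed instance shapes following the policy's input paths.
public_instance := {"Instance": {"PublicIpAddress": {"IpAddress": ["203.0.113.10"]}}}

private_instance := {"Instance": {"PublicIpAddress": {"IpAddress": []}}}

# Constructed security-group permission entries.
open_ingress := {
	"SourceCidrIp": "0.0.0.0/0",
	"Direction": "ingress",
	"Policy": "Accept",
	"PortRange": "22/22",
}

narrow_ingress := {
	"SourceCidrIp": "198.51.100.0/24",
	"Direction": "ingress",
	"Policy": "Accept",
	"PortRange": "22/22",
}

# Helper: attach a list of permissions to an instance document.
with_permissions(instance, perms) := object.union(instance, {"SecurityGroups": [{"Permissions": perms}]})

# Public instance with a world-open ingress rule: must be flagged.
test_public_instance_open_ingress_is_risk if {
	inp := with_permissions(public_instance, [open_ingress])
	policy.risk with input as inp
}

# The same rule on an instance without a public IP is not a risk for this policy.
test_private_instance_open_ingress_is_not_risk if {
	inp := with_permissions(private_instance, [open_ingress])
	not policy.risk with input as inp
}

# A /24 source is above the "prefix length <= 8" threshold: not flagged.
test_narrow_source_is_not_risk if {
	inp := with_permissions(public_instance, [narrow_ingress])
	not policy.risk with input as inp
}

# Egress rules and Drop rules never count, however broad their source.
test_egress_and_drop_are_ignored if {
	perms := [
		object.union(open_ingress, {"Direction": "egress"}),
		object.union(open_ingress, {"Policy": "Drop"}),
	]
	inp := with_permissions(public_instance, perms)
	not policy.risk with input as inp
}

# Blind spot: a source without a prefix length has no parts[1], so the
# split/to_number chain is undefined and the rule silently does not match.
# A hardened policy would treat a bare "0.0.0.0" as /0.
test_source_without_prefix_is_silently_skipped if {
	bare := object.union(open_ingress, {"SourceCidrIp": "0.0.0.0"})
	inp := with_permissions(public_instance, [bare])
	not policy.risk with input as inp
}

# Blind spot: a rule that references another security group carries no
# SourceCidrIp (absent here by construction), so the policy never evaluates it.
test_group_source_without_cidr_is_skipped if {
	group_rule := {"SourceGroupId": "sg-example", "Direction": "ingress", "Policy": "Accept"}
	inp := with_permissions(public_instance, [group_rule])
	not policy.risk with input as inp
}
```

Place the policy and this file in the same directory and run `opa test . -v`; all six tests pass against the sample policy as written. The last two tests are deliberately phrased as "not flagged" so that the gap is documented and visible in CI; if the policy is later hardened to treat a bare address as /0, those two tests should be inverted rather than deleted, which turns the documented blind spot into a regression test.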

🤝 How to contribute

For detailed guidelines on contributing, see https://www.cloudrec.cloud/docs/contribution-guide

Contributors Wall

📬 Community

https://qr.dingtalk.com/action/joingroup?code=v1,k1,rsTf3mOAcQuKrY0//YlclWTUG4zcL9eQGsJIjjDj88A=&_dt_no_comment=1&origin=11

📜 LICENSE

This project uses the Apache-2.0 LICENSE, the full text of which is available in the LICENSE document. Commercial use is subject to supplementary terms.
