# Kloudle Cloud Security Scanners — Agent Tools

Static binaries that AI agents can discover, download, and run autonomously. No SDKs, no dependencies, no containers — just curl, verify, execute.

## How It Works

1. **Discover** — Agent calls `search("s3 encryption")` via MCP to find the right scanner.
2. **Get** — Agent calls `get("k5e-aws-s3")` and receives a ready-to-run command with SHA256 verification.
3. **Run** — Agent downloads the ~2MB static binary, verifies the checksum, and executes the security scan.

## Available Scanners

| Binary | Service | Description | Checks |
|---|---|---|---|
| k5e-aws-s3 | S3 | Bucket encryption, public access blocks, versioning, logging, lifecycle policies | 5 |
| k5e-aws-iam | IAM | Root account MFA, stale access keys, password policy compliance | 3 |
| k5e-aws-ec2 | EC2 | Public SSH access, security group rules, EBS encryption, IMDSv2 enforcement | 4 |
| k5e-aws-eks | EKS | Public endpoint access, control plane logging, secrets encryption | 3 |
| k5e-aws-rds | RDS | Public accessibility, storage encryption, automated backup retention | 3 |
| k5e-aws-cloudtrail | CloudTrail | Multi-region trails, log file validation, KMS encryption | 3 |
| k5e-aws-cloudwatch-logs | CloudWatch Logs | Log group retention, encryption at rest, metric filter coverage | 3 |

## MCP Connection

Add this to any MCP-compatible client configuration:

```json
{
  "mcpServers": {
    "kloudle": {
      "url": "https://mcp.kloudle.dev/mcp"
    }
  }
}
```

- **Transport:** Streamable HTTP
- **Free tier:** 50 scans/day per IP
- **No API key required**

Also available on [Smithery](https://smithery.ai/server/@kloudle/cloud-security-scanner) and [MCP Registry](https://registry.modelcontextprotocol.io).

## Technical Details

- **Static Binaries** — Compiled with Rust + musl for zero external dependencies.
- **SHA256 Verified** — Every binary ships with a checksum. The MCP server returns a command that downloads, verifies, and runs in a single pipeline.
- **Structured Exit Codes** — 0 = all clear, 1 = misconfigurations found, 2 = auth failure, 3 = network error.
- **JSON Output** — Machine-readable results with severity levels, resource identifiers, and remediation hints.
- **Minimal IAM Permissions** — Each scanner declares exactly which read-only IAM permissions it needs.
- **CDN-Delivered** — Binaries served from Cloudflare R2 with immutable caching.
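
One way an agent host could implement the verify-then-execute step and handle the exit codes listed above. This is an added example, not Kloudle's own command: the function names and the `SCAN_OUT` variable are assumptions, and the download step is omitted because the page does not give a binary URL.

```shell
#!/usr/bin/env bash
# Added example (not Kloudle's command): verify a scanner file, then run it.
# Function names and SCAN_OUT are assumptions; the download step is omitted.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Map the exit codes documented on this page to a status word.
classify_exit() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "misconfigurations_found" ;;
    2) echo "auth_failure" ;;
    3) echo "network_error" ;;
    *) echo "unexpected_exit_$1" ;;
  esac
}

# run_verified <file> <expected_sha256> [scanner args...]
# Prints one status word; executes the file only when its digest matches.
# Returns 0 if the scanner ran, 1 if execution was refused.
run_verified() {
  local file="$1" expected actual rc=0
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  shift 2
  # Force a path with a slash so the shell never resolves the name via PATH.
  case "$file" in */*) ;; *) file="./$file" ;; esac
  [ -f "$file" ] || { echo "refused_missing_file"; return 1; }
  actual="$(sha256_of "$file")"
  if [ "${#expected}" -ne 64 ] || [ "$actual" != "$expected" ]; then
    echo "refused_checksum_mismatch"
    return 1
  fi
  chmod u+x "$file"
  # JSON results go to $SCAN_OUT when set; `|| rc=$?` keeps `set -e` callers alive.
  "$file" "$@" >"${SCAN_OUT:-/dev/null}" 2>/dev/null || rc=$?
  classify_exit "$rc"
  return 0
}
```

The check is only as trustworthy as the source of the expected digest, so treat exit code 1 as a finding to triage and a refusal as a reason to stop rather than retry with a new digest.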
