Diagrams — SDD-05: Scout Suite


Diagram 1 — Scout Suite's Assessment Architecture

flowchart TB
    CREDS([cloud credentials]) --> PROVIDERS
    subgraph PROVIDERS["Per-Cloud Providers"]
        AWS[AWS]
        AZURE[Azure]
        GCP[GCP]
        ALI[Alibaba Cloud]
        OCI[OCI]
    end
    PROVIDERS --> COLLECTOR[Configuration Collector<br/>per-service: EC2, S3, IAM, network, ...<br/>collects FULL config, not just findings]
    COLLECTOR --> RULES[Rules Engine<br/>per-service rules → findings + severity]
    RULES --> REPORT[Report Generator]
    REPORT --> HTML[(Single Offline HTML Report<br/>self-contained · no server · embedded JS navigation)]

    style COLLECTOR fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style HTML fill:#1a1015,stroke:#5eead4,color:#e4e4e8

Reading: Scout Suite's architecture is assessment-focused. Per-cloud providers enumerate configuration. The collector gathers FULL config (not just pass/fail) — the security group rules, the IAM policies, the bucket configs. The rules engine evaluates. The report generator produces a single offline HTML file. The defining property is the last box: a self-contained report with no server, viewable in any browser, years later.


Diagram 2 — Scout Suite vs Prowler (Assessment vs Operations)

flowchart LR
    subgraph SCOUT["Scout Suite — Assessment"]
        S1[Point-in-time snapshot]
        S2[Single offline HTML report]
        S3[Full config collection]
        S4[Client deliverable]
        S5[No CI integration]
        S6[GPL-2.0]
    end
    subgraph PROWLER["Prowler — Operations"]
        P1[Continuous monitoring]
        P2[Structured findings (OCSF/ASFF)]
        P3[600+ checks]
        P4[SIEM / ticketing integration]
        P5[GitHub Action CI gate]
        P6[Apache-2.0]
    end
    SCOUT -.complementary: assessment + operations.-> PROWLER

    style SCOUT fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: Scout Suite and Prowler are different tools for different jobs. Scout is the assessment specialist: point-in-time, offline report, client deliverable, full config context. Prowler is the operations specialist: continuous, structured output, CI-integrated, deep checks. A mature cloud security program uses both — Scout during audits, Prowler between audits.


Diagram 3 — The Offline HTML Report (Why It Is the Defining Property)

flowchart TB
    SCAN[scout aws --report] --> COLLECT[enumerate + collect full config]
    COLLECT --> EVALUATE[run ruleset → findings + severity]
    EVALUATE --> GENERATE[render single HTML file<br/>embedded JS · no server]
    GENERATE --> FILE[(report.html<br/>self-contained)]
    FILE --> PORTABLE[Portable: works anywhere, no server]
    FILE --> ARCHIVABLE[Archivable: snapshot viewable years later]
    FILE --> DELIVERABLE[Client deliverable: single file, no portal/account]
    FILE --> RISK[Risk: full cloud config in one exfiltrable file]

    style FILE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style PORTABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style ARCHIVABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style DELIVERABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style RISK fill:#2a0d0d,stroke:#5eead4,color:#f08080

Reading: The offline HTML report is Scout Suite's defining property and its three advantages (portable, archivable, client-deliverable) all stem from one decision: self-contained, no server. But the same property creates the risk (red): the report contains full cloud configuration in a single, easily-exfiltrated file. Govern the report file with the same care as the credentials that produced it.


Diagram 4 — When to Reach for Which Tool (Scout vs Prowler vs SDD-06)

flowchart TB
    START([cloud security question]) --> Q1{continuous monitoring<br/>or point-in-time assessment?}
    Q1 -->|continuous| PROWLER[Prowler (SDD-04)<br/>CSPM · CI gate · SIEM feed]
    Q1 -->|point-in-time / audit| Q2{need a client report<br/>or escalation paths?}
    Q2 -->|client report| SCOUT[Scout Suite (SDD-05)<br/>offline HTML · full config · deliverable]
    Q2 -->|escalation paths| SDD06[Attack-Path Tools (SDD-06)<br/>pmapper · BloodHound · graph traversal]

    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SCOUT fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SDD06 fill:#0d1b2a,stroke:#5eead4,color:#5eead4

Reading: The decision tree for cloud security tooling. Continuous monitoring → Prowler. Point-in-time audit needing a client report → Scout Suite. Privilege-escalation path analysis → SDD-06 graph tools. They answer different questions; a mature program has all three.

# Diagrams — SDD-05: Scout Suite

---

## Diagram 1 — Scout Suite's Assessment Architecture

```mermaid
flowchart TB
    CREDS([cloud credentials]) --> PROVIDERS
    subgraph PROVIDERS["Per-Cloud Providers"]
        AWS[AWS]
        AZURE[Azure]
        GCP[GCP]
        ALI[Alibaba Cloud]
        OCI[OCI]
    end
    PROVIDERS --> COLLECTOR[Configuration Collector<br/>per-service: EC2, S3, IAM, network, ...<br/>collects FULL config, not just findings]
    COLLECTOR --> RULES[Rules Engine<br/>per-service rules → findings + severity]
    RULES --> REPORT[Report Generator]
    REPORT --> HTML[(Single Offline HTML Report<br/>self-contained · no server · embedded JS navigation)]

    style COLLECTOR fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style HTML fill:#1a1015,stroke:#5eead4,color:#e4e4e8
```

**Reading**: Scout Suite's architecture is assessment-focused. Per-cloud providers enumerate configuration. The collector gathers FULL config (not just pass/fail) — the security group rules, the IAM policies, the bucket configs. The rules engine evaluates. The report generator produces a single offline HTML file. The defining property is the last box: a self-contained report with no server, viewable in any browser, years later.

---

## Diagram 2 — Scout Suite vs Prowler (Assessment vs Operations)

```mermaid
flowchart LR
    subgraph SCOUT["Scout Suite — Assessment"]
        S1[Point-in-time snapshot]
        S2[Single offline HTML report]
        S3[Full config collection]
        S4[Client deliverable]
        S5[No CI integration]
        S6[GPL-2.0]
    end
    subgraph PROWLER["Prowler — Operations"]
        P1[Continuous monitoring]
        P2[Structured findings (OCSF/ASFF)]
        P3[600+ checks]
        P4[SIEM / ticketing integration]
        P5[GitHub Action CI gate]
        P6[Apache-2.0]
    end
    SCOUT -.complementary: assessment + operations.-> PROWLER

    style SCOUT fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: Scout Suite and Prowler are different tools for different jobs. Scout is the assessment specialist: point-in-time, offline report, client deliverable, full config context. Prowler is the operations specialist: continuous, structured output, CI-integrated, deep checks. A mature cloud security program uses both — Scout during audits, Prowler between audits.

---

## Diagram 3 — The Offline HTML Report (Why It Is the Defining Property)

```mermaid
flowchart TB
    SCAN[scout aws --report] --> COLLECT[enumerate + collect full config]
    COLLECT --> EVALUATE[run ruleset → findings + severity]
    EVALUATE --> GENERATE[render single HTML file<br/>embedded JS · no server]
    GENERATE --> FILE[(report.html<br/>self-contained)]
    FILE --> PORTABLE[Portable: works anywhere, no server]
    FILE --> ARCHIVABLE[Archivable: snapshot viewable years later]
    FILE --> DELIVERABLE[Client deliverable: single file, no portal/account]
    FILE --> RISK[Risk: full cloud config in one exfiltrable file]

    style FILE fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style PORTABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style ARCHIVABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style DELIVERABLE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style RISK fill:#2a0d0d,stroke:#5eead4,color:#f08080
```

**Reading**: The offline HTML report is Scout Suite's defining property and its three advantages (portable, archivable, client-deliverable) all stem from one decision: self-contained, no server. But the same property creates the risk (red): the report contains full cloud configuration in a single, easily-exfiltrated file. Govern the report file with the same care as the credentials that produced it.

---

## Diagram 4 — When to Reach for Which Tool (Scout vs Prowler vs SDD-06)

```mermaid
flowchart TB
    START([cloud security question]) --> Q1{continuous monitoring<br/>or point-in-time assessment?}
    Q1 -->|continuous| PROWLER[Prowler (SDD-04)<br/>CSPM · CI gate · SIEM feed]
    Q1 -->|point-in-time / audit| Q2{need a client report<br/>or escalation paths?}
    Q2 -->|client report| SCOUT[Scout Suite (SDD-05)<br/>offline HTML · full config · deliverable]
    Q2 -->|escalation paths| SDD06[Attack-Path Tools (SDD-06)<br/>pmapper · BloodHound · graph traversal]

    style PROWLER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SCOUT fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style SDD06 fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: The decision tree for cloud security tooling. Continuous monitoring → Prowler. Point-in-time audit needing a client report → Scout Suite. Privilege-escalation path analysis → SDD-06 graph tools. They answer different questions; a mature program has all three.