CloudBoosterDocs

`cbx audit` failures

Errors running cbx audit aws: LLM preflight, rule-pack resolution, AWS permissions, discovery integrity, CI integration.


cbx audit aws is the only audit subcommand. It reads your live AWS account through the SDK, grounds every finding in CloudBooster's curated AWS knowledge and rule pack, and runs a local LLM CLI (claude -p by default, or codex exec via --llm-executor codex) to produce cited findings. Most failures fall into four buckets: the LLM preflight, rule-pack resolution, AWS auth/permissions, and discovery integrity.

E_LLM_PREFLIGHT: the grounding LLM isn't ready

Before it touches AWS, cbx audit aws probes the LLM executor it will use to ground findings. If that probe fails, the command aborts early with E_LLM_PREFLIGHT, before any AWS spend.

Error: E_LLM_PREFLIGHT: llm executor "claude-code" is not ready

Common causes and fixes:

Cause                        Fix
The CLI isn't on PATH        Install claude (or codex) and make sure it's reachable. The executor binary must be on PATH.
Bad or missing auth          Re-authenticate the executor: cbx llm api login claude (or cbx llm api login codex).
Revoked / unavailable model  Clear the pin or set a valid one with cbx llm model <provider> <model>, or pass --llm-model <model> for a single run.
Usage / rate limits hit      Wait for the limit to reset, or switch executors with --llm-executor codex.

Verify a local executor directly before re-running the audit:

cbx llm cli test claude-code
# or:
cbx llm cli test codex

If cbx llm cli test passes but the audit still fails preflight, you likely pinned a model the executor can't serve — drop --llm-model or fix the stored model with cbx llm model.

Rule-pack resolution failure

Every cbx audit aws run grounds findings in CloudBooster's AWS rule pack. The CLI resolves it in order: an explicit override (CBX_AUDIT_RULES_FILE), then the rule-pack registry over the CB knowledge API, then the local cache at ~/.cache/cbx/rulepack/. If the registry is unreachable and the cache is cold and no override is set, the audit aborts before any AWS spend.

Error: could not resolve AWS rule pack (registry unreachable, cache empty)

Fix: run the audit once while online — a single successful run populates ~/.cache/cbx/rulepack/, after which audits work offline against the cached pack. To run fully offline or in an air-gapped environment, point at a local copy:

export CBX_AUDIT_RULES_FILE=/path/to/rulepack.json
cbx audit aws --region eu-west-1

To pin a specific rule-pack version (for reproducible CI), use --rulepack-version or CBX_RULEPACK_VERSION:

cbx audit aws --region eu-west-1 --rulepack-version 2026.06.1

AWS auth and permission errors

The audit reads live AWS via the SDK, so it needs working credentials and read permissions for the services it discovers.

Error: no AWS credentials found

Use your normal AWS credential resolution (environment, shared config, SSO), or point at a specific file:

cbx audit aws --region eu-west-1 --credentials-file ~/.aws/staging-creds

When a describe-* call is denied, the finding set will carry permission errors instead of results. Run with --diagnose to get a recommended least-privilege IAM policy covering everything the audit tried to read:

cbx audit aws --region eu-west-1 --diagnose

Attach the emitted policy to the principal you're auditing with, then re-run.

Discovery-integrity warnings

When discovery is partial — a region times out, a service throttles, or a paginated list is cut short — the audit reports discovery-integrity warnings alongside its findings. By default the audit still completes and reports what it found. If you need a clean, complete discovery (for example in CI, where a partial scan shouldn't pass), use --strict to make those warnings fail the run:

cbx audit aws --region eu-west-1 --strict

Throttling is the usual trigger. Lower the AWS-side concurrency so large accounts don't hit rate limits:

cbx audit aws --region eu-west-1 --aws-concurrency 4

Scope to specific regions (repeatable, or all) to shrink the blast radius:

cbx audit aws --region eu-west-1 --region eu-central-1
cbx audit aws --region all

CI integration

For machine-readable output in CI, use the global --json (or -o json) flag. Findings are wrapped in the standard envelope, and a non-zero exit signals findings at or above the severity threshold.

cbx audit aws --region eu-west-1 -o json

Two things break CI runs most often:

  • LLM preflight in headless runners — the grounding CLI (claude/codex) must be installed and authenticated on the runner. A failed preflight exits non-zero with E_LLM_PREFLIGHT. Test it with cbx llm cli test claude-code as a setup step.
  • Cold rule-pack cache + no network — if the runner can't reach the registry and has no cache, resolution fails. Bake CBX_AUDIT_RULES_FILE (or warm the cache) into the runner image, and pin --rulepack-version so results are reproducible across runs.

Add --no-tui to disable the interactive TUI in non-interactive environments.
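As an added example (not from the CloudBooster docs), a POSIX sh CI setup step that checks both of these breakages before the audit runs and then composes the strict, non-interactive JSON invocation; the environment variables CBX_EXECUTOR, CBX_RULEPACK_CACHE and CBX_CI_STEP and the function names are this script's own assumptions, not cbx options:

```shell
# Added example, not from the cbx docs: a CI setup step that fails fast on the
# two breakages above before any AWS spend. Names here are the script's own.
set -eu

# Map the cbx executor name to the binary that must be on PATH.
executor_binary() {
  case "$1" in
    claude-code) echo claude ;;
    codex)       echo codex ;;
    *)           return 1 ;;
  esac
}

# Rule-pack source on an offline runner: "override" (CBX_AUDIT_RULES_FILE set and
# readable), "cache" (warm cache dir) or "none". $1 = override path, $2 = cache dir.
rulepack_source() {
  if [ -n "$1" ]; then
    if [ -r "$1" ]; then echo override; else echo none; fi
  elif [ -d "$2" ] && [ -n "$(ls -A "$2" 2>/dev/null)" ]; then
    echo cache
  else
    echo none
  fi
}

# Compose the CI audit command: strict discovery, no TUI, JSON envelope and a
# pinned rule-pack version. $1 = region, $2 = rule-pack version (may be empty).
audit_cmd() {
  cmd="cbx audit aws --region $1 --strict --no-tui -o json"
  if [ -n "$2" ]; then cmd="$cmd --rulepack-version $2"; fi
  echo "$cmd"
}

# Fail with a specific message instead of letting the audit hit E_LLM_PREFLIGHT or
# a rule-pack resolution error. $1 = executor, $2 = override path, $3 = cache dir.
ci_preflight() {
  bin=$(executor_binary "$1") || { echo "unknown executor: $1" >&2; return 1; }
  command -v "$bin" >/dev/null 2>&1 || { echo "$bin not on PATH" >&2; return 1; }
  [ "$(rulepack_source "$2" "$3")" != none ] ||
    { echo "no rule pack: set CBX_AUDIT_RULES_FILE or warm $3" >&2; return 1; }
}

# Only invoke cbx when run as the real CI step (CBX_CI_STEP=1); the functions
# above are safe to source elsewhere, e.g. for a test harness.
if [ "${CBX_CI_STEP:-0}" = 1 ]; then
  ci_preflight "${CBX_EXECUTOR:-claude-code}" "${CBX_AUDIT_RULES_FILE:-}" \
    "${CBX_RULEPACK_CACHE:-${HOME:-}/.cache/cbx/rulepack}"
  cbx llm cli test "${CBX_EXECUTOR:-claude-code}"
  $(audit_cmd "${AWS_REGION:-eu-west-1}" "${CBX_RULEPACK_VERSION:-}")
fi
```

Run it with CBX_CI_STEP=1 as the step before the audit; the preflight message names which of the two conditions is missing, so the runner image can be fixed without reading an E_LLM_PREFLIGHT or rule-pack error out of the audit log.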
