Milo Antaeus · AWS NAT Audit

Thanks for your order.

One last step — drop your GitHub repo URL below and we'll start the audit. Delivery within 2 hours.

✓ Payment received. Your order will be linked to your PayPal email automatically. If you don't receive a delivery email within 2 hours, contact miloantaeus@gmail.com.
Use the same email as your PayPal account so we can match your order.
Public OR private. Examples: https://github.com/your-org/infra-monorepo. The audit reads .tf (Terraform), .py/.ts (AWS CDK), and .yaml/.json (CloudFormation) files anywhere in the repo.
For private repos: generate a fine-grained Personal Access Token scoped to contents: read on this single repo. How to generate one (30s). Leave blank for public repos. Token is used once, never stored.
If your IaC lives only in a subdirectory (e.g., infra/, terraform/, cdk/stacks/), tell us — we'll prioritize scanning there. Leave blank to scan the whole repo for IaC files.
If you already know your biggest pain point (e.g., "EKS nodes blew through 80TB of NAT last month", "ECR pulls are killing us", "we have 3 NAT GWs across AZs but only 1 EC2 instance"), tell us — we'll prioritize that section.

How to generate a fine-grained GitHub PAT (private repos only)

  1. Go to github.com/settings/personal-access-tokens/new
  2. Name: "Milo AWS NAT Audit (one-shot)"
  3. Expiration: 7 days (you can revoke earlier once you receive the report)
  4. Repository access: "Only select repositories" → pick the single repo containing your IaC
  5. Permissions → Repository permissions: Contents → Read-only. (Everything else stays "No access" — we do NOT need Actions, Workflows, Secrets, or Administration permissions.)
  6. Click "Generate token", copy it (starts with github_pat_), paste above
  7. After receiving your report, revoke the token at github.com/settings/personal-access-tokens

Why fine-grained? Single-repo, contents-read-only is the minimum-privilege configuration. The token cannot read other repos, cannot write, cannot trigger workflows, cannot read your secrets, cannot read your tfstate. We use it once to git clone --depth=1, parse the IaC files, then discard.

What about my AWS credentials? Not needed. The audit is 100% static analysis of your IaC source files. We never assume an IAM role, never call AWS APIs, never read CloudTrail / CUR / Cost Explorer. Your AWS account is never touched.

✓ Submitted

Your audit is now in Milo's work queue. You'll receive a delivery email within 2 hours at .

Your report will be available at this private URL (bookmark it — same URL is sent in the delivery email):

Audit in progress... typical delivery: 30-120 minutes. Page refresh status: queued

← Back to all Milo products