Awesome Cloud Security
Awesome Cloud Security is a project that collects high-quality resources discovered during cloud computing security research. Contributions and additions of cloud security resources are welcome.
1 Cloud Computing Reference Architecture 📚
2 Cloud Security Guidance 📚
2.1 Compliances
2.2 Standards and Benchmarks
- NIST.SP.800-190 Application Container Security Guide (2017-09-25)
- NIST.IR.8176 Security Assurance Requirements for Linux Application Container Deployments (2017-10)
- OWASP Container Security Verification Standard
- CIS Kubernetes Benchmark
- CIS Docker Benchmark
- NIST.SP.800-204 Security Strategies for Microservices-based Application Systems (2019-08)
- Tencent Cloud Security White Paper
- Alibaba Cloud Security White Paper
- Huawei Cloud Security White Paper
- Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
- AWS Security Maturity Roadmap
- CLOUD NATIVE SECURITY Your Guide to Containers / Kubernetes Security
2.3 Threat Modeling
2.4 Top Cloud Security Risks
2.5 Security Practices
- Using ATT&CK for Containers to Level Up your Cloud Defenses
- Cloud Penetration Testing Playbook
- A Penetration Tester’s Guide to the Azure Cloud
- Are You Sure Your AWS Cloud Is Secure?
- HackingTheClouds
- Cloud Attack and Defense in Practice (Red Teaming for Cloud)
- A Few Notes on Cloud Attack and Defense (Continued)
3 Cloud Security Report 📚
4 Cloud Management Panel 📚
4.1 API
- APISIX CVE-2022-29266 Vulnerability Analysis and Reproduction
- Using Tencent Cloud API Gateway to Protect API Security
- Thoughts on API Business Security in Cloud-Native Environments
- API Security Protection Solutions Under Cloud-Native Architecture
- Security Changes in the API Economy
- Best practices for securing your applications and APIs using Apigee
- Escalating AWS IAM Privileges with an Undocumented CodeStar API
4.2 IAM
- Security Best Practices in IAM
- 6 Big AWS IAM Vulnerabilities – and How to Avoid Them
- AWS ELB, VPC and IAM Service Attack and Defense
- How to Use Cliam to Enumerate IAM Permissions in Cloud Environments
- Cloudsplaining: A Security Audit and Assessment Tool for AWS IAM
- How to Use Red-Shadow to Scan for Security Vulnerabilities in AWS IAM
- A Security Assessment Tool for IAM Privilege Escalation Vulnerabilities in AWS Environments
- IAM Your Defense Against Cloud Threats: The Latest Unit 42 Cloud Threat Research
- Exploiting, detecting, and correcting IAM security misconfigurations
- Privilege Escalation in Google Cloud Platform – Part 1 (IAM)
- AWS IAM Privilege Escalation
- Summary of Unified Authentication Risks Under Microservices
- Microsoft fixes critical Azure bug that exposed customer data
- VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive
- Viewing Your Own Permissions in AWS
- Working-As-Intended: RCE to IAM Privilege Escalation in GCP Cloud Build
4.3 Security Service
- Encryption in the Cloud: Managing Certificates and Keys in AWS
- CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response
4.4 Log and Audit
5 Cloud Service Panel 📚
5.1 IaaS
5.1.1 Compute
- AWS EC2 Elastic Compute Service Attack and Defense
- Alibaba Cloud ECS Attack and Defense
- Tencent Cloud Server Attack and Defense (CVM + Lightweight Application Server)
- Huawei Cloud ECS Elastic Cloud Server Attack and Defense
- Google Cloud Compute Engine Attack and Defense
- Microsoft Cloud VM Attack and Defense
- A Brief Discussion of Cloud Attack and Defense: the Cloud Server Attack and Defense Matrix
- Huawei Cloud CTF "cloud" Unintended Solution: k8s Penetration in Practice
- From a Cloud Server SSRF Vulnerability to Taking Over Your Alibaba Cloud Console
5.1.2 Storage
5.1.3 Network
5.2 PaaS
- AWS RDS Vulnerability Leads to AWS Internal Service Credentials
- Hunting AWS RDS security events with Sysdig
- Weaponizing AWS ECS Task Definitions to Steal Credentials From Running Containers
- Pillaging AWS ECS Task Definitions for Hardcoded Secrets
- Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT)
5.3 SaaS
- Exploiting ELK in Penetration Testing and an Analysis of Its Secure Configuration
- Cloud Penetration: RDS Database Attack and Defense
- Huawei Cloud RDS Cloud Database Attack and Defense
- Database in the Cloud? Attack and Defense Techniques for AWS Cloud Databases
- Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
- Redis CSRF Vulnerability Analysis and Security Measures for Cloud Database Redis Edition
6 Cloud Infrastructure Panel 📚
6.1 Docker & Kubernetes
- Cloud-Native Container Security Practices
- Docker Container Security Best Practices White Paper
- Kubernetes threat landscape
- k0otkit: A Universal Post-Exploitation Control Technique for K8s Clusters
- Hacking Kubernetes
- k8s-threat-model
- A Record of Cloud-Native Vulnerability Discovery and Exploitation in Red/Blue Team Exercises
7 CSP Security 📚
7.1 AWS
- Overview of AWS Security
- AWS-IAM-Privilege-Escalation by RhinoSecurityLabs
- MITRE ATT&CK Matrices of AWS
- AWS security workshops
- ThreatModel for Amazon S3
7.2 Azure
- Overview of Azure Security
- Azure security fundamentals
- MicroBurst by NetSPI
- MITRE ATT&CK Matrices of Azure
- Azure security center workflow automation
7.3 GCP
- Overview of GCP Security
- GKE security scenarios demo
- MITRE ATT&CK Matrices of GCP
- Security response automation
7.4 Others
- Cloud Security Research by RhinoSecurityLabs
- CSA cloud security guidance v4
- Appsecco provides training
- Cloud Risk Encyclopedia by Orca Security: 900+ documented cloud security risks, with ability to filter by cloud vendor, compliance framework, risk category, and criticality.
8 Tools 🛠️
8.1 Infrastructure Tools
- cloud_enum: Multi-cloud OSINT tool. Enumerates public resources in AWS, Azure and Google Cloud.
- nuvola: A powerful automated security analysis tool for AWS environments. It dumps data from an AWS environment using simple, predefined, extensible custom rules written in YAML, and performs automated/manual security analysis of the environment's configuration and services.
- aws_pwn: A collection of AWS penetration testing junk
- aws_ir: Python installable command line utility for mitigation of instance and key compromises.
- aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.
- aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
- awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
- azucar: A security auditing tool for Azure environments
- checkov: A static code analysis tool for infrastructure-as-code.
- cloud-forensics-utils: A python lib for DF & IR on the cloud.
- Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.
- cloudlist: Listing Assets from multiple Cloud Providers.
- Cloud Sniper: A platform designed to manage Cloud Security Operations.
- Cloudmapper: Analyze your AWS environments.
- Cloudmarker: A cloud monitoring tool and framework.
- Cloudsploit: Cloud security configuration checks.
- CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.
- Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
- consoleme: A Central Control Plane for AWS Permissions and Access
- cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
- Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
- dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.
- diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
- ElectricEye: Continuously monitor AWS services for configurations.
- Forseti security: GCP inventory monitoring and policy enforcement tool.
- Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
- kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
- Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
- Open policy agent: Policy-based control tool.
- pacbot: Policy as Code Bot.
- pacu: The AWS exploitation framework.
- Prowler: Command line tool for AWS security best practices assessment, auditing, hardening and forensics readiness.
- ScoutSuite: Multi-cloud security auditing tool.
- Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
- Smogcloud: Find cloud assets that no one wants exposed.
- Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.
- Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- tfsec: Static analysis powered security scanner for Terraform code.
- Zeus: AWS Auditing & Hardening Tool.
8.2 Container Tools
- [CDK](https://github.com/cdk-team/CDK/wiki/CDK-Home-CN): CDK is a penetration testing tool tailored for container environments. It provides zero-dependency common commands and PoC/EXP inside an already compromised container, integrates escape, lateral movement and persistence techniques specific to Docker/K8s scenarios, and is managed through plugins.
- ScoutSuite: Cloud security auditing tool, with Kubernetes support added.
- [Kubeeye](https://github.com/kubesphere/kubeeye): Open-source Kubernetes security tool.
- auditkube: Audit for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
- Falco: Container runtime security.
- mkit: Managed kubernetes inspection tool.
- Open policy agent: Policy-based control tool.
8.3 SaaS Tools
- [S3cret Scanner](https://github.com/Eilonh/s3crets_scanner): Secret scanner for public S3 buckets.
- aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.
- binaryalert: Serverless S3 yara scanner.
- cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
- Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.
- Function Shield: Protection/detection library for AWS Lambda and GCP Cloud Functions.
- FestIN: S3 bucket finder and content discovery.
- GCPBucketBrute: A script to enumerate Google Storage buckets.
- IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.
- Lambda Guard: AWS Lambda auditing tool.
- Policy Sentry: IAM Least Privilege Policy Generator.
- S3 Inspector: Tool to check AWS S3 bucket permissions.
- Serverless Goat: A serverless application demonstrating common serverless security flaws.
- SkyArk: Tool that helps to discover, assess and secure the most privileged entities in Azure and AWS.
8.4 Penetration Testing Tools
- CF: CF is a cloud environment exploitation framework. It is suited to lateral movement within cloud intranets in red team scenarios, assessing the impact of a leaked Access Key (access credential) in SRC (vulnerability disclosure) scenarios, self-inspection of one's own cloud assets in enterprise scenarios, and more.
- [trufflehog](https://github.com/trufflesecurity/trufflehog): trufflehog helps developers detect whether projects they have published on GitHub have accidentally leaked any secret keys. Includes 600+ credential detectors, with support for active verification against their respective APIs.
- [Packer Fuzzer](https://github.com/rtcatc/Packer-Fuzzer): A scanner for fast and efficient security testing of websites built with front-end bundlers such as Webpack.
- ccat: Cloud Container Attack Tool.
- CloudBrute: A multiple cloud enumerator.
- cloudgoat: "Vulnerable by Design" AWS deployment tool.
- Leonidas: A framework for executing attacker actions in the cloud.
- Sadcloud: Tool for spinning up insecure AWS infrastructure with Terraform.
- TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
- WrongSecrets: A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.