Awesome list for cloud (mostly AWS at the moment), security, pentesting related projects and libraries.
NOTE: This isn't an endorsement of any of these projects. I'm mostly using this as a way to keep track of interesting projects I come across.
- aws_exposable_resources -- Resource types that can be publicly exposed on AWS
- aws_managed_policies -- Monitor changes to AWS managed IAM policies (MAMIP).
- Security Tool Comparison -- Comparisons between various security tools.
- aws-public-account-ids -- Publicly-listed AWS account IDs for easy lookup. Great for cleaning up false positives from unknown account IDs in CloudTrail.
- pacu -- The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
- liquidswards -- Discover and maintain access to IAM roles.
- aws_pwn -- A collection of AWS penetration testing junk.
- IAMFinder -- Enumerates and finds users and IAM roles in a target AWS account.
- enumerate-iam -- Brute force enumeration of permissions associated with AWS credential set.
- endgame -- An AWS Pentesting tool that lets you use one-liner commands to backdoor an AWS account's resources with a rogue AWS account - or share the resources with the entire internet 😈
- WeirdAAL -- AWS Attack Library.
- marionett -- Example of how an attacker might swap user data temporarily to execute arbitrary commands.
- terraformer -- CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
- former2 -- Generate CloudFormation / Terraform / Troposphere templates from your existing AWS resources.
- coldsnap -- A command line interface for Amazon EBS snapshots
- lsh -- Run interactive shell commands on AWS Lambda
- dsnap -- Utility for downloading and mounting EBS snapshots using the EBS Direct APIs.
- cognitocurl -- 🦉🤖Easily sign curl calls to API Gateway with Cognito authorization token.
- Offline Web Consoles
- ScoutSuite -- Multi-Cloud Security Auditing Tool
- Resource analysis
- awspx -- Graph-based tool for visualizing effective access and resource relationships.
- PMapper -- A tool for quickly evaluating IAM permissions in AWS.
- aws_public_ips -- Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services
- Fork that handles multiple regions: https://github.com/breser/aws_public_ips
- steampipe -- The extensible SQL interface to your favorite cloud APIs.
- introspector -- A schema and set of tools for using SQL to query cloud infrastructure
- cartography -- Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
- cloudquery -- cloudquery transforms your cloud infrastructure into SQL or Graph database for easy monitoring, governance and security.
- cloudsplaining -- Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
- cloudiscovery -- Discover resources in the cloud environment.
- cloudmapper -- Analyze your Amazon Web Services (AWS) environments
- Note: Takes advantage of existing botocore definitions for discovery.
- hammer -- Dow Jones Hammer: protect the cloud with the power of the cloud (AWS).
- cloudscout -- Identify and visualize cross platform attack paths, vulnerabilities, and enhance overall resilience.
- parliament -- AWS IAM linting library
- rpCheckup -- rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.
- prowler -- Best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
- AWS Config -- Lambdas that analyze resource state and changes, primarily in AWS but extensible.
- cloudsploit -- Cloud Security Posture Management (CSPM)
- smogcloud -- Find cloud assets that no one wants exposed 🔎 ☁️
- policy_sentry -- IAM Least Privilege Policy Generator.
- repokid -- IAM least privilege service
- cloudtracker -- Finds over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
- iamlive -- Generate a basic IAM policy from AWS client-side monitoring (CSM)
- aws-leastprivilege -- Generates an IAM policy for the CloudFormation service role that adheres to least privilege.
- cloudjack -- Route53/CloudFront Vulnerability Assessment Utility
- cloudgoat -- CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool
- terragoat -- TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository.
- shimit -- A tool that implements the Golden SAML attack
- subfinder -- Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
- ctfr -- Abusing Certificate Transparency logs for getting HTTPS websites subdomains.
- subdover -- Subdover is a multithreaded subdomain takeover vulnerability scanner written in Python 3.
- cloudjack -- Route53/CloudFront Vulnerability Assessment Utility
- can-i-take-over-xyz -- "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
- takeover -- Sub-Domain TakeOver Vulnerability Scanner
- SubOver -- A Powerful Subdomain Takeover Tool
- cheatsheet
- kube-hunter -- Hunt for security weaknesses in Kubernetes clusters
- kubeaudit -- kubeaudit helps you audit your Kubernetes clusters against common security controls
- kubiscan -- A tool to scan Kubernetes cluster for risky permissions
- kubesploit -- Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
- kubernetes-rbac-audit -- Tool for auditing RBACs in Kubernetes
- peirates -- Kubernetes penetration testing tool.
- cheatsheet -- Kubernetes Cheat Sheet – 15 Kubectl Commands & Objects
- pydevops -- GCP gcloud cheat sheet.
- GCP-IAM-Privilege-Escalation -- A collection of GCP IAM privilege escalation methods documented by the Rhino Security Labs team.
- ScoutSuite -- Multi-Cloud Security Auditing Tool
- terraformer -- CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
- gcp_enum -- A simple bash script to enumerate Google Cloud Platform environments.
- gcp_misc -- Miscellaneous tools related to attack operations in Google Cloud Platform.
- gcp_firewall_enum -- Parse gcloud output to enumerate compute instances with network ports exposed to the Internet. Generates targeted nmap and masscan scripts based on the results.
- gcp_k8s_enum -- Enumerate services exposed via GKE.
- CRT -- Queries Azure AD/O365 tenant configurations that can shed light on hard-to-find permissions and settings, to assist organizations in securing these environments.
- security-cloud-scout -- Cross-Cloud AWS/Azure
- How to build a purple teaming lab on Azure with Terraform.
- ScoutSuite -- Multi-Cloud Security Auditing Tool
- DumpsterDiver -- Tool to search secrets in various filetypes.
- ebs-direct-sec-tools -- Uses EBS Direct API to scan blocks for secrets
- Terraform Static Analysis
- checkov -- Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
- terrascan
- Related: KaiMonkey
- tfsec -- Security scanner for your Terraform code
- kics -- Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
- AirIAM -- Least privilege AWS IAM Terraformer.
- terraform_aws_scp -- AWS Organizations Service Control Policies (SCPs) for Terraform.
- terraformer -- CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
- deepce -- Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE).
- ccat -- Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
- trivy -- Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
- opa -- An open source, general-purpose policy engine.
- fregot -- Alternative REPL to OPA's built-in interpreter.
- policy-hub-cli -- CLI for searching Rego policies
- conftest -- Write tests against structured configuration data using the Open Policy Agent Rego query language
- website-openid-proxy -- This service provides authenticated access to a static website hosted in an s3 bucket.
- Config Conformance Packs
- detect-secrets -- An enterprise friendly way of detecting and preventing secrets in code.
- proxify -- Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.
- CloudFail -- Utilize misconfigured DNS and old database records to find hidden IPs behind the Cloudflare network.
- chalice -- Python Serverless Microframework for AWS
- placebo -- Make boto3 calls that look real but have no effect.
- serverlessish -- Run the same Docker images in AWS Lambda and AWS ECS
- BloodHound -- Six Degrees of Domain Admin
- ProcMon-for-Linux -- Procmon is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.
- exec-template -- Super simple Go templater.
- leapp -- Potential alternative to aws-vault