Cloud Security Guides

Cloud Security Guides is a cloud computing security knowledge base project maintained by Tencent Security Cloud YUNDING LAB. It collects the high-quality resources, literature, typical cloud security vulnerabilities and knowledge graphs discovered during cloud security research and, using the cloud reference model architecture as its framework, classifies and organizes cloud security resources to provide a reference guide for building security capabilities on the cloud. The YUNDING LAB cloud security panorama & attack-defense matrix provided in Cloud Security Guides is a cloud knowledge graph and an abstract attack-defense model for cloud products that YUNDING LAB summarized from its cloud security research; it can guide cloud security work and support the building of security capabilities for cloud products.

1 Cloud Computing Reference Architecture 📚

2 Cloud Security Guidance 📚

2.1 Compliances

2.2 Standards and Benchmarks

2.3 Threat Modeling

2.4 Top Cloud Security Risks

2.5 Security Practices

3 Cloud Security Report 📚

4 Cloud Management Panel 📚

4.1 API

4.2 IAM

4.3 Security Service

4.4 Log and Audit

5 Cloud Service Panel 📚

5.1 IaaS

5.1.1 Compute

5.1.2 Storage

5.1.3 Network

5.2 PaaS

5.3 SaaS

6 Cloud Infrastructure Panel 📚

6.1 Docker & Kubernetes

7 CSP Security 📚

7.1 AWS

7.2 Azure

7.3 GCP

7.4 Others

8 Tools 🛠️

8.1 Infrastructure Tools

  • cloud_enum: Multi-cloud OSINT tool. Enumerates public resources in AWS, Azure and Google Cloud.
  • nuvola: A powerful automated security analysis tool for AWS environments. It uses simple, predefined and extensible custom rules written in YAML to dump various data from an AWS environment, and performs automated or manual security analysis of the environment's configuration and services.
  • aws_pwn: A collection of AWS penetration testing junk
  • aws_ir: Python installable command line utility for mitigation of instance and key compromises.
  • aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.
  • aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
  • awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
  • azucar: A security auditing tool for Azure environments
  • checkov: A static code analysis tool for infrastructure-as-code.
  • cloud-forensics-utils: A python lib for DF & IR on the cloud.
  • Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.
  • cloudlist: Listing Assets from multiple Cloud Providers.
  • Cloud Sniper: A platform designed to manage Cloud Security Operations.
  • Cloudmapper: Analyze your AWS environments.
  • Cloudmarker: A cloud monitoring tool and framework.
  • Cloudsploit: Cloud security configuration checks.
  • CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.
  • Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
  • consoleme: A Central Control Plane for AWS Permissions and Access
  • cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
  • Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for Kubernetes, virtual machines and serverless.
  • dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.
  • diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
  • ElectricEye: Continuously monitor AWS services for configurations.
  • Forseti security: GCP inventory monitoring and policy enforcement tool.
  • Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
  • kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
  • Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
  • Open policy agent: Policy-based control tool.
  • pacbot: Policy as Code Bot.
  • pacu: The AWS exploitation framework.
  • Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
  • ScoutSuite: Multi-cloud security auditing tool.
  • Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
  • SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
  • Smogcloud: Find cloud assets that no one wants exposed.
  • Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.
  • Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
  • tfsec: Static analysis powered security scanner for Terraform code.
  • Zeus: AWS Auditing & Hardening Tool.

8.2 Container Tools

8.3 SaaS Tools

  • S3cret Scanner: Scanner for secrets exposed in public storage buckets.
  • aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.
  • binaryalert: Serverless S3 yara scanner.
  • cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
  • Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.
  • Function Shield: Protection/detection library for AWS Lambda and GCP Cloud Functions.
  • FestIN: S3 bucket finder and content discoverer.
  • GCPBucketBrute: A script to enumerate Google Storage buckets.
  • IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.
  • Lambda Guard: AWS Lambda auditing tool.
  • Policy Sentry: IAM Least Privilege Policy Generator.
  • S3 Inspector: Tool to check AWS S3 bucket permissions.
  • Serverless Goat: A serverless application demonstrating common serverless security flaws.
  • SkyArk: Tool that helps discover, assess and secure the most privileged entities in Azure and AWS.

8.4 Penetration Testing Tools

  • CF: A cloud environment exploitation framework, suitable for lateral movement within cloud intranets in red team engagements, for assessing the impact of a leaked Access Key (access credential) in vulnerability disclosure (SRC) scenarios, and for self-assessment of an enterprise's own cloud assets.
  • trufflehog: Helps developers detect whether the projects they publish on GitHub have accidentally leaked secret keys. Includes more than 600 credential detectors, with support for active verification against their respective APIs.
  • Packer Fuzzer: A scanner for fast and efficient security testing of websites built with front-end bundlers such as Webpack.
  • ccat: Cloud Container Attack Tool.
  • CloudBrute: A multiple cloud enumerator.
  • cloudgoat: "Vulnerable by Design" AWS deployment tool.
  • Leonidas: A framework for executing attacker actions in the cloud.
  • Sadcloud: Tool for spinning up insecure AWS infrastructure with Terraform.
  • TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
  • WrongSecrets: A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.

9 CSP Cloud Vulnerability 📚

11 YUNDING LAB Cloud Security Panorama & Attack-Defense Matrix

