@0x9090
Last active November 7, 2018 19:05
AWS Security - Getting Started
This document outlines several ways to harden your AWS environment using free tools and paid services.
1. Scout2 (free) - https://github.com/nccgroup/Scout2
* Scout2 is aimed at pentesters doing one-time audits of AWS environment configuration issues. It can output a report as HTML or JSON.
2. Prowler (free) - https://github.com/toniblyx/prowler
* Checks the items from the CIS Amazon Web Services Foundations Benchmark. - https://www.cisecurity.org/benchmark/amazon_web_services/
3. CloudSploit (free/paid) - https://github.com/cloudsploit/scans
* CloudSploit is a paid service, but it has two free options: you can use their website to run a manual scan, or you can run their open-sourced engine and its rules yourself.
4. AWS Trusted Advisor (freemium) - console.aws.amazon.com/trustedadvisor/
* AWS Trusted Advisor comes free with your AWS account and provides not only security checks, but also cost optimization, performance, and fault tolerance checks.
5. AWS Config (paid) - https://aws.amazon.com/config/
* AWS Config is a recording of what is in your account over time, plus a rules engine that can evaluate these items and generate alerts via SNS.
6. AWS Guard Duty (paid) - https://aws.amazon.com/guardduty/
* Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
7. SecurityMonkey (free) - https://github.com/Netflix/security_monkey
* Security Monkey detects issues for both AWS and Google Cloud Platform (GCP). It is expected to be deployed as an entire EC2 instance and needs a PostgreSQL backend. It can repeatedly scan multiple accounts and generate alerts.
8. CloudCustodian (free) - https://github.com/capitalone/cloud-custodian
* CloudCustodian doesn't just detect issues like the other tools; it actually enforces compliance with an organization's rules. It does this via the heavy-handed method of, in some cases, simply killing anything that isn't in compliance.
For the tools that require AWS account credentials, try ReadOnly permissions first. Few of these auditing tools actually need to modify an AWS account.
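One way to verify that point before handing credentials to any of these tools, as an added example that is not part of the gist: a small Python checker that flags every Allow-ed action in an IAM policy document whose verb is not read-only. The sample policy, the function names and the read-only verb prefix list are assumptions; AWS publishes no single list of "read-only" verbs, so the prefix set is a heuristic.

```python
import json
from typing import List

# Verb prefixes that only read state (assumption: a heuristic, not an AWS list).
# Anything else (Put*, Create*, Delete*, Update*, Attach*, ...) can change the account.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup", "Query", "Scan", "Search", "View")


def is_read_only_action(action: str) -> bool:
    """True if an IAM action string can only read state.

    Wildcards pass only when the verb prefix is still read-only:
    "ec2:Describe*" passes, "ec2:*" and "*" fail.
    """
    if ":" not in action:
        return False  # bare "*" or a malformed action
    _service, verb = action.split(":", 1)
    if verb in ("", "*"):
        return False
    return verb.startswith(READ_ONLY_PREFIXES)


def find_write_grants(policy_document: dict) -> List[str]:
    """Return every Allow-ed action in the policy that is not read-only.

    Statements using NotAction are reported as write grants: they allow
    everything except the listed actions, which is never read-only.
    """
    offending = []
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove permissions
        if "NotAction" in stmt:
            offending.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offending.extend(a for a in actions if not is_read_only_action(a))
    return offending


# Constructed sample: an audit policy that accidentally includes one write action.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Get*", "iam:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for grant in find_write_grants(SAMPLE_POLICY):
        print("not read-only:", grant)  # prints: not read-only: s3:PutBucketPolicy
```

AWS also ships managed policies such as SecurityAudit and ReadOnlyAccess that are a reasonable starting point for an auditing user; run the checker over whatever policy you actually attach.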