AWS security tools

aws_sec_tools.md

Defensive (Hardening, Security Assessment, Inventory)

• ScoutSuite: https://github.com/nccgroup/ScoutSuite - Multi-Cloud Security auditing tool for AWS, Google Cloud and Azure environments (Python)
• Prowler: https://github.com/toniblyx/prowler - CIS benchmarks and additional checks for security best practices in AWS (Shell Script)
• CloudSploit: https://github.com/cloudsploit/scans - AWS security scanning checks (NodeJS)
• CloudMapper: https://github.com/duo-labs/cloudmapper - helps you analyze your AWS environments (Python)
• CloudTracker: https://github.com/duo-labs/cloudtracker - helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
• AWS Security Benchmarks: https://github.com/awslabs/aws-security-benchmark - scrips and templates guidance related to the AWS CIS Foundation framework (Python)
• AWS Public IPs: https://github.com/arkadiyt/aws_public_ips - Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services (Ruby)
• PMapper: https://github.com/nccgroup/PMapper - Advanced and Automated AWS IAM Evaluation (Python)
• AWS-Inventory: https://github.com/nccgroup/aws-inventory - Make a inventory of all your resources across regions (Python)
• Resource Counter: https://github.com/disruptops/resource-counter - Counts number of resources in categories across regions
• ICE: https://github.com/Teevity/ice - Ice provides insights from a usage and cost perspective, with high detail dashboards.
• SkyArk: https://github.com/cyberark/SkyArk - SkyArk provides advanced discovery and security assessment for the most privileged entities in the tested AWS.
• Trailblazer AWS: https://github.com/willbengtson/trailblazer-aws - Trailblazer AWS, determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
• Lunar: https://github.com/lateralblast/lunar - Security auditing tool based on several security frameworks (it does some AWS checks)
• Cloud-reports: https://github.com/tensult/cloud-reports - Scans your AWS cloud resources and generates reports
• Pacbot: https://github.com/tmobile/pacbot - Platform for continuous compliance monitoring, compliance reporting and security automation for the cloud
• cs-suite: https://github.com/SecurityFTW/cs-suite - Integrates tools like Scout2 and Prowler among others
• aws-key-disabler: https://github.com/te-papa/aws-key-disabler - A small lambda script that will disable access keys older than a given amount of days
• Antiope: https://github.com/turnerlabs/antiope/ - AWS Inventory and Compliance Framework
• FunctionShield: https://www.puresec.io/function-shield A free AWS Lambda security library for developers, providing runtime protection such as: outbound network blocking, disable shell processes, /tmp/ disk I/O operations and prevents leakage of the handler's source code.
• Cloud Reports: https://github.com/tensult/cloud-reports Scans your AWS cloud resources and generates reports, includes security best practices.
• Terraform AWS Secure Baseline: https://github.com/nozaq/terraform-aws-secure-baseline Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations.
• Cartography: https://github.com/lyft/cartography - Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
• TrailScraper: https://github.com/flosell/trailscraper - A command-line tool to get valuable information out of AWS CloudTrail
• LambdaGuard: https://github.com/Skyscanner/LambdaGuard - An AWS Lambda auditing tool designed to create asset visibility and provide actionable results.
• Komiser: https://github.com/mlabouardy/komiser - Cloud Environment Inspector, nalyze and manage cloud cost, usage, security, and governance in one place.
• Perimeterator: https://github.com/darkarnium/perimeterator - AWS perimeter monitoring: Periodically scan internet facing AWS resources to detect misconfigured services
• PolicySentry: https://github.com/salesforce/policy_sentry - IAM Least Privilege Policy Generator, auditor, and analysis database.
• Zeus: https://github.com/DenizParlak/Zeus - AWS Auditing & Hardening Tool

Offensive:

• weirdALL: https://github.com/carnal0wnage/weirdAAL - AWS Attack Library
• Pacu: https://github.com/RhinoSecurityLabs/pacu - AWS penetration testing toolkit
• Cred Scanner: https://github.com/disruptops/cred_scanner
• AWS PWN: https://github.com/dagrz/aws_pwn
• Cloudfrunt: https://github.com/MindPointGroup/cloudfrunt
• Cloudjack: https://github.com/prevade/cloudjack
• Nimbostratus: https://github.com/andresriancho/nimbostratus
• GitLeaks: https://github.com/zricethezav/gitleaks - Audit git repos for secrets
• TruffleHog: https://github.com/dxa4481/truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
• DumpsterDiver: https://github.com/securing/DumpsterDiver - Tool to search secrets in various filetypes, like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords.
• Mad-King: https://github.com/ThreatResponse/mad-king - Proof of Concept Zappa Based AWS Persistence and Attack Platform
• Cloud-Nuke: https://github.com/gruntwork-io/cloud-nuke - A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
• MozDef: The Mozilla Defense Platform https://github.com/mozilla/MozDef - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
• Lambdashell: http://www.lambdashell.com/ - This is a simple AWS lambda function that does a straight exec. Essentially giving you a shell directly in my AWS infrastructure to just run your commands.
• Lambda-Proxy: [https://github.com/puresec/lambda-proxy/] - A bridge between SQLMap and AWS Lambda, which lets you use SQLMap to natively test AWS Lambda functions for SQL Injection vulnerabilities.
• CloudCopy: https://github.com/Static-Flow/CloudCopy - Cloud version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission
• enumerate-iam: https://github.com/andresriancho/enumerate-iam - Enumerate the permissions associated with AWS credential set
• Barq: https://github.com/Voulnet/barq - A post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure

Continuous Security Auditing:

• Security Monkey: https://github.com/Netflix/security_monkey
• Krampus (as Security Monkey complement) https://github.com/sendgrid/krampus
• Cloud Inquisitor: https://github.com/RiotGames/cloud-inquisitor
• CloudCustodian: https://github.com/capitalone/cloud-custodian
• Disable keys after X days: https://github.com/te-papa/aws-key-disabler
• Repokid Least Privilege: https://github.com/Netflix/repokid
• Wazuh CloudTrail module: https://documentation.wazuh.com/current/amazon/index.html
• Hammer: https://github.com/dowjones/hammer
• Streamalert: https://github.com/airbnb/streamalert
• Billing Alerts CFN templates: https://github.com/btkrausen/AWS/tree/master/CloudFormation/Billing%20Alerts
• Watchmen: https://github.com/iagcl/watchmen - AWS account compliance using centrally managed Config Rules

DFIR:

• AWS IR: https://github.com/ThreatResponse/aws_ir - AWS specific Incident Response and Forensics Tool
• Margaritashotgun: https://github.com/ThreatResponse/margaritashotgun - Linux memory remote acquisition tool
• LiMEaide: https://kd8bny.github.io/LiMEaide/ - Linux memory remote acquisition tool
• Diffy: https://github.com/Netflix-Skunkworks/diffy - Triage tool used during cloud-centric security incidents
• AWS Security Automation: https://github.com/awslabs/aws-security-automation - AWS scripts and resources for DevSecOps and automated incident response
• GDPatrol: https://github.com/ansorren/GDPatrol - Automated Incident Response based off AWS GuardDuty findings
• AWSlog: https://github.com/jaksi/awslog - Show the history and changes between configuration versions of AWS resources using AWS Config
• AWS_Responder https://github.com/prolsen/aws_responder - AWS Digital Forensic and Incident Response (DFIR) Response Python Scripts
• SSM-Acquire: https://github.com/mozilla/ssm-acquire - A python module for orchestrating content acquisitions and analysis via Amazon SSM

Development Security:

• CFN NAG: https://github.com/stelligent/cfn_nag - CloudFormation security test (Ruby)
• Git-secrets: https://github.com/awslabs/git-secrets
• Repository of sample Custom Rules for AWS Config: https://github.com/awslabs/aws-config-rules
• asecure.cloud: https://asecure.cloud - A repository of cutomizable AWS security configurations (Cloudformation and CLI templates)
• CFripper: https://github.com/Skyscanner/cfripper/ - Lambda function to "rip apart" a CloudFormation template and check it for security compliance.
• Assume: https://github.com/SanderKnape/assume - A simple CLI utility that makes it easier to switch between different AWS roles
• Terrascan: https://github.com/cesar-rodriguez/terrascan - A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate
• tfsec: https://github.com/liamg/tfsec - Provides static analysis of your terraform templates to spot potential security issues
• pytest-services: https://github.com/mozilla-services/pytest-services - Unit testing framework for test driven security of AWS configurations and more
• IAM Least-Privileged Role Generator: https://github.com/puresec/serverless-puresec-cli - A Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles.
• AWS Vault: https://github.com/99designs/aws-vault - A vault for securely storing and accessing AWS credentials in development environments
• AWS Service Control Policies: https://github.com/jchrisfarris/aws-service-control-policies - Collection of semi-useful Service Control Policies and scripts to manage them
• Half-Life: https://github.com/Skyscanner/halflife - AWS Lambda auditing tool that provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective

S3 Buckets Auditing:

• https://github.com/Parasimpaticki/sandcastle
• https://github.com/smiegles/mass3
• https://github.com/koenrh/s3enum
• https://github.com/tomdev/teh_s3_bucketeers/
• https://github.com/Quikko/BuQuikker (multi threading for teh_s3_bucketeers)
• https://github.com/eth0izzle/bucket-stream
• https://github.com/gwen001/s3-buckets-finder
• https://github.com/aaparmeggiani/s3find
• https://github.com/bbb31/slurp
• https://github.com/random-robbie/slurp
• https://github.com/kromtech/s3-inspector
• https://github.com/petermbenjamin/s3-fuzzer
• https://github.com/jordanpotti/AWSBucketDump
• https://github.com/bear/s3scan
• https://github.com/sa7mon/S3Scanner
• https://github.com/magisterquis/s3finder
• https://github.com/abhn/S3Scan
• https://breachinsider.com/honey-buckets/
• https://www.buckhacker.com [Currently Offline]
• https://www.thebuckhacker.com/
• https://buckets.grayhatwarfare.com/
• https://github.com/whitfin/s3-meta
• https://github.com/vr00n/Amazon-Web-Shenanigans/tree/master/S3PublicBucketCheck
• https://github.com/FishermansEnemy/bucket_finder
• https://github.com/brianwarehime/inSp3ctor
• https://github.com/Atticuss/bucketcat
• https://github.com/Ucnt/aws-s3-bruteforce
• https://github.com/nahamsec/lazys3
• https://github.com/securing/BucketScanner
• https://digi.ninja/projects/bucket_finder.php
• https://github.com/VirtueSecurity/aws-extender-cli

Training:

• http://flaws.cloud/ - flAWS challenge to learn through a series of levels about common mistakes and gotchas when using AWS
• http://flaws2.cloud/ - flAWS 2 has two paths this time: Attacker and Defender! In the Attacker path, you'll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path, that target is now viewed as the victim and you'll work as an incident responder for that same app, understanding how an attack happened.
• https://github.com/RhinoSecurityLabs/cloudgoat - Vulnerable by Design AWS infrastructure setup tool
• https://github.com/m6a-UdS/dvca - Damn Vulnerable Cloud Application more info
• https://github.com/sonofagl1tch/AWSDetonationLab - Scripts and templates to generate some basic detections of the AWS security services
• OWASP ServerlessGoat - OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application, maintained by OWASP for educational purposes. Single click installation through the AWS Serverless Application Repository.

Honey-token:

• https://bitbucket.org/asecurityteam/spacecrab
• https://breachinsider.com/honey-buckets/
• https://github.com/0x4D31/honeyLambda
• https://github.com/thinkst/canarytokens-docker

Others:

• https://github.com/nagwww/s3-leaks - a list of some biggest leaks recorded
• Model Risk AWS https://magoo.github.io/model-risk-aws/ - POC about probabilistic risk model for AWS
• asecure.cloud https://asecure.cloud/ - a great place for security resources regarding AWS Security.