I often get asked which tools are good for securing AWS infrastructure, so I figured I'd write a short list of useful security tools for the AWS cloud.
This list is not intended to be exhaustive; it is meant to provide a good launching pad for someone digging into AWS who wants to make it secure from the start.
This section focuses on tools and services provided by the community and released as open-source.
Tools to help you authenticate clients securely in AWS.
Tools that enable you to ensure security best practices are followed across your organisation and infrastructure.
Tools to help perform incident response on AWS.
AWS Least Privilege for Distributed, High-Velocity Deployment
Tools that provide a good way of monitoring your overall security posture, either by scraping and collating configuration or by ingesting logs.
Finding interesting S3 buckets by monitoring certificate transparency logs.
Exif Cleaner
Secret Keeper
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.
This section focuses on tools and services provided by AWS for a nominal charge or as part of their overall service.
Services that provide authentication and authorisation to AWS services, with STS enabling that access to be through temporary credentials.
Service that helps you monitor your AWS services holistically to reduce cost, ensure best practices are being followed and improve security.
AWS services that enable you to audit and monitor your configurations and API calls.
A managed threat detection service that continuously monitors for malicious behaviour to help you protect your AWS accounts and workloads. It is one of the few things that provides visibility of your external perimeter in AWS.
Great list, here are a few more, Mark!
CloudFront subdomain hijacking:
@disloops CloudFrunt for Subdomain hijacking works great! https://github.com/MindPointGroup/cloudfrunt
CloudJack: https://github.com/prevade/cloudjack
Visualization / governance:
@0xdabbad00 and duo's Cloudmapper and CloudTracker https://github.com/duo-labs/cloudmapper and https://github.com/duo-labs/cloudtracker
Training: http://flaws.cloud/
Offensive:
AWS Attack Library: https://github.com/carnal0wnage/weirdAAL/wiki
aws_pwn: https://github.com/dagrz/aws_pwn
Least privilege:
https://github.com/Netflix/repokid
Repokid-extras: https://github.com/Netflix-Skunkworks/repokid-extras
S3 hunting:
Slurp: https://github.com/random-robbie/slurp
Bucket-stream: https://github.com/eth0izzle/bucket-stream
BucketFinder: https://digi.ninja/projects/bucket_finder.php