The 'Cloud' aka Someone Else's Data Center


Table of Contents


Cloud Provider Agnostic

  • 101
    • Cloud Security Wiki - NotSoSecure
      • Cloud Security Wiki is an initiative to provide all Cloud security related resources to Security Researchers and developers at one place.
  • Attacking/Assessing Security of
    • Articles/Blogposts/Writeups
    • Tools
      • ScoutSuite
        • Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
      • Containers
  • Cloud Migrations
  • Compliance Monitoring
    • PacBot
      • Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration; it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain.
  • Hardening
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
    • Tools
      • LUNAR
        • "This script generates a scored audit report of a Unix host's security. It is based on the CIS and other frameworks. Where possible there are references to the CIS and other benchmarks in the code documentation."
  • IAM
    • SkyArk
      • SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
  • Logging
    • Articles/Blogposts/Writeups
      • Logging in the Cloud: From Zero to (Incident Response) Hero - Jonathon Poling(2020)
        • Slides
        • So many logs, so little time. What logs even exist? Which are enabled by default? Which are the most critical to enable and configure for effective incident response? AWS. Azure. GCP. My. Dear. God. Send help! And, help you this presentation shall. This session will walk through the most important logging to enable (and how) in each cloud provider to take you from zero to incident response hero! Pre-Requisites: Basic familiarity operating with the three major Cloud providers: AWS, Azure, and GCP.
    • Talks/Presentations/Videos
    • Tools
  • Monitoring
  • Rules Engine
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
    • Tools
      • Cloud Custodian
        • Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure that's both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting. Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management. Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions. It integrates with the cloud native serverless capabilities of each provider to provide for real time enforcement of policies with built-in provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.
  • Security Auditing
    • Articles/Blogposts/Writeups
    • Tools
      • Cloud Security Suite
        • One stop tool for auditing the security posture of AWS & GCP infrastructure.
      • CloudSploit Scans
        • CloudSploit scans is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). These scripts are designed to return a series of potential misconfigurations and security risks.
  • "Serverless"
    • Peeking Behind the Curtains of Serverless Platforms - Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift
      • Taking on the viewpoint of a serverless customer, we conduct the largest measurement study to date, launching more than 50,000 function instances across these three services, in order to characterize their architectures, performance, and resource management efficiency. We explain how the platforms isolate the functions of different accounts, using either virtual machines or containers, which has important security implications. We characterize performance in terms of scalability, cold-start latency, and resource efficiency, with highlights including that AWS Lambda adopts a bin-packing-like strategy to maximize VM memory utilization, that severe contention between functions can arise in AWS and Azure, and that Google had bugs that allow customers to use resources for free.

AWS

  • 101
  • Attacking
    • Articles/Blogposts/Writeups
    • Talks/Presentations/Videos
    • Tools
      • My Arsenal of AWS Security Tools - toniblyx
      • Prowler: AWS CIS Benchmark Tool
        • Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks, including ones related to GDPR and HIPAA.
      • AWS pwn
        • This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
      • Active Directory
        • CloudCopy
          • This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS. Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.
      • CloudFront
        • CloudFrunt
          • CloudFrunt is a tool for identifying misconfigured CloudFront domains.
        • CloudJack
          • CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations. This vulnerability exists if a Route53 alias references 1) a deleted CloudFront web distribution or 2) an active CloudFront web distribution with deleted CNAME(s). If this decoupling is discovered by an attacker, they can simply create a CloudFront web distribution and/or CloudFront CNAME(s) in their account that match the victim account's Route53 A record host name. Exploitation of this vulnerability results in the ability to spoof the victim's web site content, which otherwise would have been accessed through the victim's account.
      • Discovery
        • cred_scanner
          • A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
        • gitleaks
          • Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks aims to be the easy-to-use, all-in-one solution for finding secrets, past or present, in your code.
        • truffleHog
          • Searches through git repositories for high entropy strings and secrets, digging deep into commit history
        • DumpsterDiver
          • DumpsterDiver is a tool which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.
        • Whispers
          • Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.
        • Dufflebag
          • Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!
      • Frameworks
        • weirdAAL
          • The WeirdAAL project has two goals: 1. Answer what can I do with this AWS Keypair [blackbox]?; 2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
        • Pacu
          • Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
        • barq
          • barq is a post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure. It allows you to attack running EC2 instances without having the original instance SSH keypairs. It also allows you to perform enumeration and extraction of stored Secrets and Parameters in AWS.
      • IAM
      • Nuking
        • cloud-nuke
          • This repo contains a CLI tool to delete all resources in an AWS account. cloud-nuke was created for situations when you might have an account you use for testing and need to clean up leftover resources so you're not charged for them. Also great for cleaning out accounts with redundant resources. Also great for removing unnecessary defaults like default VPCs and permissive ingress/egress rules in default security groups.
      • Persistence
      • Scripts & One-offs
        • RedDolphin
          • RedDolphin is a collection of scripts that use the Amazon SDK for Python boto3 to perform red team operations against the AWS API.
  • Auditing/Compliance Monitoring
    • Hammer
      • Dow Jones Hammer is a multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts. It has near real-time reporting capabilities (e.g. JIRA, Slack) to provide quick feedback to engineers and can perform auto-remediation of some misconfigurations. This helps to protect products deployed on cloud by creating secure guardrails.
    • ElectricEye
      • ElectricEye is a set of Python scripts (affectionately called Auditors) that continuously monitor your AWS infrastructure looking for configurations related to confidentiality, integrity and availability that do not align with AWS best practices. All findings from these scans will be sent to AWS Security Hub where you can perform basic correlation against other AWS and 3rd Party services that send findings to Security Hub. Security Hub also provides a centralized view from which account owners and other responsible parties can view and take action on findings. ElectricEye supports both AWS commercial and GovCloud Regions, however, Auditors for services not supported in GovCloud were not removed. Running these scans in Fargate will not fail the entire task if a service is not supported in GovCloud, in those cases they will fail gracefully.
  • Detecting Credential Compromise
    • See Defense
    • SkyWrapper
      • SkyWrapper is an open-source project which analyzes behaviors of temporary tokens created in a given AWS account. The tool aims to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account. The tool analyzes the AWS account and creates an Excel sheet that includes all the currently living temporary tokens. A summary of the findings is printed to the screen after each run.
  • EBS
    • Dufflebag
      • Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!
  • External-Monitoring
    • aws_public_ips
      • Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services
  • IAM
    • AWS IAM Policy Generator for AWS CDK
      • A simple library to generate IAM policy statements with no need to remember all the action APIs. Remembering IAM policy actions is nearly impossible and sticking to the documentation is time consuming. This library provides a set of predefined constants to be used with any IDE's IntelliSense for autocompletion and a factory class that builds an AWS CDK PolicyStatement with ease. This project's goal is to offer simple code handlers, so developers won't have to remember all the complex syntax. This library's primary intention is to be used as a helper when writing AWS CDK stack scripts, but it can also be used as a standalone utility in any script.
    • PMapper
      • Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) in an AWS account. PMapper allows users to identify which IAM users and roles have access to certain actions and resources in an AWS account. This is important for ensuring that sensitive resources, such as S3 objects with PII, are isolated.
    • AWS Lambda - IAM Access Key Disabler
      • The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
    • Least-Privileges
      • AirIAM
        • AirIAM is an AWS IAM to least privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the existing IAM management method. AirIAM was created to promote immutable and version-controlled IAM management to replace today's manual and error prone methods.
      • Policy Sentry
        • IAM Least Privilege Policy Generator and analysis database.
      • CloudTracker
        • CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
        • Blogpost
      • repokid
        • AWS Least Privilege for Distributed, High-Velocity Deployment
  • Inventory
    • Tools
      • aws-inventory(janiko71)
        • This python script lists all the main resources of your AWS account. This inventory may be incomplete, but it should help you to find what I call "main" resources that are, in my mind, resources that should affect billing and/or security. Intended for personal use (even if I added some professional features like logging), and for only one account.
      • clinv
        • command line inventory for DevSecOps resources in AWS.
      • aws-inventory(NCCGroup)
        • This is a tool that tries to discover all AWS resources created in an account. AWS has many products (a.k.a. services) with new ones constantly being added and existing ones expanded with new features. The ecosystem allows users to piece together many different services to form a customized cloud experience. The ability to instantly spin up services at scale comes with a manageability cost. It can quickly become difficult to audit an AWS account for the resources being used. It is not only important for billing purposes, but also for security. Dormant resources and unknown resources are more prone to security configuration weaknesses. Additionally, resources with unexpected dependencies pose availability, access control, and authorization issues.
      • resource-counter
        • This command line tool counts the number of resources in different categories across Amazon regions. This is a simple Python app that will count resources across different regions and display them on the command line. It first shows the dictionary of the results for the monitored services on a per-region basis, then it shows totals across all regions in a friendlier format. It tries to use the most-efficient query mechanism for each resource in order to manage the impact of API activity. I wrote this to help me scope out assessments and know where resources are in a target account.
      • antiope
        • AWS Inventory and Compliance Framework - intended to be an open sourced framework for managing resources across hundreds of AWS Accounts. From a trusted Security Account, Antiope will leverage Cross Account Assume Roles to gather up resource data and store them in an inventory bucket. This bucket can then be indexed by ELK or your SIEM of choice to provide easy searching of resources across hundreds of AWS accounts.
  • Lambda
  • Logging
    • Tools
      • trailscraper
        • A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies
      • TrailBlazer
        • TrailBlazer is a tool written to determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
      • StreamAlert
        • StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define.
  • Mapping
    • Tools
      • Cartography
        • Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
      • awspx
        • awspx is a graph-based tool for visualizing effective access and resource relationships within AWS. It resolves policy information to determine what actions affect which resources, while taking into account how these actions may be combined to produce attack paths. Unlike tools like Bloodhound, awspx requires permissions to function — it is not expected to be useful in cases where these privileges have not been granted.
      • CloudMapper
        • CloudMapper generates network diagrams of Amazon Web Services (AWS) environments and displays them via your browser. It helps you understand visually what exists in your accounts and identify possible network misconfigurations.
  • Resource Usage Tracking
    • Ice
      • Ice provides a bird's-eye view of our large and complex cloud landscape from a usage and cost perspective. It consists of three parts: processor, reader and UI. Processor processes the Amazon detailed billing file into data readable by reader. Reader reads data generated by processor and renders them to UI. UI queries reader and renders interactive graphs and tables in the browser.
  • S3 Buckets
    • Articles/Blogposts/Writeups
    • General Tools
      • s3-utils
        • Utilities and tools based around Amazon S3 to provide convenience APIs in a CLI.
      • Amazon-Web-Shenanigans
        • A lambda function that checks your account for Public buckets and emails you whenever a new public s3 bucket is created
    • Discovery/Enumeration of
      • Teh S3 Bucketeers
        • Script to scan for buckets with given creds
      • BuQuikker
        • This project is intended to show how easy it is to find poorly configured AWS buckets. This project is built on top of bucketeer. It should make the life of a bugbounty hunter much easier. The user needs to provide a list and each word in the list will be used in combination with the teh_s3_bucketeers script. Whenever the script finds an open bucket, the teh_s3_bucketeers script will write it into result-<name-of-searchword>.txt
      • Bucket Stream
        • This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificate's domain name.
      • slurp
        • Enumerates S3 buckets manually or via certstream
      • s3finder
        • Yet another program to find readable S3 buckets. Can search using a wordlist or by monitoring the certstream network for domain names from certificate transparency logs. If a name contains dots, a name with the dots replaced by dashes will be tried, as well. All queries are done via HTTPS. Found buckets will be written to stdout. All other messages are written to stderr, to make for easy logging.
      • S3scan
        • A simple script to find open Amazon AWS S3 buckets in your target websites. S3 buckets are a popular way of storing static contents among web developers. Often, developers tend to set the bucket permissions insecurely during development, and forget to set them correctly in prod, leading to (security) issues.
      • s3-buckets-bruteforcer
        • PHP tool to brute force Amazon S3 bucket
      • s3-fuzzer
        • A concurrent, command-line AWS S3 Fuzzer. Written in Go.
      • buckethead.py
        • buckethead.py searches across every AWS region for a variety of bucket names based on a domain name, subdomains, affixes given and more. Currently the tool will only present to you whether or not the bucket exists or if they're listable.
      • lazys3
        • A Ruby script to bruteforce for AWS s3 buckets using different permutations.
      • inSp3ctor
        • AWS S3 Bucket/Object Finder
    • Permissions
    • Searching Contents of
      • AWSBucketDump
        • AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.
      • S3Scanner
        • A tool to find open S3 buckets and dump their contents
      • bucketcat
        • Brute-forces objects within a given bucket using Hashcat mask-like syntax
      • aws-s3-data-finder
        • Find suspicious files (e.g. data backups, PII, credentials) across a large set of AWS S3 buckets and write the first 200k keys (by default) of listable buckets to a .json or .xml file (in buckets/) via awscli OR unauthenticated via HTTP requests.
      • Bucketlist
        • Bucketlist is a quick project I threw together to find and crawl Amazon S3 buckets and put all the data into a PostgreSQL database for querying.
  • Security Groups
    • aws-security-viz
      • Need a quick way to visualize your current aws/amazon ec2 security group configuration? aws-security-viz does just that based on the EC2 security group ingress configuration.
  • Securing & Hardening
    • 101
      • CIS Amazon Web Services Foundations
      • asecure.cloud
        • A free repository of customizable AWS security configurations and best practices
      • aws-security-benchmark
        • Collection of resources related to security benchmark frameworks.
      • AWS Security Primer
      • AWS Security Hub
        • AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts.
      • Amazon Inspector
        • Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
    • Articles/Blogposts/Writeups
    • Tools
      • Cloudsplaining
        • Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
      • LambdaGuard
        • LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.
      • Cloud-Reports
        • Collects info about various cloud resources, analyzes them against best practices and gives JSON, CSV, HTML, or PDF reports.
      • Zeus
        • Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices. It checks security settings according to the profiles the user creates and changes them to recommended settings based on the CIS AWS Benchmark source at request of the user.
      • terraform-aws-secure-baseline
        • Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations.
  • Tools
    • aws_pwn
      • This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
    • Nimbostratus
      • Tools for fingerprinting and exploiting Amazon cloud infrastructures
    • cloudfrunt
      • A tool for identifying misconfigured CloudFront domains
    • cred_scanner
      • A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
  • Training
    • AWS Security Workshops
      • Here you'll find a collection of security workshops and other hands-on content that will guide you through prepared scenarios that represent common use cases and security operational tasks on Amazon Web Services (AWS). The workshops closely align with the NIST Cyber Security Framework and will provide a deep dive into a variety of AWS security services, techniques, and best practices that you'll be able to apply to your own environments to better improve your security posture.
    • Serverless Security Workshop
      • In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora.

Microsoft Azure


Google Cloud