Awesome Cloud Security
βοΈπ‘οΈβοΈ Awesome curated list of cloud security resources including relevant penetration testing tools for Cloud Security
Contents
Standards
Compliances
Benchmarks
Tools
Infrastrcture
- aws_pwn: A collection of AWS penetration testing junk
- aws_ir: Python installable command line utility for mitigation of instance and key compromises.
- aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
- awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
- azucar: A security auditing tool for Azure environments
- checkov: A static code analysis tool for infrastructure-as-code.
- CloudBrute: A multiple cloud enumerator.
- cloud-forensics-utils: A python lib for DF & IR on the cloud.
- cloudlist: Listing Assets from multiple Cloud Providers.
- cloudgoat: "Vulnerable by Design" AWS deployment tool.
- Cloudmapper: Analyze your AWS environments.
- cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
- Cloudsploit Scans: Cloud security configuration checks.
- Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
- cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
- diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
- ElectricEye: Continuously monitor AWS services for configurations.
- Forseti security: GCP inventory monitoring and policy enforcement tool.
- Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
- kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
- Leonidas: A framework for executing attacker actions in the cloud.
- Open policy agent: Policy-based control tool.
- pacbot: Policy as Code Bot.
- pacu: The AWS exploitation framework.
- Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
- ScoutSuite: Multi-cloud security auditing tool.
- Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- SkyArk: Tool to helps to discover, assess and secure the most privileged entities in Azure and AWS.
- SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
- Smogcloud: Find cloud assets that no one wants exposed.
- TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
- Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- tfsec: Static analysis powered security scanner for Terraform code.
- Zeus: AWS Auditing & Hardening Tool.
Container
- auditkube: Audit for for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
- ccat: Cloud Container Attack Tool.
- Falco: Container runtime security.
- mkit: Managed kubernetes inspection tool.
- Open policy agent: Policy-based control tool.
SaaS
- Function Shield: Protection/destection lib of aws lambda and gcp function.
- FestIN: S3 bucket finder and content discover.
- GCPBucketBrute: A script to enumerate Google Storage buckets.
- Lambda Guard: AWS Lambda auditing tool.
- Policy Sentry: IAM Least Privilege Policy Generator.
- S3 Inspector: Tool to check AWS S3 bucket permissions.
- Serverless Goat: A serverless application demonstrating common serverless security flaws
Native tools
- AWS
- Artifact: Compliance report selfservice.
- Certificate Manager: Private CA and certificate management service.
- CloudTrail: Record and log API call on AWS.
- Config: Configuration and resources relationship monitoring.
- Detective: Analyze and visualize security data and help security investigations.
- Firewall Manager: Firewall management service.
- GuardDuty: IDS service
- CloudHSM: HSM service.
- Inspector: Vulnerability discover and assessment service.
- KMS: KMS service
- Macie: Fully managed data security and data privacy service for S3.
- Network Firewall: Network firewall service.
- Secret Manager: Credential management service.
- Security Hub: Integration service for other AWS and third-party security service.
- Shield: DDoS protection service.
- VPC Flowlog: Log of network traffic.
- WAF: Web application firewall service.
- Azure
- Application Gateway: L7 load balancer with optional WAF function.
- DDoS Protection: DDoS protection service.
- Dedicated HSM: HSM service.
- Key Vault: KMS service
- Monitor: API log and monitoring related service.
- Security Center: Integration service for other Azure and third-party security service.
- Sentinel: SIEM service.
- GCP
- Access Transparency: Transparency log and control of GCP.
- Apigee Sense: API security monitoring, detection, mitigation.
- Armor: DDoS protection and WAF service
- Asset Inventory: Asset monitoring service.
- Audit Logs: API logs.
- Cloud HSM: HSM service
- Context-aware Access: Enable zero trust access to applications and infrastructure.
- DLP: DLP service:
- EKM: External key management service
- Identity-Aware Proxy: Identity-Aware Proxy for protect the internal service.
- KMS: KMS service
- Policy Intelligence: Detect the policy related risk.
- Security Command Center: Integration service for other GCP security service.
- Security Scanner: Application security scanner for GAE, GCE, GKE.
- Event Threat Detection: Threat dection service.
- VPC Service Controls: GCP service security perimeter control.
Penetration Testing
Enumeration
- o365creeper - Enumerate valid email addresses
- CloudBrute - Tool to find a cloud infrastructure of a company on top Cloud providers
- cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud
- Azucar - Security auditing tool for Azure environments
- CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard to find permissions and configuration settings
- ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.
- BlobHunter - A tool for scanning Azure blob storage accounts for publicly opened blobs
- Grayhat Warfare - Open Azure blobs and AWS bucket search
Information Gathering
- o365recon - Information gathering with valid credentials to Azure
- Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members
- ROADtools - Framework to interact with Azure AD
- PowerZure - PowerShell framework to assess Azure security
- Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud
- Sparrow.ps1 - Helps to detect possible compromised accounts and applications in the Azure/M365 environment
- Hawk - Powershell based tool for gathering information related to O365 intrusions and potential breaches
Lateral Movement
- Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
- AzureADLateralMovement - Lateral Movement graph for Azure Active Directory
- SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS
Exploitation
- MicroBurst - A collection of scripts for assessing Microsoft Azure security
- azuread_decrypt_msol_v2.ps1 - Decrypt Azure AD MSOL service account
Credential Attacks
- MSOLSpray - A password spraying tool for Microsoft Online accounts (Azure/O365)
- MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services Resources
- adconnectdump - Dump Azure AD Connect credentials for Azure AD and Active Directory
Reading Materials
AWS
- Overiew of AWS Security
- AWS-IAM-Privilege-Escalation by RhinoSecurityLabs: A centralized source of all AWS IAM privilege escalation methods.
- MITRE ATT&CK Matrices of AWS
- AWS security workshops
- Bucket search by grayhatwarfare
Azure
- Overiew of Azure Security
- Azure security fundamentals
- MicroBurst by NetSPI: A collection of scripts for assessing Microsoft Azure security
- MITRE ATT&CK Matrices of Azure
- Abusing Azure AD SSO with the Primary Refresh Token
- Abusing dynamic groups in Azure AD for Privilege Escalation
- Attacking Azure, Azure AD, and Introducing PowerZure
- Attacking Azure & Azure AD, Part II
- Azure AD Connect for Red Teamers
- Azure AD Introduction for Red Teamers
- Azure AD Pass The Certificate
- Azure AD privilege escalation - Taking over default application permissions as Application Admin
- Defense and Detection for Attacks Within Azure
- Hunting Azure Admins for Vertical Escalation
- Impersonating Office 365 Users With Mimikatz
- Lateral Movement from Azure to On-Prem AD
- Malicious Azure AD Application Registrations
- Moving laterally between Azure AD joined machines
- CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
- Privilege Escalation Vulnerability in Azure Functions
GCP
Others
- Cloud Security Research by RhinoSecurityLabs
- CSA cloud security guidance v4
- Appsecco provides training
- Mapping of On-Premises Security Controls vs. Major Cloud Providers Services
Resources
Lists and Cheat Sheets
- Azure Articles from NetSPI
- Azure Cheat Sheet on CloudSecDocs
- Resources about Azure from Cloudberry Engineering
- Resources from PayloadsAllTheThings
- Encyclopedia on Hacking the Cloud - (No content yet for Azure)
Lab Exercises
- azure-security-lab - Securing Azure Infrastructure - Hands on Lab Guide
- AzureSecurityLabs - Hands-on Security Labs focused on Azure IaaS Security
- Building Free Active Directory Lab in Azure
Talks and Videos
- Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD
- TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory
- Dirk Jan Mollema - Im In Your Cloud Pwning Your Azure Environment - DEF CON 27 Conference
- Adventures in Azure Privilege Escalation Karl Fosaaen
- Introducing ROADtools - Azure AD exploration for Red Teams and Blue Teams
Books
Tips and Tricks
- Replace COMPANYNAME with the company name of your choice to check if they use Azure. If the NameSpaceType indicates "Managed", then the company is using Azure AD:
https://login.microsoftonline.com/[email protected]&xml=1