I’ve been using and collecting a list of helpful tools for AWS security. This list is about the ones that I have tried at least once and that I think are worth looking at for your own benefit and, most importantly, to make your AWS cloud environment more secure.
They are not in any specific order, I just wanted to group them somehow. I have my favorites depending on the requirements but you can also have yours once you test them.
New additions at https://github.com/toniblyx/my-arsenal-of-aws-security-tools
Defensive (Hardening, Security Assessment, Inventory)
- Scout2: https://github.com/nccgroup/Scout2 – Security auditing tool for AWS environments (Python)
- Prowler: https://github.com/toniblyx/prowler – CIS benchmarks and additional checks for security best practices in AWS (Shell Script)
- Scans: https://github.com/cloudsploit/scans – AWS security scanning checks (NodeJS)
- CloudMapper: https://github.com/duo-labs/cloudmapper – helps you analyze your AWS environments (Python)
- CloudTracker: https://github.com/duo-labs/cloudtracker – helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
- AWS Security Benchmarks: https://github.com/awslabs/aws-security-benchmark – scripts and templates providing guidance related to the AWS CIS Foundation framework (Python)
- AWS Public IPs: https://github.com/arkadiyt/aws_public_ips – Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services (Ruby)
- PMapper: https://github.com/nccgroup/PMapper – Advanced and Automated AWS IAM Evaluation (Python)
- AWS-Inventory: https://github.com/nccgroup/aws-inventory – Make an inventory of all your resources across regions (Python)
- Resource Counter: https://github.com/disruptops/resource-counter – Counts the number of resources in categories across regions
Offensive:
- weirdAAL: https://github.com/carnal0wnage/weirdAAL – AWS Attack Library
- Pacu: https://github.com/RhinoSecurityLabs/pacu – AWS penetration testing toolkit
- Cred Scanner: https://github.com/disruptops/cred_scanner
- AWS PWN: https://github.com/dagrz/aws_pwn
- Cloudfrunt: https://github.com/MindPointGroup/cloudfrunt
- Cloudjack: https://github.com/prevade/cloudjack
- Nimbostratus: https://github.com/andresriancho/nimbostratus
Continuous Security Auditing:
- Security Monkey: https://github.com/Netflix/security_monkey
- Krampus (as a complement to Security Monkey): https://github.com/sendgrid/krampus
- Cloud Inquisitor: https://github.com/RiotGames/cloud-inquisitor
- CloudCustodian: https://github.com/capitalone/cloud-custodian
- Disable keys after X days: https://github.com/te-papa/aws-key-disabler
- Repokid Least Privilege: https://github.com/Netflix/repokid
- Wazuh CloudTrail module: https://documentation.wazuh.com/current/amazon/index.html
DFIR:
- AWS IR: https://github.com/ThreatResponse/aws_ir – AWS specific Incident Response and Forensics Tool
- Margaritashotgun: https://github.com/ThreatResponse/margaritashotgun – Linux memory remote acquisition tool
- LiMEaide: https://kd8bny.github.io/LiMEaide/ – Linux memory remote acquisition tool
- Diffy: https://github.com/Netflix-Skunkworks/diffy – Triage tool used during cloud-centric security incidents
Development Security:
- CFN NAG: https://github.com/stelligent/cfn_nag – CloudFormation security test (Ruby)
- Git-secrets: https://github.com/awslabs/git-secrets
- Repository of sample Custom Rules for AWS Config: https://github.com/awslabs/aws-config-rules
S3 Buckets Auditing:
- https://github.com/Parasimpaticki/sandcastle
- https://github.com/smiegles/mass3
- https://github.com/koenrh/s3enum
- https://github.com/tomdev/teh_s3_bucketeers/
- https://github.com/eth0izzle/bucket-stream
- https://github.com/gwen001/s3-buckets-finder
- https://github.com/aaparmeggiani/s3find
- https://github.com/bbb31/slurp
- https://github.com/random-robbie/slurp
- https://github.com/kromtech/s3-inspector
- https://github.com/petermbenjamin/s3-fuzzer
- https://github.com/jordanpotti/AWSBucketDump
- https://github.com/bear/s3scan
- https://github.com/sa7mon/S3Scanner
- https://github.com/magisterquis/s3finder
- https://github.com/abhn/S3Scan
- https://breachinsider.com/honey-buckets/
- https://www.buckhacker.com [Currently Offline]
- https://www.thebuckhacker.com/
- https://buckets.grayhatwarfare.com/
Training:
Others:
- https://github.com/nagwww/s3-leaks – a list of some biggest leaks recorded
Thanks for sharing the awesome list!
However, all the links seem wrong 🙁 they redirect to a 404
Thanks Shenril, I have just fixed them. Sorry about that!
Great work! Can you please let me know if there is a way to analyze the inbound logs of our VPC flow logs and compare them with the existing IP addresses of our EC2 instance fleet and alert us if there are suspected intrusions or exfiltrations. Thank you!
Can you also add our tool: https://github.com/tensult/cloud-reports to this list.
Hi Vamshi, I don’t know about any but you can look at this tool Trailblazer AWS: https://github.com/willbengtson/trailblazer-aws that may help you with IP addresses and the actions they are doing.
Thanks for letting me know, Dilip! I have just added it to the list.