AWS Security Tools



List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

The aws security tools is a github repository by Toni de la Fuente

Defensive: Hardening, Security Assessment and Inventory

ScoutSuite Security auditing tool for AWS Google Cloud and Azure environments (python)
Prowler benchmarks and additional checks for security best practices in AWS (bash and python components)
CloudSploit Scans security scanning checks (NodeJS)
CloudMapper you analyze your AWS environments (Python)
CloudTracker you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
AWS Security Benchmarks and templates guidance related to the AWS CIS Foundation framework (Python)
AWS Public IPs all public IP addresses tied to your AWS account. Works with IPv4/IPv6 Classic/VPC networking and across all AWS services (Ruby)
PMapper and Automated AWS IAM Evaluation (Python)
nccgroup AWS-Inventory a inventory of all your resources across regions (Python)
Resource Counter number of resources in categories across regions
ICE provides insights from a usage and cost perspective with high detail dashboards.
SkyArk provides advanced discovery and security assessment for the most privileged entities in the tested AWS.
Trailblazer AWS AWS determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
Lunar auditing tool based on several security frameworks (it does some AWS checks)
Cloud-reports your AWS cloud resources and generates reports
Pacbot for continuous compliance monitoring compliance reporting and security automation for the cloud
cs-suite tools like Scout2 and Prowler among others
aws-key-disabler small lambda script that will disable access keys older than a given amount of days
Antiope Inventory and Compliance Framework
Cloud Reports your AWS cloud resources and generates reports and includes security best practices.
Terraform AWS Secure Baseline module to set up your AWS account with the secure
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
TrailScraper command-line tool to get valuable information out of AWS CloudTrail
LambdaGuard AWS Lambda auditing tool designed to create asset visibility and provide actionable results.
Komiser Environment Inspector analyze and manage cloud cost usage security and governance in one place.
Perimeterator perimeter monitoring. Periodically scan internet facing AWS resources to detect misconfigured services
PolicySentry Least Privilege Policy Generator auditor and analysis database
Zeus Auditing & Hardening Tool
janiko71 AWS-inventory script for AWS resources inventory
awspx graph-based tool for visualizing effective access and resource relationships in AWS environments
clinv command line asset inventory tool
aws-gate AWS SSM Session manager CLI client
Detecting Credential Compromise of your compromised credential in AWS
AWS-Security-Toolbox (AST) Security Toolbox (Docker Image) for Security Assessments
iam-lint action for linting AWS IAM policy documents for correctness and possible security issues
aws-security-viz tool to visualize aws security groups.
AirIAM privilege AWS IAM using Terraform
Cloudsplaining IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
iam-policy-generator simple library to generate IAM policy statements with no need to remember all the actions APIs
SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
aws-recon AWS inventory collection tool
iam-policies-cli CLI tool for building simple to complex IAM policies
Aaia Identity and Access Management Visualizer and Anomaly Finder
iam-floyd policy statement generator with fluent interface – Available for Node.js, Python, .Net and Java
rpCheckup resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.
S3 Exif Cleaner EXIF data from all objects in an S3 bucket
Steampipe SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required. (SQL)


WeirdAAL Attack Library
Pacu penetration testing toolkit
Cred Scanner simple file-based scanner to look for potential AWS access and secret keys in files
AWS PWN collection of AWS penetration testing junk
Cloudfrunt tool for identifying misconfigured CloudFront domains
Cloudjack Vulnerability Assessment Utility
Nimbostratus for fingerprinting and exploiting Amazon cloud infrastructures
GitLeaks git repos for secrets
TruffleHog through git repositories for high entropy strings and secrets digging deep into commit history
DumpsterDiver“Tool to search secrets in various filetypes like keys (e.g. AWS Access Key Azure Share Key or SSH keys) or passwords.”
Mad-King of Concept Zappa Based AWS Persistence and Attack Platform
Cloud-Nuke tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
MozDef – The Mozilla Defense Platform Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
Lambda-Proxy bridge between SQLMap and AWS Lambda which lets you use SQLMap to natively test AWS Lambda functions for SQL Injection vulnerabilities.
CloudCopy version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission
enumerate-iam the permissions associated with AWS credential set
Barq post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure
CCAT Container Attack Tool (CCAT) is a tool for testing security of container environments
Dufflebag exposed EBS volumes for secrets
attack_range tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
whispers hardcoded secrets and dangerous behaviours
Redboto Team AWS Scripts
CloudBrute tool to find a company (target) infrastructure, files, and apps on the top cloud providers

Purple Teaming & Adversary Emulation

Stratus Red Team, Actionable Adversary Emulation for the Cloud
Leonidas Attack Simulation in the Cloud complete with detection use cases.
Amazon Guardduty Tester script is used to generate some basic detections of the GuardDuty service

Continuous Security Auditing

Security Monkey
Cloud Inquisitor
CloudCustodian engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Disable keys after X days
Repokid Least Privilege
Wazuh CloudTrail module
Billing Alerts CFN templates
Watchmen account compliance using centrally managed Config Rules
ElectricEye monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability
SyntheticSun defense-in-depth security automation and monitoring framework which utilizes threat intelligence, machine learning, managed AWS security services and, serverless technologies to continuously prevent, detect and respond to threats
CloudQuery exposes your cloud configuration and metadata as sql tables, providing powerful analysis and monitoring for compliance and security
PrismX Security Dashboard for AWS – based on ScoutSuite

Digital Forensics and Incident Response

AWS IR specific Incident Response and Forensics Tool
Margaritashotgun memory remote acquisition tool
Diffy tool used during cloud-centric security incidents
AWS Security Automation scripts and resources for DevSecOps and automated incident response
GDPatrol Incident Response based off AWS GuardDuty findings
AWSlog the history and changes between configuration versions of AWS resources using AWS Config
AWS_Responder Digital Forensic and Incident Response (DFIR) Response Python Scripts
SSM-Acquire python module for orchestrating content acquisitions and analysis via Amazon SSM
cloudtrail-partitioner project sets up partitioned Athena tables for your CloudTrail logs and updates the partitions nightly. Makes CloudTrail logs queries easier.
fargate-ir of concept incident response demo using SSM and AWS Fargate.
aws-logsearch AWS CloudWatch logs all at once on the command line.
Varna & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
aws-auto-remediate source application to instantly remediate common security issues through the use of AWS Config
panther-labs threats with log data and improve cloud security posture
aws-incident-response page is a collection of useful things to look for in CloudTrail using Athena for AWS incident response
cloud-forensics-utils library to carry out DFIR analysis on the Cloud
aws-fast-fixes to quickly fix security and compliance issues

Development Security

CFN NAG security test (Ruby)
Repository of sample Custom Rules for AWS Config
CFripper“Lambda function to “”rip apart”” a CloudFormation template and check it for security compliance.”
Assume simple CLI utility that makes it easier to switch between different AWS roles
Terrascan collection of security and best practice tests for static code analysis of terraform templates using terraform_validate
tfsec static analysis of your terraform templates to spot potential security issues
Checkov, Cloudformation and Kubernetes static analysis written in python
Yor tag and trace infrastructure as code frameworks (Terraform, Cloudformation and Serverless)
pytest-services testing framework for test driven security of AWS configurations and more
IAM Least-Privileged Role Generator Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles.
AWS Vault vault for securely storing and accessing AWS credentials in development environments
AWS Service Control Policies of semi-useful Service Control Policies and scripts to manage them
LambdaGuard Lambda auditing tool that provides a meaningful overview in terms of statistical analysis AWS service dependencies and configuration checks from the security perspective
Terraform-compliance lightweight security focused BDD test framework against terraform (with helpful code for AWS)
Get a List of AWS Managed Policies way to get a list of all AWS managed policies
Parliament IAM linting library
AWS-ComplianceMachineDontStop of Value Terraform Scripts to utilize Amazon Web Services (AWS) Security Identity & Compliance Services to Support your AWS Account Security Posture
detect-secrets enterprise friendly way of detecting and preventing secrets in code.
tf-parliament Parliament AWS IAM Checker on Terraform Files
aws-gate AWS SSM Session manager CLI client
iam-lint action for linting AWS IAM policy documents for correctness and possible security issues
Regula checks Terraform for AWS security and compliance using Open Policy Agent/Rego
whispers hardcoded secrets and dangerous behaviours
cloudformation-guard set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax.
IAMFinder and finds users and IAM roles in a target AWS account
iamlive a basic IAM policy from AWS client-side monitoring (CSM)
aws-allowlister compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Leapp app for managing AWS credentials programmatically, based on Electron
KICS security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code
SecurityHub CIS Compliance Automator configure your AWS Account to meet 95% of the 200+ controls for CIS Compliance, PCI DSS Compliance and AWS Security Best Practice

S3 Buckets Auditing

sandcastle bucket enumeration
mass3 through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading
bucket-stream interesting Amazon S3 Buckets by watching certificate transparency logs
s3-buckets-finder force Amazon S3 bucket
s3find S3 public buckets
slurp-robbie S3 buckets via certstream, domain, or keywords
s3-inspector AWS S3 bucket permissions
AWSBucketDump For Interesting Files in S3 Buckets
s3scan s3 buckets for security issues
S3Scanner for open AWS S3 buckets and dump the contents
s3finder S3 bucket finder
S3Scan a website and find publicly open S3 buckets
s3-meta metadata about your S3 buckets
s3-utils and tools based around Amazon S3 to provide convenience APIs in a CLI
S3PublicBucketsCheck lambda function that checks your account for Public buckets and emails you whenever a new public s3 bucket is created
bucket_finder bucket brute force tool
inSp3ctor S3 Bucket/Object Finder
bucketcat objects within a given bucket using Hashcat mask-like syntax
aws-s3-data-finder S3 Sensitive Data Search
lazys3 AWS s3 buckets using different permutations
BucketScanner objects’ permissions in AWS buckets
aws-externder-cli S3 buckets as well as Google Storage buckets and Azure Storage containers to find interesting files
festin bucket weakness discovery
S3Insights platform for efficiently deriving security insights about S3 data through metadata analysis
s3_objects_check evaluation of effective S3 object permissions, to identify publicly accessible files.


Flaws.cloud challenge to learn through a series of levels about common mistakes and gotchas when using AWS
Flaws2.cloud 2 has two paths this time Attacker and Defender! In the Attacker path you’ll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path that target is now viewed as the victim and you’ll work as an incident responder for that same app understanding how an attack happened
CloudGoat by Design AWS infrastructure setup tool
dvca Vulnerable Cloud Application more info
AWSDetonationLab and templates to generate some basic detections of the AWS security services
OWASPServerlessGoat ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application maintained by OWASP for educational purposes. Single click installation through the AWS Serverless Application Repository.
Sadcloud tool for spinning up insecure AWS infrastructure with Terraform. It supports approx. 84 misconfigurations across 22 AWS Services.
BigOrange Actions your IAM Policy and get a list of Actions it can effectively perform
IncidentResponseGenerator response generator for training classes
Breaking and Pwning Apps and Servers on AWS and Azure content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training!
terragoat“Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
cfngoat“Vulnerable by Design” cloudformation repository. CfnGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
CDKgoat“Vulnerable by Design” AWS CDK repository. CDKGoat is a learning and training project that demonstrates how common configuration errors can find their way into impartive IAC such as AWS CDK.
aws_exposable_resources types that can be publicly exposed on AWS

Other interesting tools/code


More Resources: