AWS Security Tools

AWS

List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

The aws security tools is a github repository by Toni de la Fuente

Defensive: Hardening, Security Assessment and Inventory

NameURLDescription
ScoutSuitehttps://github.com/nccgroup/ScoutSuiteMulti-Cloud Security auditing tool for AWS Google Cloud and Azure environments (python)
Prowlerhttps://github.com/toniblyx/prowlerCIS benchmarks and additional checks for security best practices in AWS (bash and python components)
CloudSploit Scanshttps://github.com/cloudsploit/scansAWS security scanning checks (NodeJS)
CloudMapperhttps://github.com/duo-labs/cloudmapperhelps you analyze your AWS environments (Python)
CloudTrackerhttps://github.com/duo-labs/cloudtrackerhelps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
AWS Security Benchmarkshttps://github.com/awslabs/aws-security-benchmarkscripts and templates guidance related to the AWS CIS Foundation framework (Python)
AWS Public IPshttps://github.com/arkadiyt/aws_public_ipsFetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6 Classic/VPC networking and across all AWS services (Ruby)
PMapperhttps://github.com/nccgroup/PMapperAdvanced and Automated AWS IAM Evaluation (Python)
nccgroup AWS-Inventoryhttps://github.com/nccgroup/aws-inventoryMake a inventory of all your resources across regions (Python)
Resource Counterhttps://github.com/disruptops/resource-counterCounts number of resources in categories across regions
ICEhttps://github.com/Teevity/iceIce provides insights from a usage and cost perspective with high detail dashboards.
SkyArkhttps://github.com/cyberark/SkyArkSkyArk provides advanced discovery and security assessment for the most privileged entities in the tested AWS.
Trailblazer AWShttps://github.com/willbengtson/trailblazer-awsTrailblazer AWS determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
Lunarhttps://github.com/lateralblast/lunarSecurity auditing tool based on several security frameworks (it does some AWS checks)
Cloud-reportshttps://github.com/tensult/cloud-reportsScans your AWS cloud resources and generates reports
Pacbothttps://github.com/tmobile/pacbotPlatform for continuous compliance monitoring compliance reporting and security automation for the cloud
cs-suitehttps://github.com/SecurityFTW/cs-suiteIntegrates tools like Scout2 and Prowler among others
aws-key-disablerhttps://github.com/te-papa/aws-key-disablerA small lambda script that will disable access keys older than a given amount of days
Antiopehttps://github.com/turnerlabs/antiopeAWS Inventory and Compliance Framework
Cloud Reportshttps://github.com/tensult/cloud-reportsScans your AWS cloud resources and generates reports and includes security best practices.
Terraform AWS Secure Baselinehttps://github.com/nozaq/terraform-aws-secure-baselineTerraform module to set up your AWS account with the secure
Cartographyhttps://github.com/lyft/cartographyCartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
TrailScraperhttps://github.com/flosell/trailscraperA command-line tool to get valuable information out of AWS CloudTrail
LambdaGuardhttps://github.com/Skyscanner/LambdaGuardAn AWS Lambda auditing tool designed to create asset visibility and provide actionable results.
Komiserhttps://github.com/mlabouardy/komiserCloud Environment Inspector analyze and manage cloud cost usage security and governance in one place.
Perimeteratorhttps://github.com/darkarnium/perimeteratorAWS perimeter monitoring. Periodically scan internet facing AWS resources to detect misconfigured services
PolicySentryhttps://github.com/salesforce/policy_sentryIAM Least Privilege Policy Generator auditor and analysis database
Zeushttps://github.com/DenizParlak/ZeusAWS Auditing & Hardening Tool
janiko71 AWS-inventoryhttps://github.com/janiko71/aws-inventoryPython script for AWS resources inventory
awspxhttps://github.com/fsecurelabs/awspxA graph-based tool for visualizing effective access and resource relationships in AWS environments
clinvhttps://github.com/lyz-code/clinvDevSecOps command line asset inventory tool
aws-gatehttps://github.com/xen0l/aws-gateEnhanced AWS SSM Session manager CLI client
Detecting Credential Compromisehttps://github.com/Netflix-Skunkworks/aws-credential-compromise-detectionDetecting of your compromised credential in AWS
AWS-Security-Toolbox (AST)https://github.com/z0ph/aws-security-toolboxAWS Security Toolbox (Docker Image) for Security Assessments
iam-linthttps://github.com/xen0l/iam-lintGithub action for linting AWS IAM policy documents for correctness and possible security issues
aws-security-vizhttps://github.com/anaynayak/aws-security-vizA tool to visualize aws security groups.
AirIAMhttps://github.com/bridgecrewio/AirIAMLeast privilege AWS IAM using Terraform
Cloudsplaininghttps://github.com/salesforce/cloudsplainingAWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
iam-policy-generatorhttps://github.com/aletheia/iam-policy-generatorA simple library to generate IAM policy statements with no need to remember all the actions APIs
SkyWrapperhttps://github.com/cyberark/SkyWrapperSkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
aws-reconhttps://github.com/darkbitio/aws-reconMulti-threaded AWS inventory collection tool
iam-policies-clihttps://github.com/mhlabs/iam-policies-cliA CLI tool for building simple to complex IAM policies
Aaiahttps://github.com/rams3sh/AaiaAWS Identity and Access Management Visualizer and Anomaly Finder
iam-floydhttps://github.com/udondan/iam-floydIAM policy statement generator with fluent interface – Available for Node.js, Python, .Net and Java
rpCheckuphttps://github.com/goldfiglabs/rpCheckupAWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.
S3 Exif Cleanerhttps://github.com/seisvelas/S3-Exif-CleanerRemove EXIF data from all objects in an S3 bucket
Steampipehttps://github.com/turbot/steampipeUse SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required. (SQL)

Offensive

NameURLDescription
WeirdAALhttps://github.com/carnal0wnage/weirdAALAWS Attack Library
Pacuhttps://github.com/RhinoSecurityLabs/pacuAWS penetration testing toolkit
Cred Scannerhttps://github.com/disruptops/cred_scannerA simple file-based scanner to look for potential AWS access and secret keys in files
AWS PWNhttps://github.com/dagrz/aws_pwnA collection of AWS penetration testing junk
Cloudfrunthttps://github.com/MindPointGroup/cloudfruntA tool for identifying misconfigured CloudFront domains
Cloudjackhttps://github.com/prevade/cloudjackRoute53/CloudFront Vulnerability Assessment Utility
Nimbostratushttps://github.com/andresriancho/nimbostratusTools for fingerprinting and exploiting Amazon cloud infrastructures
GitLeakshttps://github.com/zricethezav/gitleaksAudit git repos for secrets
TruffleHoghttps://github.com/dxa4481/truffleHogSearches through git repositories for high entropy strings and secrets digging deep into commit history
DumpsterDiverhttps://github.com/securing/DumpsterDiver“Tool to search secrets in various filetypes like keys (e.g. AWS Access Key Azure Share Key or SSH keys) or passwords.”
Mad-Kinghttps://github.com/ThreatResponse/mad-kingProof of Concept Zappa Based AWS Persistence and Attack Platform
Cloud-Nukehttps://github.com/gruntwork-io/cloud-nukeA tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
MozDef – The Mozilla Defense Platformhttps://github.com/mozilla/MozDefThe Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
Lambda-Proxyhttps://github.com/puresec/lambda-proxyA bridge between SQLMap and AWS Lambda which lets you use SQLMap to natively test AWS Lambda functions for SQL Injection vulnerabilities.
CloudCopyhttps://github.com/Static-Flow/CloudCopyCloud version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission
enumerate-iamhttps://github.com/andresriancho/enumerate-iamEnumerate the permissions associated with AWS credential set
Barqhttps://github.com/Voulnet/barqA post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure
CCAThttps://github.com/RhinoSecurityLabs/ccatCloud Container Attack Tool (CCAT) is a tool for testing security of container environments
Dufflebaghttps://github.com/bishopfox/dufflebagSearch exposed EBS volumes for secrets
attack_rangehttps://github.com/splunk/attack_rangeA tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
whispershttps://github.com/Skyscanner/whispersIdentify hardcoded secrets and dangerous behaviours
Redbotohttps://github.com/elitest/RedbotoRed Team AWS Scripts
CloudBrutehttps://github.com/0xsha/cloudbruteA tool to find a company (target) infrastructure, files, and apps on the top cloud providers

Purple Teaming & Adversary Emulation

NameURLDescription
Stratus Red Teamhttps://github.com/datadog/stratus-red-teamGranular, Actionable Adversary Emulation for the Cloud
Leonidashttps://github.com/fsecurelabs/leonidasAutomated Attack Simulation in the Cloud complete with detection use cases.
Amazon Guardduty Testerhttps://github.com/awslabs/amazon-guardduty-testerThis script is used to generate some basic detections of the GuardDuty service

Continuous Security Auditing

NameURLDescription
Security Monkeyhttps://github.com/Netflix/security_monkey
Krampushttps://github.com/sendgrid/krampus
Cloud Inquisitorhttps://github.com/RiotGames/cloud-inquisitor
CloudCustodianhttps://github.com/cloud-custodian/cloud-custodian/Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Disable keys after X dayshttps://github.com/te-papa/aws-key-disabler
Repokid Least Privilegehttps://github.com/Netflix/repokid
Wazuh CloudTrail modulehttps://github.com/wazuh/wazuh
Hammerhttps://github.com/dowjones/hammer
Streamalerthttps://github.com/airbnb/streamalert
Billing Alerts CFN templateshttps://github.com/btkrausen/AWS
Watchmenhttps://github.com/iagcl/watchmenAWS account compliance using centrally managed Config Rules
ElectricEyehttps://github.com/jonrau1/ElectricEyeContinuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability
SyntheticSunhttps://github.com/jonrau1/SyntheticSuna defense-in-depth security automation and monitoring framework which utilizes threat intelligence, machine learning, managed AWS security services and, serverless technologies to continuously prevent, detect and respond to threats
CloudQueryhttps://github.com/cloudquery/cloudquery/cloudquery exposes your cloud configuration and metadata as sql tables, providing powerful analysis and monitoring for compliance and security
PrismXhttps://github.com/omaidf/PrismXCloud Security Dashboard for AWS – based on ScoutSuite

Digital Forensics and Incident Response

NameURLDescription
AWS IRhttps://github.com/ThreatResponse/aws_irAWS specific Incident Response and Forensics Tool
Margaritashotgunhttps://github.com/ThreatResponse/margaritashotgunLinux memory remote acquisition tool
Diffyhttps://github.com/Netflix-Skunkworks/diffyTriage tool used during cloud-centric security incidents
AWS Security Automationhttps://github.com/awslabs/aws-security-automationAWS scripts and resources for DevSecOps and automated incident response
GDPatrolhttps://github.com/ansorren/GDPatrolAutomated Incident Response based off AWS GuardDuty findings
AWSloghttps://github.com/jaksi/awslogShow the history and changes between configuration versions of AWS resources using AWS Config
AWS_Responderhttps://github.com/prolsen/aws_responderAWS Digital Forensic and Incident Response (DFIR) Response Python Scripts
SSM-Acquirehttps://github.com/mozilla/ssm-acquireA python module for orchestrating content acquisitions and analysis via Amazon SSM
cloudtrail-partitionerhttps://github.com/duo-labs/cloudtrail-partitionerThis project sets up partitioned Athena tables for your CloudTrail logs and updates the partitions nightly. Makes CloudTrail logs queries easier.
fargate-irhttps://github.com/andrewkrug/fargate-irProof of concept incident response demo using SSM and AWS Fargate.
aws-logsearchhttps://github.com/endgameinc/aws-logsearchSearch AWS CloudWatch logs all at once on the command line.
Varnahttps://github.com/endgameinc/varnaQuick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
aws-auto-remediatehttps://github.com/servian/aws-auto-remediateOpen source application to instantly remediate common security issues through the use of AWS Config
panther-labshttps://github.com/panther-labs/panther-analysisDetect threats with log data and improve cloud security posture
aws-incident-responsehttps://github.com/easttimor/aws-incident-responseThis page is a collection of useful things to look for in CloudTrail using Athena for AWS incident response
cloud-forensics-utilshttps://github.com/google/cloud-forensics-utilsPython library to carry out DFIR analysis on the Cloud
aws-fast-fixeshttps://github.com/WarnerMedia/aws-fast-fixesScripts to quickly fix security and compliance issues

Development Security

NameURLDescription
CFN NAGhttps://github.com/stelligent/cfn_nagCloudFormation security test (Ruby)
Git-secretshttps://github.com/awslabs/git-secrets
Repository of sample Custom Rules for AWS Confighttps://github.com/awslabs/aws-config-rules
CFripperhttps://github.com/Skyscanner/cfripper“Lambda function to “”rip apart”” a CloudFormation template and check it for security compliance.”
Assumehttps://github.com/SanderKnape/assumeA simple CLI utility that makes it easier to switch between different AWS roles
Terrascanhttps://github.com/cesar-rodriguez/terrascanA collection of security and best practice tests for static code analysis of terraform templates using terraform_validate
tfsechttps://github.com/liamg/tfsecProvides static analysis of your terraform templates to spot potential security issues
Checkovhttps://github.com/bridgecrewio/checkovTerraform, Cloudformation and Kubernetes static analysis written in python
Yorhttps://github.com/bridgecrewio/yorAutomatically tag and trace infrastructure as code frameworks (Terraform, Cloudformation and Serverless)
pytest-serviceshttps://github.com/mozilla-services/pytest-servicesUnit testing framework for test driven security of AWS configurations and more
IAM Least-Privileged Role Generatorhttps://github.com/puresec/serverless-puresec-cliA Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles.
AWS Vaulthttps://github.com/99designs/aws-vaultA vault for securely storing and accessing AWS credentials in development environments
AWS Service Control Policieshttps://github.com/jchrisfarris/aws-service-control-policiesCollection of semi-useful Service Control Policies and scripts to manage them
LambdaGuardhttps://github.com/Skyscanner/LambdaGuardAWS Lambda auditing tool that provides a meaningful overview in terms of statistical analysis AWS service dependencies and configuration checks from the security perspective
Terraform-compliancehttps://github.com/eerkunt/terraform-complianceA lightweight security focused BDD test framework against terraform (with helpful code for AWS)
Get a List of AWS Managed Policieshttps://github.com/RyPeck/aws_managed_policiesa way to get a list of all AWS managed policies
Parliamenthttps://github.com/duo-labs/parliamentAWS IAM linting library
AWS-ComplianceMachineDontStophttps://github.com/jonrau1/AWS-ComplianceMachineDontStopProof of Value Terraform Scripts to utilize Amazon Web Services (AWS) Security Identity & Compliance Services to Support your AWS Account Security Posture
detect-secretshttps://github.com/Yelp/detect-secretsAn enterprise friendly way of detecting and preventing secrets in code.
tf-parliamenthttps://github.com/rdkls/tf-parliamentRun Parliament AWS IAM Checker on Terraform Files
aws-gatehttps://github.com/xen0l/aws-gateBetter AWS SSM Session manager CLI client
iam-linthttps://github.com/xen0l/iam-lintGithub action for linting AWS IAM policy documents for correctness and possible security issues
Regulahttps://github.com/fugue/regulaRegula checks Terraform for AWS security and compliance using Open Policy Agent/Rego
whispershttps://github.com/Skyscanner/whispersIdentify hardcoded secrets and dangerous behaviours
cloudformation-guardhttps://github.com/aws-cloudformation/cloudformation-guardA set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax.
IAMFinderhttps://github.com/prisma-cloud/IAMFinderEnumerates and finds users and IAM roles in a target AWS account
iamlivehttps://github.com/iann0036/iamliveGenerate a basic IAM policy from AWS client-side monitoring (CSM)
aws-allowlisterhttps://github.com/salesforce/aws-allowlisterAutomatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Leapphttps://github.com/Noovolari/leappCross-platform app for managing AWS credentials programmatically, based on Electron
KICShttps://github.com/Checkmarx/kicsFind security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code
SecurityHub CIS Compliance Automatorhttps://github.com/NickTheSecurityDude/AWS-SecurityHub-CIS-Compliance-AutomationAutomatically configure your AWS Account to meet 95% of the 200+ controls for CIS Compliance, PCI DSS Compliance and AWS Security Best Practice

S3 Buckets Auditing

NameURLDescription
sandcastlehttps://github.com/Parasimpaticki/sandcastleS3 bucket enumeration
mass3https://github.com/smiegles/mass3enumerate through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading
teh_s3_bucketeershttps://github.com/tomdev/teh_s3_bucketeers
bucket-streamhttps://github.com/eth0izzle/bucket-streamFind interesting Amazon S3 Buckets by watching certificate transparency logs
s3-buckets-finderhttps://github.com/gwen001/s3-buckets-finderbrute force Amazon S3 bucket
s3findhttps://github.com/aaparmeggiani/s3findfind S3 public buckets
slurp-robbiehttps://github.com/random-robbie/slurpEnumerate S3 buckets via certstream, domain, or keywords
s3-inspectorhttps://github.com/clario-tech/s3-inspectorcheck AWS S3 bucket permissions
s3-fuzzerhttps://github.com/pbnj/s3-fuzzer
AWSBucketDumphttps://github.com/jordanpotti/AWSBucketDumpLook For Interesting Files in S3 Buckets
s3scanhttps://github.com/bear/s3scanscan s3 buckets for security issues
S3Scannerhttps://github.com/sa7mon/S3ScannerScan for open AWS S3 buckets and dump the contents
s3finderhttps://github.com/magisterquis/s3finderopen S3 bucket finder
S3Scanhttps://github.com/abhn/S3Scanspider a website and find publicly open S3 buckets
s3-metahttps://github.com/whitfin/s3-metaGather metadata about your S3 buckets
s3-utilshttps://github.com/whitfin/s3-utilsUtilities and tools based around Amazon S3 to provide convenience APIs in a CLI
S3PublicBucketsCheckhttps://github.com/vr00n/Amazon-Web-ShenanigansA lambda function that checks your account for Public buckets and emails you whenever a new public s3 bucket is created
bucket_finderhttps://github.com/FishermansEnemy/bucket_finderAmazon bucket brute force tool
inSp3ctorhttps://github.com/brianwarehime/inSp3ctorAWS S3 Bucket/Object Finder
bucketcathttps://github.com/Atticuss/bucketcatBrute-forces objects within a given bucket using Hashcat mask-like syntax
aws-s3-data-finderhttps://github.com/Ucnt/aws-s3-data-finderAWS S3 Sensitive Data Search
lazys3https://github.com/nahamsec/lazys3bruteforce AWS s3 buckets using different permutations
BucketScannerhttps://github.com/securing/BucketScannerTest objects’ permissions in AWS buckets
aws-externder-clihttps://github.com/VirtueSecurity/aws-extender-cliTest S3 buckets as well as Google Storage buckets and Azure Storage containers to find interesting files
festinhttps://github.com/cr0hn/festinS3 bucket weakness discovery
S3Insightshttps://github.com/kurmiashish/S3Insightsa platform for efficiently deriving security insights about S3 data through metadata analysis
s3_objects_checkhttps://github.com/nccgroup/s3_objects_checkWhitebox evaluation of effective S3 object permissions, to identify publicly accessible files.

Training

NameURLDescription
Flaws.cloudhttp://flaws.cloud/flAWS challenge to learn through a series of levels about common mistakes and gotchas when using AWS
Flaws2.cloudhttp://flaws2.cloud/flAWS 2 has two paths this time Attacker and Defender! In the Attacker path you’ll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path that target is now viewed as the victim and you’ll work as an incident responder for that same app understanding how an attack happened
CloudGoathttps://github.com/RhinoSecurityLabs/cloudgoatVulnerable by Design AWS infrastructure setup tool
dvcahttps://github.com/m6a-UdS/dvcaDamn Vulnerable Cloud Application more info
AWSDetonationLabhttps://github.com/sonofagl1tch/AWSDetonationLabScripts and templates to generate some basic detections of the AWS security services
OWASPServerlessGoathttps://github.com/OWASP/Serverless-GoatOWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application maintained by OWASP for educational purposes. Single click installation through the AWS Serverless Application Repository.
Sadcloudhttps://github.com/nccgroup/sadcloudA tool for spinning up insecure AWS infrastructure with Terraform. It supports approx. 84 misconfigurations across 22 AWS Services.
BigOrange Actionshttps://bigorange.cloud/actions/Paste your IAM Policy and get a list of Actions it can effectively perform
IncidentResponseGeneratorhttps://github.com/disruptops/IncidentResponseGeneratorIncident response generator for training classes
Breaking and Pwning Apps and Servers on AWS and Azurehttps://github.com/appsecco/breaking-and-pwning-apps-and-servers-aws-azure-trainingCourse content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training!
terragoathttps://github.com/bridgecrewio/terragoat“Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
cfngoathttps://github.com/bridgecrewio/cfngoat“Vulnerable by Design” cloudformation repository. CfnGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
CDKgoathttps://github.com/bridgecrewio/cdkgoat“Vulnerable by Design” AWS CDK repository. CDKGoat is a learning and training project that demonstrates how common configuration errors can find their way into impartive IAC such as AWS CDK.
aws_exposable_resourceshttps://github.com/SummitRoute/aws_exposable_resourcesResource types that can be publicly exposed on AWS

Other interesting tools/code

Honey-token:

More Resources: