AWS Cloud Security Testing and Auditing Solutions
The following is a list of software developed for cloud security auditing and testing, aimed at assessing and improving the security of AWS environments. Each solution is presented with its GitHub description.
Cartography
Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you can validate assumptions about security risks.
Detailed information and setup information: https://github.com/lyft/cartography
Pacu
Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
Many modules are available in Pacu; here are some we found most interesting and useful:
- AWS Account Enumeration
  - Enumerates data about the account itself.
  - Determines information about the AWS account itself.
- AWS Financial Spending Enumeration
  - Enumerates account spending by service.
  - Displays which services the account uses and how much is spent. Data is pulled from CloudWatch metrics in the AWS/Billing namespace.
- AWS EBS Volumes and Snapshots Enumeration
  - Enumerates EBS volumes and snapshots and logs any without encryption.
  - This module enumerates all of the Elastic Block Store volumes, snapshots, and snapshot permissions in the account and saves the data to the current session. It also notes whether or not each volume/snapshot is encrypted, then writes a list of the unencrypted volumes to CSV files.
- AWS EC2 Termination Protection Check
  - Collects a list of EC2 instances without termination protection.
  - This module checks whether EC2 instance termination protection is enabled for a set of instances. By default, it runs against all instances. All instances with termination protection disabled are written to a CSV file.
- AWS EC2 Enumeration
  - Enumerates various relevant EC2 info.
  - This module enumerates the following EC2 data from a set of regions in an AWS account: instances, security groups, elastic IP addresses, VPN customer gateways, dedicated hosts, network ACLs, NAT gateways, network interfaces, route tables, subnets, VPCs, and VPC endpoints. By default, all data is enumerated; if any arguments are passed in indicating what data to enumerate, only that specific data is enumerated.
- AWS IAM Permissions Enumeration
  - Tries to get a confirmed list of permissions for the current (or all) user(s).
  - This module attempts to use IAM APIs to enumerate a confirmed list of IAM permissions for the current user. This is done by checking attached and inline policies for the user and the groups they are in.
- AWS IAM Users, Roles, Policies, and Groups Enumeration
  - Enumerates users, roles, customer-managed policies, and groups.
  - This module requests the info for all users, roles, customer-managed policies, and groups in the account. If no arguments are supplied, it enumerates all four; if any are supplied, it enumerates only those.
- AWS Inspector Reports
  - Captures vulnerabilities found when running a preconfigured Inspector report.
  - This module captures findings for reports in regions that support AWS Inspector. The optional argument --download-reports automatically downloads any reports found into the session downloads directory, under a folder named after the run ID of the Inspector report.
- AWS Detection Services Enumeration
  - Detects monitoring and logging capabilities.
- AWS IAM Privilege Escalation Scanner
  - This module scans for permission misconfigurations to see where privilege escalation would be possible. Available attack paths are presented to the user and executed if chosen.
Detailed information and setup information: https://github.com/RhinoSecurityLabs/pacu
Smogcloud
Find exposed AWS cloud assets that you did not know you had. A comprehensive asset inventory is step one to any capable security program. We made Smogcloud to enable security engineers, penetration testers, and AWS administrators to monitor the collective changes that create dynamic and ephemeral internet-facing assets on a more frequent basis. May be useful to identify:
- Internet-facing FQDNs and IPs across one or hundreds of AWS accounts
- Misconfigurations or vulnerabilities
- Assets that are no longer in use
- Services not currently monitored
- Shadow IT
Detailed information and setup information: https://github.com/BishopFox/smogcloud
Dufflebag
Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in them. You may be surprised by all the passwords and secrets just lying around!
Detailed information and setup information: https://github.com/bishopfox/dufflebag