Defensive (Hardening, Security Assessment, Inventory):
- ScoutSuite: https://github.com/nccgroup/ScoutSuite - Multi-Cloud Security auditing tool for AWS, Google Cloud and Azure environments (Python)
- Prowler: https://github.com/toniblyx/prowler - CIS benchmarks and additional checks for security best practices in AWS (Shell Script)
- CloudSploit: https://github.com/cloudsploit/scans - AWS security scanning checks (NodeJS)
- CloudMapper: https://github.com/duo-labs/cloudmapper - helps you analyze your AWS environments (Python)
- CloudTracker: https://github.com/duo-labs/cloudtracker - helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
- AWS Security Benchmarks: https://github.com/awslabs/aws-security-benchmark - scripts and templates guidance related to the AWS CIS Foundation framework (Python)
- AWS Public IPs: https://github.com/arkadiyt/aws_public_ips - Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services (Ruby)
- PMapper: https://github.com/nccgroup/PMapper - Advanced and Automated AWS IAM Evaluation (Python)
- AWS-Inventory: https://github.com/nccgroup/aws-inventory - Make an inventory of all your resources across regions (Python)
- Resource Counter: https://github.com/disruptops/resource-counter - Counts number of resources in categories across regions
- ICE: https://github.com/Teevity/ice - Ice provides insights from a usage and cost perspective, with highly detailed dashboards.
- SkyArk: https://github.com/cyberark/SkyArk - SkyArk provides advanced discovery and security assessment for the most privileged entities in the tested AWS environment.
- Trailblazer AWS: https://github.com/willbengtson/trailblazer-aws - Determine which AWS API calls are logged by CloudTrail and what they are logged as. TrailBlazer can also be used as an attack simulation framework.
- Lunar: https://github.com/lateralblast/lunar - Security auditing tool based on several security frameworks (it does some AWS checks)
- Cloud-reports: https://github.com/tensult/cloud-reports - Scans your AWS cloud resources and generates reports
- Pacbot: https://github.com/tmobile/pacbot - Platform for continuous compliance monitoring, compliance reporting and security automation for the cloud
- cs-suite: https://github.com/SecurityFTW/cs-suite - Integrates tools like Scout2 and Prowler among others
- aws-key-disabler: https://github.com/te-papa/aws-key-disabler - A small Lambda script that will disable access keys older than a given number of days
- Antiope: https://github.com/turnerlabs/antiope/ - AWS Inventory and Compliance Framework
Offensive:
- weirdAAL: https://github.com/carnal0wnage/weirdAAL - AWS Attack Library
- Pacu: https://github.com/RhinoSecurityLabs/pacu - AWS penetration testing toolkit
- Cred Scanner: https://github.com/disruptops/cred_scanner
- AWS PWN: https://github.com/dagrz/aws_pwn
- Cloudfrunt: https://github.com/MindPointGroup/cloudfrunt
- Cloudjack: https://github.com/prevade/cloudjack
- Nimbostratus: https://github.com/andresriancho/nimbostratus
- GitLeaks: https://github.com/zricethezav/gitleaks - Audit git repos for secrets
- TruffleHog: https://github.com/dxa4481/truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- DumpsterDiver: https://github.com/securing/DumpsterDiver - Tool to search secrets in various filetypes, like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords.
- Mad-King: https://github.com/ThreatResponse/mad-king - Proof of Concept Zappa Based AWS Persistence and Attack Platform
- Cloud-Nuke: https://github.com/gruntwork-io/cloud-nuke - A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
- MozDef: https://github.com/mozilla/MozDef - The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
- Lambdashell: http://www.lambdashell.com/ - A simple AWS Lambda function that does a straight exec, essentially giving you a shell directly in the site owner's AWS infrastructure to run your commands.
Continuous Security Auditing:
- Security Monkey: https://github.com/Netflix/security_monkey
- Krampus: https://github.com/sendgrid/krampus - Complements Security Monkey
- Cloud Inquisitor: https://github.com/RiotGames/cloud-inquisitor
- CloudCustodian: https://github.com/capitalone/cloud-custodian
- Disable keys after X days: https://github.com/te-papa/aws-key-disabler
- Repokid Least Privilege: https://github.com/Netflix/repokid
- Wazuh CloudTrail module: https://documentation.wazuh.com/current/amazon/index.html
- Hammer: https://github.com/dowjones/hammer
- Streamalert: https://github.com/airbnb/streamalert
- Billing Alerts CFN templates: https://github.com/btkrausen/AWS/tree/master/CloudFormation/Billing%20Alerts
DFIR:
- AWS IR: https://github.com/ThreatResponse/aws_ir - AWS specific Incident Response and Forensics Tool
- Margaritashotgun: https://github.com/ThreatResponse/margaritashotgun - Linux memory remote acquisition tool
- LiMEaide: https://kd8bny.github.io/LiMEaide/ - Linux memory remote acquisition tool
- Diffy: https://github.com/Netflix-Skunkworks/diffy - Triage tool used during cloud-centric security incidents
- AWS Security Automation: https://github.com/awslabs/aws-security-automation - AWS scripts and resources for DevSecOps and automated incident response
- GDPatrol: https://github.com/ansorren/GDPatrol - Automated Incident Response based on AWS GuardDuty findings
- AWSlog: https://github.com/jaksi/awslog - Show the history and changes between configuration versions of AWS resources using AWS Config
- AWS_Responder: https://github.com/prolsen/aws_responder - AWS Digital Forensics and Incident Response (DFIR) Python scripts
- SSM-Acquire: https://github.com/mozilla/ssm-acquire - A Python module for orchestrating content acquisition and analysis via Amazon SSM
Development Security:
- CFN NAG: https://github.com/stelligent/cfn_nag - CloudFormation security test (Ruby)
- Git-secrets: https://github.com/awslabs/git-secrets
- Repository of sample Custom Rules for AWS Config: https://github.com/awslabs/aws-config-rules
- asecure.cloud: https://asecure.cloud - A repository of customizable AWS security configurations (CloudFormation and CLI templates)
- CFripper: https://github.com/Skyscanner/cfripper/ - Lambda function to "rip apart" a CloudFormation template and check it for security compliance.
- Assume: https://github.com/SanderKnape/assume - A simple CLI utility that makes it easier to switch between different AWS roles
- Terrascan: https://github.com/cesar-rodriguez/terrascan - A collection of security and best-practice tests for static code analysis of Terraform templates using terraform_validate
- pytest-services: https://github.com/mozilla-services/pytest-services - Unit testing framework for test driven security of AWS configurations and more
S3 Buckets Auditing:
- https://github.com/Parasimpaticki/sandcastle
- https://github.com/smiegles/mass3
- https://github.com/koenrh/s3enum
- https://github.com/tomdev/teh_s3_bucketeers/
- https://github.com/Quikko/BuQuikker (multi threading for teh_s3_bucketeers)
- https://github.com/eth0izzle/bucket-stream
- https://github.com/gwen001/s3-buckets-finder
- https://github.com/aaparmeggiani/s3find
- https://github.com/bbb31/slurp
- https://github.com/random-robbie/slurp
- https://github.com/kromtech/s3-inspector
- https://github.com/petermbenjamin/s3-fuzzer
- https://github.com/jordanpotti/AWSBucketDump
- https://github.com/bear/s3scan
- https://github.com/sa7mon/S3Scanner
- https://github.com/magisterquis/s3finder
- https://github.com/abhn/S3Scan
- https://breachinsider.com/honey-buckets/
- https://www.buckhacker.com [Currently Offline]
- https://www.thebuckhacker.com/
- https://buckets.grayhatwarfare.com/
- https://github.com/whitfin/s3-meta
- https://github.com/vr00n/Amazon-Web-Shenanigans/tree/master/S3PublicBucketCheck
- https://github.com/FishermansEnemy/bucket_finder
- https://github.com/brianwarehime/inSp3ctor
- https://github.com/Atticuss/bucketcat
- https://github.com/Ucnt/aws-s3-bruteforce
- https://github.com/nahamsec/lazys3
- https://github.com/securing/BucketScanner
- https://digi.ninja/projects/bucket_finder.php
Training:
- http://flaws.cloud/ - flAWS challenge to learn through a series of levels about common mistakes and gotchas when using AWS
- http://flaws2.cloud/ - flAWS 2 has two paths this time: Attacker and Defender! In the Attacker path, you'll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path, that target is now viewed as the victim and you'll work as an incident responder for that same app, understanding how an attack happened.
- https://github.com/RhinoSecurityLabs/cloudgoat - Vulnerable by Design AWS infrastructure setup tool
- https://github.com/m6a-UdS/dvca - Damn Vulnerable Cloud Application
- https://github.com/sonofagl1tch/AWSDetonationLab - Scripts and templates to generate some basic detections of the AWS security services
Honey-token:
- https://bitbucket.org/asecurityteam/spacecrab
- https://breachinsider.com/honey-buckets/
- https://github.com/0x4D31/honeyLambda
- https://github.com/thinkst/canarytokens-docker
Others:
- https://github.com/nagwww/s3-leaks - A list of some of the biggest S3 leaks recorded