Awesome Cloud Security

🛡️ Awesome Cloud Security Resources ⚔️

Contents

• Standards
• Tools
• Reading materials
• Resource
• Contributing

Standards

• Compliances
• Benchmarks

Compliances

• CSA STAR
• ISO/IEC 27017:2015
• ISO/IEC 27018:2019
• MTCS SS 584

Benchmarks

• CIS Benchmark

Tools

• Infrastructure
• Container
• SaaS
• Penetration testing/learning
• Native tools

Infrastructure

• aws_pwn: A collection of AWS penetration testing junk
• aws_ir: Python installable command line utility for mitigation of instance and key compromises.
• aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.
• aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
• awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
• azucar: A security auditing tool for Azure environments
• checkov: A static code analysis tool for infrastructure-as-code.
• cloud-forensics-utils: A python lib for DF & IR on the cloud.
• Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.
• cloudlist: Listing Assets from multiple Cloud Providers.
• Cloud Sniper: A platform designed to manage Cloud Security Operations.
• Cloudmapper: Analyze your AWS environments.
• Cloudmarker: A cloud monitoring tool and framework.
• Cloudsploit: Cloud security configuration checks.
• CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.
• Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
• consoleme: A Central Control Plane for AWS Permissions and Access
• cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
• Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
• dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.
• diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
• ElectricEye: Continuously monitor AWS services for configurations.
• Forseti security: GCP inventory monitoring and policy enforcement tool.
• Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
• kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
• Matano: Open source serverless security lake platform on AWS that lets you ingest, store, and analyze data into an Apache Iceberg data lake and run realtime Python detections as code.
• Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
• Open policy agent: Policy-based control tool.
• pacbot: Policy as Code Bot.
• pacu: The AWS exploitation framework.
• Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
• ScoutSuite: Multi-cloud security auditing tool.
• Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
• SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
• Smogcloud: Find cloud assets that no one wants exposed.
• Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.
• Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
• tfsec: Static analysis powered security scanner for Terraform code.
• Zeus: AWS Auditing & Hardening Tool.

Container

• auditkube: Audit for for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
• Falco: Container runtime security.
• mkit: Managed kubernetes inspection tool.
• Open policy agent: Policy-based control tool.

SaaS

• aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.
• binaryalert: Serverless S3 yara scanner.
• cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
• Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.
• Function Shield: Protection/destection lib of aws lambda and gcp function.
• FestIN: S3 bucket finder and content discover.
• GCPBucketBrute: A script to enumerate Google Storage buckets.
• IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.
• Lambda Guard: AWS Lambda auditing tool.
• Policy Sentry: IAM Least Privilege Policy Generator.
• S3 Inspector: Tool to check AWS S3 bucket permissions.
• Serverless Goat: A serverless application demonstrating common serverless security flaws.
• SkyArk: Tool to helps to discover, assess and secure the most privileged entities in Azure and AWS.

Penetration testing/learning

• ccat: Cloud Container Attack Tool.
• CloudBrute: A multiple cloud enumerator.
• cloudgoat: "Vulnerable by Design" AWS deployment tool.
• Leonidas: A framework for executing attacker actions in the cloud.
• Sadcloud: Tool for spinning up insecure AWS infrastructure with Terraform.
• TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
• WrongSecrets: A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.

Native tools

• AWS
  • Artifact: Compliance report selfservice.
  • Audit manager: Continuously audit for AWS usage.
  • Certificate Manager: Private CA and certificate management service.
  • CloudTrail: Record and log API call on AWS.
  • Config: Configuration and resources relationship monitoring.
  • Elastic Disaster Recovery: Application recovery service.
  • Detective: Analyze and visualize security data and help security investigations.
  • Firewall Manager: Firewall management service.
  • GuardDuty: IDS service
  • CloudHSM: HSM service.
  • Inspector: Vulnerability discover and assessment service.
  • KMS: KMS service
  • Macie: Fully managed data security and data privacy service for S3.
  • Network Firewall: Network firewall service.
  • Secret Manager: Credential management service.
  • Security Hub: Integration service for other AWS and third-party security service.
  • Shield: DDoS protection service.
  • Single Sign-On: Service of centrally manage access AWS or application.
  • ThreatMapper: Identify vulnerabilities in running containers, images, hosts and repositories.
  • VPC Flowlog: Log of network traffic.
  • WAF: Web application firewall service.
• Azure
  • Application Gateway: L7 load balancer with optional WAF function.
  • DDoS Protection: DDoS protection service.
  • Dedicated HSM: HSM service.
  • Key Vault: KMS service
  • Monitor: API log and monitoring related service.
  • Security Center: Integration service for other Azure and third-party security service.
  • Sentinel: SIEM service.
• GCP
  • Access Transparency: Transparency log and control of GCP.
  • Apigee Sense: API security monitoring, detection, mitigation.
  • Armor: DDoS protection and WAF service
  • Asset Inventory: Asset monitoring service.
  • Assured workloads: Secure and compliant workloads.
  • Audit Logs: API logs.
  • Binanry Authorization: Binary authorization service for containers and serverless.
  • Cloud HSM: HSM service.
  • Cloud IDS: IDS service.
  • Confidential VM: Encrypt data in use with VM.
  • Context-aware Access: Enable zero trust access to applications and infrastructure.
  • DLP: DLP service:
  • EKM: External key management service
  • Identity-Aware Proxy: Identity-Aware Proxy for protect the internal service.
  • KMS: KMS service
  • Policy Intelligence: Detect the policy related risk.
  • Security Command Center: Integration service for other GCP security service.
  • Security Scanner: Application security scanner for GAE, GCE, GKE.
  • Shielded VM: VM with secure boot and vTPM.
  • Event Threat Detection: Threat dection service.
  • VPC Service Controls: GCP service security perimeter control.

Reading Materials

• AWS
• Azure
• GCP
• Others

AWS

1. Overiew of AWS Security
2. AWS-IAM-Privilege-Escalation by RhinoSecurityLabs: A centralized source of all AWS IAM privilege escalation methods.
3. MITRE ATT&CK Matrices of AWS
4. AWS security workshops
5. ThreatModel for Amazon S3: Library of all the attack scenarios on Amazon S3, and how to mitigate them following a risk-based approach

Azure

1. Overiew of Azure Security
2. Azure security fundamentals
3. MicroBurst by NetSPI: A collection of scripts for assessing Microsoft Azure security
4. MITRE ATT&CK Matrices of Azure
5. Azure security center workflow automation

GCP

1. Overiew of GCP Security
2. GKE security scenarios demo
3. MITRE ATT&CK Matrices of GCP
4. Security response automation

Others

1. Cloud Security Research by RhinoSecurityLabs
2. CSA cloud security guidance v4
3. Appsecco provides training
4. Cloud Risk Encyclopedia by Orca Security: 900+ documented cloud security risks, with ability to filter by cloud vendor, compliance framework, risk category, and criticality.

Resource

• AWS
• Others

AWS

1. Bucket search by grayhatwarfare

Others

1. Mapping of On-Premises Security Controls vs. Major Cloud Providers Services

Contributing

See contributing