This tool will read the existing drift of a stack, iterate through the drifted resources and construct a patch document to change the actual (detected) property values to the expected (stack) values.
Patrolaroid snapshots AWS instances and buckets to uncover malware, backdoors, cryptominers, toolkits, and other attacker tomfoolery that you probably don’t want in your prod.
An AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources. It makes it easy to reason about resource visibility across all the accounts in your org.
IAMCTL is a tool that you can use to extract the IAM roles and policies from two accounts, compare them, and report out the differences and statistics.
SkyWrapper analyzes the behavior of temporary tokens created in a given AWS account. The tool aims to find suspicious patterns in how temporary tokens are created and used, in order to detect malicious activity in the account. It analyzes the AWS account and produces an Excel sheet listing all currently live temporary tokens.
SpaceSiren is a honey token manager and alert system for AWS. With this fully serverless application, you can create and manage honey tokens at scale -- up to 10,000 per SpaceSiren instance -- at close to no cost
Parliament is an AWS IAM linting library. It reviews policies looking for problems such as: malformed JSON, missing required elements, incorrect prefix and action names, incorrect resources or conditions for the actions provided, type mismatches, and bad policy patterns.
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.
Trusted Overlord is a tool aimed to aggregate AWS Trusted Advisor alarms, AWS Health notifications and AWS Support cases from several AWS accounts and build a brief summary with the results.
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost optimized. Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
A tool to visualize AWS IAM in a graphical fashion with help of Neo4j. This helps in identifying the outliers easily, as well as the ability to query the graph using cypher queries to find the anomalies.
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph so that you may validate assumptions about security risks.
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. PacBot's auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot also packs in powerful visualization features: it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations.
CloudMapper helps you analyze your AWS account by visualizing the environment and network connectivity. The original purpose was to generate network diagrams and display them in your browser. It now contains much more functionality.
This blog post shows you how you can analyze AWS WAF logs using Amazon Elasticsearch Service (Amazon ES). It also shows how to find out in near-real time which AWS WAF rules get triggered, why, and by which request. Finally, it shows how to create a historical view of your web applications' access trends for long-term analysis.
This is a tool that tries to discover all AWS resources created in an account and provides a list of all resources in an AWS account and relationships between these resources.
This tool helps identify if the IAM policies in place will accomplish the intents of the account's owners. AWS already has tooling in place to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to get access to a resource. This means checking for access to other users, roles, and services as ways to pivot.
A post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure. It allows you to attack running EC2 instances without having the original instance SSH keypairs. It also allows you to perform enumeration and extraction of stored Secrets and Parameters in AWS.
A tool for testing security of container environments (ECS, ECR, EKS) on AWS by utilizing containers for exploitation in the cloud through backdoors and malicious Docker images
Enumerate the permissions associated with an AWS credential set by brute forcing all API calls allowed by the IAM policy. The calls performed by this tool are all non-destructive (only get* and list* calls are performed).
SkyArk: SkyArk is a cloud security project with two helpful sub-modules: AWStealth and AWStrace. AWStealth discovers the most privileged entities in the scanned AWS environments, including AWS Shadow Admins, while AWStrace analyzes AWS CloudTrail logs to provide new, valuable insights from them. Security teams can use the results files to investigate sensitive actions, discover the entities that took those actions, and reveal additional valuable details on each executed and logged action.
Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
TruffleHog Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets (such as AWS Secret Keys) accidentally committed.
GuardDuty Multi-Account Manager is a series of lambda functions designed to do the following: 1) Enable GuardDuty Masters in all AWS Regions present and future. 2) Empower account owners to decide to enable GuardDuty. 3) Manage the lifecycle of invitations to the member accounts. 4) Aggregate all findings from all detectors in all regions, normalize the data, and send to a single SQS queue.
Bless is an SSH Certificate Authority that runs as an AWS Lambda function, and helps provide a way to authorize users to access a particular SSH host for a short-lived period.
LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.
A multi-cloud security auditing tool, which enables assessing the security posture of cloud environments. ScoutSuite is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, ScoutSuite gathers configuration data for manual inspection and highlights high-risk areas automatically. Rather than poring through dozens of pages on the web, ScoutSuite supplies a clear view of the attack surface automatically.
A tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account. It can be used as a library and as a CLI, and supports the following AWS services (all with both Classic & VPC flavors): APIGateway, CloudFront, EC2 (and as a result: ECS, EKS, Beanstalk, Fargate, Batch, & NAT Instances), ElasticSearch, ELB (Classic ELB), ELBv2 (ALB/NLB), and more.
AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark and additional checks.
Aardvark is a multi-account AWS IAM Access Advisor API (and caching layer). Aardvark uses PhantomJS to log into the AWS Console and obtain access advisor data. It then presents a RESTful API for other apps to query.
Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and CloudFormation and detects security and compliance misconfigurations.
CloudFormation linting tool from AWS which includes a number of security focused checks that can be run to validate CloudFormation templates before deploying them.
The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure. Roughly speaking it will look for: IAM rules that are too permissive (wildcards), Security group rules that are too permissive (wildcards), Access logs that aren't enabled, Encryption that isn't enabled.
Securely store and access credentials for AWS. AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the aws cli tools, and is aware of your profiles and configuration in ~/.aws/config.
This tool allows you to use the normal Azure AD login (including MFA) from a command line to create a federated AWS session and places the temporary credentials in the proper place for the AWS CLI and SDKs.
Komiser is a tool to analyze and manage cloud cost, usage, security, and governance in one place. The tool helps you stay under budget by uncovering hidden costs, monitoring increases in spend, and making impactful changes based on custom recommendations.
An open source framework to instantly remediate common security issues through the use of AWS Config. Remediation rules include responses for violations for EC2, S3, RDS, and more.
Command line utility for mitigation of EC2 host and IAM key compromises. For IAM key compromises, it allows you to quickly disable the compromised credentials. It can also be used to preserve forensic artifacts from a compromised instance after isolating the instance.
The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers. It can go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation
Packer is a tool for building identical machine images for multiple platforms from a single source configuration. Packer is lightweight, runs on every major operating system, and is highly performant, creating machine images for multiple platforms in parallel.