Open Source AWS Security Tools

Last Updated: about 3 hours ago

Logging & Monitoring

Parliament
Duo Labs | IAM
Parliament is an AWS IAM linting library. It reviews policies looking for problems such as malformed JSON, missing required elements, incorrect prefix and action names, incorrect resources or conditions for the actions provided, type mismatches, and bad policy patterns.
CloudTracker
Duo Labs | IAM
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Security Monkey
Netflix | AWS
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.
trusted-overlord
github.com/beeva | Multi
Trusted Overlord is a tool that aggregates AWS Trusted Advisor alarms, AWS Health notifications and AWS Support cases from several AWS accounts and builds a brief summary of the results.
Cloud Custodian
CapitalOne | Multi
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies that keep cloud infrastructure well managed, secure and cost optimized. Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.
awslog
github.com/jaksi | AWS Config
A tool that shows the history and changes between configuration versions of AWS resources that are monitored by AWS Config.

Security Assessment

Parliament
Duo Labs | IAM
Parliament is an AWS IAM linting library. It reviews policies looking for problems such as malformed JSON, missing required elements, incorrect prefix and action names, incorrect resources or conditions for the actions provided, type mismatches, and bad policy patterns.
s3audit
github.com/scalefactory | S3
A CLI tool to check S3 buckets in an AWS account for security best practices.
AWS pwn
github.com/dagrz | AWS
A collection of scripts for performing various tasks related to penetration testing AWS.
Aaia
github.com/rams3sh | IAM
A tool to visualize AWS IAM as a graph with the help of Neo4j. This makes outliers easy to identify, and the graph can be queried with Cypher queries to find anomalies.
LambdaGuard
github.com/Skyscanner | Lambda
LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.
Scout Suite
NCC Group | Multi
A multi-cloud security auditing tool for assessing the security posture of cloud environments. Scout Suite lets AWS administrators assess their environment's security posture: using the AWS API, it gathers configuration data for manual inspection and highlights high-risk areas automatically. Rather than poring through dozens of pages on the web, Scout Suite supplies a clear view of the attack surface automatically.
Cartography
Lyft | AWS
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph so that you may validate assumptions about security risks.
SkyArk
CyberArk | CloudTrail, IAM
SkyArk is a cloud security project with two helpful sub-modules: AWStealth and AWStrace. AWStealth discovers the most privileged entities in the scanned AWS environments, including AWS Shadow Admins. AWStrace analyzes AWS CloudTrail logs and provides new valuable insights from them. Security teams can use the result files to investigate sensitive actions, discover the entities that took those actions and reveal additional valuable details on each executed and logged action.
CloudTracker
Duo Labs | IAM
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Cloud Reports
github.com/tensult | Multi
Collects information about various cloud resources, analyzes them against best practices and produces JSON, HTML or PDF reports.
Security Monkey
Netflix | AWS
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.
PacBot (Policy as Code Bot)
Tmobile | Multi
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features: it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations.
trusted-overlord
github.com/beeva | Multi
Trusted Overlord is a tool that aggregates AWS Trusted Advisor alarms, AWS Health notifications and AWS Support cases from several AWS accounts and builds a brief summary of the results.
aws_public_ips
github.com/arkadiyt/ | Multi
A tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account. It can be used as a library and as a CLI, and supports the following AWS services (all with both Classic & VPC flavors): APIGateway, CloudFront, EC2 (and as a result: ECS, EKS, Beanstalk, Fargate, Batch, & NAT Instances), ElasticSearch, ELB (Classic ELB), ELBv2 (ALB/NLB), and more.
Prowler
github.com/toniblyx | Multi
An AWS security best practices assessment, auditing, hardening and forensics readiness tool. It follows the guidelines of the CIS Amazon Web Services Foundations Benchmark and adds additional checks.
PMapper
NCC Group | IAM
This tool helps identify whether the IAM policies in place accomplish the intents of the account's owners. AWS already has tooling to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to gain access to a resource, checking access to other users, roles, and services as ways to pivot.
Aardvark
Netflix | IAM
Aardvark is a multi-account AWS IAM Access Advisor API (and caching layer). Aardvark uses PhantomJS to log into the AWS Console and obtain access advisor data. It then presents a RESTful API for other apps to query.
RepoKid
Netflix | IAM
Repokid uses Access Advisor provided by Aardvark to remove permissions granting access to unused services from the inline policies of IAM roles in an AWS account.

DevSecOps

tfsec
github.com/liamg | AWS
Static-analysis-powered security scanner for Terraform templates.
cfn-python-lint
AWS | CloudFormation
CloudFormation linting tool from AWS which includes a number of security focused checks that can be run to validate CloudFormation templates before deploying them.
Terrascan
github.com/cesar-rodriguez | AWS
A collection of security and best practice tests for static code analysis of Terraform templates using terraform_validate.
git-secrets
awslabs | AWS
A tool that prevents you from committing passwords and other sensitive information to a git repository.
cfripper
github.com/Skyscanner | CloudFormation
CFripper is a Python tool that aims to prevent vulnerabilities from getting to production infrastructure through vulnerable CloudFormation scripts.
TruffleHog
github.com/dxa4481 | CloudFormation
TruffleHog searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets (such as AWS secret keys) that were accidentally committed.
cfn-nag
https://github.com/stelligent/ | CloudFormation
The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure. Roughly speaking, it looks for IAM rules that are too permissive (wildcards), security group rules that are too permissive (wildcards), access logs that aren't enabled, and encryption that isn't enabled.

Authentication

awsume
github.com/trek10inc | IAM, AWS
A utility for easily assuming AWS IAM roles from the command line.
assume
github.com/SanderKnape | IAM, AWS
A simple CLI utility that makes it easier to switch between different AWS roles.
aws-vault
github.com/99designs | IAM, AWS
Securely store and access credentials for AWS. AWS Vault stores IAM credentials in your operating system's secure keystore and then generates temporary credentials from those to expose to your shell and applications. It's designed to be complementary to the AWS CLI tools, and is aware of your profiles and configuration in ~/.aws/config.
aws-okta
github.com/segmentio | IAM, AWS
This tool is similar to aws-vault but allows you to authenticate with AWS using Okta credentials.
aws-azure-login
github.com/dtjohnson | IAM, AWS
This tool allows you to use the normal Azure AD login (including MFA) from the command line to create a federated AWS session, and places the temporary credentials in the proper place for the AWS CLI and SDKs.
aws-adfs
github.com/venth/ | IAM, AWS
Command line tool to ease AWS CLI authentication against ADFS (including multi-factor authentication with Active Directory).

Management

policy_sentry
Salesforce | IAM
IAM least privilege policy generator, auditor, and analysis database.
graffiti-monkey
github.com/Answers4AWS | EC2, Tags
A tool to automate tagging EC2 resources, for example EBS volumes and EBS snapshots.
AWS Auto Cleanup
github.com/servian | AWS
An open source tool to programmatically clean an AWS account's resources based on a whitelist and time-to-live (TTL) settings.
Serverless OpenVPN CA
github.com/empathybroker | VPC, AWS
A Serverless OpenVPN Certificate Authority running on AWS.
GuardDuty Multi-Account Manager
Mozilla | GuardDuty
GuardDuty Multi-Account Manager is a series of lambda functions designed to do the following: 1) Enable GuardDuty Masters in all AWS Regions present and future. 2) Empower account owners to decide to enable GuardDuty. 3) Manage the lifecycle of invitations to the member accounts. 4) Aggregate all findings from all detectors in all regions, normalize the data, and send to a single SQS queue.
BLESS - Bastion's Lambda Ephemeral SSH Service
Netflix | EC2
BLESS is an SSH Certificate Authority that runs as an AWS Lambda function and helps provide a way to authorize users to access a particular SSH host for a short-lived period.

Identity & Access Management

policy_sentry
Salesforce | IAM
IAM least privilege policy generator, auditor, and analysis database.

Offensive Security

barq
github.com/Voulnet | AWS, EC2
A post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure. It allows you to attack running EC2 instances without having the original instance SSH keypairs. It also allows you to perform enumeration and extraction of stored Secrets and Parameters in AWS.
Cloud Container Attack Tool (CCAT)
RhinoSecurityLabs | ECS, ECR
A tool for testing the security of container environments (ECS, ECR, EKS) on AWS by utilizing containers for exploitation in the cloud through backdoors and malicious Docker images.
AWS pwn
github.com/dagrz | AWS
A collection of scripts for performing various tasks related to penetration testing AWS.
enumerate-iam
github.com/andresriancho | IAM
Enumerates the permissions associated with an AWS credential set by brute-forcing all API calls allowed by the IAM policy. The calls performed by this tool are all non-destructive (only get* and list* calls are performed).
SkyArk
CyberArk | CloudTrail, IAM
SkyArk is a cloud security project with two helpful sub-modules: AWStealth and AWStrace. AWStealth discovers the most privileged entities in the scanned AWS environments, including AWS Shadow Admins. AWStrace analyzes AWS CloudTrail logs and provides new valuable insights from them. Security teams can use the result files to investigate sensitive actions, discover the entities that took those actions and reveal additional valuable details on each executed and logged action.
Pacu
RhinoSecurityLabs | AWS
Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
TruffleHog
github.com/dxa4481 | CloudFormation
TruffleHog searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets (such as AWS secret keys) that were accidentally committed.

Visualization

Aaia
github.com/rams3sh | IAM
A tool to visualize AWS IAM as a graph with the help of Neo4j. This makes outliers easy to identify, and the graph can be queried with Cypher queries to find anomalies.
AWS Auto Cleanup
github.com/servian | AWS
An open source tool to programmatically clean an AWS account's resources based on a whitelist and time-to-live (TTL) settings.
Cartography
Lyft | AWS
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph so that you may validate assumptions about security risks.
PacBot (Policy as Code Bot)
Tmobile | Multi
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features: it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations.
cloudformation-graph
github.com/trek10inc | CloudFormation
CloudFormation Graph outputs serverless architecture and resources as Graphviz dot-compatible output.
viz-cfn
github.com/jeshan/ | CloudFormation
A tool that helps visualise CloudFormation templates in the browser. Supports both YAML and JSON.
cloudmapper
Duo Labs | Multi
CloudMapper helps you analyze your AWS account by visualizing the environment and network connectivity. The original purpose was to generate network diagrams and display them in your browser. It now contains much more functionality.
aws-inventory
NCC Group | Multi
This tool tries to discover all AWS resources created in an account and provides a list of those resources and the relationships between them.
PMapper
NCC Group | IAM
This tool helps identify whether the IAM policies in place accomplish the intents of the account's owners. AWS already has tooling to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to gain access to a resource, checking access to other users, roles, and services as ways to pivot.

Billing

Ariel
Yahoo | AWS
Ariel is an AWS Lambda designed to collect, analyze, and make recommendations about Reserved Instances for EC2.
Komiser
github.com/mlabouardy | AWS
Komiser is a tool to analyze and manage cloud cost, usage, security, and governance in one place. The tool helps you stay under budget by uncovering hidden costs, monitoring increases in spend, and making impactful changes based on custom recommendations.

Incident Response

aws-auto-remediate
github.com/servian | AWS
An open source framework to instantly remediate common security issues through the use of AWS Config. Remediation rules include responses for violations for EC2, S3, RDS, and more.
AWS IR
github.com/ThreatResponse | EC2, IAM
Command line utility for mitigation of EC2 host and IAM key compromises. For IAM key compromises, it allows you to quickly disable the compromised credentials. It can also be used to preserve forensic artifacts from a compromised instance after isolating the instance.
ssm-acquire
Mozilla | EC2
A Python module for orchestrating content acquisition and analysis of compromised EC2 instances using Amazon Systems Manager (SSM).
MozDef
Mozilla | AWS
The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers. It can go beyond traditional SIEM systems in automating incident handling, information sharing, workflow, metrics and response automation.

Compliance

Cloud Reports
github.com/tensult | Multi
Collects information about various cloud resources, analyzes them against best practices and produces JSON, HTML or PDF reports.
PacBot (Policy as Code Bot)
Tmobile | Multi
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features: it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations.
Cloud Custodian
CapitalOne | Multi
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies that keep cloud infrastructure well managed, secure and cost optimized. Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management.

EC2 Instance Security

ec2-metadata-filter
github.com/stefansundin | EC2
Enhance the security of the EC2 metadata service.

Operations

cloud-nuke
github.com/gruntwork-io | AWS
A tool for cleaning up your cloud accounts by nuking (deleting) all resources within them.
Packer
Hashicorp | EC2
Packer is a tool for building identical machine images for multiple platforms from a single source configuration. Packer is lightweight, runs on every major operating system, and is highly performant, creating machine images for multiple platforms in parallel.
aminator
Netflix | EC2
Easily create application-specific custom AMIs. This tool currently works for CentOS/RedHat Linux images and is intended to run on an EC2 instance.

Troubleshooting

awslog
github.com/jaksi | AWS Config
A tool that shows the history and changes between configuration versions of AWS resources that are monitored by AWS Config.