Skip to content
/ aws-sec-tools Public

Docker container bundling tools for manual AWS security reviews

License

View license
13 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dachiefjustice/aws-sec-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
PACU_LICENSE
PACU_LICENSE
 
 
README.md
README.md
 
 
tool_launcher.py
tool_launcher.py
 
 

Repository files navigation

AWS Security Auditing Container

Background

This Docker container aims to ease the process of auditing AWS environments for security issues. It bundles handy open-source AWS security analysis tools (plus the AWS CLI/Shell), handles their installation/dependencies, and provides a convenience launcher script. The focus is on finding issues by interrogating AWS APIs and analyzing the results (rather than e.g. looking inside EC2 instances, at application code, or other resources that are opaque to the AWS APIs).

Tools Included

Thanks to the tool authors for their efforts!

  • AWS CLI: manually interrogate AWS APIs
  • AWS Shell: manually interrogate AWS APIs, in a helpful interactive environment
  • Scout2: call various AWS APIs, assess security posture, generate report
  • Prowler: call various AWS APIs, assess security posture focusing on the AWS CIS Foundations Benchmark, generate report
  • CloudSploit Scans: call various AWS APIs, assess security posture, report to STDOUT
  • s3-inspector: examine S3 bucket permissions, report to STDOUT
  • AWS Bucket Dump: unauthenticated, wordlist-based S3 bucket enumeration and loot search.
  • Pacu: AWS exploitation framework. "Metasploit for AWS"

Prerequisites

  • Docker (for building/running the container)
  • git (for cloning this repo)
  • Read-only AWS credentials (convenient if they're in ~/.aws on your Docker host)
  • Internet access (for tool/dependency installation, and running tools)

Building the Container

On a host meeting the prereqs:

  1. Clone this repo: git clone https://github.com/dachiefjustice/aws-sec-tools aws-sec-tools && cd aws-sec-tools (or manually download/extract)
  2. Build the container from the directory containing the Dockerfile: docker build -t aws-sec-tools:01 . (or whatever tag you want)
  3. (Optional, but recommended) Make a directory for storing tool output: mkdir ~/aws-reports

Running the Container

Once you have the container built, on a host meeting the prereqs:

  1. Run the container interactively. It's easiest to bind-mount your AWS dir and a reports dir into the container (adjust container name/tag and volume mounts as needed): docker run -it -v ~/.aws:/home/awssec/.aws -v ~/aws-reports:/home/awssec/reports aws-sec-tools:01
  2. Decide if you want want to run a tool manually, or use the launcher to get started quickly.

Manual Tool Launch

Inside an interactive shell in the container:

  1. cd ~/toolname
  2. Activate the virtualenv: source ~/toolname/bin/activate (for Python-based tools, i.e. most of them)
  3. Run the tool
  4. Deactivate the virtualenv: deactivate (for Python-based tools)

Tool Launcher Convenience Script

Inside an interactive shell in the container:

  1. ./tool_launcher.py
  2. Select the tool you want to run
  3. After running a tool from the launcher, you might find yourself in the tool's virtualenv (handy for re-running the tool with different parameters, maybe to redirect STDOUT to a file in ~/reports, etc.). Alternately, exit the bash shell invoked by the launcher script, re-run ~/tool_launcher.py, and choose another tool.

Notes

  • Familiarize yourself with the tools included in this image before running them.
  • Use read-only AWS credentials. The AWS-managed SecurityAudit policy (arn:aws:iam::aws:policy/SecurityAudit) is a good starting point; customize as appropriate to your AWS environment/the tools you're using.
  • To get the latest tool versions, delete the container image and re-build. The Dockerfile installs each tool via pip or clones the tool's GitHub default branch.
  • Some tools launch automatically when invoked from the tool launcher script (they're labeled as such in the launcher).
  • CloudSploit Scans needs AWS credentials, but doesn't check ~/.aws/credentials for them. The tool launcher script assumes you're using an IAM user (rather than role or other temporary credential), prompts for access key and secret key, and sets the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables before invoking the tool. Alternately, set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, then run the tool manually.
  • To manually run a tool, cd into the tool's directory (under ~) and (for Python-based tools with a ~/toolname/bin directory) activate the tool's virtualenv with source ~/toolname/bin/activate. deactivate when you're done using a tool with a virtualenv.
  • tmux is available (for convenience/running multiple tools at once in a single container instance).
  • git is available.

About

Docker container bundling tools for manual AWS security reviews

Topics

docker dockerfile aws security alpine s3 audit cloud-computing aws-security security-tools cloud-security

Resources

Readme

License

View license
Activity

Stars

13 stars

Watchers

1 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages