AWS EC2 and S3 Security Auditing Tool

AWS Scout


NOTE: Due to API changes, this software no longer works on modern AWS. Please see Scout2 for a modern equivalent.

The scale and variety of Amazon Web Services (AWS) has created a constantly changing landscape. What was previously managed by enterprise IT groups is now done through a variety of Amazon-based services, leaving many questions concerning the risk and security of these environments unanswered.

Scout is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, Scout gathers configuration data for manual inspection or highlights high-risk areas automatically. Rather than poring through dozens of pages on the web, Scout supplies a clear view of the attack surface automatically.


To install Scout, simply grab the latest jar from the downloads page. You may want to put it somewhere in your $PATH to make it easier to run.


Scout is packaged as an executable jar. To run it, type

$ java -jar scout-0.9.5-standalone.jar

This will print a short message describing the commands Scout supports.


java -jar scout-0.9.5-standalone.jar ACTION [OPTIONS]

Each action is described in detail below. The -c argument specifies the credentials file the tool uses to make requests to the AWS API.



Output a list of every instance in your EC2 account, grouped by security group, along with selected attributes of the instance.


Output a list of every security group, broken down permission by permission.


Output a list of notable or dangerous security group permissions. Permissions are rated as critical, warning, or info depending on the service exposed and how much of the internet the service is exposed to (a /8 is more "critical" than a /24). For more information regarding this rating algorithm, consult the wiki.


Output the difference between what is configured in EC2 and the supplied ruleset file. Permissions marked "+" are configured in EC2 but missing from the ruleset, while permissions marked "-" are missing from EC2 but defined in the ruleset.

compare-groups requires that you specify a ruleset file for it to compare against. Here's an example ruleset:

  ;; Each group lists its permissions as (permission PROTOCOL [PORT] SOURCE)
  ;; or (permission PROTOCOL [FROM-PORT TO-PORT] SOURCE); the source is either
  ;; a string or the keyword of another group in the ruleset.
  (group :websrv
         (permission :tcp [80] "")
         (permission :tcp [443] "")
         (permission :tcp [22] ""))
  (group :appsrv
         (permission :tcp [8080 8083] :websrv)   ; port range, only from :websrv
         (permission :tcp [22] ""))
  (group :dbsrv
         (permission :tcp [5432] :appsrv)
         (permission :tcp [22] ""))
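As an added example that is not part of Scout, the compare-groups logic the README describes in Python: a minimal reader for the ruleset format above and a set difference against a constructed stand-in for what the EC2 API would report. It assumes the EC2 sample's source column uses the ruleset's own notation (an empty string or a group name).

```python
import re

# Constructed ruleset in Scout's format (a subset of the README example).
RULESET = """
(group :websrv
       (permission :tcp [80] "")
       (permission :tcp [22] ""))
(group :appsrv
       (permission :tcp [8080 8083] :websrv)
       (permission :tcp [22] ""))
"""
# Constructed stand-in for EC2's view: (group, proto, from-port, to-port, source).
EC2_PERMS = {
    ("websrv", "tcp", 80, 80, ""),
    ("websrv", "tcp", 22, 22, ""),
    ("websrv", "tcp", 3389, 3389, ""),  # not in the ruleset -> reported with "+"
    ("appsrv", "tcp", 8080, 8083, "websrv"),
    # appsrv port 22 is in the ruleset but absent here -> reported with "-"
}
TOKEN = re.compile(r'[()\[\]]|"[^"]*"|[^\s()\[\]"]+')

def parse(text):
    """Minimal s-expression reader: nested lists of strings, ints and keywords."""
    stack = [[]]
    for tok in TOKEN.findall(text):
        if tok in ("(", "["):
            stack.append([])
        elif tok in (")", "]"):
            if len(stack) < 2:
                raise ValueError("stray closing bracket in ruleset")
            stack[-2].append(stack.pop())
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])        # source string
        elif tok.isdigit():
            stack[-1].append(int(tok))         # port number
        else:
            stack[-1].append(tok.lstrip(":"))  # keyword such as :tcp or :websrv
    if len(stack) != 1:
        raise ValueError("unclosed bracket in ruleset")
    return stack[0]

def ruleset_perms(text):
    """Flatten (group NAME (permission PROTO [LO HI] SOURCE) ...) into EC2-style tuples."""
    return {(name, proto, ports[0], ports[-1], source)
            for _, name, *rules in parse(text) for _, proto, ports, source in rules}

def compare_groups(ec2, rules):
    """'+' = configured in EC2 but missing from the ruleset, '-' = the reverse."""
    fmt = lambda p: f"{p[0]} {p[1]} {p[2]}-{p[3]} from {p[4]!r}"
    return [f"+ {fmt(p)}" for p in sorted(ec2 - rules)] + [f"- {fmt(p)}" for p in sorted(rules - ec2)]
```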


Output a list of S3 bucket permissions, organized by policy.


Output a list of every bucket permission opening any resource to the public. This may or may not be useful, depending on how S3 is used.


-c <file>

A file containing the IAM credentials of the AWS account to audit and, optionally, lists of ports to flag and/or ignore while auditing security groups.

At minimum, Scout needs a set of IAM credentials, supplied as in this sample:

  (iam-credentials "ACCESS KEY ID" "SECRET ACCESS KEY")

Optionally, you can instruct Scout to flag certain ports and/or ignore certain ports while auditing, as in this example:

  (iam-credentials "ACCESS KEY ID" "SECRET ACCESS KEY")
  (flag-ports 53 8080)      ; always call out these ports
  (ignore-ports 80 443)     ; skip these ports when auditing

-f <ruleset-file>

The file containing the ruleset to compare against the security groups configured in EC2.


GPLv2: See LICENSE.txt.