Security auditing tool for AWS environments
JavaScript Python HTML CSS
Latest commit b00edce Jan 8, 2017 @l01cd3v l01cd3v committed on GitHub Merge pull request #125 from nccgroup/dev
Merge latest changes - including support for SNS
Failed to load latest commit information.
AWSScout2 Proper version bump... Jan 8, 2017
filters Basic filter functionality with several filters for IAM roles Oct 24, 2016
html Update policy partial Jan 8, 2017
inc-bootstrap alpha version Dec 22, 2013
inc-handlebars Update jQuery Feb 12, 2015
inc-jquery Update jQuery Feb 12, 2015
inc-scout2 Fetch notifications and show the list in the HTML report Jan 7, 2017
listall-configs Update listall config file to match Scout2's behavior : add condition… Aug 12, 2015
recurse_configs Add default group non empty check and fix get_value_at Nov 23, 2015
rules Fix RulesGenerator for parameterized rules that are not referenced in… Jan 3, 2017
rulesets Add NFS and SMTP to list of specific ports open to all Nov 14, 2016
tests Fix build ? Remove ListItem test case as the tool was removed Feb 27, 2016
.gitignore adding requirements file, ignore virtualenv, updating readme Sep 5, 2014
.gitmodules Update Scout2 to use the opinel package Jul 30, 2015
.travis.yml Run against python nightly is broken - shouldn't prevent from merging… Sep 3, 2016
LICENSE Add license Feb 19, 2014 Fix ListAll Nov 17, 2016 Issue #114 Nov 9, 2016 Fix RulesGenerator for parameterized rules that are not referenced in… Jan 3, 2017 SNS basics: fetch topics Jan 6, 2017
metadata.json SNS basics: fetch topics Jan 6, 2017
requirements.txt SNS basics: fetch topics Jan 6, 2017
ruleset-generator.html Enable "cloudtrail not configured" rule Aug 12, 2016 Updates to ListAll and setup script for AWSScout2 module May 9, 2016

AWS Scout2

Build Status


Scout2 is a security tool that lets AWS administrators assess their environment's security posture. Using the AWS API, Scout2 gathers configuration data for manual inspection and highlights high-risk areas automatically. Rather than pouring through dozens of pages on the web, Scout2 supplies a clear view of the attack surface automatically.

Note: Scout2 is stable and actively maintained, but a number of features and internals may change. As such, please bear with us as we find time to work on, and improve, the tool. Feel free to report a bug with details, request a new feature, or send a pull request.


To install Scout2:

# Clone this repository.
$ git clone

# install required packages:
$ pip install -r requirements.txt



Scout2 is written in Python and supports the following versions:

  • 2.7
  • 3.3
  • 3.4
  • 3.5

AWS Credentials

To run Scout2, you will need valid AWS credentials (Access Key). The role, or user account, associated with this Access Key requires read-only access for all resources in a number of services, including but not limited to CloudTrail, EC2, IAM, RDS, Redshift, and S3.

If you are not sure what permissions to grant, the Scout2-Default IAM policy lists the permissions necessary for a default run of Scout2.

Note: If you are running the tool using new credentials, DO NOT ATTEMPT TO CREATE YOUR OWN CSV FILE. Instead, configure your computer using the aws_recipes_configure_iam tool or refer to the AWS documentation for information about configuring credentials for the AWS CLI.

Compliant with AWS' Acceptable Use Policy

Use of Scout2 does not require AWS users to complete and submit the AWS Vulnerability / Penetration Testing Request Form. Scout2 only performs AWS API calls to fetch configuration data and identify security gaps, which is not considered security scanning as it does not impact AWS' network and applications.


From an EC2 instance with an appropriate IAM role

$ python

From a computer configured to use the AWS CLI, boto, or another AWS SDK (default profile)

$ python

From a computer configured to use the AWS CLI, boto, or another AWS SDK (other profile)

$ python --profile <PROFILE_NAME>

From a computer not configured to use the AWS CLI, using a CSV file downloaded from AWS

To run Scout2 using an access key downloaded from AWS, run the following command:

$ python --csv-credentials <CREDENTIALS.CSV>

When MFA-Protected API Access is Enforced

Initiate an STS session using the aws_recipes_init_sts_session tool OR Add the following parameters to your command:

--mfa-serial <ARN_MFA_SERIAL_NUMBER> --mfa-code <MFA CODE>

To view the report, simply open report.html in your browser.

Format of the CSV file that contains credentials

AWS allows users to download access keys in a CSV file. If you downloaded the file from the AWS web console, this should just work. If you were handed credentials outside of a CSV file, the expected format is as follow (credentials must be on line 2):

User Name,Access Key Id,Secret Access Key (,MFA Serial)

Note: The fourth value is not standard, but supported for convenience if you have enabled MFA-protected API access and want to avoid entering your MFA serial everytime you run Scout2.

Advanced documentation

The following command will provide the list of available command line options:

$ python --help

For further details, checkout our GitHub pages at