OWASP Cloud Security - Enabling conversations through threat and control stories


OWASP Cloud Security

We believe that cyber security has a fundamental role to play in protecting the digital future. We also believe that cyber security isn't just about the technology; it's about the people. The customer, the developer, the designer, the security engineer, even the attacker. Not only is cyber security a never-ending process, it's also a conversation.

This project was created to enable that conversation, helping people secure their products and services running in the cloud by providing a set of easy-to-use threat and control stories that pool together the expertise and experience of the development, operations, and security communities.

You can find the main OWASP project page here: https://www.owasp.org/index.php/OWASP_Cloud_Security_Project

Using the project

This project provides the following for an ever-expanding list of cloud providers and services:

Threat stories



Control stories



Proof-of-concept attack scripts and tools

Check out the tools directory in the provider/service directories.

For more information, take a look at the Using the project and Project structure Wiki pages.

Getting involved

This project was created to pool together the experience and expertise of people just like you, so that others can build better and more secure products and services in the cloud. Your contributions are essential!

Join the discussion

The simplest way to get involved is to reach out to other members of the community. If you would like to ask questions, discuss ideas or problems, or even just share your thoughts, you can do so in a number of ways:

If you would like to get in touch with the project leader directly, you can do so via email to fraser.scott@owasp.org

GitHub issues and Pull Requests

This project uses GitHub issues as the primary way of tracking tasks, problems, ideas and so on. If you're looking for a way to help out, but you're not sure where to start, take a look at the list of issues for something you could work on.

If you want to just get stuck straight in, you can create GitHub pull requests (PRs) with your changes. You don't need to create an issue first. Your PR will then be reviewed. If all is well, your PR will be merged into the repository. If there are questions, these will be raised via the comments on the PR. For more information, see the Creating pull requests section.

What needs doing

This project is still in its infancy, so there are plenty of things to do. Also, as cloud security is an ever-expanding landscape, there will always be plenty of things to do ;)

  • Discovering new threats
  • Writing threat stories
  • Identifying controls
  • Writing control stories
  • Community development

For more information on how to get involved, see the Getting involved Wiki page.

Using the OWASP Cloud Security project

This project can be used in many different ways, but typically it will involve using the threat stories in your SDLC, then using the control stories to ensure you have mitigated the threats you identified.

For more information, see the Using the project Wiki page.