Contribute

Do you want to contribute to this list? Feel free to send a PR and make sure your tool is Open Source.

Name	Description	Popularity	Metadata
My Arsenal of AWS Security Tools	This list of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

Defensive: Hardening, Security Assessment and Inventory

Name	Description	Popularity	Metadata
Prowler	Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more. (Python)
CloudMapper	helps you analyze your AWS environments (Python)
ScoutSuite	Multi-Cloud Security auditing tool for AWS Google Cloud and Azure environments (python)
CloudCustodian	Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
ICE	Ice provides insights from a usage and cost perspective with high detail dashboards.
CloudSploit Scans	AWS security scanning checks (NodeJS)
AWS Network Access Analyzer	Automation for Amazon VPC Network Access Analyzer to identify all possible Internet Gateway reachability for your resources across all your AWS accounts
CloudTracker	helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies (Python)
AWS Security Benchmarks	scripts and templates guidance related to the AWS CIS Foundation framework (Python)
AWS Public IPs	Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6 Classic/VPC networking and across all AWS services (Ruby)
PMapper	Advanced and Automated AWS IAM Evaluation (Python)
nccgroup AWS-Inventory	Make a inventory of all your resources across regions (Python)
Resource Counter	Counts number of resources in categories across regions
SkyArk	SkyArk provides advanced discovery and security assessment for the most privileged entities in the tested AWS.
findmytakeover	find dangling domains in a multi cloud environment
Trailblazer AWS	Trailblazer AWS determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
Lunar	Security auditing tool based on several security frameworks (it does some AWS checks)
Cloud-reports	Scans your AWS cloud resources and generates reports
Pacbot	Platform for continuous compliance monitoring compliance reporting and security automation for the cloud
cs-suite	Integrates tools like Scout2 and Prowler among others
aws-key-disabler	A small lambda script that will disable access keys older than a given amount of days
Antiope	AWS Inventory and Compliance Framework
Cloud Reports	Scans your AWS cloud resources and generates reports and includes security best practices.
Terraform AWS Secure Baseline	Terraform module to set up your AWS account with the secure
ZeusCloud	Discover, prioritize, and remediate security risks in your AWS cloud environments.
Cartography	Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
TrailScraper	A command-line tool to get valuable information out of AWS CloudTrail
Komiser	Cloud Environment Inspector analyze and manage cloud cost usage security and governance in one place.
Perimeterator	AWS perimeter monitoring. Periodically scan internet facing AWS resources to detect misconfigured services
PolicySentry	IAM Least Privilege Policy Generator auditor and analysis database
Zeus	AWS Auditing & Hardening Tool
janiko71 AWS-inventory	Python script for AWS resources inventory
awspx	A graph-based tool for visualizing effective access and resource relationships in AWS environments
clinv	DevSecOps command line asset inventory tool
aws-gate	Enhanced AWS SSM Session manager CLI client
Detecting Credential Compromise	Detecting of your compromised credential in AWS
AWS-Security-Toolbox (AST)	AWS Security Toolbox (Docker Image) for Security Assessments
iam-lint	Github action for linting AWS IAM policy documents for correctness and possible security issues
aws-security-viz	A tool to visualize aws security groups.
AirIAM	Least privilege AWS IAM using Terraform
Cloudsplaining	AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
iam-policy-generator	A simple library to generate IAM policy statements with no need to remember all the actions APIs
SkyWrapper	SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
aws-recon	Multi-threaded AWS inventory collection tool
iam-policies-cli	A CLI tool for building simple to complex IAM policies
Aaia	AWS Identity and Access Management Visualizer and Anomaly Finder
iam-floyd	IAM policy statement generator with fluent interface - Available for Node.js, Python, .Net and Java
rpCheckup	AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.
S3 Exif Cleaner	Remove EXIF data from all objects in an S3 bucket
Steampipe	Use SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required. (SQL)
access-undenied-aws	Parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps.
Metabadger	Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
AWS-Firewall Factory	Deploy, update, and stage your WAFs while managing them centrally via FMS (CDK)
IAMSpy	A library that utilises the Z3 prover to attempt to answer questions about AWS IAM.
nuvola	Dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax
aws-security-architectures	Architectures for AWS security. (Detect, Alarm, Macie, etc.) Many architectures will be added in the future.
MetaHub for AWS Security Hub	MetaHub is the CLI utility for AWS Security Hub which provides you with extra functionality like grouping your findings by affected reources, executing MetaChecks and MetaTags directly in the affected resource for enriching your findings, filters on top of MetaChecks and MetaTags, different reports like CSV, JSON and HTML, bulk updates, and enriching your findings directly in AWS Security Hub.
Matano	Matano is an open source cloud-native security lake platform (SIEM alternative) for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS.
aws-list-resources	Uses the AWS Cloud Control API to list resources that are present in a given AWS account and region(s). Discovered resources are written to a JSON output file.
aws-summarize-account-activity	Analyzes CloudTrail data of a given AWS account and generates a summary of recently active IAM principals, API calls they made and regions that were used. The summary is written to a JSON output file and can optionally be visualized as PNG files.
aws-lint-iam-policies	Runs IAM policy linting checks against either a single AWS account or all accounts of an AWS Organization. Reports on policies that violate security best practices or contain errors. Supports both identity-based and resource-based policies.

Offensive

Name	Description	Popularity	Metadata
cloudfox	Find exploitable attack paths in cloud infrastructure
WeirdAAL	AWS Attack Library
Pacu	AWS penetration testing toolkit
Cred Scanner	A simple file-based scanner to look for potential AWS access and secret keys in files
AWS PWN	A collection of AWS penetration testing junk
Cloudfrunt	A tool for identifying misconfigured CloudFront domains
Cloudjack	Route53/CloudFront Vulnerability Assessment Utility
Nimbostratus	Tools for fingerprinting and exploiting Amazon cloud infrastructures
GitLeaks	Audit git repos for secrets
TruffleHog	Searches through git repositories for high entropy strings and secrets digging deep into commit history
DumpsterDiver	"Tool to search secrets in various filetypes like keys (e.g. AWS Access Key Azure Share Key or SSH keys) or passwords."
Mad-King	Proof of Concept Zappa Based AWS Persistence and Attack Platform
Cloud-Nuke	A tool for cleaning up your cloud accounts by nuking (deleting) all resources within it
MozDef - The Mozilla Defense Platform	The Mozilla Defense Platform (MozDef) seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
Lambda-Proxy	A bridge between SQLMap and AWS Lambda which lets you use SQLMap to natively test AWS Lambda functions for SQL Injection vulnerabilities.
CloudCopy	Cloud version of the Shadow Copy attack against domain controllers running in AWS using only the EC2:CreateSnapshot permission
enumerate-iam	Enumerate the permissions associated with AWS credential set
Barq	A post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure
CCAT	Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments
Dufflebag	Search exposed EBS volumes for secrets
attack_range	A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
whispers	Identify hardcoded secrets and dangerous behaviours
Redboto	Red Team AWS Scripts
CloudBrute	A tool to find a company (target) infrastructure, files, and apps on the top cloud providers

Purple Teaming & Adversary Emulation

Name	Description	Popularity	Metadata
Stratus Red Team	Granular, Actionable Adversary Emulation for the Cloud
Leonidas	Automated Attack Simulation in the Cloud complete with detection use cases.
Amazon Guardduty Tester	This script is used to generate some basic detections of the GuardDuty service

Continuous Security Auditing

Name	Description	Popularity	Metadata
Security Monkey
Krampus
Cloud Inquisitor
Disable keys after X days
Repokid Least Privilege
Wazuh CloudTrail module
Hammer
Streamalert
Billing Alerts CFN templates
Watchmen	AWS account compliance using centrally managed Config Rules
ElectricEye	Continuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability
SyntheticSun	a defense-in-depth security automation and monitoring framework which utilizes threat intelligence, machine learning, managed AWS security services and, serverless technologies to continuously prevent, detect and respond to threats
CloudQuery	cloudquery exposes your cloud configuration and metadata as sql tables, providing powerful analysis and monitoring for compliance and security
PrismX	Cloud Security Dashboard for AWS - based on ScoutSuite
Falco	Threat detection and response for containers, hosts, Kubernetes and the cloud

Digital Forensics and Incident Response

Name	Description	Popularity	Metadata
AWS IR	AWS specific Incident Response and Forensics Tool
Margaritashotgun	Linux memory remote acquisition tool
Diffy	Triage tool used during cloud-centric security incidents
AWS Security Automation	AWS scripts and resources for DevSecOps and automated incident response
GDPatrol	Automated Incident Response based off AWS GuardDuty findings
AWSlog	Show the history and changes between configuration versions of AWS resources using AWS Config
DataCop	Automated IR process that mitigates vulnerable AWS S3 buckets that are defined by AWS Macie results.
AWS_Responder	AWS Digital Forensic and Incident Response (DFIR) Response Python Scripts
SSM-Acquire	A python module for orchestrating content acquisitions and analysis via Amazon SSM
cloudtrail-partitioner	This project sets up partitioned Athena tables for your CloudTrail logs and updates the partitions nightly. Makes CloudTrail logs queries easier.
fargate-ir	Proof of concept incident response demo using SSM and AWS Fargate.
aws-logsearch	Search AWS CloudWatch logs all at once on the command line.
Varna	Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
aws-auto-remediate	Open source application to instantly remediate common security issues through the use of AWS Config
panther-labs	Detect threats with log data and improve cloud security posture
aws-incident-response	This page is a collection of useful things to look for in CloudTrail using Athena for AWS incident response
cloud-forensics-utils	Python library to carry out DFIR analysis on the Cloud
aws-fast-fixes	Scripts to quickly fix security and compliance issues

Development Security

Name	Description	Popularity	Metadata
Automated Security Helper (ASH)	ASH is a one stop shop for code security scans, and does not require any installation. It will identify the relevant frameworks, and download the relevant, up to date tools. ASH is running on isolated Docker containers, keeping the user environment clean, with a single aggregated report. The following frameworks are supported: Git, Python, Javascript, Cloudformation, Terraform and Jupyter notebook.
CFN NAG	CloudFormation security test (Ruby)
Git-secrets
Repository of sample Custom Rules for AWS Config
CFripper	"Lambda function to ""rip apart"" a CloudFormation template and check it for security compliance."
Assume	A simple CLI utility that makes it easier to switch between different AWS roles
Terrascan	A collection of security and best practice tests for static code analysis of terraform templates using terraform_validate
tfsec	Provides static analysis of your terraform templates to spot potential security issues
Checkov	Terraform, Cloudformation and Kubernetes static analysis written in python
Yor	Automatically tag and trace infrastructure as code frameworks (Terraform, Cloudformation and Serverless)
pytest-services	Unit testing framework for test driven security of AWS configurations and more
IAM Least-Privileged Role Generator	A Serverless framework plugin that statically analyzes AWS Lambda function code and automagically generates least-privileged IAM roles.
AWS Vault	A vault for securely storing and accessing AWS credentials in development environments
AWS Service Control Policies	Collection of semi-useful Service Control Policies and scripts to manage them
Terraform-compliance	A lightweight security focused BDD test framework against terraform (with helpful code for AWS)
Get a List of AWS Managed Policies	a way to get a list of all AWS managed policies
Parliament	AWS IAM linting library
AWS-ComplianceMachineDontStop	Proof of Value Terraform Scripts to utilize Amazon Web Services (AWS) Security Identity & Compliance Services to Support your AWS Account Security Posture
detect-secrets	An enterprise friendly way of detecting and preventing secrets in code.
tf-parliament	Run Parliament AWS IAM Checker on Terraform Files
aws-gate	Better AWS SSM Session manager CLI client
iam-lint	Github action for linting AWS IAM policy documents for correctness and possible security issues
Regula	Regula checks Terraform for AWS security and compliance using Open Policy Agent/Rego
whispers	Identify hardcoded secrets and dangerous behaviours
cloudformation-guard	A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax.
IAMFinder	Enumerates and finds users and IAM roles in a target AWS account
iamlive	Generate a basic IAM policy from AWS client-side monitoring (CSM)
aws-allowlister	Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Leapp	Cross-platform app for managing AWS credentials programmatically, based on Electron
KICS	Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code
SecurityHub CIS Compliance Automator	Automatically configure your AWS Account to meet 95% of the 200+ controls for CIS Compliance, PCI DSS Compliance and AWS Security Best Practice
SCPkit	A SCP management tool that helps condense policies
Codemodder	A pluggable framework for building expressive codemods. Use Codemodder when you need more than a linter or code formatting tool. Use it to fix non-trivial security issues and other code quality problems

S3 Buckets Auditing

Name	Description	Popularity	Metadata
mass3	enumerate through a pre-compiled list of AWS S3 buckets using DNS instead of HTTP with a list of DNS resolvers and multi-threading
teh_s3_bucketeers
bucket-stream	Find interesting Amazon S3 Buckets by watching certificate transparency logs
s3-buckets-finder	brute force Amazon S3 bucket
s3find	find S3 public buckets
slurp-robbie	Enumerate S3 buckets via certstream, domain, or keywords
s3-inspector	check AWS S3 bucket permissions
s3-fuzzer
AWSBucketDump	Look For Interesting Files in S3 Buckets
s3scan	scan s3 buckets for security issues
S3Scanner	Scan for open AWS S3 buckets and dump the contents
s3finder	open S3 bucket finder
S3Scan	spider a website and find publicly open S3 buckets
s3-meta	Gather metadata about your S3 buckets
s3-utils	Utilities and tools based around Amazon S3 to provide convenience APIs in a CLI
S3PublicBucketsCheck	A lambda function that checks your account for Public buckets and emails you whenever a new public s3 bucket is created
bucket_finder	Amazon bucket brute force tool
inSp3ctor	AWS S3 Bucket/Object Finder
bucketcat	Brute-forces objects within a given bucket using Hashcat mask-like syntax
aws-s3-data-finder	AWS S3 Sensitive Data Search
lazys3	bruteforce AWS s3 buckets using different permutations
BucketScanner	Test objects' permissions in AWS buckets
aws-externder-cli	Test S3 buckets as well as Google Storage buckets and Azure Storage containers to find interesting files
festin	S3 bucket weakness discovery
S3Insights	a platform for efficiently deriving security insights about S3 data through metadata analysis
s3_objects_check	Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.

Training

Name	Description	Popularity	Metadata
Flaws.cloud	flAWS challenge to learn through a series of levels about common mistakes and gotchas when using AWS
Flaws2.cloud	flAWS 2 has two paths this time Attacker and Defender! In the Attacker path you'll exploit your way through misconfigurations in serverless (Lambda) and containers (ECS Fargate). In the Defender path that target is now viewed as the victim and you'll work as an incident responder for that same app understanding how an attack happened
CloudGoat	Vulnerable by Design AWS infrastructure setup tool
dvca	Damn Vulnerable Cloud Application more info
AWSDetonationLab	Scripts and templates to generate some basic detections of the AWS security services
OWASPServerlessGoat	OWASP ServerlessGoat is a deliberately insecure realistic AWS Lambda serverless application maintained by OWASP for educational purposes. Single click installation through the AWS Serverless Application Repository.
Sadcloud	A tool for spinning up insecure AWS infrastructure with Terraform. It supports approx. 84 misconfigurations across 22 AWS Services.
BigOrange Actions	Paste your IAM Policy and get a list of Actions it can effectively perform
IncidentResponseGenerator	Incident response generator for training classes
Breaking and Pwning Apps and Servers on AWS and Azure	Course content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training!
terragoat	"Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
cfngoat	"Vulnerable by Design" cloudformation repository. CfnGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
CDKgoat	"Vulnerable by Design" AWS CDK repository. CDKGoat is a learning and training project that demonstrates how common configuration errors can find their way into impartive IAC such as AWS CDK.
aws_exposable_resources	Resource types that can be publicly exposed on AWS
IAM Vulnerable	Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground
PenTesting.Cloud	Free AWS Security Labs - CTF Style
AWSGoat : A Damn Vulnerable AWS Infrastructure	AWSGoat is a vulnerable by design AWS infrastructure featuring OWASP Top 10 web application security risks (2021) and AWS service based misconfigurations.

Other interesting tools/code

Honey-token:

https://bitbucket.org/asecurityteam/spacecrab
https://breachinsider.com/honey-buckets/
https://github.com/0x4D31/honeyLambda
https://github.com/thinkst/canarytokens-docker

More Resources:

asecure.cloud https://github.com/asecure.cloud A repository of cutomizable AWS security configurations (Cloudformation and CLI templates)
s3-leaks https://github.com/nagwww/s3-leaks - a list of some biggest leaks recorded
Model Risk AWS https://magoo.github.io/model-risk-aws/ - POC about probabilistic risk model for AWS
asecure.cloud https://asecure.cloud/ - a great place for security resources regarding AWS Security.
honeybuckets https://github.com/honey-buckets/
thebuckhacker https://github.com/thebuckhacker
buckets.grayhatwarfare https://github.com/buckets.grayhatwarfare
Cloud Security Newsletter by Marco Lancini https://cloudseclist.com/
Cloud Security Podcast by Ashish Rajan https://www.cloudsecuritypodcast.tv
AWS Security Primer By Michael Wittig https://cloudonaut.io/aws-security-primer/
Hacking The Cloud https://hackingthe.cloud/
ThreatModel for Amazon S3 https://github.com/trustoncloud/threatmodel-for-aws-s3 - Library of all the attack scenarios on Amazon S3 and how to mitigate them, following a risk-based approach

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Table of Contents

Contribute

Defensive: Hardening, Security Assessment and Inventory

Files

README.md

Latest commit

History

README.md

File metadata and controls

Table of Contents

Contribute

Defensive: Hardening, Security Assessment and Inventory