Awesome Cloud Security

⚔️🛡️⚔️ Awesome curated list of cloud security resources including relevant penetration testing tools for Cloud Security

Contents

• Standards
  • Compliances
  • Benchmarks
• Tools
  • Infrastrcture
  • Container
  • SaaS
  • Native tools
  • Penetration Testing
    • Enumeration
    • Information Gathering
    • Lateral Movement
    • Exploitation
      • Credential Attacks
• Reading materials
  • AWS
  • Azure
  • GCP
  • Others
• Resources
  • Lists and Cheat Sheets
  • Lab Exercises
  • Talks & Videos
  • Books
  • Tips and Tricks

Standards

Compliances

• CSA STAR
• ISO/IEC 27017:2015
• ISO/IEC 27018:2019
• MTCS SS 584

Benchmarks

• CIS Benchmark

Tools

Infrastrcture

• aws_pwn: A collection of AWS penetration testing junk
• aws_ir: Python installable command line utility for mitigation of instance and key compromises.
• aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
• awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
• azucar: A security auditing tool for Azure environments
• checkov: A static code analysis tool for infrastructure-as-code.
• CloudBrute: A multiple cloud enumerator.
• cloud-forensics-utils: A python lib for DF & IR on the cloud.
• cloudlist: Listing Assets from multiple Cloud Providers.
• cloudgoat: "Vulnerable by Design" AWS deployment tool.
• Cloudmapper: Analyze your AWS environments.
• cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
• Cloudsploit Scans: Cloud security configuration checks.
• Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
• cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
• diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
• ElectricEye: Continuously monitor AWS services for configurations.
• Forseti security: GCP inventory monitoring and policy enforcement tool.
• Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
• kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
• Leonidas: A framework for executing attacker actions in the cloud.
• Open policy agent: Policy-based control tool.
• pacbot: Policy as Code Bot.
• pacu: The AWS exploitation framework.
• Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
• ScoutSuite: Multi-cloud security auditing tool.
• Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
• SkyArk: Tool to helps to discover, assess and secure the most privileged entities in Azure and AWS.
• SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
• Smogcloud: Find cloud assets that no one wants exposed.
• TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
• Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
• tfsec: Static analysis powered security scanner for Terraform code.
• Zeus: AWS Auditing & Hardening Tool.

Container

• auditkube: Audit for for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
• ccat: Cloud Container Attack Tool.
• Falco: Container runtime security.
• mkit: Managed kubernetes inspection tool.
• Open policy agent: Policy-based control tool.

SaaS

• Function Shield: Protection/destection lib of aws lambda and gcp function.
• FestIN: S3 bucket finder and content discover.
• GCPBucketBrute: A script to enumerate Google Storage buckets.
• Lambda Guard: AWS Lambda auditing tool.
• Policy Sentry: IAM Least Privilege Policy Generator.
• S3 Inspector: Tool to check AWS S3 bucket permissions.
• Serverless Goat: A serverless application demonstrating common serverless security flaws

Native tools

• AWS
  • Artifact: Compliance report selfservice.
  • Certificate Manager: Private CA and certificate management service.
  • CloudTrail: Record and log API call on AWS.
  • Config: Configuration and resources relationship monitoring.
  • Detective: Analyze and visualize security data and help security investigations.
  • Firewall Manager: Firewall management service.
  • GuardDuty: IDS service
  • CloudHSM: HSM service.
  • Inspector: Vulnerability discover and assessment service.
  • KMS: KMS service
  • Macie: Fully managed data security and data privacy service for S3.
  • Network Firewall: Network firewall service.
  • Secret Manager: Credential management service.
  • Security Hub: Integration service for other AWS and third-party security service.
  • Shield: DDoS protection service.
  • VPC Flowlog: Log of network traffic.
  • WAF: Web application firewall service.
• Azure
  • Application Gateway: L7 load balancer with optional WAF function.
  • DDoS Protection: DDoS protection service.
  • Dedicated HSM: HSM service.
  • Key Vault: KMS service
  • Monitor: API log and monitoring related service.
  • Security Center: Integration service for other Azure and third-party security service.
  • Sentinel: SIEM service.
• GCP
  • Access Transparency: Transparency log and control of GCP.
  • Apigee Sense: API security monitoring, detection, mitigation.
  • Armor: DDoS protection and WAF service
  • Asset Inventory: Asset monitoring service.
  • Audit Logs: API logs.
  • Cloud HSM: HSM service
  • Context-aware Access: Enable zero trust access to applications and infrastructure.
  • DLP: DLP service:
  • EKM: External key management service
  • Identity-Aware Proxy: Identity-Aware Proxy for protect the internal service.
  • KMS: KMS service
  • Policy Intelligence: Detect the policy related risk.
  • Security Command Center: Integration service for other GCP security service.
  • Security Scanner: Application security scanner for GAE, GCE, GKE.
  • Event Threat Detection: Threat dection service.
  • VPC Service Controls: GCP service security perimeter control.

Penetration Testing

Enumeration

• o365creeper - Enumerate valid email addresses
• CloudBrute - Tool to find a cloud infrastructure of a company on top Cloud providers
• cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud
• Azucar - Security auditing tool for Azure environments
• CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard to find permissions and configuration settings
• ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.
• BlobHunter - A tool for scanning Azure blob storage accounts for publicly opened blobs
• Grayhat Warfare - Open Azure blobs and AWS bucket search

Information Gathering

• o365recon - Information gathering with valid credentials to Azure
• Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members
• ROADtools - Framework to interact with Azure AD
• PowerZure - PowerShell framework to assess Azure security
• Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud
• Sparrow.ps1 - Helps to detect possible compromised accounts and applications in the Azure/M365 environment
• Hawk - Powershell based tool for gathering information related to O365 intrusions and potential breaches

Lateral Movement

• Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
• AzureADLateralMovement - Lateral Movement graph for Azure Active Directory
• SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS

Exploitation

• MicroBurst - A collection of scripts for assessing Microsoft Azure security
• azuread_decrypt_msol_v2.ps1 - Decrypt Azure AD MSOL service account

Credential Attacks

• MSOLSpray - A password spraying tool for Microsoft Online accounts (Azure/O365)
• MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services Resources
• adconnectdump - Dump Azure AD Connect credentials for Azure AD and Active Directory

Reading Materials

AWS

• Overiew of AWS Security
• AWS-IAM-Privilege-Escalation by RhinoSecurityLabs: A centralized source of all AWS IAM privilege escalation methods.
• MITRE ATT&CK Matrices of AWS
• AWS security workshops
• Bucket search by grayhatwarfare

Azure

• Overiew of Azure Security
• Azure security fundamentals
• MicroBurst by NetSPI: A collection of scripts for assessing Microsoft Azure security
• MITRE ATT&CK Matrices of Azure
• Abusing Azure AD SSO with the Primary Refresh Token
• Abusing dynamic groups in Azure AD for Privilege Escalation
• Attacking Azure, Azure AD, and Introducing PowerZure
• Attacking Azure & Azure AD, Part II
• Azure AD Connect for Red Teamers
• Azure AD Introduction for Red Teamers
• Azure AD Pass The Certificate
• Azure AD privilege escalation - Taking over default application permissions as Application Admin
• Defense and Detection for Attacks Within Azure
• Hunting Azure Admins for Vertical Escalation
• Impersonating Office 365 Users With Mimikatz
• Lateral Movement from Azure to On-Prem AD
• Malicious Azure AD Application Registrations
• Moving laterally between Azure AD joined machines
• CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure Active Directory
• Privilege Escalation Vulnerability in Azure Functions

GCP

• Overiew of GCP Security
• GKE security scenarios demo
• MITRE ATT&CK Matrices of GCP

Others

• Cloud Security Research by RhinoSecurityLabs
• CSA cloud security guidance v4
• Appsecco provides training
• Mapping of On-Premises Security Controls vs. Major Cloud Providers Services

Resources

Lists and Cheat Sheets

• Azure Articles from NetSPI
• Azure Cheat Sheet on CloudSecDocs
• Resources about Azure from Cloudberry Engineering
• Resources from PayloadsAllTheThings
• Encyclopedia on Hacking the Cloud - (No content yet for Azure)

Lab Exercises

• azure-security-lab - Securing Azure Infrastructure - Hands on Lab Guide
• AzureSecurityLabs - Hands-on Security Labs focused on Azure IaaS Security
• Building Free Active Directory Lab in Azure

Talks and Videos

• Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD
  • Presentation Slides
• TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory
  • Presentation Slides
• Dirk Jan Mollema - Im In Your Cloud Pwning Your Azure Environment - DEF CON 27 Conference
  • Presentation Slides
• Adventures in Azure Privilege Escalation Karl Fosaaen
  • Presentation Slides
• Introducing ROADtools - Azure AD exploration for Red Teams and Blue Teams

Books

• Pentesting Azure Applications

Tips and Tricks

• Replace COMPANYNAME with the company name of your choice to check if they use Azure. If the NameSpaceType indicates "Managed", then the company is using Azure AD:

https://login.microsoftonline.com/[email protected]&xml=1