we are the experts

The following outlines a list of software that have been developed in cloud security auditing for optimizing security in Google Cloud platforms. A list of solutions is presented with their respective github descriptions.

1. Cartography

Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.

we are the experts

Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.

Detailed information and setup information: https://github.com/lyft/cartography

2. Pacu

Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.

we are the experts

Many modules in Pacu are available, here are some we found most interesting and useful:

  • AWS Account Enumeration
    • Enumerates data About the account itself.
    • Determines information about the AWS account itself.
  • AWS Financial Spending Enumeration
    • Enumerates account spending by service.
    • Display what services the account uses and how much is spent. Data is pulled from CloudWatch metrics and the AWS/Billing Namespace.
  • AWS EBS volumes snapshots Enumeration
    • Enumerates EBS volumes and snapshots and logs any without encryption.
    • This module will enumerate all of the Elastic Block Store volumes, snapshots, and snapshot permissions in the account and save the data to the current session. It will also note whether or not each volume/snapshot is encrypted, then write a list of the unencrypted volumes to csv files
  • AWS EC2 Termination Protection Check
    • Collects a list of EC2 instances without termination protection.
    • This module will check to see if EC2 instance termination protection is enabled for a set of instances. By default, this module will run against all instances. All instances with termination protection disabled will be written to a csv file
  • AWS EC2 Enumeration
    • Enumerates various relevant EC2 info.
    • The module is used to enumerate the following EC2 data from a set of regions on an AWS account: instances, security groups, elastic IP addresses, VPN customer gateways, dedicated hosts, network ACLs, NAT gateways, network interfaces, route tables, subnets, VPCs, and VPC endpoints. By default, all data will be enumerated, but if any arguments are passed in indicating what data to enumerate, only that specific data will be enumerated.
  • AWS IAM Permissions Enumeration
    • Tries to get a confirmed list of permissions for the current (or all) user(s).
    • This module will attempt to use IAM APIs to enumerate a confirmed list of IAM permissions for the current user. This is done by checking attached and inline policies for the user and the groups they are in.
  • AWS IAM Users, Roles, Policies, and Groups Enumeration
    • Enumerates users, roles, customer-managed policies, and groups.
    • This module requests the info for all users, roles, customer-managed policies, and groups in the account. If no arguments are supplied, it will enumerate all four, if any are supplied, it will enumerate those only.
  • AWS Inspector Reports
    • Captures vulnerabilities found when running a preconfigured inspector report.
    • This module captures findings for reports in regions that support AWS Inspector. The optional argument --download-reports will automatically download any reports found into the session downloads directory under a folder named after the run id of the inspector report.
  • AWS Detection Enumeration Services
    • Detects monitoring and logging capabilities.
  • AWS IAM Privilege escalation scanner
    • An IAM privilege escalation path finder and abuser.
    • This module will scan for permission misconfigurations to see where privilege escalation will be possible. Available attack paths will be presented to the user and executed on if chosen.

Detailed information and setup information: https://github.com/RhinoSecurityLabs/pacu

3. Smogcloud

we are the experts

Find exposed AWS cloud assets that you did not know you had. A comprehensive asset inventory is step one to any capable security program. We made Smogcloud to enable security engineers, penetration testers, and AWS administrators to monitor the collective changes that create dynamic and ephemeral internet-facing assets on a more frequent basis. May be useful to identify:

  • Internet-facing FQDNs and IPs across one or hundreds of AWS accounts
  • Misconfigurations or vulnerabilities
  • Assets that are no longer in use
  • Services not currently monitored
  • Shadow IT

Detailed information and setup information: https://github.com/BishopFox/smogcloud

4. Dufflebag

we are the experts

Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!

Detailed information and setup information: https://github.com/bishopfox/dufflebag

© 2022 SafeKeep.