Cloud

Cloud - Multi-Cloud Methodology and Benchmarks

Basic Methodology

Services Enumeration

  • Discover the services being used in the cloud environment.
  • Look for any unanticipated misconfigurations not covered by benchmark tests.

Check Exposed Assets

  • Identify all assets potentially exposed to the Internet.
  • Manually check for exposed infrastructure like instances with web pages or open ports.
  • Evaluate other cloud-managed services that may be configured for exposure, such as databases or buckets.
  • Assess the security of exposed resources, including the presence of confidential information, vulnerabilities, and misconfigurations.

Check Permissions

  • Investigate the permissions of each role/user within the cloud and how they are utilized.
  • Pay attention to highly privileged accounts and unused keys.
  • Inquire about the assignment of roles, especially in federated systems (e.g., OpenID or SAML).
  • Go beyond identifying admin permissions and consider other sensitive permissions.
  • Investigate application identities, permissions, secrets and scope.
  • Explore potential privilege escalation paths.

Check Integrations

  • Examine integrations with other clouds or SaaS platforms.
  • Determine who has access to and can utilize these integrations.
  • Assess the sensitivity of actions performed through integrations.
  • Scrutinize data usage and access in cross-platform integrations.

Benchmark Checks

  • Understand the size of the environment and services used.
  • Identify quick misconfigurations that can be tested with automated tools.
  • Prowler and CloudSploit are good for this, they have plguins for specific frameworks

Frameworks and Descriptions

CIS (Center for Internet Security)
  • CIS provides a set of security benchmarks and best practices designed to safeguard systems against cyber threats. It’s known for its practical, concise, and widely applicable security configurations.
NIST 800
  • Developed by the National Institute of Standards and Technology, NIST 800 is a series of documents that describe United States federal government computer security policies, procedures, and guidelines. It’s comprehensive and often used in government and commercial organizations.
NIST CSF (Cybersecurity Framework)
  • NIST’s Cybersecurity Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. It’s used for improving critical infrastructure cybersecurity.
CISA (Cybersecurity Infrastructure Security Agency)
  • CISA is an operational component under the Department of Homeland Security, providing guidelines to protect against, respond to, and recover from the nation’s cyber threats. CISA frameworks are more focused on resilience and response to cyber incidents.
FedRAMP (Federal Risk and Authorization Management Program)
  • FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. It’s specifically designed for cloud services used by federal agencies.
PCI-DSS (Payment Card Industry Data Security Standard)
  • PCI-DSS is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It’s essential for any business that handles credit card transactions.
GDPR (General Data Protection Regulation)
  • The GDPR is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. It emphasizes data privacy and consent, impacting how organizations handle personal data.
HIPAA (Health Insurance Portability and Accountability Act)
  • HIPAA sets the standard for protecting sensitive patient data in the U.S. It requires the appropriate safeguarding of any Protected Health Information (PHI) handled by healthcare providers, insurers, and their business associates.
FFIEC (Federal Financial Institutions Examination Council)
  • The FFIEC provides guidelines for U.S. financial institutions in the areas of cybersecurity, risk management, and compliance. It focuses on ensuring the security and stability of the nation’s financial system.
SOC2 (Service Organization Control 2)
  • SOC2 is a framework for managing data privacy based on five “trust service principles” — security, availability, processing integrity, confidentiality, and privacy. It’s particularly relevant for technology and cloud computing organizations.
GXP (Good Practice)
  • GXP encompasses various regulations like Good Laboratory Practices (GLP), Good Clinical Practices (GCP), and Good Manufacturing Practices (GMP). These are guidelines for ensuring the safety and efficacy of pharmaceutical and biomedical products.
Well-Architected Security
  • Security pillar of the AWS Well-Architected Framework, which focuses on key concepts, design principles, and architectural best practices for securing applications and workloads on AWS. It’s a comprehensive approach to cloud security.

Multi-Cloud Tools

Scout-Suite - Install

sudo apt-get install virtualenv
git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
virtualenv –p python3 venv
source venv/bin/activate
pip install –r requirements.txt

ScoutSuite - Azure

User Credentials

Run Scout using —user-account Scout will prompt you for your credentials

User Credentials via Browser

Run Scout using —user-account-browser Through a browser, pick your azure account This authentication method is mostly useful for users which have MFA enabled.

Service Principal

Set up a Service Principal on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) Run Scout with the —service-principal flag. Scout will prompt you for the required information

File-Based Authentication

Create a Service Principal for azure SDK. You can do this with azure-cli by running:

az ad sp create-for-rbac --sdk-auth > mycredentials.json

Run Scout while providing it with the credentials file using —file-auth path/to/mycredentials.json

Managed Service Identity

Configure your identity on the Azure portal (you can refer to https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/) Run Scout with the —msi flag

ScoutSuite - Azure w/ JQ Examples

scout azure --user-account-browser --all-subscriptions

### List All Azure App Service Host Names
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -r '.services.appservice.subscriptions[].web_apps[].host_names[]'

### List All Azure SQL Servers
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -jr '.services.sqldatabase.subscriptions[].servers[] | .name,".database.windows.net","\n"'

### List All Azure Virtual Machine Hostnames 
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -jr '.services.virtualmachines.subscriptions[].instances[] | .name,".",.location,".cloudapp.windows.net","\n"'

### List Storage Accounts
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -r '.services.storageaccounts.subscriptions[].storage_accounts[] | .name'

### List Storage and containers for mangle script
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq -r '.services.storageaccounts.subscriptions[].storage_accounts[] | .blob_containers_count,.name,.blob_containers[].id' > /root/Desktop/storage.txt

### List disks encrypted with PMKs
tail scoutsuite_results_azure-tenant-*.js -n +2 | jq '.services.virtualmachines.subscriptions[].disks[] | select(.encryption_type = "EncryptionAtRestWithPlatformKey") | .name' > disks-with-pmks.txt

ScoutSuite - AWS w/ JQ Examples

aws configure --profile=scout

# script
python scout.py aws --profile=scout

# or if installed...

scout aws --profile=scout

# session-token is used for temp creds i.e. role assumption
python scout.py aws --access-keys --access-key-id <AKIAIOSFODNN7EXAMPLE> --secret-access-key <wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY>  # --session-token <token>

### Find all ec2 ebs volumes unencrypted

for d in scoutsuite_results_aws-* ;do tail $d -n +2 | jq -r '.services.ec2.regions[].volumes[] | select(.Encrypted == false) | .arn' >> ec2-ebs-volume-not-encrypted.txt; done


### Find all ec2 ebs snapshots unencrypted

for d in scoutsuite_results_aws-* ;do tail $d -n +2 | jq -r '.services.ec2.regions[].snapshots[] | select(.encrypted == false) | .arn' >> ec2-ebs-snapshot-not-encrypted.txt; done


### Inline Role Policy Contains NotActions

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Inline role Policy Allows \"NotActions\"")) | .items[]' | sed 's/\.inline_policies.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-inline-role-policy-contains-notactions.txt; done; done


### Inline Role Policy Allows iam:PassRole for All Resources

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Inline role Policy Allows \"iam:PassRole\" For All Resources")) | .items[]' | sed 's/\.inline_policies.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-inline-role-policy-allows-iampassrole-for-all-resources.txt; done; done


### Inline Role Policy Allows sts:AssumeRole for All Resources

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Inline role Policy Allows \"sts:AssumeRole\" For All Resources")) | .items[]' | sed 's/\.inline_policies.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-inline-role-policy-allows-stsassumerole-for-all-resources.txt; done; done


### Managed Policy Allows iam:PassRole for All Resources (without account numbers to get count)

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"iam:PassRole\" For All Resources")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-iampassrole-for-all-resources-NOACCOUNTNUMBERS.txt; done; done


### Managed Policy Allows iam:PassRole for All Resources (with account numbers)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-managed-policy-allows-iampassrole-for-all-resources.txt;for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"iam:PassRole\" For All Resources")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-iampassrole-for-all-resources.txt; done; done


### Managed Policy Allows NotActions (without account numbers to get counts)

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"NotActions\"")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-notactions-NOACCOUNTNUMBERS.txt; done; done


### Managed Policy Allows NotActions (with account numbers)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-managed-policy-allows-notactions.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"NotActions\"")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-notactions.txt; done; done


### Managed Policy Allows sts:AssumeRole for All Resources (without account numbers)

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"sts:AssumeRole\" For All Resources")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-stsassumerole-for-all-resources-NOACCOUNTNUMBERS.txt; done; done


### Managed Policy Allows sts:AssumeRole for All Resources (with account numbers)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-managed-policy-allows-stsassumerole-for-all-resources.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows \"sts:AssumeRole\" For All Resources")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-stsassumerole-for-all-resources.txt; done; done


### Managed Policy Allows All Actions (without account numbers)

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows All Actions")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-allactions-NOACCOUNTNUMBERS.txt; done; done


### Managed Policy Allows All Actions (with account numbers)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-managed-policy-allows-allactions.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Managed Policy Allows All Actions")) | .items[]' | sed 's/\.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-managed-policy-allows-allactions.txt; done; done


### Cross-Account AssumeRole Policy Lacks External ID and MFA (without account numbers)

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Cross-Account AssumeRole Policy Lacks External ID and MFA")) | .items[]' | sed 's/\.assume_role_policy.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-cross-account-policy-lacks-external-id-and-mfa-NOACCOUNTNUMBERS.txt; done; done


### Cross-Account AssumeRole Policy Lacks External ID and MFA (with account numbers)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-cross-account-policy-lacks-external-id-and-mfa.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Cross-Account AssumeRole Policy Lacks External ID and MFA")) | .items[]' | sed 's/\.assume_role_policy.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-cross-account-policy-lacks-external-id-and-mfa.txt; done; done


### Assume Role Policy Allows All Principals

for d in scoutsuite_results_aws-* ; do for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("AssumeRole Policy Allows All Principals")) | .items[]' | sed 's/\.assume_role_policy.PolicyDocument.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-assumerole-policy-allows-allprincipals-NOACCOUNTNUMBERS.txt; done; done


### Lack of Key Rotation for Active Days

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-lack-of-key-rotation-for-active-days.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Lack of Key Rotation for (Active) Days")) | .items[]' | sed 's/\.AccessKeys.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-lack-of-key-rotation-for-active-days.txt; done; done


### Lack of Key Rotation for Active Days (with create date)

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-lack-of-key-rotation-for-active-days-WITHCREATEDATE.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("Lack of Key Rotation for (Active) Days")) | .items[]' | sed 's/\.AccessKeys.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn,.AccessKeys[].CreateDate" >> iam-lack-of-key-rotation-for-active-days-WITHCREATEDATE.txt; done; done


### Users Without MFA

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-user-without-mfa.txt; for item in $(tail $d -n +2 | jq -r '.services.iam.findings[] | select (.description | contains("User without MFA")) | .items[]' | sed 's/\.mfa_enabled.*//'); do tail $d -n +2 | jq -r ".services.$item | .arn" >> iam-user-without-mfa.txt; done; done


### Password Policy

for d in scoutsuite_results_aws-* ; do tail $d -n +2 | jq -r '.account_id' >> iam-password-policy.txt; tail $d -n +2 | jq -r '.services.iam.password_policy' >> iam-password-policy.txt; done


### CloudTrail Service Not Configured

for d in scoutsuite_results_aws-* ; do echo " " >> cloudtrail-service-not-configured.txt; tail $d -n +2 | jq -r '.account_id' >> cloudtrail-service-not-configured.txt; tail $d -n +2 | jq -r '.services.cloudtrail.findings[] | select (.description | contains("Service Not Configured")) | .items[]' | sed 's/\.NotConfigured*//' >> cloudtrail-service-not-configured.txt; done

Cloud-enum - Install

git clone https://github.com/initstring/cloud_enum
cd cloud_enum
pip3 install -r ./requirements.txt

Cloud-Enum - Run

Let’s say you were researching “somecompany” whose website is “somecompany.io” that makes a product called “blockchaindoohickey”. You could run the tool like this: IMPORTANT: Some resources (Azure Containers, GCP Functions) are discovered per-region. To save time scanning, there is a “REGIONS” variable defined in cloudenum/azure_regions.py and cloudenum/gcp_regions.py that is set by default to use only 1 region. You may want to look at these files and edit them to be relevant to your own work.

./cloud_enum.py -k somecompany -k somecompany.io -k blockchaindoohickey

PurplePanda

PurplePanda - Install and Run
git clone https://github.com/carlospolop/PurplePanda
cd PurplePanda
python3 -m venv .
source bin/activate
python3 -m pip install -r requirements.txt
export PURPLEPANDA_NEO4J_URL="bolt://neo4j@localhost:7687"
export PURPLEPANDA_PWD="neo4j_pwd_4_purplepanda"
python3 main.py -h # Get help
PurplePanda - GCP Usage
export GOOGLE_DISCOVERY=$(echo 'google:
- file_path: ""

- file_path: ""
  service_account_id: "some-sa-email@sidentifier.iam.gserviceaccount.com"' | base64)

python3 main.py -a -p google #Get basic info of the account to check it's correctly configured
python3 main.py -e -p google #Enumerate the env

Prowler - CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security
pip install prowler
prowler -v
Prowler - AWS
# scan specific regions
prowler aws --profile custom-profile -f us-east-1 us-east-2
Prowler - Azure
# To use service principal authentication
prowler azure --sp-env-auth

# To use az cli authentication
prowler azure --az-cli-auth

# To use browser authentication
prowler azure --browser-auth --tenant-id "XXXXXXXX"

# To use managed identity auth
prowler azure --managed-identity-auth
Prowler - GCP
prowler gcp --credentials-file path
Prowler - Specific Checks
# Output Formats
./prowler -M mono > monochrome.txt
./prowler -M text
./prowler -M csv,json,json-asff,junit-xml,html


# For a single check use option -c:
./prowler -c check310

# With Docker:
docker run -ti --rm --name prowler --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest "-c check310"
docker run -ti --rm --name prowler --volume "$(pwd)":/prowler/output --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN toniblyx/prowler:latest -M csv,json


# or multiple checks separated by comma:
./prowler -c check310,check722

# or all checks but some of them:
./prowler -E check42,check43

# or for custom profile and region:
./prowler -p custom-profile -r us-east-1 -c check11

# or for a group of checks use group name:
./prowler -g group1 # for iam related checks

#or exclude some checks in the group:
./prowler -g group4 -E check42,check43

Valid check numbers are based on the AWS CIS Benchmark guide, so 1.1 is check11 and 3.10 is check310

SkyArk

SkyArk - Find Highest Priv Users
# clone and run Azure checks
git clone https://github.com/cyberark/SkyArk.git
cd SkyArk

# Azure - Works Read-Only 
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth
Scan-AzureAdmins -UseCurrentCred 

# Azure Checks from cloudshell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  
Scan-AzureAdmins 

# AWS - Works Read-Only 
Import-Module .\AWStealth.ps1 -force
Start-AWSStealth

Scan-AWShadowAdmins -accesskeyid $accId -secretkey $secKey -defaultregion $region

CloudFox

CloudFox - Mostly AWS Attack paths, Azure stuff too
go install github.com/BishopFox/cloudfox@latest
CloudFox - Limited Azure commands
# Displays information on the tenant, subscriptions and resource groups available to your current Azure CLI session.
cloudfox azure --profile $profile whoami

# Enumerates useful information for Compute instances in all available resource groups and subscriptions.
cloudfox azure --profile $profile instances

# Lists Azure RBAC role assignments at subscription or tenant level.
cloudfox azure --profile $profile rbac

# The storage command is still under development. Currently, it only displays limited data about the storage accounts.
cloudfox azure --profile $profile storage
CloudFox - AWS Commands
# Run all of the other commands using reasonable defaults.
cloudfox aws --profile $profile all-checks

# Lists active access keys for all users.
cloudfox aws --profile $profile access-keys

# Lists API gateway endpoints and gives you custom curl commands including API tokens if they are stored in metadata.
cloudfox aws --profile $profile api-gws

# Lists the buckets in the account and gives you handy commands for inspecting them further.
cloudfox aws --profile $profile buckets

# Lists the cloudformation stacks in the account. Generates loot file with stack details, stack parameters, and stack output - look for secrets.
cloudfox aws --profile $profile cloudformation

# List the most recently pushed image URI from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection.
cloudfox aws --profile $profile ecr

# List all ecs tasks. This returns a list of ecs tasks and associated cluster, task definition, container instance, launch type, and associated IAM principal.
cloudfox aws --profile $profile ecs-tasks

# List all EKS clusters, see if they expose their endpoint publicly, and check the associated IAM roles attached to each cluster or node group. Generates a loot file with the aws eks update-kubeconfig command needed to connect to each cluster.
cloudfox aws --profile $profile eks

# List all ENI information. This returns a list of eni ID, type, external IP, private IP, VPCID, attached instance and a description.
cloudfox aws --profile $profile elastic-network-interfaces

# Enumerates endpoints from various services. Scan these endpoints from both an internal and external position to look for things that don't require authentication, are misconfigured, etc.
cloudfox aws --profile $profile endpoints

# Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to them.
cloudfox aws --profile $profile env-vars

# Enumerate the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec:RunInstance but not iam:PassRole.
cloudfox aws --profile $profile filesystems

# Like pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should also always also use pmapper.
cloudfox aws --profile $profile iam-simulator

# Enumerates useful information for EC2 Instances in all regions like name, public/private IPs, and instance profiles. Generates loot files you can feed to nmap and other tools for service enumeration.
cloudfox aws --profile $profile instances

# Gain a rough understanding of size of the account and preferred regions.
cloudfox aws --profile $profile inventory

# Lists the lambda functions in the account, including which one's have admin roles attached. Also gives you handy commands for downloading each function.
cloudfox aws --profile $profile lambda

# Enumerates AWS services that are potentially exposing a network service. The security groups and the network ACLs are parsed for each resource to determine what ports are potentially exposed.
cloudfox aws --profile $profile network-ports

# List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
cloudfox aws --profile $profile outbound-assumed-roles

# Enumerates IAM permissions associated with all users and roles. Grep this output to figure out what permissions a particular principal has rather than logging into the AWS console and painstakingly expanding each policy attached to the principal you are investigating.
cloudfox aws --profile $profile permissions

# Looks for pmapper data stored on the local filesystem, in the locations defined here. If pmapper data has been found (you already ran pmapper graph create), then this command will use this data to build a graph in cloudfox memory let you know who can privesc to admin.
cloudfox aws --profile $profile pmapper

# Enumerates IAM users and Roles so you have the data at your fingertips.
cloudfox aws --profile $profile principals

# List all resources in this account that are shared with other accounts, or resources from other accounts that are shared with this account. Useful for cross-account attack paths.
cloudfox aws --profile $profile ram

# Enumerates IAM role trust policies so you can look for overly permissive role trusts or find roles that trust a specific service.
cloudfox aws --profile $profile role-trusts

# Enumerate all records from all route53 managed zones. Use this for application and service enumeration.
cloudfox aws --profile $profile route53

# List secrets from SecretsManager and SSM. Look for interesting secrets in the list and then see who has access to them using use cloudfox iam-simulator and/or pmapper.
cloudfox aws --profile $profile secrets

# This command enumerates all of the sns topics and gives you the commands to subscribe to a topic or send messages to a topic (if you have the permissions needed). This command only deals with topics, and not the SMS functionality. This command also attempts to summarize topic resource policies if they exist.
cloudfox aws --profile $profile sns

# This command enumerates all of the sqs queues and gives you the commands to receive messages from a queue and send messages to a queue (if you have the permissions needed). This command also attempts to summarize queue resource policies if they exist.
cloudfox aws --profile $profile sqs

# List all resources with tags, and all of the tags. This can be used similar to inventory as another method to identify what types of resources exist in an account.
cloudfox aws --profile $profile tags

# List all of the compute workloads and what role they have. Tells you if any of the roles are admin (bad) and if you have pmapper data locally, it will tell you if any of the roles can privesc to admin (also bad).
cloudfox aws --profile $profile workloads

Cloudsploit

Cloudsploit Configs

dit the config file by uncommenting the relevant sections for the cloud provider you are testing. Each cloud has both a credential_file option, as well as inline options.

cp config_example.js config.js

# AWS and Azure Credentials
{
  "accessKeyId": "YOURACCESSKEY",
  "secretAccessKey": "YOURSECRETKEY"
}
{
  "ApplicationID": "YOURAZUREAPPLICATIONID",
  "KeyValue": "YOURAZUREKEYVALUE",
  "DirectoryID": "YOURAZUREDIRECTORYID",
  "SubscriptionID": "YOURAZURESUBSCRIPTIONID"
}
Cloudsploit - Scans
# Scan
./index.js

./index.js --compliance=hipaa
./index.js --compliance=pci
./index.js --compliance=cis1 --compliance=cis2 --compliance=cis
./index.js --compliance=hipaa

# Print a table to the console and save a CSV file
./index.js --csv=file.csv --console=table

# Print text to the console and save a JSON and JUnit file while ignoring passing results
./index.js --json=file.json --junit=file.xml --console=text --ignore-ok

CloudBrute - Discover Multi-Cloud resources

CloudBrute - Config.yaml
providers: ["amazon","alibaba","amazon","microsoft","digitalocean","linode","vultr","google"] # supported providers
environments: [ "test", "dev", "prod", "stage" , "staging" , "bak" ] # used for mutations
proxytype: "http"  # socks5 / http
ipinfo: ""      # IPINFO.io API KEY
CloudBrute - Scans

Create your own wordlist for best effect Please note -k keyword used to generate URLs, so if you want the full domain to be part of mutation, you have used it for both domain (-d) and keyword (-k) arguments

CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"

If a cloud provider not detected or want force searching on a specific provider, you can use -c option.

CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt

Source-Code Analysis

TFSEC - Terraform - Install
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash

choco install tfsec

go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
TFSEC - Terraform - Scan project files
# cli if project is in current dir
tfsec .

# docker
docker run --rm -it -v "$(pwd):/src" aquasec/tfsec /src