Awesome Cloud Security

A curated list of cloud security tools for AWS, Azure, GCP, and Kubernetes.

Whether you're a penetration tester, cloud security engineer, DevSecOps professional, or security researcher, this list provides tools for offensive security, defensive security, compliance, and IAM analysis.

Contents

• Multi-Cloud Security
• Attack Path Analysis
• AWS Security
• Azure Security
• GCP Security
• Container and Kubernetes Security
• IAM Analysis
• Secrets Scanning
• Compliance and Governance
• Infrastructure as Code Security
• Serverless Security
• Training Labs

Multi-Cloud Security

• Nubicustos - Unified security platform orchestrating 24+ tools with attack path analysis and compliance across AWS, Azure, GCP, and Kubernetes.
• Prowler - Security assessment tool for AWS, Azure, GCP, and Kubernetes with CIS benchmark checks.
• ScoutSuite - Multi-cloud security auditing tool supporting AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud.
• CloudSploit - Cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud.
• CloudQuery - Open source cloud asset inventory with SQL-based policy engine.
• Steampipe - Query cloud APIs using SQL with pre-built compliance mods.
• Cloud Custodian - Rules engine for cloud security, cost optimization, and governance.
• Magpie - Cloud security posture management with data discovery.
• Cartography - Graph-based asset inventory and relationship mapping.
• cloudlist - Multi-cloud asset listing tool.
• Resoto - Infrastructure inventory with search and analytics.

Attack Path Analysis

• CloudFox - AWS attack surface enumeration for penetration testers.
• PMapper - AWS IAM privilege escalation path finder using graph analysis.
• Cloudmapper - AWS environment visualization and analysis.
• AzureHound - Azure data collector for BloodHound attack path analysis.

AWS Security

Offensive

• Pacu - AWS exploitation framework for penetration testing.
• aws_pwn - Collection of AWS penetration testing tools.
• Endgame - AWS resource policy exploitation tool for privilege escalation.
• Weirdaal - AWS attack library.
• ccat - Cloud Container Attack Tool.
• Nimbostratus - AWS security assessment tool.

Defensive

• ElectricEye - AWS security posture management with auto-remediation.
• Security Monkey - Security configuration monitoring.

IAM

• Cloudsplaining - AWS IAM policy analysis for least privilege violations.
• Parliament - AWS IAM linting library.
• enumerate-iam - Enumerate IAM permissions without logs.
• IAMFinder - Enumerate and identify IAM roles.
• aws-iam-tester - Test IAM permissions systematically.
• iamlive - Generate IAM policies from AWS calls.

S3

• S3Scanner - Scan for open S3 buckets.
• bucket-finder - S3 bucket discovery tool.
• AWSBucketDump - Quickly enumerate S3 buckets.
• s3-inspector - Check S3 bucket permissions.
• S3cret Scanner - Search for secrets in S3 buckets.

Azure Security

Offensive

• ROADtools - Azure AD exploration framework.
• MicroBurst - PowerShell toolkit for Azure security.
• Stormspotter - Azure Red Team tool for graphing resources.
• PowerZure - PowerShell framework for Azure security.
• AADInternals - Azure AD administration PowerShell module.

Defensive

• ScubaGear - M365 security configuration assessment.
• Monkey365 - Azure and Microsoft 365 security scanner.

IAM

• AzureADRecon - Azure AD enumeration and reconnaissance.

GCP Security

Offensive

• GCPBucketBrute - GCP bucket enumeration.
• gcp_enum - GCP enumeration tool.
• gcp-iam-collector - Collect and analyze GCP IAM data.
• Hayat - GCP penetration testing tool.

Defensive

• Forseti Security - GCP security tool suite.
• gcp-audit - GCP security auditing.

Container and Kubernetes Security

Image Scanning

• Trivy - Comprehensive vulnerability scanner for containers.
• Grype - Vulnerability scanner for container images.
• Clair - Static analysis of container vulnerabilities.
• Anchore - Container image analysis and policy enforcement.

Runtime Security

• Falco - Cloud-native runtime security.
• Tetragon - eBPF-based security observability.
• KubeArmor - Container-aware runtime security.
• Tracee - Linux runtime security with eBPF.

Kubernetes Audit

• kube-bench - CIS Kubernetes Benchmark checks.
• Kubescape - Kubernetes security platform with NSA and MITRE frameworks.
• kube-hunter - Kubernetes penetration testing.
• Polaris - Best practices validation.
• Popeye - Kubernetes cluster sanitizer.
• kube-linter - Static analysis for Kubernetes manifests.
• kubeaudit - Audit Kubernetes clusters for security concerns.
• Kubei - Kubernetes runtime vulnerability scanner.

IAM Analysis

• iam-policy-json-to-terraform - Convert IAM policies to Terraform.

Secrets Scanning

• TruffleHog - 700+ secret detectors with API verification.
• Gitleaks - Fast Git secrets scanner with extensive rule set.
• detect-secrets - Secrets detection in codebases.
• git-secrets - Prevent committing secrets to Git.
• ggshield - GitGuardian CLI for secrets detection.
• whispers - Static code analysis for secrets.

Compliance and Governance

• OpenSCAP - Security Content Automation Protocol implementation.
• InSpec - Infrastructure testing and compliance automation.

Infrastructure as Code Security

• Checkov - Static analysis for Terraform, CloudFormation, Kubernetes, Helm, and ARM templates.
• tfsec - Security scanner for Terraform code.
• Terrascan - Static code analyzer for IaC with 500+ policies.
• KICS - Infrastructure as Code scanner for security vulnerabilities.
• Regula - Policy engine for Terraform and CloudFormation using Rego.

Serverless Security

• Serverless Goat - OWASP serverless vulnerable application.
• DVSA - Damn Vulnerable Serverless Application.

Training Labs

AWS

• CloudGoat - Vulnerable by design AWS deployment tool.
• Sadcloud - Terraform for insecure AWS infrastructure.
• TerraGoat - Vulnerable Terraform repository.
• AWSGoat - Vulnerable AWS infrastructure.
• flaws.cloud - AWS CTF challenges.
• flaws2.cloud - AWS CTF challenges advanced.

Azure

• AzureGoat - Vulnerable Azure infrastructure.
• Purple Cloud - Azure Active Directory lab.

GCP

• GCPGoat - Vulnerable GCP infrastructure.
• thunder-ctf - GCP CTF framework.

Kubernetes

• Kubernetes Goat - Vulnerable Kubernetes cluster.
• kube-security-lab - Kubernetes security testing lab.

Multi-Cloud

• WrongSecrets - Demonstrate secret management failures across AWS, Azure, and GCP.
• Pwned Labs - Free hosted cloud security labs.
• HackTheBox Cloud Labs - Cloud penetration testing labs.

Contributing

Contributions welcome! Read the contribution guidelines first.