Introduction
This is the second part of the series Open source tools. If this is the first article of this series that you are reading, I recommend you review the first one, Getting started with AWS open-source tools, here.
Some open source tools could appear in several categories (in this article or across the three open source tools articles). I thought it was better not to mix information between categories when a tool could belong to several of them.
Inventory and analyze your environment
These open source tools are useful to analyze your whole AWS environment:
- General
  - cloudmapper: Analyze your AWS environment
  - prowler: Quick analysis of your AWS environment
- IAM (specific)
  - AirIAM: Detect IAM unused resources: users, access keys, roles, groups, policies and policy attachments
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
It is based on Python components.
Why use it: to analyze your AWS environment: review the status of the account, resource inventory (all resources in all regions and region usage), IAM resources (active/inactive), public resources (ec2, elb, elbv2, rds, redshift, ecs, autoscaling, cloudfront and apigateway) and, finally, a few security findings.
List of the commands of this tool:
The shortcut is:
- Run the collect command to get your resources (you can filter the regions that you want using --regions 'eu-west-1,eu-west-2' ...; us-east-1 will always be added).
- Then run the report command (an HTML page will be generated with all the information).
A specific command that I like is iam_report, because it allows you to review unused permissions in your IAM resources:
Is it popular?: On github: Watch 135; Fork 759; Stars 5.3K
Recently updated? No. The last commit was on Jul 25, 2022 (956 commits). Also, some of the original functionality of this tool is now deprecated (generation of networking diagrams).
URL: https://github.com/duo-labs/cloudmapper
There is a CDK project to run CloudMapper's collection and audit capabilities nightly as a Fargate service, across multiple accounts, sending any audit findings to a Slack channel and keeping a copy of the collected metadata in an S3 bucket. This is the diagram of the solution: https://github.com/duo-labs/cloudmapper/blob/main/auditor/README.md
prowler
Prowler is an Open Source security tool... you will find its full description in the Security Assessment section below; this section covers only its inventory and analysis functionality.
prowler has a functionality to perform a quick inventory check. It prints in the console the number of each resource that you have, and in the generated json/csv files you will find the details of each specific resource (region, AWS service, resource type, resource ID and ARN).
Is it popular?: On github: Watch 122; Fork 1.1k; Stars 7.6K
Recently updated? Last commit yesterday (in the time I am writing this post). Total commits 2271
URL: https://github.com/prowler-cloud/prowler
AirIAM
AirIAM scans existing IAM usage patterns and provides a simple method to migrate IAM configurations into a right-sized Terraform plan. It identifies unused users, roles, groups, policies and policy attachments and replaces them with a Least Privileges Terraform code modelled to manage AWS IAM.
AirIAM was created to promote immutable and version-controlled IAM management to replace today’s manual and error prone methods.
Is it popular?: On github: Watch 15; Fork 68; Stars 673
Recently updated? No. Last commit on Aug 2, 2022. In total, 426 commits
URL: https://github.com/bridgecrewio/AirIAM
Updated:
The first time I used this tool the Terraform template generation functionality worked fine; now I receive an error and I was not able to use it. However, I think that this tool is still useful to find these unused IAM resources.
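The detection that AirIAM does for users and access keys can be reproduced from the IAM credential report that the account itself produces. The following is an added example (not AirIAM's code, and not part of the original post): it parses a constructed credential report in the CSV layout that `aws iam get-credential-report` returns and flags users and active access keys that have not been used for longer than a threshold. The 90-day threshold and the fixed clock are assumptions made so that the sample runs offline.

```python
"""
Flag unused IAM users and access keys from an IAM credential report.

Added example (not AirIAM's code). It works offline on a constructed
credential report in the CSV layout returned by `aws iam get-credential-report`.
The 90-day threshold is an assumption; adjust it to your own policy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (three fictitious users, certificate columns omitted).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::111111111111:user/alice,2022-01-10T09:00:00+00:00,true,2023-03-01T08:00:00+00:00,2022-06-01T00:00:00+00:00,N/A,true,true,2022-06-01T00:00:00+00:00,2023-02-28T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-05-05T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-05-05T09:00:00+00:00,2021-09-01T12:00:00+00:00,eu-west-1,ec2,true,2022-11-11T00:00:00+00:00,N/A,N/A,N/A
carol,arn:aws:iam::111111111111:user/carol,2020-02-02T09:00:00+00:00,true,2020-03-03T08:00:00+00:00,2020-02-02T09:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

NOW = datetime(2023, 3, 5, tzinfo=timezone.utc)  # fixed clock so the sample is stable


def _parse_ts(value):
    """Return a datetime for an ISO timestamp, or None for N/A / no_information."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_unused(report_csv, now=NOW, inactive_days=90):
    """Return {'users': [...], 'access_keys': [...]} idle for longer than inactive_days."""
    cutoff = now - timedelta(days=inactive_days)
    unused_users, unused_keys = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # the root row deserves its own checks; skip it here
        # Most recent activity across the console password and both access keys.
        activity = [
            _parse_ts(row["password_last_used"]),
            _parse_ts(row["access_key_1_last_used_date"]),
            _parse_ts(row["access_key_2_last_used_date"]),
        ]
        last_used = max((t for t in activity if t is not None), default=None)
        if last_used is None or last_used < cutoff:
            unused_users.append(row["user"])
        # Each active key is judged on its own last-used date (never used counts as unused).
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            key_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            if key_used is None or key_used < cutoff:
                unused_keys.append(f"{row['user']}:access_key_{slot}")
    return {"users": unused_users, "access_keys": unused_keys}


if __name__ == "__main__":
    print(find_unused(SAMPLE_REPORT))
```

On a real account, replace SAMPLE_REPORT with the decoded content of the credential report and NOW with the current time; an active key that was never used is reported as unused on purpose, since a key that has existed for months without a single call is the typical candidate for removal.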
Summary: Which tool should I use to analyze my environment?
This is my personal opinion. If you have a different one, let me know in the comments at the end of this article!
It depends on what you want to do:
- Full analysis of the AWS environment: cloudmapper
- Get a quick inventory of the AWS environment: prowler
- Fast IAM unused resources analysis: AirIAM
- Apply least-privilege to IAM roles (review which permissions you are not using): cloudmapper
Security Assessment
There are many different tools to perform a security assessment of your environment.
- General
  - prowler: security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness
  - Scoutsuite: multi-cloud security-auditing tool, which enables security posture assessment of cloud environments
  - cloudsploit: Cloud Security Scans to detect potential misconfigurations and security risks
  - steampipe: yes, AGAIN. Ensure that cloud resources comply with security benchmarks such as CIS, NIST, and SOC2.
- IAM
  - cloudsplaining: IAM Security Assessment tool
prowler
This is the second time I mention prowler in this article, in two different categories.
Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.
There are 4 available categories:
- secrets
- trust-boundaries
- internet-exposed
- forensics-ready
There are 3 available Compliance Frameworks:
- cis_1.4_aws
- cis_1.5_aws
- ens_rd2022_aws
Severity levels:
- informational
- low
- medium
- high
- critical
Why use it: Security tool to perform security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
By default, prowler will scan all AWS regions. If you want to analyze only a few regions you can use the following option:
-f us-east-1 eu-west-1 ...
And this is the HTML file report:
Is it popular?: On github: Watch 122; Fork 1.1k; Stars 7.6K
Recently updated? Last commit yesterday (in the time I am writing this post). Total commits 2271
URL: https://github.com/prowler-cloud/prowler
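Once prowler has produced its json output, the findings still have to be triaged by region and severity before anyone acts on them. The following is an added example, not prowler's own code and not part of the original post: it loads findings from a constructed JSON file, keeps only FAIL results in the regions of interest at or above a chosen severity, and summarises them per severity and service. The field names used (Status, Severity, Region, ServiceName, CheckID, ResourceArn) are an assumption based on the prowler v3 JSON layout; verify them against your own output file.

```python
"""
Triage prowler JSON output offline: keep FAIL findings, restrict them to the
regions you care about, and summarise by severity and service.

Added example, not prowler's code. Field names are an assumption based on the
prowler v3 JSON layout; check them against a real output file.
"""
import json
from collections import Counter

# Prowler's severity scale, most severe first (matches the list in the post).
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]

# Constructed sample findings (not real prowler output; account id is fictitious).
SAMPLE_JSON = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "high",
     "Region": "us-east-1", "ServiceName": "s3",
     "ResourceArn": "arn:aws:s3:::example-public-bucket"},
    {"CheckID": "iam_user_mfa_enabled_console_access", "Status": "FAIL", "Severity": "medium",
     "Region": "us-east-1", "ServiceName": "iam",
     "ResourceArn": "arn:aws:iam::111111111111:user/bob"},
    {"CheckID": "ec2_securitygroup_allow_ingress_from_internet_to_any_port", "Status": "FAIL",
     "Severity": "critical", "Region": "eu-west-1", "ServiceName": "ec2",
     "ResourceArn": "arn:aws:ec2:eu-west-1:111111111111:security-group/sg-0example"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "PASS", "Severity": "high",
     "Region": "us-east-1", "ServiceName": "cloudtrail",
     "ResourceArn": "arn:aws:cloudtrail:us-east-1:111111111111:trail/main"},
    {"CheckID": "rds_instance_storage_encrypted", "Status": "FAIL", "Severity": "medium",
     "Region": "ap-southeast-2", "ServiceName": "rds",
     "ResourceArn": "arn:aws:rds:ap-southeast-2:111111111111:db:legacy"},
])


def load_failures(raw_json, regions=None, min_severity="low"):
    """Return FAIL findings, optionally limited to `regions`, at or above `min_severity`."""
    findings = json.loads(raw_json)
    allowed = set(SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1])
    out = []
    for f in findings:
        if f.get("Status") != "FAIL":
            continue
        if regions and f.get("Region") not in regions:
            continue
        if f.get("Severity", "informational") not in allowed:
            continue
        out.append(f)
    # Most severe first, then by service, so the report reads top-down.
    out.sort(key=lambda f: (SEVERITY_ORDER.index(f["Severity"]), f["ServiceName"]))
    return out


def summarize(failures):
    """Count failures per severity and per service."""
    return {
        "by_severity": dict(Counter(f["Severity"] for f in failures)),
        "by_service": dict(Counter(f["ServiceName"] for f in failures)),
    }


if __name__ == "__main__":
    fails = load_failures(SAMPLE_JSON, regions={"us-east-1", "eu-west-1"}, min_severity="medium")
    for f in fails:
        print(f"{f['Severity']:<8} {f['Region']:<15} {f['CheckID']} -> {f['ResourceArn']}")
    print(summarize(fails))
```

Point `raw_json` at the file prowler writes in its output directory; the region filter here plays the same role as the -f option above but is applied after the scan, which is handy when one full scan is shared by several teams.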
Scoutsuite
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
Scout Suite was designed by security consultants/auditors. It is meant to provide a point-in-time security-oriented view of the cloud account it was run in. Once the data has been gathered, all usage may be performed offline.
Is it popular?: On github: Watch 113; Fork 816; Stars 5K
Recently updated?: No. Last commit was on Sep 5, 2022 (6101 commits in total)
URL: https://github.com/nccgroup/ScoutSuite
I didn't find information about which security frameworks it uses, or more details about the security controls. However, the findings in the audit report are useful and you have to review them!
cloudsploit
CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.
Compliance:
- hipaa
- PCI
- CIS (level 1 and 2)
Is it popular?: On github: Watch 70; Fork 575; Stars 2.5k
Recently updated?: Yes. Last commit was 3 weeks ago (3449 commits in total)
URL: https://github.com/aquasecurity/cloudsploit
I didn't find how to scan only a few regions. The official documentation only includes how to suppress all the results of one region:
./index.js --suppress *:us-east-1:*
To exclude more than one region you can use something like this: --suppress "*:ap-*-*:*" --suppress "*:af-*-*:*" ...
steampipe
I mentioned this tool in my first article about open source tools, when I talked about Extend CLI capabilities here.
Steampipe is the universal interface to APIs: we can use SQL to query cloud infrastructure, SaaS, code, logs, and more.
Besides, I am going to show you two new capabilities:
- Check: ensure that cloud resources comply with security benchmarks such as CIS, NIST, and SOC2.
  - AWS security best practices contains 180 controls
  - CIS v1.50 contains 63 controls
- Visualize: view prebuilt dashboards or build your own.
Is it popular?: On github: Watch 32; Fork 171; Stars 4.6k
Recently updated? Yes, last commit 2 days ago. Total commits 2007
URL: https://github.com/turbot/steampipe
More information (checks and dashboard):
- https://steampipe.io/docs/check/overview
- https://steampipe.io/docs/dashboard/overview
- https://aws.amazon.com/blogs/opensource/compliance-auditing-with-steampipe-and-sql/
cloudsplaining
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
The assessment identifies where resource ARN constraints are not used and identifies other risks in IAM policies:
- Privilege Escalation
- Resource Exposure
- Infrastructure Modification
- Data Exfiltration
Is it popular?: On github: Watch 29; Fork 143; Stars 1.6K
Recently updated? Yes. Last commit 3 days ago (347 commits in total)
URL: https://github.com/salesforce/cloudsplaining
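The core of the check described above, "where resource ARN constraints are not used", can be illustrated with a short policy scanner. The following is an added example, not cloudsplaining's code and not part of the original post: it walks the statements of a constructed IAM policy document and reports Allow statements that grant non-read-only actions on Resource "*". The classification of actions as read-only by their verb prefix (Get, List, Describe) is an assumption of this example; cloudsplaining uses the full IAM action database, so treat this as an illustration of the technique, not a replacement for the tool.

```python
"""
Report IAM policy statements that grant write/modify actions without a
resource ARN constraint (Resource: "*").

Added example, not cloudsplaining's code. Read-only classification by verb
prefix is an assumption made to keep the example self-contained.
"""
import json

# Assumption: action verbs starting with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

# Constructed sample policy: one read-only, one scoped write, two unscoped grants.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyAnywhere", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket", "ec2:Describe*"], "Resource": "*"},
        {"Sid": "WriteScoped", "Effect": "Allow",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Sid": "WriteUnscoped", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": "*"},
        {"Sid": "WildcardUnscoped", "Effect": "Allow",
         "Action": "iam:*", "Resource": ["*"]},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True if the action (possibly ending in a wildcard) can only match read-only verbs."""
    if action == "*":
        return False
    _service, _, verb = action.partition(":")
    if not verb or verb == "*":
        return False
    # "Describe*" is read-only because its literal prefix is; "Put*" or "Des*" is not.
    return verb.rstrip("*").startswith(READ_ONLY_PREFIXES)


def find_unconstrained_writes(policy_json):
    """Return [(Sid, [risky actions])] for Allow statements on Resource "*" with non-read actions."""
    policy = json.loads(policy_json)
    results = []
    for stmt in _as_list(policy["Statement"]):
        # NotAction / NotResource statements need their own handling and are skipped here.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" not in resources:
            continue  # scoped to specific ARNs: not what this check looks for
        risky = [a for a in _as_list(stmt["Action"]) if not is_read_only(a)]
        if risky:
            results.append((stmt.get("Sid", "<no Sid>"), risky))
    return results


if __name__ == "__main__":
    for sid, actions in find_unconstrained_writes(SAMPLE_POLICY):
        print(f"{sid}: unconstrained {', '.join(actions)}")
```

Conditions are ignored on purpose: a statement scoped only by a Condition key still lacks an ARN constraint, which is exactly what the report should surface for review.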
Summary: Which tool should I use to perform security assessments on my account?
This is my personal opinion. If you have a different one, let me know in the comments at the end of this article!
- General security assessment: prowler or steampipe
- Security assessment based on CIS 1.5: steampipe, prowler or cloudsploit
- Richer tool security assessment based on frameworks: steampipe
- IAM specific security assessment: cloudsplaining
Next steps
The next article related to open source tools will be:
- How to help you with your code: generate it (IaC), validate it (policy as code and compliance) and analyze it (static analysis/credentials) - here