
Open-source tools to analyze your AWS environment (2/3)


This article is part of a series about open-source tools and AWS, in which I will share those tools that I have tested and that I think you may find useful.

1/3: Getting Started with AWS open-source tools: main open-source tools and extending the AWS CLI.

2/3: Analyze your AWS environment: focus on the inventory, analysis and security assessment of the AWS environment (this article).

3/3: How to help you with your code: to generate it (IaC), validate it (policy as code and compliance) and analyze it (static analysis/credentials).

Introduction

In this article, we will focus on the inventory, analysis and security assessment of the AWS environment.

Some open-source tools could appear in several categories (in this same article or across the three open-source tools articles). I thought it was better not to mix information between categories when a tool could belong to several of them.

Inventory and analyze your environment

These open-source tools are useful to analyze all of your AWS environment:

  • General
    • cloudmapper: Analyze your AWS environment
    • prowler: Quick analysis of your AWS environment
  • IAM (specific)
    • AirIAM: Detect IAM unused resources: users, access keys, roles, groups, policies and policy attachments

cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

Based on Python components.

Why use it: Analyze your AWS environment: review the status of the account, resource inventory (all resources in all regions and region usage), IAM resources (active/inactive), public resources (ec2, elb, elbv2, rds, redshift, ecs, autoscaling, cloudfront and apigateway) and, finally, a few security findings.

List of the commands of this tool: cloudmapper-commands

The shortcut is:

  1. Run the collect command to get your resources (you can filter the regions you want with --regions 'eu-west-1,eu-west-2'… us-east-1 will always be added)

  2. Then run the report command (an HTML page will be generated with all the information)

[Screenshots: cloudmapper-report-1, cloudmapper-report-2, cloudmapper-report-3]

A specific command that I like is iam_report, because it lets you review unused permissions in your IAM resources:

[Screenshot: cloudmapper-iam_report]

Is it popular?: On GitHub: Watch 135; Fork 759; Stars 5.3K

Recently updated? No. The last commit was on Jul 25, 2022 (956 commits). Also, some original functionality of this tool is now deprecated (generation of networking diagrams).

URL: https://github.com/duo-labs/cloudmapper

There is a CDK project to run CloudMapper’s collection and audit capabilities nightly as a Fargate service, across multiple accounts, sending any audit findings to a Slack channel and keeping a copy of the collected metadata in an S3 bucket. The diagram of the solution is at https://github.com/duo-labs/cloudmapper/blob/main/auditor/README.md

prowler

Prowler is an Open Source security tool… and you will find all that information in the following section (this section is about inventory and analysis of the environment).

prowler has the functionality to perform a quick inventory check. It prints to the console the number of each resource that you have, and in the generated JSON/CSV files you will find the specific resources (region, AWS service, resource type, resource id and ARN).

Why use it: Perform a quick analysis of your AWS environment (a few seconds).

[Screenshots: prowler-inventory-1, prowler-inventory-2]

And this is the CSV file report:

[Screenshot: prowler-inventory-csv]
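Once you have the inventory CSV, a few lines of Python turn it into the per-service and per-region counts and, more usefully, a list of resources sitting in regions you do not expect to use. The following is an added example, not code from prowler: the rows are constructed, and the header names (region, service, resource_type, resource_id, resource_arn) are an assumption chosen to mirror the columns the post describes, so adjust them to your own file.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory in the column layout the post describes
# (region, AWS service, resource type, resource id, ARN). The header names
# are an assumption for this example, not prowler's exact CSV header.
SAMPLE_INVENTORY_CSV = """\
region,service,resource_type,resource_id,resource_arn
eu-west-1,ec2,instance,i-0123456789abcdef0,arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0
eu-west-1,ec2,security-group,sg-0abc,arn:aws:ec2:eu-west-1:111122223333:security-group/sg-0abc
eu-west-1,s3,bucket,app-logs,arn:aws:s3:::app-logs
us-east-1,iam,user,alice,arn:aws:iam::111122223333:user/alice
us-east-1,iam,role,deploy-role,arn:aws:iam::111122223333:role/deploy-role
ap-southeast-1,lambda,function,leftover-test,arn:aws:lambda:ap-southeast-1:111122223333:function:leftover-test
"""


def load_inventory(text):
    """Parse the inventory CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by(rows, field):
    """Number of resources per distinct value of `field` (e.g. service or region)."""
    return Counter(row[field] for row in rows)


def count_by_region_and_service(rows):
    """Nested view: region -> service -> count, handy for spotting region sprawl."""
    result = {}
    for row in rows:
        result.setdefault(row["region"], Counter())[row["service"]] += 1
    return result


def resources_outside(rows, allowed_regions):
    """Rows living in regions the account is not supposed to use.

    Forgotten test resources and anything created without your knowledge tend
    to show up here, so this list deserves a look on every run."""
    allowed = set(allowed_regions)
    return [row for row in rows if row["region"] not in allowed]


if __name__ == "__main__":
    inventory = load_inventory(SAMPLE_INVENTORY_CSV)
    print("resources per service:", dict(count_by(inventory, "service")))
    print("resources per region:", dict(count_by(inventory, "region")))
    for row in resources_outside(inventory, ["eu-west-1", "us-east-1"]):
        print("outside approved regions:", row["resource_arn"])
```

Replace SAMPLE_INVENTORY_CSV with the contents of the real file and the approved-region list with the regions your account is meant to use; anything reported by resources_outside is worth explaining before the next run.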

Is it popular?: On GitHub: Watch 122; Fork 1.1k; Stars 7.6K

Recently updated? Last commit yesterday (at the time I am writing this post). Total commits 2271

URL: https://github.com/prowler-cloud/prowler

AirIAM

AirIAM scans existing IAM usage patterns and provides a simple method to migrate IAM configurations into a right-sized Terraform plan. It identifies unused users, roles, groups, policies and policy attachments and replaces them with a Least Privileges Terraform code modelled to manage AWS IAM.

AirIAM was created to promote immutable and version-controlled IAM management to replace today’s manual and error-prone methods.

Why use it: IAM scan tool to detect unused resources (based on Amazon Access Advisor APIs) and the creation of terraform templates of your IAM resources.

[Screenshot: airiam-image]

This is another example analyzing a different AWS account and exporting the results to a txt file:

[Screenshot: airiam-file]

Is it popular?: On GitHub: Watch 15; Fork 68; Stars 673

Recently updated? No. Last commit was on Aug 2, 2022. In total, 426 commits

URL: https://github.com/bridgecrewio/AirIAM

Updated:

The first time I used this tool the Terraform template generation functionality worked fine; now I receive an error and was not able to use it. However, I think that this tool is useful to find unused IAM resources.

Summary: Which tool should I use to analyze my environment?

It depends on what you want to do:

  • Full analysis of the AWS environment: cloudmapper
  • Get a quick inventory of the AWS environment: prowler
  • Fast IAM unused resources analysis: AirIAM
  • Apply least-privilege to IAM roles (review which permissions you are not using): cloudmapper

Security Assessment

There are many different tools to perform a security assessment of your environment.

  • General
    • prowler: security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness
    • Scoutsuite: multi-cloud security-auditing tool, which enables security posture assessment of cloud environments
    • cloudsploit: Cloud Security Scans to detect potential misconfigurations and security risks
    • steampipe: yes, AGAIN. Ensure that cloud resources comply with security benchmarks such as CIS, NIST, and SOC2.
  • IAM
    • cloudsplaining: IAM Security Assessment tool

prowler

This is the second time I have mentioned prowler in this article in two different categories.

Prowler is an Open Source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

It contains more than 240 controls covering CIS, PCI-DSS, ISO27001, GDPR, HIPAA, FFIEC, SOC2, AWS FTR, ENS and custom security frameworks.

There are 4 available categories:

  • secrets
  • trust-boundaries
  • internet-exposed
  • forensics-ready

There are 3 available Compliance Frameworks:

  • cis_1.4_aws
  • cis_1.5_aws
  • ens_rd2022_aws

Severity levels:

  • informational
  • low
  • medium
  • high
  • critical

Why use it: Security tool to perform security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.

By default, prowler scans all AWS regions. If you want to analyze only a few regions you can use the following option: -f us-east-1 eu-west-1 ...

[Screenshots: prowler-1, prowler-2]

And this is the HTML file report:

[Screenshots: prowler-report-1, prowler-report-2]
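The HTML report is good for reading, but with the severity levels and compliance frameworks listed above you will usually want to triage the findings programmatically: everything failing at high or critical first, and per framework when someone asks "how far are we from CIS". This is an added example working on a prowler-like JSON findings file; the records are constructed, and the field names (CheckID, Status, Severity, Region, ServiceName, Compliance) and the framework keys are assumptions, so check them against your own output before reusing the code.

```python
import json
from collections import Counter, defaultdict

# Severity levels exactly as the post lists them, lowest to highest.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]

# Constructed findings in a prowler-like JSON shape. Field names, check ids
# and the compliance control numbers are assumptions for this example.
SAMPLE_FINDINGS_JSON = json.dumps([
    {"CheckID": "iam_root_mfa_enabled", "Status": "FAIL", "Severity": "critical",
     "Region": "us-east-1", "ServiceName": "iam", "Compliance": {"CIS-1.5": ["1.5"]}},
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "high",
     "Region": "eu-west-1", "ServiceName": "s3",
     "Compliance": {"CIS-1.5": ["2.1.5"], "ENS-RD2022": ["mp.info.2"]}},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "PASS", "Severity": "high",
     "Region": "us-east-1", "ServiceName": "cloudtrail", "Compliance": {"CIS-1.5": ["3.1"]}},
    {"CheckID": "ec2_securitygroup_default_restrict_traffic", "Status": "FAIL", "Severity": "medium",
     "Region": "eu-west-1", "ServiceName": "ec2", "Compliance": {"CIS-1.5": ["5.4"]}},
    {"CheckID": "lambda_function_url_public", "Status": "FAIL", "Severity": "low",
     "Region": "eu-west-1", "ServiceName": "lambda", "Compliance": {}},
])


def load_findings(text):
    return json.loads(text)


def failing(findings):
    """Only FAIL results; PASS results carry no work."""
    return [f for f in findings if f["Status"] == "FAIL"]


def failing_at_or_above(findings, min_severity):
    """Failing findings whose severity is min_severity or worse, worst first."""
    rank = SEVERITY_ORDER.index(min_severity)
    selected = [f for f in failing(findings) if SEVERITY_ORDER.index(f["Severity"]) >= rank]
    return sorted(selected, key=lambda f: -SEVERITY_ORDER.index(f["Severity"]))


def count_failures_by_severity(findings):
    return Counter(f["Severity"] for f in failing(findings))


def count_failures_by_region(findings):
    """Useful together with the -f region filter: shows where the problems are."""
    return Counter(f["Region"] for f in failing(findings))


def failed_checks_by_framework(findings):
    """framework name -> sorted list of failing check ids mapped to it."""
    per_framework = defaultdict(set)
    for f in failing(findings):
        for framework in f.get("Compliance", {}):
            per_framework[framework].add(f["CheckID"])
    return {framework: sorted(ids) for framework, ids in per_framework.items()}


if __name__ == "__main__":
    findings = load_findings(SAMPLE_FINDINGS_JSON)
    for f in failing_at_or_above(findings, "high"):
        print(f"[{f['Severity']}] {f['Region']} {f['CheckID']}")
    print("failures by severity:", dict(count_failures_by_severity(findings)))
    print("failures by framework:", failed_checks_by_framework(findings))
```

Loading the real file is a matter of replacing SAMPLE_FINDINGS_JSON with the contents of the JSON output prowler writes; the functions do not depend on the sample.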

Is it popular?: On GitHub: Watch 122; Fork 1.1k; Stars 7.6K

Recently updated? Last commit yesterday (at the time I am writing this post). Total commits 2271

URL: https://github.com/prowler-cloud/prowler

Scoutsuite

Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

Scout Suite was designed by security consultants/auditors. It is meant to provide a point-in-time security-oriented view of the cloud account it was run in. Once the data has been gathered, all usage may be performed offline.

Why use it: Enable security posture assessment of cloud environments.

By default, Scout Suite scans all AWS regions. If you want to analyze only a few regions you can use the following option: -r us-east-1 eu-west-1 ...

[Screenshots: scoutsuite-1, scoutsuite-2]

Is it popular?: On GitHub: Watch 113; Fork 816; Stars 5K

Recently updated?: No. Last commit was on Sep 5, 2022 (6101 commits in total)

URL: https://github.com/nccgroup/ScoutSuite

I didn’t find information about which security frameworks it uses, or more details about the security controls. However, the findings in the audit report are useful and you have to review them!

cloudsploit

CloudSploit by Aqua is an open-source project designed to allow the detection of security risks in cloud infrastructure accounts, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.

Compliance:

  • hipaa
  • PCI
  • CIS (level 1 and 2)

Why use it: Detect potential misconfigurations and security risks in your AWS account.

[Screenshot: cloudsploit-1]

However, the console output is not clear:

[Screenshot: cloudsploit-2]

A better solution is to generate the report as a CSV file by adding the following option: --csv=file.csv. After converting the CSV into a table it looks like this:

[Screenshot: cloudsploit-3]

Is it popular?: On GitHub: Watch 70; Fork 575; Stars 2.5k

Recently updated?: Yes. Last commit was 3 weeks ago (3449 commits in total)

URL: https://github.com/aquasecurity/cloudsploit

I didn’t find how to scan only a few regions. The official documentation only includes how to suppress all the results of one region: ./index.js --suppress *:us-east-1:*. To exclude more than one region you can use something like this: --suppress "*:ap-*-*:*" --suppress "*:af-*-*:*" ...
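The two things just described, turning the CSV into a readable table and suppressing whole regions with plugin:region:resource globs, fit in one small script, and doing the suppression after the scan has the advantage that the raw results are still on disk if you need them later. This is an added example, not CloudSploit code: the rows are constructed, the column names are an assumption (the real CSV may differ), and the "plugin" column stands in for the plugin id that --suppress matches on. The OK/WARN/FAIL status words are the ones CloudSploit prints.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample in a CloudSploit-like CSV layout. Column names are an
# assumption for this example; "plugin" stands for the id --suppress matches.
SAMPLE_CLOUDSPLOIT_CSV = """\
plugin,category,title,resource,region,status,message
rootMfaEnabled,IAM,Root MFA Enabled,arn:aws:iam::111122223333:root,global,OK,The root account has MFA enabled
bucketPublicAccess,S3,S3 Bucket Public Access,arn:aws:s3:::public-assets,global,FAIL,Bucket ACL allows public read access
openSSH,EC2,Open SSH,sg-0abc,eu-west-1,FAIL,Security group allows SSH from 0.0.0.0/0
openSSH,EC2,Open SSH,sg-0def,ap-southeast-1,FAIL,Security group allows SSH from 0.0.0.0/0
ebsEncryptionEnabled,EC2,EBS Encryption Enabled,vol-0123,us-east-1,WARN,EBS volume is not encrypted
flowLogsEnabled,EC2,VPC Flow Logs Enabled,vpc-0123,af-south-1,FAIL,VPC has no flow logs enabled
"""

TABLE_COLUMNS = ["status", "region", "category", "title", "resource", "message"]


def load_results(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_suppressed(row, patterns):
    """True if any plugin:region:resource pattern (the post's form) matches the row.

    Each of the three parts is a glob matched on its own, so the ':' characters
    inside an ARN in the resource part never confuse the match."""
    for pattern in patterns:
        parts = pattern.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"expected plugin:region:resource, got {pattern!r}")
        plugin, region, resource = parts
        if (fnmatchcase(row["plugin"], plugin)
                and fnmatchcase(row["region"], region)
                and fnmatchcase(row["resource"], resource)):
            return True
    return False


def apply_suppressions(rows, patterns):
    return [row for row in rows if not is_suppressed(row, patterns)]


def findings(rows):
    """Keep only results that need attention (FAIL and WARN); drop OK."""
    return [row for row in rows if row["status"] in ("FAIL", "WARN")]


def render_table(rows, columns=TABLE_COLUMNS):
    """Fixed-width text table: the 'convert the CSV into a table' step."""
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in columns}
    header = "  ".join(c.ljust(widths[c]) for c in columns)
    separator = "  ".join("-" * widths[c] for c in columns)
    body = ["  ".join(r[c].ljust(widths[c]) for c in columns) for r in rows]
    return "\n".join([header, separator] + body)


if __name__ == "__main__":
    rows = load_results(SAMPLE_CLOUDSPLOIT_CSV)
    # Same effect as --suppress "*:ap-*-*:*" --suppress "*:af-*-*:*" on the CLI,
    # applied after the scan so the full CSV is still available.
    kept = apply_suppressions(rows, ["*:ap-*-*:*", "*:af-*-*:*"])
    print(render_table(findings(kept)))
```

A suppression list kept in a file next to the scan output is also a convenient place to record why each region or resource is excluded, which the CLI flag alone does not give you.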

steampipe

I mentioned this tool in my first article about open-source tools, when I talked about extending CLI capabilities here.

Steampipe is the universal interface to APIs, and we can use SQL to query cloud infrastructure, SaaS, code, logs, and more.

Besides, I am going to show you two new capabilities:

  • Check: Ensure that cloud resources comply with security benchmarks such as CIS, NIST, and SOC2.
    • AWS security best practices contains 180 controls
    • CIS v1.50 contains 63 controls
  • Visualize: View prebuilt dashboards or build your own.

Why use it: for me, the AWS security best practices benchmark with 180 controls and the CIS v1.5 benchmark with 63 controls are enough to consider using this tool to perform a security analysis.

[Screenshots: steampipe-2, steampipe-3, steampipe-4]

Is it popular?: On GitHub: Watch 32; Fork 171; Stars 4.6k

Recently updated? Yes, last commit 2 days ago. Total commits 2007

URL: https://github.com/turbot/steampipe

More information (checks and dashboard):

cloudsplaining

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.

The assessment identifies where resource ARN constraints are not used and identifies other risks in IAM policies:

  • Privilege Escalation
  • Resource Exposure
  • Infrastructure Modification
  • Data Exfiltration

Why use it: The tool gives you a report with the risks found in IAM policies (customer-managed/inline/AWS-managed) and IAM principals (IAM users, groups and roles).

[Screenshots: cloudsplaining-1, cloudsplaining-2]
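The core of the "resource ARN constraints are not used" finding is simple enough to show in a few dozen lines, and seeing it spelled out makes the cloudsplaining report easier to read. This is an added example and a deliberate simplification of the tool, not its code: the policy document is constructed, and the read-only prefix allowlist (Describe/List/Get are exempt because those calls commonly need Resource "*") is an assumption for the example rather than cloudsplaining's own exclusion list.

```python
import json

# Constructed sample policy (not from any real account): one properly scoped
# statement, two that a least-privilege review would flag, and a Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Action name prefixes treated as read-only and therefore exempt from the
# resource-constraint finding. Simplified allowlist for this example only.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def is_read_only(action):
    """'ec2:DescribeInstances' -> True; 'ec2:TerminateInstances' and 'iam:*' -> False."""
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def missing_resource_constraints(policy):
    """Allow statements granting non-read-only actions on Resource '*'.

    Returns (statement index, offending actions) pairs. Statements written with
    NotAction/NotResource are reported whole: their effective scope is the
    complement of what is listed, which is rarely what the author intended."""
    found = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotResource" in stmt or "NotAction" in stmt:
            found.append((index, ["<uses NotAction/NotResource>"]))
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        offending = [a for a in as_list(stmt.get("Action")) if not is_read_only(a)]
        if offending:
            found.append((index, offending))
    return found


def wildcard_actions(policy):
    """Allow-statement actions containing '*' (e.g. 'iam:*'), which hide the real grant."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            found.extend(a for a in as_list(stmt.get("Action")) if "*" in a)
    return found


if __name__ == "__main__":
    for index, actions in missing_resource_constraints(SAMPLE_POLICY):
        print(f"statement {index}: no resource constraint for {actions}")
    print("wildcard actions:", wildcard_actions(SAMPLE_POLICY))
    print(json.dumps(SAMPLE_POLICY["Statement"][1], indent=2))
```

To run it against your own account, feed the policy documents returned by get-policy-version or get-user-policy into missing_resource_constraints; the report the tool builds is essentially this check applied to every policy attached to every principal, with the actions then sorted into the four risk categories listed above.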

Is it popular?: On GitHub: Watch 29; Fork 143; Stars 1.6K

Recently updated? Yes. Last commit 3 days ago (347 commits in total)

URL: https://github.com/salesforce/cloudsplaining

Summary: Which tool should I use to perform security assessments on my account?

This is my personal opinion. If you have a different one, let me know in the comments at the end of this article!

  • General security assessment: prowler or steampipe
  • Security assessment based on CIS 1.5: steampipe, prowler or cloudsploit
  • Richer security assessment based on frameworks: steampipe
  • IAM specific security assessment: cloudsplaining

Next steps

The next article related to open-source tools will be:

  • How to help you with your code: to generate it (IaC), validate it (policy as code and compliance) and analyze it (static analysis/credentials) - here

This post is licensed under CC BY 4.0 by the author.