Cloud.md

Cloud

There are:

Third-Party Tools

Amazon Web Services

Microsoft Azure

Google Cloud Platform

Third-Party Tools

1. For AWS:
   • toniblyx`s arsenal of aws security
   • awspx. Open source
   • Acunetix. Vulnerability Scanner. Commercial Software
   • weirdAAl. AWS attack library. Open source
   • S3 bucket scanner. Open source
   • Pacu. AWS pentesting framework. Open source
   • Cred Scanner. To find AWS credentials in files. Open source
   • CloudFrunt. To find misconfiguration in AWS CloudFront. Open source
   • Redboto. Collection of script to aid in AWS red team engagements
   • AWSBucketDump. Quickly enumerate AWS S3 buckets. Open source
2. For Azure:
   • MicroBurst. A PowerShell Toolkit. Open source
   • PowerZure. Created to assess and exploit resources within Microsoft’s cloud platform. Open source
   • Azurite. Novel way to use PowerShellfor pentesting Azure. Open source
   • Cloud-Katana. To automate the execution of simulation steps in multi-cloud and hybrid cloud environments. Open source
   • SkyArk. Cloud security project with main scanning modules. Open source
   • MFASweep. Help with MFA in Microsoft services. Open source
   • Adconnectdump. Exploit vulnerabilities in how AD is configured in Azure to extract passwords. Open source
   • BlobHunter. Helps to identify Azure blob storage poorly configured containers. Open source
   <
3. For GCP:
   • GCPBucketBrute. A script to enumerate Google Storage buckets. Open source
   • hayat. Script to audit Cloud SQL, IAM, Cloud Storage, network configuration, VMs etc. Open source
   • gcploit. Pentrsting tools to find vulnerabilities in GCP. Open source
   • gcp-iam-role-permissions. Open source
   • GCP Scanner. Open source
4. For three:
   • Prowler. Open source
   • Intruder. Auromated scan. Montly or annual subscription
   • CloudBrute. A tool to find a company (target) infrastructure, files, and apps on the top cloud providers. Open source
   • ScoutSuite. Open source multi-cloud security-auditing tool
   • buckets.grayhatwarfare.com
   • cloud_enum. Multi-cloud OSINT tool. Open source

AWS

1. Prepare to pentest:
   • AWS Customer Support Policy for Penetration Testing
   • Amazon EC2 Testing Policy
   • DDoS Simulation Testing Policy
   • AWS Security Documentation
2. AWS own instruments:
   • Amazon Inspector

Azure

1. Prepare to pentest:
   • Microsoft Online Subscription Agreement
   • Penetration Testing Rules of Engagement
2. Azure own instruments:
   • Microsoft Defender for Cloud

GCP

1. Prepare to pentest:
   • Google Cloud Platform/SecOps Terms of Service
   • Google Cloud Platform Acceptable Use Policy

Feel free to check out my GitHub Stars for more cloud tools and resources!