Home
nuvola (with the lowercase n) is an open-source tool, developed by the Security Team of Prima Assicurazioni, to perform automatic and manual security analysis of AWS environment configurations and services, using predefined, extensible and custom rules written in a simple YAML syntax.
The general idea behind this project is to create an abstracted digital twin of a cloud platform; more concretely, to replicate on cloud environments the approach BloodHound uses for Active Directory analysis.
Like BloodHound, nuvola uses the advantages and principles of graph theory (implemented on top of the Neo4j graph database) to discover and reveal relationships between objects within a cloud ecosystem, enabling engineers to perform analysis.
nuvola is built around three major subsets of features:
- Dump
  - to collect information on supported services and to create relationships in graph databases (JSON/CSV)
- Assess
  - to explore the graph database searching for misconfigurations and security problems
  - to help DevOps have a better understanding of the environment
- Enumerate (TODO: not yet implemented)
  - to help red teamers, DevOps, and security analysts collect information on an AWS account without a privileged account
  - to emulate the behavior of BloodHound, which collects Active Directory trees even from a non-privileged account
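To make the Dump and Assess ideas above concrete, here is an added example (not nuvola's own code, and not its YAML rule format): a miniature pipeline that turns IAM data into a graph of principals, groups, roles and policies, then runs a few rules over it to find which users can end up with a given permission. Everything is assumed and constructed for illustration: the sample account data is shaped like boto3 IAM responses but built inline, the graph is an in-memory adjacency list standing in for Neo4j, and the rules are plain Python dicts standing in for nuvola's YAML rules.

```python
# Added example: a toy "dump" + "assess" pipeline over constructed IAM data.
# Nothing here is nuvola's code; the data, graph shape and rule format are all assumptions.
from __future__ import annotations
import fnmatch
from collections import defaultdict

# Constructed sample account (shaped like boto3 IAM responses; not a real account).
SAMPLE_IAM = {
    "Users": [
        {"UserName": "alice", "Groups": ["admins"], "AttachedPolicies": []},
        {"UserName": "bob", "Groups": ["devs"], "AttachedPolicies": ["ReadOnlyAccess"]},
        {"UserName": "ci-bot", "Groups": [], "AttachedPolicies": ["DeployPolicy"]},
    ],
    "Groups": [
        {"GroupName": "admins", "AttachedPolicies": ["AdministratorAccess"]},
        {"GroupName": "devs", "AttachedPolicies": ["ReadOnlyAccess"]},
    ],
    "Roles": [
        {"RoleName": "deploy-role", "AttachedPolicies": ["DeployPolicy"],
         "AssumeRolePolicyDocument": {"Statement": [{
             "Effect": "Allow", "Action": "sts:AssumeRole",
             "Principal": {"AWS": "arn:aws:iam::123456789012:user/ci-bot"}}]}},
    ],
    "Policies": {
        "AdministratorAccess": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "ReadOnlyAccess": {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
        "DeployPolicy": {"Statement": [{"Effect": "Allow",
                                        "Action": ["iam:PassRole", "lambda:UpdateFunctionCode"], "Resource": "*"}]},
    },
}

# Stand-in rule format (nuvola's real rules are YAML; this dict shape is an assumption).
RULES = [
    {"name": "can-pass-role", "action": "iam:PassRole"},
    {"name": "can-create-access-key", "action": "iam:CreateAccessKey"},
    {"name": "can-read-s3", "action": "s3:GetObject"},
]


def build_graph(iam: dict) -> dict[str, list[tuple[str, str]]]:
    """Dump step: node -> [(relation, target)] adjacency built from the IAM data.
    Nodes are 'kind:name' strings; relations are MEMBER_OF, HAS_POLICY and CAN_ASSUME."""
    graph: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for u in iam["Users"]:
        uid = f"user:{u['UserName']}"
        for g in u["Groups"]:
            graph[uid].append(("MEMBER_OF", f"group:{g}"))
        for p in u["AttachedPolicies"]:
            graph[uid].append(("HAS_POLICY", f"policy:{p}"))
    for g in iam["Groups"]:
        for p in g["AttachedPolicies"]:
            graph[f"group:{g['GroupName']}"].append(("HAS_POLICY", f"policy:{p}"))
    for r in iam["Roles"]:
        rid = f"role:{r['RoleName']}"
        for p in r["AttachedPolicies"]:
            graph[rid].append(("HAS_POLICY", f"policy:{p}"))
        # The trust policy says who may assume the role; record that as an edge
        # from the principal to the role so reachability follows it.
        for st in r["AssumeRolePolicyDocument"]["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            arns = st.get("Principal", {}).get("AWS", [])
            for arn in ([arns] if isinstance(arns, str) else arns):
                if not arn.startswith("arn:aws:iam::"):
                    graph[f"external:{arn}"].append(("CAN_ASSUME", rid))
                    continue
                kind, _, name = arn.rpartition(":")[2].partition("/")
                graph[f"{kind}:{name}"].append(("CAN_ASSUME", rid))
    return graph


def edge_list(graph: dict) -> list[tuple[str, str, str]]:
    """Flatten the graph into (source, relation, target) rows, the shape a CSV/JSON
    dump for a graph-database import would carry."""
    return sorted((src, rel, dst) for src, out in graph.items() for rel, dst in out)


def allowed_actions(policy_doc: dict):
    """Yield every action pattern an Allow statement in the policy grants."""
    for st in policy_doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def reachable_policies(graph: dict, start: str) -> set[str]:
    """Walk MEMBER_OF and CAN_ASSUME edges from a principal and collect the names of
    every policy it can reach, directly or through groups and assumable roles."""
    seen, stack, policies = {start}, [start], set()
    while stack:
        node = stack.pop()
        for rel, target in graph.get(node, []):
            if rel == "HAS_POLICY":
                policies.add(target.split(":", 1)[1])
            elif target not in seen:
                seen.add(target)
                stack.append(target)
    return policies


def principals_allowed(iam: dict, graph: dict, action: str) -> list[str]:
    """Assess step: users that can reach a policy whose Allow actions cover `action`.
    Policy patterns use IAM-style wildcards and case-insensitive matching."""
    matches = set()
    for u in iam["Users"]:
        for pol in reachable_policies(graph, f"user:{u['UserName']}"):
            patterns = allowed_actions(iam["Policies"].get(pol, {}))
            if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                matches.add(u["UserName"])
                break
    return sorted(matches)


def run_rules(iam: dict, rules: list[dict]) -> dict[str, list[str]]:
    """Build the graph once and evaluate every rule against it."""
    graph = build_graph(iam)
    return {rule["name"]: principals_allowed(iam, graph, rule["action"]) for rule in rules}


if __name__ == "__main__":
    for name, who in run_rules(SAMPLE_IAM, RULES).items():
        print(f"{name}: {', '.join(who) or '-'}")
```

On the constructed data, `alice` reaches `AdministratorAccess` through the `admins` group, so she matches every rule; `ci-bot` reaches `iam:PassRole` both directly and via the role it is trusted to assume; `bob` only matches the S3 read rule. The point of the graph shape is that the rule never has to know about groups or role trust: one reachability walk exposes permissions a per-user policy listing would miss.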
As of now, nuvola only supports AWS. The following services are supported and can be analyzed using the tool:
- IAM
  - Users
  - Roles
  - Groups
  - Inline Policies
  - Attached Policies
  - Managed Policies
  - Access Analyzer
  - Credential Report
- S3
  - ACLs
  - Policies
- EC2
  - VPC
  - VPC Peering
  - Security Groups
  - User data
- Lambda
- RDS
  - Instance
  - Cluster
- DynamoDB
- Redshift