Aardvark is a multi-account AWS IAM Access Advisor API
🔗,
aws
iam
Action Hero is a sidecar-style utility to assist with creating least-privilege IAM policies for AWS.
🔗,
aws
iam
Automatically deploy customizable Active Directory labs in Azure
🔗,
azure
Amazon S3 Find and Forget is a solution to handle data erasure requests from data lakes stored on Amazon S3, for example, pursuant to the European General Data Protection Regulation (GDPR)
🔗,
aws
A tool for creating vulnerable, instrumented local or cloud environments to simulate attacks against, collecting the resulting data into Splunk
🔗,
Automated Cloud Advisor is an extensible tool that aims to facilitate cost optimization in AWS by collecting data on resources that are underutilized. It is also a good learning tool for new DevOps/Cloud engineers who want to start automating things in AWS.
🔗,
aws
Create On Demand Disposable OpenVPN Endpoints on AWS.
🔗,
aws
Open source application to instantly remediate common security issues through the use of AWS Config
🔗,
aws
Simple AWS Lambda powered Slack bot that reports your AWS Costs for the current month to a channel
🔗,
aws
A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster
🔗,
aws
iam
k8s
A recorder of AWS API calls for Lambda functions
🔗,
aws
Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
🔗,
aws
Antivirus for Amazon S3 buckets
🔗,
aws
Bring AWS SSO-based credentials to the AWS SDKs until they have proper support
🔗,
aws
Resource types that can be publicly exposed on AWS
🔗,
aws
Script to automate initial triage/enumeration on a set of AWS keys in an input file.
🔗,
aws
Kubernetes multi-tenant Operator
🔗,
k8s
CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
🔗,
aws
Cfngoat is Bridgecrew's "Vulnerable by Design" CloudFormation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
🔗,
aws
declarative-infra
CLI tool for linting and testing Helm charts
🔗,
k8s
A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax
🔗,
aws
declarative-infra
Cloudkeeper - Housekeeping for Clouds
🔗,
Container Image for Azure Cloud Shell (https://azure.microsoft.com/en-us/features/cloud-shell/)
🔗,
azure
containers
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
🔗,
aws
iam
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
🔗,
iam
A GitHub Action to help you scan your Docker image for vulnerabilities
🔗,
docker
containers
CONVEX is a group of CTFs that are independently deployable into participant Azure environments.
🔗,
azure
The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on Amazon ECS and AWS Fargate.
🔗,
aws
containers
A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running Docker containers to detect anomalous activities
🔗,
docker
containers
Dynamic Application and API Security Testing
🔗,
Get started fast with a built out lab, built from scratch via Azure Resource Manager (ARM) and Desired State Configuration (DSC), to test out Microsoft's security products.
🔗,
azure
Rules for Elastic Security's detection engine
🔗,
DockerSlim (docker-slim): Don't change anything in your Docker container image and minify it by up to 30x (and for compiled languages even more), making it more secure too! (free and open source)
🔗,
docker
containers
Container image linter for security, helping build best-practice Docker images; easy to start
🔗,
docker
containers
Dragonfly is an intelligent P2P-based image and file distribution system.
🔗,
Gatekeeper - Policy Controller for Kubernetes
🔗,
k8s
Exports primitive and predefined GCP IAM Roles and their permissions
🔗,
gcp
iam
A CLI that utilizes Okta IdP via SAML to acquire temporary AWS credentials
🔗,
aws
Debugging tool for Kubernetes which tests and displays connectivity between nodes in the cluster.
🔗,
k8s
The GOV.UK repository for our Migration to AWS
🔗,
aws
A vulnerability scanner for container images and filesystems
🔗,
containers
Pin your Helm charts to the desired versions
🔗,
k8s
Analyze HTTP requests to minimize the risk of HTTP Desync attacks (a precursor to HTTP request smuggling/splitting).
🔗,
A CLI tool for building simple to complex IAM policies
🔗,
iam
A collection of Kubernetes-related diagrams
🔗,
k8s
Automatic Volume Snapshots on Kubernetes.
🔗,
k8s
A Kubernetes node connectivity monitoring tool
🔗,
k8s
Kubernetes Connection Manager CLI
🔗,
k8s
Virtual-kubelet provider running pods in cloud instances
🔗,
k8s
A policy management tool for interacting with Gatekeeper
🔗,
Kubernetes RBAC static Analysis & visualisation tool
🔗,
k8s
Auto-configuration of Fluentd daemon-set based on Kubernetes metadata
🔗,
k8s
Clean up (delete) Kubernetes resources after a configured TTL (time to live)
🔗,
k8s
Use Prometheus to monitor Kubernetes and applications running on Kubernetes
🔗,
k8s
This tool uses fzf(1)-like fuzzy-finder to do partial or fuzzy search of Kubernetes resources. Instead of specifying full resource names to kubectl commands, you can choose them from an interactive list that you can filter by typing a few characters.
🔗,
k8s
Mount Kubernetes metadata storage as a filesystem
🔗,
k8s
Kubei is a flexible Kubernetes runtime scanner that scans the images on worker and Kubernetes nodes and provides accurate vulnerability assessment. For more information, see:
🔗,
k8s
A Kubernetes operator for running synthetic checks as pods. Works great with Prometheus!
🔗,
k8s
Minimal self-contained examples of standard Kubernetes features and patterns in YAML
🔗,
k8s
Kubernetes Goat is a "Vulnerable by Design" Kubernetes cluster.
🔗,
k8s
Litmus helps Kubernetes SREs and developers practice chaos engineering in a Kubernetes-native way. Chaos experiments are published at the ChaosHub (https://hub.litmuschaos.io). Community notes are at https://hackmd.io/a4Zu_sH4TZGeih-xCimi3Q
🔗,
k8s
Run interactive shell commands on AWS Lambda
🔗,
aws
PowerShell framework to assess Azure security
🔗,
azure
Common solutions and tools developed by Google Cloud's Professional Services team
🔗,
gcp
Rego policies collection
🔗,
Cloud-native software supply chain ☁️🔗
🔗,
Azure Key Vault provider for Secret Store CSI driver allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.
🔗,
azure
k8s
Salesforce Policy Deviation Checker
🔗,
Cloud templates and scripts to deploy Mordor environments
🔗,
A tool to sync images from one container registry to another
🔗,
containers
SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
🔗,
azure
aws
A honey token manager and alert system for AWS.
🔗,
aws
Kubernetes-native security toolkit
🔗,
k8s
Octant plugin for viewing Starboard security information
🔗,
🛅 Back up your Kubernetes stateful applications
🔗,
k8s
Azure Red Team tool for graphing Azure and Azure Active Directory objects
🔗,
azure
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
🔗,
containers
Synator Kubernetes Secret and ConfigMap synchronizer
🔗,
k8s
By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious - such as authorization tokens and private keys.
🔗,
TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
🔗,
terraform
declarative-infra
A command-line tool to get valuable information out of AWS CloudTrail
🔗,
aws
Remote shell into ephemeral environments 🐚 🦀
🔗,
High-performance, vendor-neutral observability pipelines.
🔗,
Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
🔗,
k8s
Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks as well as checking for CVEs/vulnerable packages in the container
🔗,
containers
Identify hardcoded secrets and dangerous behaviours
🔗,