Amazon AWS
Portal is available at https://aws.amazon.com/
Assessment Guide
The AWS Assessment Guide provides a basic methodology for performing security assessments against AWS estates.
Basic guides
- https://www.expeditedssl.com/aws-in-plain-english
- Open Guide to AWS - https://github.com/open-guides/og-aws
- https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/
- https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-cloud-need-know/
Tools
- AWS Inventory, list all items within an AWS subscription - https://github.com/nccgroup/aws-inventory
- aws-nuke - List and remove all AWS resources - https://github.com/rebuy-de/aws-nuke
- CloudMapper, AWS visualisation - https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool
- CloudQuery - The open-source cloud asset inventory powered by SQL - https://www.cloudquery.io/
- CloudSploit, AWS security analyser - https://github.com/cloudsploit/scans
- Former2 - Generate CloudFormation / Terraform / Troposphere templates from your existing AWS resources - https://former2.com/
- Pacu, AWS exploitation framework - https://github.com/RhinoSecurityLabs/pacu
- PMapper, IAM role mapper - https://github.com/nccgroup/PMapper
- ScoutSuite, multi-cloud auditing tool - https://github.com/nccgroup/ScoutSuite
- Steampipe - open-source project, with various mods and plugins, which allows users to treat cloud/SaaS provider APIs as relational databases that can be queried with SQL - https://github.com/turbot/steampipe
- Workload Discovery on AWS - AWS Tool to visualize AWS Cloud workloads - https://aws.amazon.com/solutions/implementations/aws-perspective/
A much more comprehensive list is maintained by Toni de la Fuente at https://github.com/toniblyx/my-arsenal-of-aws-security-tools.
Training Resources
- flAWS - AWS security lab - http://flaws.cloud/
- flAWS 2 - AWS security lab - http://flaws2.cloud/
- Cloudgoat - https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/
- Serverless Goat - https://www.owasp.org/index.php/OWASP_Serverless_Goat
- OWASP Damn Vulnerable Serverless Application - https://github.com/OWASP/DVSA
Benchmarks, Best Practice Guides, etc.
- AWS Security Best Practices - https://aws.amazon.com/whitepapers/aws-security-best-practices/
- AWS Security Guidance - https://aws.amazon.com/security/guidance/
- AWS Security Maturity Model - https://maturitymodel.security.aws.dev/en/model/
- AWS Security Reference Architecture (AWS SRA) - https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html
- CIS Benchmark for AWS - https://www.cisecurity.org/benchmark/amazon_web_services
- Cloud Conformity Ruleset, good list of things to check for various services with associated risk levels - https://www.cloudconformity.com/conformity-rules/
- CloudFormation / API calls for secure configurations - asecure cloud