Unless otherwise noted, we have not used or evaluated these tools. As usual with open source tools, be sure to evaluate them before adopting them to ensure they are worthy of your trust.
→ CIT Cloud Team has used the tool.
IAM-Specific Tools
- Access Key Management
- awscli-login – Access Keys for AWS CLI Using Cornell Two-Step Login (Shibboleth)
- rapid7/awsaml – Awsaml is an application for providing automatically rotated temporary AWS credentials.
- 99designs/aws-vault – A vault for securely storing and accessing AWS credentials in development environments
- RiotGames/key-conjurer – Temporary Credential Service
- aws-rotate-key – Easily rotate your AWS access key
- IAM/Resources Policy
- AWS Policy Generator – The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.
- duo-labs/cloudtracker – CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
- goldfiglabs/rpCheckup – rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources.
- iann0036/iamlive – Generate an IAM policy from AWS calls using client-side monitoring (CSM) or embedded proxy
Tools that Help Secure AWS Resources
- Multiple Resource Types
- asecure.cloud – Creates customized CloudFormation/Terraform templates to improve security of existing AWS resources, or deploy secured resources.
- cloud-custodian/cloud-custodian – Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
- toniblyx/prowler – Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
- aquasecurity/cloudsploit – Cloud Security Posture Management (CSPM)
- airbnb/streamalert – StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
- RhinoSecurityLabs/pacu – The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
- Netflix/security_monkey – Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- RiotGames/cloud-inquisitor – Enforce ownership and data security within AWS
- tmobile/pacbot – Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud.
- CloudFormation
- cfripper – Library and CLI tool for analyzing CloudFormation templates and checking them for security compliance
- stelligent/cfn_nag – The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
- Keys and Secrets
- awslabs/git-secrets – Prevents you from committing secrets and credentials into git repositories
- exec-with-secrets – Handle secrets in Docker using AWS KMS, SSM parameter store, Secrets Manager, or Azure Key Vault
- dxa4481/truffleHog – Searches through git repositories for high entropy strings and secrets, digging deep into commit history
- zricethezav/gitleaks – Scan git repos (or files) for secrets using regex and entropy
- S3
Training and Tutorials
- AWS Security Workshops – A collection of the latest AWS Security workshops from AWS
- Serverless Security Workshop – In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. From AWS
- flAWS 2 Challenge – Teaches you AWS (Amazon Web Services) security concepts. The challenges are focused on AWS specific issues, so no buffer overflows, XSS, etc. Able to be attacker or defender for challenges.
Other Compilations of Security Resources
- puresec/awesome-serverless-security – A curated list of serverless security resources such as (e)books, articles, whitepapers, blogs and research papers.
- toniblyx/my-arsenal-of-aws-security-tools – List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.