Cloudsploit : Cloud Security Posture Management (CSPM)

CloudSploit by Aqua is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and GitHub. These scripts are designed to return a series of potential misconfigurations and security risks.

Deployment Options

CloudSploit is available in two deployment options:

Self-Hosted

Follow the instructions below to deploy the open-source version of CloudSploit on your machine in just a few simple steps.

Hosted at Aqua Wave

A commercial version of CloudSploit hosted at Aqua Wave. Try Aqua Wave today!

Installation

Ensure that NodeJS is installed; if not, install it from nodejs.org.

$ git clone git@github.com:cloudsploit/scans.git
$ npm install

Configuration

CloudSploit requires read-only permission to your cloud account. Follow the guides below to provision this access:

  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform
  • Oracle Cloud Infrastructure

For AWS, you can run CloudSploit directly and it will detect credentials using the default AWS credential chain.

CloudSploit Config File

The CloudSploit config file allows you to pass cloud provider credentials by:

  1. A JSON file on your file system
  2. Environment variables
  3. Hard-coding (not recommended)

Start by copying the example config file:

$ cp config_example.js config.js

Edit the config file by uncommenting the relevant sections for the cloud provider you are testing. Each cloud has both a credential_file option, as well as inline options. For example:

azure: {
    // OPTION 1: If using a credential JSON file, enter the path below
    // credential_file: '/path/to/file.json',
    // OPTION 2: If using hard-coded credentials, enter them below
    // application_id: process.env.AZURE_APPLICATION_ID || '',
    // key_value: process.env.AZURE_KEY_VALUE || '',
    // directory_id: process.env.AZURE_DIRECTORY_ID || '',
    // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
}

Credential Files

If you use the credential_file option, point to a file in your file system that follows the correct format for the cloud you are using.

AWS

{
    "accessKeyId": "YOURACCESSKEY",
    "secretAccessKey": "YOURSECRETKEY"
}

Azure

{
    "ApplicationID": "YOURAZUREAPPLICATIONID",
    "KeyValue": "YOURAZUREKEYVALUE",
    "DirectoryID": "YOURAZUREDIRECTORYID",
    "SubscriptionID": "YOURAZURESUBSCRIPTIONID"
}

GCP

Note: For GCP, you generate a JSON file directly from the GCP console, which you should not edit.

{
    "type": "service_account",
    "project": "GCPPROJECTNAME",
    "client_email": "GCPCLIENTEMAIL",
    "private_key": "GCPPRIVATEKEY"
}

Oracle OCI

{
    "tenancyId": "YOURORACLETENANCYID",
    "compartmentId": "YOURORACLECOMPARTMENTID",
    "userId": "YOURORACLEUSERID",
    "keyFingerprint": "YOURORACLEKEYFINGERPRINT",
    "keyValue": "YOURORACLEKEYVALUE"
}

Environment Variables

CloudSploit supports passing environment variables, but you must first uncomment the section of your config.js file relevant to the cloud provider being scanned.

You can then pass the variables listed in each section. For example, for AWS:

{
    access_key: process.env.AWS_ACCESS_KEY_ID || '',
    secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
    session_token: process.env.AWS_SESSION_TOKEN || '',
}

Running

To run a standard scan, showing all outputs and results, simply run:

$ ./index.js

CLI Options

CloudSploit supports many options to customize the run time. Some popular options include:

  • AWS GovCloud support: --govcloud
  • AWS China support: --china
  • Save the raw cloud provider response data: --collection=file.json
  • Ignore passing (OK) results: --ignore-ok
  • Exit with a non-zero code if non-passing results are found: --exit-code
    • This is a good option for CI/CD systems
  • Change the output from a table to raw text: --console=text

See Output Formats below for more output options; the project documentation lists the full set of options.

Compliance

CloudSploit supports mapping of its plugins to particular compliance policies. To run the compliance scan, use the --compliance flag. For example:

$ ./index.js --compliance=hipaa
$ ./index.js --compliance=pci

Multiple compliance modes can be run at the same time:

$ ./index.js --compliance=cis1 --compliance=cis2

Output Formats

CloudSploit supports output in several formats for consumption by other tools. If you do not specify otherwise, CloudSploit writes output to standard output (the console) as a table.

Note: You can pass multiple output formats and combine options for further customization. For example:

# Print a table to the console and save a CSV file
$ ./index.js --csv=file.csv --console=table
# Print text to the console and save a JSON and JUnit file while ignoring passing results
$ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok

Console Output

By default, CloudSploit results are printed to the console in a table format (with colors). You can override this and use plain text instead, by running:

$ ./index.js --console=text

Alternatively, you can suppress the console output entirely by running:

$ ./index.js --console=none

Ignoring Passing Results

You can ignore results that return an OK status by passing the --ignore-ok command-line argument.

CSV

$ ./index.js --csv=file.csv

Suppressions

Results can be suppressed by passing the --suppress flag (multiple options are supported) with the following format:

--suppress pluginId:region:resourceId

For example:

# Suppress all results for the acmValidation plugin
$ ./index.js --suppress acmValidation::
# Suppress all us-east-1 region results
$ ./index.js --suppress :us-east-1:
# Suppress all results matching the regex "certificate/*" in all regions for all plugins
$ ./index.js --suppress '*::certificate/*'

Architecture

CloudSploit works in two phases. First, it queries the cloud infrastructure APIs for metadata about your account (the "collection" phase). Once all the necessary data is collected, the result is passed to the "scanning" phase, which uses only the collected data to search for potential misconfigurations, risks, and other security issues; those findings are the resulting output.

R K
