CloudFox Logo

CloudFox

0
Free
Visit Website

CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. CloudFox helps you answer the following common questions (and many more): - What regions is this AWS account using and roughly how many resources are in the account? - What secrets are lurking in EC2 userdata or service specific environment variables? - What workloads have administrative permissions attached? - What actions/permissions does this [principal] have? - What role trusts are overly permissive or allow cross-account assumption? - What endpoints/hostnames/IPs can I attack from an external starting point (public internet)? - What endpoints/hostnames/IPs can I attack from an internal starting point (assumed breach within the VPC)? - What filesystems can I potentially mount from a compromised resource inside the VPC? Demos, Examples, Walkthroughs Blog - Introducing: CloudFox Video - CloudFox + CloudFoxable A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths Video - Penetration Testing with CloudFox

FEATURES

ALTERNATIVES

A multi-threaded AWS security-focused inventory collection tool with comprehensive resource coverage and efficient data collection methods.

A tool for identifying security issues in CloudFormation templates.

A free training course and lab environment for learning to test and attack cloud infrastructure, including AWS and Azure.

Learn how to secure applications in Kubernetes Engine by granting varying levels of privilege based on requirements.

A customized AWS EKS setup for PCI-DSS, SOC2, and HIPAA compliance

Open-source cloud-agnostic resource manager for analyzing and managing cloud cost, usage, security, and governance.

Wiz Cloud Security Platform is a cloud-native security platform that enables security, dev, and devops to work together in a self-service model, detecting and preventing cloud security threats in real-time.

Commercial

A tool for discovering company infrastructure and apps on major cloud providers, beneficial for bug bounty hunters and penetration testers.