Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when. Security Monkey can be extended with custom account types, custom watchers, custom auditors, and custom alerters.
aws aws-s3 aws-ec2 aws-sqs aws-vpc aws-iam boto3 boto botocore aws-security aws-policy-tracking

IAM Least Privilege Policy Generator. For walkthroughs and full documentation, please visit the project on ReadTheDocs.
aws security cloud iam salesforce hacktoberfest aws-security iam-policy cloudsecurity

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. For full documentation, please visit the project on ReadTheDocs.
aws security cloud iam salesforce aws-iam hacktoberfest aws-security cloud-security

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
kubernetes aws devops cloudformation azure terraform static-analysis gcp infrastructure-as-code scans compliance helm-charts aws-security devsecops azure-security policy-as-code gcp-security kubernetes-security terraform-security

CloudQuery transforms your cloud infrastructure into queryable SQL for easy monitoring, governance and security. CloudQuery pulls, normalizes, exposes and monitors your cloud infrastructure and SaaS apps as a SQL database. This abstracts various scattered APIs, enabling you to define security, governance, cost and compliance policies with SQL. CloudQuery comes with built-in policy packs such as AWS CIS.
aws security cis sql monitor azure gcp cloud-computing compliance cloudtrail aws-security cis-benchmark well-architected gcp-security cspm cloud-monitoring

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
terraform aws-security goat devsecops cloud-security azure-security gcp-security

Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more. Pacu is a fairly lightweight program, as it requires only Python 3.5+ and pip3 to install a handful of Python libraries. Running install.sh will check your Python version and ensure all Python packages are up to date.
aws-security penetration-testing aws security

AirIAM is an AWS IAM to least privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the existing IAM management method. AirIAM was created to promote immutable and version-controlled IAM management to replace today's manual and error-prone methods.
aws terraform iam aws-iam aws-security aws-security-automation bridgecrew privileges-model

T-Vault is built to simplify the process of secrets management. We wanted to build an intuitive and easy-to-use tool that application developers can easily adopt without sacrificing their agility while still following best practices for secrets management. It uses a few open source products internally, including, at its heart, Hashicorp Vault. Hashicorp Vault provides the core functionality of safely storing secrets at rest and access control to those secrets. T-Vault builds on that base to provide a higher level of abstraction called a Safe. Safes are logical abstractions, internally using the concept of paths within Vault. T-Vault simplifies access management to secrets by hiding away all the complexities of managing policies. A very intuitive web UI provides a nice layer of abstraction and hides all the complexities of managing paths, policies, token management, etc. T-Vault introduces two new personas, a 'Safe User' and a 'Safe Administrator'. Safe admins create Safes and grant access to individuals, an LDAP group or an application. Individuals with access to a Safe can use the web UI or API to do CRUD operations on secrets within their Safe.
hashicorp-vault secrets-management tmobile aws secret-sharing vault hashicorp secrets password-manager credential-storage aws-security password-vault vault-ui secret docker storage-backend

Cloud Security blogs, podcasts, standards, projects, and examples. Contributions welcome! Read the contribution guidelines first.
cloud-security aws security information-security waf dlp logging cloud elasticsearch awesome awesome-list aws-security data-loss-prevention security-standards nist nist800-53 iso27001 iso27017 iso-27017 ccm

Cloud Security Audit is a command line tool that scans for vulnerabilities in your AWS account. It lets you easily identify insecure parts of your infrastructure and prepare your AWS account for a security audit. Currently Cloud Security Audit does not support any package managers, but the work is in progress.
aws s3 ec2 security-audit security amazon-web-services command-line tool aws-security cloud cloud-security-audit

In the news every day are stories of companies leaking data through exposed S3 buckets. One thing I noticed is that a lot of leaks are found using common S3 bucket names, so I had an epiphany in the shower one day and I invented Defensive S3 Bucket Squatting, where you preregister and secure the most common S3 bucket names so that no one else can use them. This obviously won't stop your company from still having misconfigured S3 buckets, but it should make it harder for bad actors to find them and exploit them.
aws-security aws-s3 cloud-security

Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features; it gives a simplified view of compliance and makes it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration: it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain. PacBot's plugin-based data ingestion architecture allows ingesting data from multiple sources. We have built plugins to pull data from Qualys Vulnerability Assessment Platform, Bitbucket, TrendMicro Deep Security, Tripwire, Venafi Certificate Management, Redhat Satellite, Spacewalk, Active Directory and a few other custom-built internal solutions. We are working to open source these plugins and other tools as well. You could write rules based on data collected by these plugins to get a complete picture of your ecosystem and not just cloud misconfigurations. For example, within T-Mobile, we have implemented a policy to mark all EC2 instances with one or more severity 5 (CVSS score > 7) vulnerabilities as non-compliant.
cloud-security security aws continous-compliance cloud-auditing policy-as-code cloud security-automation aws-security angularjs cloud-compliance-reporting cloud-native spring-boot

This InSpec compliance profile implements the CIS AWS Foundations Benchmark in an automated way to provide security best-practice tests in an AWS environment. InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure.
inspec mitre-corporation cloud security ia aws aws-security cis inspec-profile mitre-inspec

badbucket checks your S3 bucket for common misconfigurations.
aws-s3 aws-security

Krampus is a security solution designed to delete and disable various AWS objects such as EC2 instances, S3 buckets, etc. It accepts a simple list of objects to action in the form of a JSON tasks file, and can also be used as a cost-control tool. Krampus itself is designed to eliminate threats posed by security issues, and does not actually decide whether something is insecure. For that we recommend Netflix's Security Monkey. Setting up Krampus is generally pretty simple and should only take a few minutes. It can be run locally from the command line or from Lambda in AWS. The process involves setting up the correct IAM permissions for Krampus to run, and using a method of your choice to populate an S3 bucket with a JSON tasks file that Krampus can understand (we like Security Monkey). The flow chart below demonstrates how we have chosen to set this up, though any method that generates a tasks file Krampus can understand should be fine.
aws aws-security aws-security-automation aws-lambda

This is the Terraform Provider for Policy Sentry, the IAM Least Privilege Policy Generator. We have Policy Sentry hosted as a REST API, and this Terraform provider points to the REST API.
aws security cloud iam salesforce hacktoberfest aws-security cloudsecurity

Dow Jones Hammer is a multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within the most popular AWS resources, across all regions and accounts. It has near real-time reporting capabilities (e.g. JIRA, Slack) to provide quick feedback to engineers and can perform auto-remediation of some misconfigurations. This helps to protect products deployed on the cloud by creating secure guardrails. Dow Jones Hammer documentation is available via GitHub Pages at https://dowjones.github.io/hammer/.
devsecops cloudsecurity aws aws-security

CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. It also shows how Bridgecrew can be used with the AWS CDK to provide CloudFormation template vulnerability scanning at build time, even though no CloudFormation templates exist in the source repository.
cloudformation aws-security devsecops cloud-security aws-cdk

Cfngoat is one of Bridgecrew's "Vulnerable by Design" Infrastructure as Code repositories, a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. Cfngoat was built to enable DevSecOps teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline linters, pre-commit hooks or other code scanning methods.
cloudformation aws-security cloudsecurity devsecops