<h1 align="center">Cloud Security Guides</h1> <p align="center">Cloud Security Guides is a cloud computing security knowledge base project maintained by Tencent Security YUNDING LAB. It collects the best resources, literature, typical cloud security vulnerabilities and knowledge graphs found during cloud security research and, using the cloud reference model architecture as its backbone, classifies and arranges cloud security resources to provide a reference guide for building security capabilities in the cloud. The YUNDING LAB cloud security panorama & attack-defense matrix provided in Cloud Security Guides is a cloud knowledge graph and an abstract attack-defense model of cloud products, summarized by YUNDING LAB from its cloud security research; it can guide cloud security work and help build security capabilities into cloud products.</p>
1 Cloud Computing Reference Architecture :books:
2 Cloud Security Guidance :books:
2.1 Compliances
2.2 Standards and Benchmarks
- NIST.SP.800-190 Application Container Security Guide (2017-09-25)
- NIST.IR.8176 Security Assurance Requirements for Linux Application Container Deployments (2017-10)
- OWASP Container Security Verification Standard
- CIS Kubernetes Benchmark
- CIS Docker Benchmark
- NIST.SP.800-204 Security Strategies for Microservices-based Application Systems (2019-08)
- Tencent Cloud Security White Paper
- Alibaba Cloud Security White Paper
- Huawei Cloud Security White Paper
- Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
- AWS Security Maturity Roadmap
- CLOUD NATIVE SECURITY Your Guide to Containers / Kubernetes Security
2.3 Threat Modeling
2.4 Top Cloud Security Risks
2.5 Security Practices
- Using ATT&CK for Containers to Level Up your Cloud Defenses
- Cloud Penetration Testing Playbook
- A Penetration Tester’s Guide to the Azure Cloud
- Are You Sure Your AWS Cloud Is Secure?
- HackingTheClouds
- Cloud Attack and Defense in Practice (Red Teaming for Cloud)
- A Few Notes on Cloud Attack and Defense (Continued)
3 Cloud Security Report :books:
4 Cloud Management Panel :books:
4.1 API
- APISIX CVE-2022-29266 Vulnerability Analysis and Reproduction
- Protecting API Security with Tencent Cloud API Gateway
- Thoughts on API Business Security in Cloud-Native Environments
- API Security Protection Solutions under Cloud-Native Architecture
- Security Shifts in the API Economy
- Best practices for securing your applications and APIs using Apigee
- Escalating AWS IAM Privileges with an Undocumented CodeStar API
4.2 IAM
- Security Best Practices in IAM
- 6 Big AWS IAM Vulnerabilities – and How to Avoid Them
- AWS ELB, VPC and IAM Service Attack and Defense
- How to Enumerate IAM Permissions in Cloud Environments with Cliam
- Cloudsplaining: A Security Audit and Assessment Tool for AWS IAM
- How to Scan for Security Vulnerabilities in AWS IAM with Red-Shadow
- A Security Assessment Tool for IAM Privilege Escalation Vulnerabilities in AWS Environments
- IAM Your Defense Against Cloud Threats: The Latest Unit 42 Cloud Threat Research
- Exploiting, detecting, and correcting IAM security misconfigurations
- Privilege Escalation in Google Cloud Platform – Part 1 (IAM)
- AWS IAM Privilege Escalation
- Summary of Unified Authentication Risks under Microservices
- Microsoft fixes critical Azure bug that exposed customer data
- VMware Authentication Bypass Vulnerability (CVE-2022-22972) Technical Deep Dive
- Checking Your Own Permissions in AWS
- Working-As-Intended: RCE to IAM Privilege Escalation in GCP Cloud Build
4.3 Security Service
- Encryption in the Cloud: Managing Certificates and Keys in AWS
- CloudGoat detection_evasion Scenario: Avoiding AWS Security Detection and Response
4.4 Log and Audit
5 Cloud Service Panel :books:
5.1 IaaS
5.1.1 Compute
- AWS EC2 Elastic Compute Service Attack and Defense
- Alibaba Cloud ECS Attack and Defense
- Tencent Cloud Server Attack and Defense (CVM + Lightweight Application Server)
- Huawei Cloud ECS Elastic Cloud Server Attack and Defense
- Google Cloud Compute Engine Attack and Defense
- Microsoft Azure VM Attack and Defense
- A Brief Discussion of Cloud Attack and Defense: The Cloud Server Attack-Defense Matrix
- Huawei Cloud CTF "cloud" Unintended Solution: A k8s Penetration Walkthrough
- From a Cloud Server SSRF Vulnerability to Taking Over Your Alibaba Cloud Console
5.1.2 Storage
5.1.3 Network
5.2 PaaS
- AWS RDS Vulnerability Leads to AWS Internal Service Credentials
- Hunting AWS RDS security events with Sysdig
- Weaponizing AWS ECS Task Definitions to Steal Credentials From Running Containers
- Pillaging AWS ECS Task Definitions for Hardcoded Secrets
- Exploiting AWS ECR and ECS with the Cloud Container Attack Tool (CCAT)
- Cross-Account Database Vulnerability in Azure PostgreSQL
- Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access
- Wiz Research discovers "ExtraReplica": a cross-account database vulnerability in Azure PostgreSQL
- The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors
- Public Cloud Attack and Defense Series: Cloud Service Exploitation
- Microsoft Azure Cloud Database Attack and Defense
- Alibaba Cloud RDS Database Attack and Defense
- PostgreSQL JDBC Driver Arbitrary Code Execution Vulnerability (CVE-2022-21724)
- JDBC Vulnerabilities Extending from CVE-2022-21724
- IBM Cloud Databases for PostgreSQL was affected by a security vulnerability
- Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB
- Analyzing from the PostgreSQL Source Which Operations Require Superuser Privileges: What Privileges Does the Alibaba Cloud RDS superuser Provide
- TBase_Quick_Start
- Critical Vulnerability in Microsoft Azure Cosmos DB
- ChaosDB: How we hacked thousands of Azure customers’ databases
- ChaosDB explained: Azure's Cosmos DB vulnerability walkthrough
- AWS RDS Critical Security Vulnerability
- Reported Amazon RDS PostgreSQL Issue
- Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972)
- SynLapse – Technical Details for Critical Azure Synapse Vulnerability
- Microsoft Azure Synapse Pwnalytics
- Vulnerability Fixed in Azure Synapse Spark
- Azure Synapse: Local Privilege Escalation Vulnerability in Spark
- CosMiss: Azure Cosmos DB Notebook Remote Code Execution Vulnerability
5.3 SaaS
- Exploitation of ELK in Penetration Testing and Analysis of Its Secure Configuration
- Cloud Penetration: RDS Database Attack and Defense
- Huawei Cloud RDS Database Attack and Defense
- Database in the Cloud? Attack and Defense Techniques for AWS Cloud Databases
- Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
- Redis CSRF Vulnerability Analysis and Security Measures for the Cloud Database Redis Edition
6 Cloud Infrastructure Panel :books:
6.1 Docker&Kubernetes
- Cloud Native: Container Security Practices
- Docker Container Security Best Practices White Paper
- Kubernetes threat landscape
- k0otkit: A Universal Post-Exploitation Control Technique for K8s Clusters
- Hacking Kubernetes
- k8s-threat-model
- A Record of Cloud-Native Vulnerability Discovery and Exploitation in Red-Blue Confrontations
7 CSP Security :books:
7.1 AWS
- Overview of AWS Security
- AWS-IAM-Privilege-Escalation by RhinoSecurityLabs
- MITRE ATT&CK Matrices of AWS
- AWS security workshops
- ThreatModel for Amazon S3
7.2 Azure
- Overview of Azure Security
- Azure security fundamentals
- MicroBurst by NetSPI
- MITRE ATT&CK Matrices of Azure
- Azure security center workflow automation
7.3 GCP
- Overview of GCP Security
- GKE security scenarios demo
- MITRE ATT&CK Matrices of GCP
- Security response automation
7.4 Others
- Cloud Security Research by RhinoSecurityLabs
- CSA cloud security guidance v4
- Appsecco provides training
- Cloud Risk Encyclopedia by Orca Security: 900+ documented cloud security risks, with ability to filter by cloud vendor, compliance framework, risk category, and criticality.
8 Tools :hammer_and_wrench:
8.1 Infrastructure Tools
- cloud_enum: Multi-cloud OSINT tool. Enumerates public resources in AWS, Azure and Google Cloud.
- nuvola: A powerful automated security analysis tool for AWS environments. It uses simple, predefined and extensible custom rules written in YAML to dump all kinds of data from an AWS environment and performs automated/manual security analysis of the environment's configuration and services.
- aws_pwn: A collection of AWS penetration testing junk
- aws_ir: Python installable command line utility for mitigation of instance and key compromises.
- aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.
- aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
- awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
- azucar: A security auditing tool for Azure environments
- checkov: A static code analysis tool for infrastructure-as-code.
- cloud-forensics-utils: A python lib for DF & IR on the cloud.
- Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.
- cloudlist: Listing Assets from multiple Cloud Providers.
- Cloud Sniper: A platform designed to manage Cloud Security Operations.
- Cloudmapper: Analyze your AWS environments.
- Cloudmarker: A cloud monitoring tool and framework.
- Cloudsploit: Cloud security configuration checks.
- CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.
- Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
- consoleme: A Central Control Plane for AWS Permissions and Access
- cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
- Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.
- dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.
- diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
- ElectricEye: Continuously monitor AWS services for configurations.
- Forseti security: GCP inventory monitoring and policy enforcement tool.
- Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
- kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
- Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
- Open policy agent: Policy-based control tool.
- pacbot: Policy as Code Bot.
- pacu: The AWS exploitation framework.
- Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.
- ScoutSuite: Multi-cloud security auditing tool.
- Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.
- Smogcloud: Find cloud assets that no one wants exposed.
- Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.
- Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
- tfsec: Static analysis powered security scanner for Terraform code.
- Zeus: AWS Auditing & Hardening Tool.
8.2 Container Tools
- [CDK](https://github.com/cdk-team/CDK/wiki/CDK-Home-CN): A penetration testing tool tailored for container environments, providing zero-dependency common commands and PoC/EXP inside an already compromised container. It integrates escape, lateral movement and persistence techniques specific to Docker/K8s scenarios, managed as plugins.
- ScoutSuite: Cloud security auditing tool, with Kubernetes support added.
- [Kubeeye](https://github.com/kubesphere/kubeeye): Kubernetes open-source security tool.
- auditkube: Audit for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
- Falco: Container runtime security.
- mkit: Managed kubernetes inspection tool.
- Open policy agent: Policy-based control tool.
8.3 SaaS Tools
- [S3cret Scanner](https://github.com/Eilonh/s3crets_scanner): Secret scanner for public S3 buckets.
- aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.
- binaryalert: Serverless S3 yara scanner.
- cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
- Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.
- Function Shield: Protection/detection library for AWS Lambda and GCP Functions.
- FestIN: S3 bucket finder and content discovery.
- GCPBucketBrute: A script to enumerate Google Storage buckets.
- IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.
- Lambda Guard: AWS Lambda auditing tool.
- Policy Sentry: IAM Least Privilege Policy Generator.
- S3 Inspector: Tool to check AWS S3 bucket permissions.
- Serverless Goat: A serverless application demonstrating common serverless security flaws.
- SkyArk: Tool that helps to discover, assess and secure the most privileged entities in Azure and AWS.
8.4 Penetration Testing Tools
- CF: CF is a cloud environment exploitation framework, suitable for lateral movement within cloud intranets in red-team scenarios, for determining the impact of a leaked Access Key (access credential) in SRC vulnerability-disclosure scenarios, for self-inspection of your own cloud assets in enterprise scenarios, and more.
- [trufflehog](https://github.com/trufflesecurity/trufflehog): trufflehog helps developers detect whether the projects they publish on GitHub have accidentally leaked any secret keys. It includes 600+ credential detectors, with support for active verification against their respective APIs.
- [Packer Fuzzer](https://github.com/rtcatc/Packer-Fuzzer): A scanner for fast, efficient security testing of websites built with front-end bundlers such as Webpack.
- ccat: Cloud Container Attack Tool.
- CloudBrute: A multiple cloud enumerator.
- cloudgoat: "Vulnerable by Design" AWS deployment tool.
- Leonidas: A framework for executing attacker actions in the cloud.
- Sadcloud: Tool for spinning up insecure AWS infrastructure with Terraform.
- TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.
- WrongSecrets: A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.