A curated list of cloud security tools for AWS, Azure, GCP, and Kubernetes.
Whether you're a penetration tester, cloud security engineer, DevSecOps professional, or security researcher, this list provides tools for offensive security, defensive security, compliance, and IAM analysis.
## Contents

- Multi-Cloud Security
- Attack Path Analysis
- AWS Security
- Azure Security
- GCP Security
- Container and Kubernetes Security
- IAM Analysis
- Secrets Scanning
- Compliance and Governance
- Infrastructure as Code Security
- Serverless Security
- Training Labs
## Multi-Cloud Security

- Nubicustos - Unified security platform orchestrating 24+ tools with attack path analysis and compliance across AWS, Azure, GCP, and Kubernetes.
- Prowler - Security assessment tool for AWS, Azure, GCP, and Kubernetes with CIS benchmark checks.
- ScoutSuite - Multi-cloud security auditing tool supporting AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud.
- CloudSploit - Cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud.
- CloudQuery - Open source cloud asset inventory with SQL-based policy engine.
- Steampipe - Query cloud APIs using SQL with pre-built compliance mods.
- Cloud Custodian - Rules engine for cloud security, cost optimization, and governance.
- Magpie - Cloud security posture management with data discovery.
- Cartography - Graph-based asset inventory and relationship mapping.
- cloudlist - Multi-cloud asset listing tool.
- Resoto - Infrastructure inventory with search and analytics.
## Attack Path Analysis

- CloudFox - AWS attack surface enumeration for penetration testers.
- PMapper - AWS IAM privilege escalation path finder using graph analysis.
- Cloudmapper - AWS environment visualization and analysis.
- AzureHound - Azure data collector for BloodHound attack path analysis.
## AWS Security

- Pacu - AWS exploitation framework for penetration testing.
- aws_pwn - Collection of AWS penetration testing tools.
- Endgame - AWS pentesting tool that backdoors resource policies to share resources with a rogue account or with the internet.
- Weirdaal - AWS attack library.
- ccat - Cloud Container Attack Tool.
- Nimbostratus - AWS security assessment tool.
- ElectricEye - AWS security posture management with auto-remediation.
- Security Monkey - Netflix's security configuration monitoring for AWS and GCP (archived, no longer maintained).
- Cloudsplaining - AWS IAM policy analysis for least privilege violations.
- Parliament - AWS IAM linting library.
- enumerate-iam - Brute-force the permissions of a set of AWS credentials by calling read-only APIs (noisy in CloudTrail).
- IAMFinder - Enumerate and identify IAM users and roles in a target AWS account.
- aws-iam-tester - Test IAM permissions systematically.
- iamlive - Generate IAM policies from observed AWS API calls (client-side monitoring or proxy mode).
- S3Scanner - Scan for open S3 buckets.
- bucket-finder - S3 bucket discovery tool.
- AWSBucketDump - Quickly enumerate S3 buckets.
- s3-inspector - Check S3 bucket permissions.
- S3cret Scanner - Search for secrets in S3 buckets.
## Azure Security

- ROADtools - Azure AD exploration framework.
- MicroBurst - PowerShell toolkit for Azure security.
- Stormspotter - Azure Red Team tool for graphing resources.
- PowerZure - PowerShell framework for Azure security.
- AADInternals - Azure AD administration PowerShell module.
- ScubaGear - M365 security configuration assessment.
- Monkey365 - Azure and Microsoft 365 security scanner.
- AzureADRecon - Azure AD enumeration and reconnaissance.
## GCP Security

- GCPBucketBrute - GCP bucket enumeration.
- gcp_enum - GCP enumeration tool.
- gcp-iam-collector - Collect and analyze GCP IAM data.
- Hayat - GCP auditing and hardening script.
- Forseti Security - GCP security tool suite.
- gcp-audit - GCP security auditing.
## Container and Kubernetes Security

- Trivy - Comprehensive vulnerability scanner for containers, filesystems, and IaC.
- Grype - Vulnerability scanner for container images.
- Clair - Static analysis of container vulnerabilities.
- Anchore - Container image analysis and policy enforcement.
- Falco - Cloud-native runtime security.
- Tetragon - eBPF-based security observability.
- KubeArmor - Container-aware runtime security.
- Tracee - Linux runtime security with eBPF.
- kube-bench - CIS Kubernetes Benchmark checks.
- Kubescape - Kubernetes security platform with checks mapped to NSA-CISA hardening guidance and MITRE ATT&CK.
- kube-hunter - Kubernetes penetration testing.
- Polaris - Best practices validation.
- Popeye - Kubernetes cluster sanitizer.
- kube-linter - Static analysis for Kubernetes manifests.
- kubeaudit - Audit Kubernetes clusters for security concerns.
- Kubei - Kubernetes runtime vulnerability scanner (succeeded by KubeClarity).
## IAM Analysis

- iam-policy-json-to-terraform - Convert IAM policies to Terraform.
## Secrets Scanning

- TruffleHog - 700+ secret detectors with API verification.
- Gitleaks - Fast Git secrets scanner with extensive rule set.
- detect-secrets - Secrets detection in codebases.
- git-secrets - Prevent committing secrets to Git.
- ggshield - GitGuardian CLI for secrets detection.
- whispers - Static code analysis for secrets.
## Compliance and Governance

- OpenSCAP - Security Content Automation Protocol implementation.
- InSpec - Infrastructure testing and compliance automation.
## Infrastructure as Code Security

- Checkov - Static analysis for Terraform, CloudFormation, Kubernetes, Helm, and ARM templates.
- tfsec - Security scanner for Terraform code (now part of Trivy).
- Terrascan - Static code analyzer for IaC with 500+ policies.
- KICS - Infrastructure as Code scanner for security vulnerabilities.
- Regula - Policy engine for Terraform and CloudFormation using Rego.
## Serverless Security

- Serverless Goat - OWASP ServerlessGoat, a deliberately vulnerable serverless application.
- DVSA - Damn Vulnerable Serverless Application.
## Training Labs

- CloudGoat - Vulnerable by design AWS deployment tool.
- Sadcloud - Terraform for insecure AWS infrastructure.
- TerraGoat - Vulnerable Terraform repository.
- AWSGoat - Vulnerable AWS infrastructure.
- flaws.cloud - AWS CTF challenges.
- flaws2.cloud - Follow-up AWS CTF with attacker and defender tracks.
- AzureGoat - Vulnerable Azure infrastructure.
- Purple Cloud - Azure Active Directory lab.
- GCPGoat - Vulnerable GCP infrastructure.
- thunder-ctf - GCP CTF framework.
- Kubernetes Goat - Vulnerable Kubernetes cluster.
- kube-security-lab - Kubernetes security testing lab.
- WrongSecrets - Demonstrate secret management failures across AWS, Azure, and GCP.
- Pwned Labs - Free hosted cloud security labs.
- HackTheBox Cloud Labs - Cloud penetration testing labs.
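The IAM policy tools listed under AWS Security (Cloudsplaining, Parliament) and the S3 permission checkers (s3-inspector, S3Scanner) all reduce to static checks over policy JSON. The linter below is an added example, not code from any listed project: it flags the patterns those tools report, i.e. Allow statements with wildcard actions or resources, NotAction grants, privilege-escalation actions allowed on Resource "*", and a public Principal in a resource policy. The PRIVESC_ACTIONS set and both policy documents are constructed for this illustration.

```python
"""Static linter for AWS IAM identity and resource policies.

Added example of the class of check that IAM policy linters and S3 bucket
permission scanners perform. Illustrative code, not taken from any project.
"""
import fnmatch
import json

# Constructed, non-exhaustive set of actions that let a principal grant itself
# more access when they are allowed on Resource "*".
PRIVESC_ACTIONS = frozenset({
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:attachgrouppolicy",
    "iam:putuserpolicy", "iam:putrolepolicy", "iam:putgrouppolicy",
    "iam:createaccesskey", "iam:createloginprofile", "iam:updateloginprofile",
    "iam:updateassumerolepolicy", "iam:passrole", "sts:assumerole",
    "lambda:createfunction", "lambda:updatefunctioncode",
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and '*' is the only wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def lint_policy(policy):
    """Return (sid, check, detail) findings for every Allow statement."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever reduce access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append((sid, "NotAction",
                             "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "AdminAccess",
                             'Action "*" is full administrative access'))
        elif any(a.endswith(":*") for a in actions):
            wild = ", ".join(a for a in actions if a.endswith(":*"))
            findings.append((sid, "ServiceWildcard", "all actions of: " + wild))
        if "*" in resources and not conditioned:
            findings.append((sid, "ResourceWildcard",
                             'Resource "*" with no Condition scoping it'))
        escalation = sorted(p for p in PRIVESC_ACTIONS
                            if any(_action_matches(a, p) for a in actions))
        if escalation and "*" in resources:
            findings.append((sid, "PrivilegeEscalation",
                             "unrestricted " + ", ".join(escalation)))
        if "Principal" in stmt and _is_public(stmt["Principal"]):
            note = " (has Condition, review it)" if conditioned else ""
            findings.append((sid, "PublicPrincipal", "anonymous access" + note))
    return findings


# Constructed identity policy: one tight statement, one over-broad one, one Deny.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "ManageIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Sid": "BlockOtherRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}
  ]
}""")

# Constructed S3 bucket policy that makes every object world-readable.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}""")

if __name__ == "__main__":
    for name, doc in ("identity", IDENTITY_POLICY), ("bucket", BUCKET_POLICY):
        for sid, check, detail in lint_policy(doc):
            print(f"{name}: {sid}: {check}: {detail}")
```

Running it reports nothing for `ReadReports`, three findings for `ManageIam` (`iam:*` on `Resource "*"` is both a wildcard grant and a complete privilege-escalation path), and `PublicPrincipal` for the bucket policy. Real linters add per-service resource-ARN awareness, `NotResource`, and condition-key evaluation on top of this skeleton; the Deny statement is skipped deliberately because it can only remove access.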
Contributions welcome! Read the contribution guidelines first.