
Visibility & Enforcement


Tool Description

AWS Resource Explorer
  • Search through the AWS resources in your account across Regions using metadata such as names, tags, and IDs

  • Analyze AWS environments by creating network diagrams
  • Permissions: ViewOnlyAccess, SecurityAudit
  • Configuration:
    • Copy config.json.demo to config.json
    • Edit it to include your account ID and name (e.g. "prod"), along with any external CIDR names
  • Usage:
      # Collect data & show network diagram
      $ python collect --account my_account
      $ python prepare --account my_account
      $ python webserver
      # Find public APIs/hosts/port ranges
      $ python api_endpoints
      $ python public
      # Audit (check for potential misconfigurations)
      $ python audit
      $ python find_admins
      # Web of Trust: identifies the AWS accounts trusted by a set of AWS accounts
      $ python wot --account all
      # Show resource usage
      $ python report

Starbase
  • Collects assets and relationships from services and systems, including cloud infrastructure, SaaS applications, and security controls, into an intuitive graph view backed by a Neo4j database
  • See also the companion blog post


Tool Description

Cloud Custodian
  • Rules engine for cloud security, cost optimization, and governance; policies are written in a YAML DSL that queries, filters, and takes actions on resources
  • Custodian can manage AWS, Azure, and GCP environments by ensuring real-time compliance with security policies (such as encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management

Cloud Inquisitor
  • Monitor AWS objects for ownership attribution, notify account owners of unowned objects, and remove unowned AWS objects if ownership is not resolved
  • Detect domain hijacking
  • Verify security services such as CloudTrail and VPC Flow Logs
  • Manage IAM policies across multiple accounts

Dow Jones Hammer
  • Multi-account cloud security tool for AWS
  • Identifies misconfigurations and insecure data exposures within the most popular AWS resources, across all regions and accounts
  • Near real-time reporting capabilities (e.g. JIRA, Slack)
  • Can auto-remediate some misconfigurations

AWS Auto Remediate
  • Instantly remediate common security issues through the use of AWS Config

Cloudkeeper
  • Standalone CLI tool that periodically collects a list of resources in cloud accounts (AWS, GCP, Azure), provides metrics about them, and can clean them up

metabadger
  • Helps prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2)