ScoutSuite – Multi-Cloud Security Auditing Tool

Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
Scout Suite is stable and actively maintained, but a number of features and internals may change. As such, please bear with us as we find time to work on, and improve, the tool. Feel free to report a bug with details (please provide console output using the --debug argument), request a new feature, or send a pull request.
The project team can be contacted at [email protected].
Scout2 is available at https://github.com/nccgroup/Scout2/releases and https://pypi.org/project/AWSScout2. Further work is not planned for Scout2. Fixes will be implemented in Scout Suite.

Support
The following cloud providers are currently supported/planned:

  • Amazon Web Services
  • Microsoft Azure (beta)
  • Google Cloud Platform
  • Alibaba Cloud (early alpha)
  • Oracle Cloud Infrastructure (early alpha)

Installation
Refer to the wiki.

Compliance

AWS
Use of Scout Suite does not require AWS users to complete and submit the AWS Vulnerability / Penetration Testing Request Form. Scout Suite only performs API calls to fetch configuration data and identify security gaps, which is not considered security scanning as it does not impact AWS' network and applications.

Azure
Use of Scout Suite does not require Azure users to contact Microsoft to begin testing. The only requirement is that users abide by the Microsoft Cloud Unified Penetration Testing Rules of Engagement.
References:

  • https://docs.microsoft.com/en-us/azure/security/azure-security-pen-testing
  • https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement

Google Cloud Platform
Use of Scout Suite does not require GCP users to contact Google to begin testing. The only requirement is that users abide by the Cloud Platform Acceptable Use Policy and the Terms of Service and ensure that tests only affect projects you own (and not other customers' applications).
References:

  • https://cloud.google.com/terms/aup
  • https://cloud.google.com/terms/

Usage
The following command will provide the list of available command line options:

$ python scout.py --help

You can also use this to get help on a specific provider:

$ python scout.py PROVIDER --help

For further details, check out our Wiki pages at https://github.com/nccgroup/ScoutSuite/wiki.
After performing a number of API calls, Scout will create a local HTML report and open it in the default browser.
Also note that the command line will try to infer the argument name if possible when receiving a partial switch. For example, this will work and use the selected profile:

$ python scout.py aws --profile PROFILE
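
Added example, not Scout Suite's own code: a constructed parser showing how partial-switch inference behaves, assuming the CLI relies on Python argparse prefix matching. The `--proxy` option and the `audit` profile name are hypothetical; the point is that an abbreviated switch in an audit script can stop resolving once another option shares its prefix, so automation should spell switches out in full.

```python
import argparse


def build_parser(allow_abbrev=True, extra_options=()):
    """Constructed stand-in for a provider sub-command (not Scout Suite's parser)."""
    parser = argparse.ArgumentParser(prog="scout.py", allow_abbrev=allow_abbrev)
    providers = parser.add_subparsers(dest="provider", required=True)
    # allow_abbrev is not inherited, so it is set on the sub-parser as well.
    aws = providers.add_parser("aws", allow_abbrev=allow_abbrev)
    aws.add_argument("--profile", help="named credentials profile")
    aws.add_argument("--debug", action="store_true")
    for option in extra_options:  # options a later release might add (hypothetical)
        aws.add_argument(option)
    return parser


def resolve(parser, argv):
    """Return the parsed options as a dict, or None if argparse rejects argv."""
    try:
        return vars(parser.parse_args(argv))
    except SystemExit:  # argparse reports the error on stderr and exits
        return None


def demo():
    abbreviated = ["aws", "--pro", "audit"]
    results = {
        # "--pro" is a unique prefix of "--profile", so it is accepted.
        "today": resolve(build_parser(), abbreviated),
        # Once "--proxy" exists, "--pro" matches two options and is rejected.
        "after_new_option": resolve(build_parser(extra_options=["--proxy"]), abbreviated),
        # With inference disabled, only the full switch is accepted.
        "strict_abbrev": resolve(build_parser(allow_abbrev=False), abbreviated),
        "strict_full": resolve(build_parser(allow_abbrev=False),
                               ["aws", "--profile", "audit"]),
    }
    return results


if __name__ == "__main__":
    for case, parsed in demo().items():
        print(f"{case:17} -> {parsed}")
```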

Credentials
Assuming you already have your provider's CLI up and running, you will have your credentials already set up and be able to run Scout Suite by using one of the following commands. If that is not the case, please consult the wiki page for the provider desired.

Amazon Web Services

$ python scout.py aws

Azure

$ python scout.py azure --cli

Google Cloud Platform

$ python scout.py gcp --user-account

Additional information can be found in the wiki.


Published by Marshmallow