Here is a list of tools that make life easier when working with AWS.
It’s forever a work in progress.
Unless otherwise stated, the tool works with AWS directly in some way. Some of the tools are for supporting services such as external identity providers or continuous integration services.
Things I use and recommend
- AWS CLI version 2. I call this out separately from V1 because it’s unfortunately a different installation experience and more difficult to keep updated. There is an ongoing debate on the Github project about how to resolve this. It’s worth installing it just for the built-in SSO login support.
- aws-gate simplifies the use of Session
Manager to use SSH to connect to resource in your VPC without opening any
public access to your network. All the access is proxiewd through AWS APIs and
controlled with IAM permissions. I added the
aws-gate ssh -Loption to make it easy to establish a tunnel to other VPC resources with zero client-side configuration.
- saml2aws automates the single-sign-on process for various third-party SSO providers. I can vouch for its utility in integrating JumpCloud. I improved the JumpCloud experience by making it fail correctly when a 401 response does not prompt for MFA.
- AWS SAM CLI is the best way to deploy CloudFormation stacks, even if you don’t use any of the SAM syntax. The “deploy” command is used instead of the standard CLI’s create-stack and update-stack commands and provides a synchronous experience. The command paints status updates on your resources until the final state of the stack is known. You no longer need to check the CloudFormation console or poll the stack status to know whether your stack deployed properly.
- jccli. A command line client used to administrate the hosted JumpCloud identity provider service. If you need to list users and groups, it might be faster to use this than clicking through the JumpCloud console.
- Pipelines. A local pipeline runner for Bitbucket pipelines. Need to test the setup of CloudFormation stack from scratch in a pipeline? That can consume several of your precious build minutes. Save them by running the pipeline locally before committing wasteful errors.
- clustergit is great for making sure all your git repos are synced to the remotes. You just run clustergit in the parent folder and you get a status report for each repo to show you what you still have to commit. Then it can push everything up in parallel.
- crudini - AWS CLI config files are written in INI file format, so you can use crudini to script changes to them or actions based on them.
- awsls is a simpler way to list the resources of a certain type in an AWS account. Now you don’t have to look up the API call for listing for each resource type, because this tool knows how to do it for you.
- AWS Config Rules Repository are
the conformance pack templates that you can see in the AWS Config console. You
can’t deploy to a an organization using the console. You need to use the CLI.
And so you should clone this repo and pass the local path of your chosen
conformance pack template to the
- AWS Service Matrix shows which services are available in which regions in a relatively easy to read format. Surprisingly few services are available everywhere.
- * MAMIP (Monitor AWS Managed IAM Policies) automates the retrieval of new AWS Managed IAM Policies make it easier to monitor and get alerted when changes occur using “Watch” feature of Github or Twitter Account. * AWS Config Resource Schema property files define the properties and types of the AWS Config resource configuration items (CIs) that are searchable using the SelectResources API. You’ll need to consult this to use AWS Config’s advanced SQL queries. *
- Search Public Buckets a free tool that lists open s3 buckets and helps you search for interesting files. Don’t be on this list.
Things I haven’t tried yet
- Bees with Machine Guns
- Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
- https://github.com/jckuester/awsweeper, by the author of awsls, for cleaning out an AWS account.
- See CloudSecList docs for exmaple of using mkdocs to build a wiki-style website. I’d like my site to look more like that.
- aws-allowlister automatically compiles an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
- aws_public_ips is a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.
- cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.
- iamlive generates a basic IAM policy from AWS client-side monitoring (CSM)
- mega-linter Mega-Linter is an 100% Open-Source tool for CI/CD workflows that analyzes consistency and quality of different languages and formats.
- ConsoleMe is a web service that makes AWS IAM permissions and credential management easier for end-users and cloud administrators.
- Weep is a CLI utility for retreiving AWS credentials from ConsoleMe.
- Quail provides a user interface where your team can select configure their EC2 instance and provision it with a click of a button in any supported region or account. And you don’t have to worry about cleaning them up - Quail handles that for you, too!
- rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources. It makes it easy to reason about resource visibility across all the accounts in your org.
- Introspector is a tool and schema for importing cloud infrastructure configuration. The goal is to unlock the expressive power of SQL and relational databases to ask questions about what is currently deployed in your cloud.
- actions2aws “is a GitHub action that can grant your workflows access to AWS via an AWS IAM role session. This means no need to store long-lived credentials in GitHub and comes with a few other benefits.” It looks like basically you need to store Github credentials in AWS Secrets Manager instead.
- SSM Tree is a tool that provides a tree visualization of the parameters hierarchy from AWS System Manager Parameter Store.
- aws2-wrap makes it easier to use AWS Single Sign On credentials with tools that don’t understand the sso entries in an AWS profile. * IAM Access Analyzer Policy Validation helps you to construct IAM policies and SCPs that take advantage of time-tested AWS best practices. It’s like Parliament, but built into AWS.
- Principal Mapper models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
- Bucket Stream find interesting Amazon S3 buckets by watching certificate transparency llogs.
- s3audit Checks the settings for all S3 buckets in an AWS account for public access
- cloudtrail-parquet-glue is terraform module that builds a Glue workflow to convert CloudTrail S3 logs to Athena-friendly Parquet format and make them available as a table using a Glue Crawler.
- aws-export-credentials gets AWS credentials from a profile to inject into other programs.
- aws-sso-util smooths out the rought edges of AWS SSO.
- botocove is a Python decorator to run against a selection of AWS accounts, or all AWS accounts in an organization, concurrently.
- Audit Manager launches an assessment that continuously collects and organizes relevant evidence from your AWS accounts and resources, such as resource configuration snapshots, user activity, and compliance check results. * The CloudFormation Command Line Interface (CLI) is an open-source tool that enables you to develop and test AWS and third-party extensions, such as resource types or modules, and register them for use in AWS CloudFormation * IAM Access Analyzer now generates least-privilege permissions based on access activity.
- Access Analyzer - Batch Policy Validator analyzes using AWS Access Analyzer - Policy Validation all your account customer managed IAM policies.
How to passively discover AWS tools
Subscribe to Corey Quinn’s Last Week in AWS. He shares interesting tools at the end of every newsletter.
Watch Donne Martin’s Awesome AWS repo. It’s basically a community-maintained, all-encompassing version of this page. I don’t intend this page to replicate the breadth of Donne’s list.
Subscribe to Clint Gibler’s tldr;sec newsletter.