Here is a list of tools that make life easier when working with AWS.
It’s forever a work in progress.
Unless otherwise stated, the tool works with AWS directly in some way. Some of the tools are for supporting services such as external identity providers or continuous integration services.
Things I use and recommend
- AWS CLI version 2. I call this out separately from V1 because it’s unfortunately a different installation experience and more difficult to keep updated. There is an ongoing debate on the GitHub project about how to resolve this. It’s worth installing it just for the built-in SSO login support.
- aws-gate simplifies the use of Session Manager to use SSH to connect to resources in your VPC without opening any public access to your network. All the access is proxied through AWS APIs and controlled with IAM permissions. I added the aws-gate ssh -L option to make it easy to establish a tunnel to other VPC resources with zero client-side configuration.
- saml2aws automates the single-sign-on process for various third-party SSO providers. I can vouch for its utility in integrating JumpCloud. I improved the JumpCloud experience by making it fail correctly when a 401 response does not prompt for MFA.
- AWS SAM CLI is the best way to deploy CloudFormation stacks, even if you don’t use any of the SAM syntax. The “deploy” command is used instead of the standard CLI’s create-stack and update-stack commands and provides a synchronous experience. The command paints status updates on your resources until the final state of the stack is known. You no longer need to check the CloudFormation console or poll the stack status to know whether your stack deployed properly.
- jccli. A command line client used to administrate the hosted JumpCloud identity provider service. If you need to list users and groups, it might be faster to use this than clicking through the JumpCloud console.
- Pipelines. A local pipeline runner for Bitbucket pipelines. Need to test the setup of CloudFormation stack from scratch in a pipeline? That can consume several of your precious build minutes. Save them by running the pipeline locally before committing wasteful errors.
- clustergit is great for making sure all your git repos are synced to the remotes. You just run clustergit in the parent folder and you get a status report for each repo to show you what you still have to commit. Then it can push everything up in parallel.
- crudini - AWS CLI config files are written in INI file format, so you can use crudini to script changes to them or actions based on them.
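As an added example (not part of the original list, and using Python’s configparser rather than crudini itself), this shows how the INI layout lets you script both checks and changes: the sample config is constructed, and the “profile ” section prefix is the AWS config-file convention.

```python
"""Script checks and changes against an AWS CLI config file, which is plain INI.
Added example; uses configparser instead of crudini, same idea."""
import configparser
import io

# Constructed sample of ~/.aws/config: one SSO profile, one that still pins static keys.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
output = json

[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 111111111111
sso_role_name = AdministratorAccess

[profile legacy]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRET
"""


def load_config(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def profile_name(section):
    # In ~/.aws/config every profile except "default" is written as "[profile <name>]".
    return section[len("profile "):] if section.startswith("profile ") else section


def profiles_with_static_keys(cp):
    """Profiles that embed long-lived access keys: candidates to migrate to SSO."""
    return sorted(profile_name(s) for s in cp.sections() if cp.has_option(s, "aws_access_key_id"))


def sso_profiles(cp):
    """Profiles that authenticate through AWS SSO (no static secret stored on disk)."""
    return sorted(profile_name(s) for s in cp.sections() if cp.has_option(s, "sso_start_url"))


def set_region_everywhere(cp, region):
    """Equivalent of looping `crudini --set` over each section: pin a region on every profile."""
    for s in cp.sections():
        cp.set(s, "region", region)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()
```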
- awsls is a simpler way to list the resources of a certain type in an AWS account. Now you don’t have to look up the API call for listing for each resource type, because this tool knows how to do it for you.
- AWS Config Rules Repository contains the conformance pack templates that you can see in the AWS Config console. You can’t deploy to an organization using the console; you need to use the CLI. So you should clone this repo and pass the local path of your chosen conformance pack template to the
- AWS Service Matrix shows which services are available in which regions in a relatively easy to read format. Surprisingly few services are available everywhere.
- MAMIP (Monitor AWS Managed IAM Policies) automates the retrieval of new AWS managed IAM policies, making it easier to monitor and get alerted when changes occur using the “Watch” feature of GitHub or its Twitter account.
- AWS Config Resource Schema property files define the properties and types of the AWS Config resource configuration items (CIs) that are searchable using the SelectResources API. You’ll need to consult this to use AWS Config’s advanced SQL queries.
- Search Public Buckets is a free tool that lists open S3 buckets and helps you search for interesting files. Don’t be on this list.
Things I haven’t tried yet
- Bees with Machine Guns
- Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
- https://github.com/jckuester/awsweeper, by the author of awsls, for cleaning out an AWS account.
- See CloudSecList docs for an example of using mkdocs to build a wiki-style website. I’d like my site to look more like that.
- aws-allowlister automatically compiles an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
- aws_public_ips is a tool to fetch all public IP addresses (both IPv4/IPv6) associated with an AWS account.
- cloudlist is a multi-cloud tool for getting Assets (Hostnames, IP Addresses) from Cloud Providers.
- iamlive generates a basic IAM policy from AWS client-side monitoring (CSM).
- mega-linter. Mega-Linter is a 100% open-source tool for CI/CD workflows that analyzes the consistency and quality of different languages and formats.
- ConsoleMe is a web service that makes AWS IAM permissions and credential management easier for end-users and cloud administrators.
- Weep is a CLI utility for retrieving AWS credentials from ConsoleMe.
- Quail provides a user interface where your team can select and configure their EC2 instance and provision it with a click of a button in any supported region or account. And you don’t have to worry about cleaning them up - Quail handles that for you, too!
- rpCheckup is an AWS resource policy security checkup tool that identifies public, external account access, intra-org account access, and private resources. It makes it easy to reason about resource visibility across all the accounts in your org.
- Introspector is a tool and schema for importing cloud infrastructure configuration. The goal is to unlock the expressive power of SQL and relational databases to ask questions about what is currently deployed in your cloud.
- actions2aws “is a GitHub action that can grant your workflows access to AWS via an AWS IAM role session. This means no need to store long-lived credentials in GitHub and comes with a few other benefits.” It looks like basically you need to store Github credentials in AWS Secrets Manager instead.
- SSM Tree is a tool that provides a tree visualization of the parameters hierarchy from AWS System Manager Parameter Store.
- aws2-wrap makes it easier to use AWS Single Sign On credentials with tools that don’t understand the sso entries in an AWS profile.
- IAM Access Analyzer Policy Validation helps you to construct IAM policies and SCPs that take advantage of time-tested AWS best practices. It’s like Parliament, but built into AWS.
- Principal Mapper models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.
- Bucket Stream finds interesting Amazon S3 buckets by watching certificate transparency logs.
- s3audit checks the settings for all S3 buckets in an AWS account for public access.
- cloudtrail-parquet-glue is a Terraform module that builds a Glue workflow to convert CloudTrail S3 logs to Athena-friendly Parquet format and makes them available as a table using a Glue Crawler.
- aws-export-credentials gets AWS credentials from a profile to inject into other programs.
- aws-sso-util smooths out the rough edges of AWS SSO.
- botocove is a Python decorator to run against a selection of AWS accounts, or all AWS accounts in an organization, concurrently.
- Audit Manager launches an assessment that continuously collects and organizes relevant evidence from your AWS accounts and resources, such as resource configuration snapshots, user activity, and compliance check results.
- The CloudFormation Command Line Interface (CLI) is an open-source tool that enables you to develop and test AWS and third-party extensions, such as resource types or modules, and register them for use in AWS CloudFormation.
- IAM Access Analyzer now generates least-privilege permissions based on access activity.
- Access Analyzer - Batch Policy Validator analyzes all your account’s customer managed IAM policies using AWS Access Analyzer - Policy Validation.
- [Assisted Log Enabler](https://github.com/awslabs/assisted-log-enabler-for-aws) finds resources that are not logging and turns logging on. Supports VPC Flow Logs, CloudTrail, EKS Audit and Authenticator Logs, S3 Access Logs, and Route 53 Query Logs.
- yor is an open-source tool that helps add informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless.
- llama’s goal is to make it easy to outsource compute-heavy tasks to Lambda, with its enormous available parallelism, from your shell. Llama includes llamacc, a drop-in replacement for gcc or clang which executes the compilation in the cloud, allowing for considerable speedups building large C or C++ software projects.
- s3wipe is a rapid parallelized AWS S3 key & bucket deleter.
- tail-stack-events is a convenient little CLI script (written in Node) to tail the latest AWS CloudFormation stack events. According to the open Github issues it doesn’t support profiles yet, but it looks promising. Like the AWS SAM CLI without being tied to SAM’s deployment model.
- awsrm simplifies deleting over 250 AWS resource types across multiple accounts and regions. It takes awsls as input.
- delete_vpc is a shell script to delete an AWS VPC and its dependencies. All the networking resources you would expect, plus EC2 instances, are listed as dependencies, but what about other services that use VPCs such as Redshift or CodeBuild to name a random couple?
- efsu is for accessing AWS EFS from your machine without a VPN. It achieves this by deploying a Lambda function and shuttling data between your machine and EFS via that function. You can use it to copy a file from EFS to your local machine!
- stackit is a CLI tool to synchronously and idempotently operate on AWS CloudFormation stacks. Provides commands up, down, tail and outputs. By glassechidna, the same author as actions2aws.
- aws-cfn-update is a utility to programmatically update CloudFormation templates. Could be useful for automating imports.
- coto is like boto3, but scraping the AWS console. There exist some administrative tasks for which there is no public API, and there exist some AWS tasks that still require the AWS Account Root User.
- bash-my-aws Bash-my-AWS is a simple but powerful set of CLI commands for managing resources on Amazon Web Services. They harness the power of Amazon’s AWSCLI, while abstracting away verbosity. The project implements some innovative patterns but (arguably) remains simple, beautiful and readable.
- cfn-events watches AWS CloudFormation stack events and waits for completion. A standalone tail command that just works.
- better-boto is a collection of helper functions to make using AWS Boto easier. For example, it added a create_or_update method to the AWS CloudFormation client. It also provides some helpers for dealing with pagination operations and some help using AWS Organizations.
- ThreatModel for S3. See the blog: The last S3 security document that we’ll ever need, and how to use it.
- Superwerker lets you set up a secure multi-account AWS Cloud environment in just a few clicks. It has been developed to follow the latest best practices in cloud security and efficiency, by AWS Advanced Partners who have decades of experience in the field of cloud computing.
- Change log of AWS IAM permissions
- AWSUtility::CloudFormation::CommandRunner is a CloudFormation resource type that allows users to run Bash commands in any CloudFormation stack. Any output written using the command to the reserved file /command-output.txt can be referenced anywhere in your template by using !Fn::GetAtt Command.Output. See FAQ for comparison to Lambda, Custom Resources and Macros.
- Pyplate is a CloudFormation macro to run arbitrary Python code in your CloudFormation templates. It is useful for generating values that are impossible using the CloudFormation intrinsic functions.
How to passively discover AWS tools
Subscribe to Corey Quinn’s Last Week in AWS. He shares interesting tools at the end of every newsletter.
Watch Donne Martin’s Awesome AWS repo. It’s basically a community-maintained, all-encompassing version of this page. I don’t intend this page to replicate the breadth of Donne’s list.
Subscribe to Clint Gibler’s tldr;sec newsletter.