Appearance
Cloud Scout Cheat Sheet
Overview
Cloud Scout is an open-source tool developed by Sygnia for cloud security mapping and attack path visualization across hybrid cloud environments. This comprehensive platform provides security teams with the ability to map cloud infrastructure, identify attack paths, and visualize potential security risks across AWS, Azure, and Google Cloud Platform environments. Cloud Scout excels at providing a unified view of cloud security posture by combining data from multiple cloud providers and on-premises infrastructure to create comprehensive attack path analysis and security mapping capabilities.
⚠️ Warning: Cloud Scout requires appropriate permissions to access cloud resources. Only use this tool against cloud environments you own or have explicit written permission to assess. Unauthorized cloud scanning may violate terms of service and local laws.
Installation and Setup
Prerequisites
bash
# Install Python 3.8 or higher
python3 --version
# Install pip and virtualenv
sudo apt update
sudo apt install python3-pip python3-venv
# Install Node.js for web interface
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash -
sudo apt-get install -y nodejs
# Install Docker for containerized deployment
sudo apt install docker.io docker-compose
sudo usermod -aG docker $USERInstallation from Source
bash
# Clone Cloud Scout repository
git clone https://github.com/Sygnia/cloud-scout.git
cd cloud-scout
# Create virtual environment
python3 -m venv cloud-scout-env
source cloud-scout-env/bin/activate
# Install dependencies
pip install -r requirements.txt
# Install additional dependencies for cloud providers
pip install boto3 azure-identity azure-mgmt-resource google-cloud-asset
# Verify installation
python cloud_scout.py --helpDocker Installation
bash
# Pull Cloud Scout Docker image
docker pull sygnia/cloud-scout:latest
# Run Cloud Scout in Docker
docker run -it --rm \
-v $(pwd)/config:/app/config \
-v $(pwd)/output:/app/output \
-p 8080:8080 \
sygnia/cloud-scout:latest
# Create Docker Compose setup
cat > docker-compose.yml << 'EOF'
version: '3.8'
services:
cloud-scout:
image: sygnia/cloud-scout:latest
ports:
- "8080:8080"
volumes:
- ./config:/app/config
- ./output:/app/output
- ./data:/app/data
environment:
- CLOUD_SCOUT_CONFIG=/app/config/config.yaml
EOF
# Start with Docker Compose
docker-compose up -dCloud Provider Setup
AWS Configuration
bash
# Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
# Configure AWS credentials
aws configure
# Enter Access Key ID, Secret Access Key, Region, Output format
# Create IAM policy for Cloud Scout
cat > cloud-scout-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:List*",
"iam:Get*",
"s3:List*",
"s3:Get*",
"rds:Describe*",
"lambda:List*",
"lambda:Get*",
"cloudformation:List*",
"cloudformation:Describe*",
"cloudtrail:Describe*",
"cloudtrail:Get*",
"organizations:List*",
"organizations:Describe*"
],
"Resource": "*"
}
]
}
EOF
# Create IAM user and attach policy
aws iam create-user --user-name cloud-scout-user
aws iam put-user-policy --user-name cloud-scout-user --policy-name CloudScoutPolicy --policy-document file://cloud-scout-policy.json
aws iam create-access-key --user-name cloud-scout-userAzure Configuration
bash
# Install Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# Login to Azure
az login
# Create service principal for Cloud Scout
az ad sp create-for-rbac --name "cloud-scout-sp" --role "Reader" --scopes "/subscriptions/$(az account show --query id -o tsv)"
# Grant additional permissions
az role assignment create --assignee <service-principal-id> --role "Security Reader" --scope "/subscriptions/$(az account show --query id -o tsv)"
# Set environment variables
export AZURE_CLIENT_ID="<client-id>"
export AZURE_CLIENT_SECRET="<client-secret>"
export AZURE_TENANT_ID="<tenant-id>"
export AZURE_SUBSCRIPTION_ID="<subscription-id>"Google Cloud Platform Configuration
bash
# Install Google Cloud SDK
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
# Initialize gcloud
gcloud init
# Create service account
gcloud iam service-accounts create cloud-scout-sa --display-name="Cloud Scout Service Account"
# Grant necessary roles
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:cloud-scout-sa@PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/viewer"
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:cloud-scout-sa@PROJECT_ID.iam.gserviceaccount.com" \
--role="roles/security.securityReviewer"
# Create and download service account key
gcloud iam service-accounts keys create cloud-scout-key.json \
--iam-account=cloud-scout-sa@PROJECT_ID.iam.gserviceaccount.com
# Set environment variable
export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/cloud-scout-key.json"Configuration
Basic Configuration
yaml
# config/config.yaml
cloud_scout:
# General settings
output_directory: "./output"
log_level: "INFO"
max_threads: 10
# Cloud providers
providers:
aws:
enabled: true
regions: ["us-east-1", "us-west-2", "eu-west-1"]
accounts: ["123456789012"]
azure:
enabled: true
subscriptions: ["subscription-id-1", "subscription-id-2"]
gcp:
enabled: true
projects: ["project-id-1", "project-id-2"]
# Data collection settings
collection:
compute_instances: true
storage_buckets: true
databases: true
network_resources: true
iam_resources: true
security_groups: true
load_balancers: true
dns_records: true
# Analysis settings
analysis:
attack_paths: true
privilege_escalation: true
lateral_movement: true
data_exfiltration: true
persistence_mechanisms: true
# Visualization settings
visualization:
web_interface: true
port: 8080
export_formats: ["json", "csv", "graphml"]Advanced Configuration
yaml
# config/advanced-config.yaml
cloud_scout:
# Advanced collection settings
collection:
deep_scan: true
include_metadata: true
scan_interval: 3600 # seconds
# Resource-specific settings
compute:
include_stopped_instances: true
scan_instance_metadata: true
check_user_data: true
storage:
scan_bucket_policies: true
check_public_access: true
analyze_encryption: true
network:
map_vpc_peering: true
analyze_security_groups: true
check_nacls: true
scan_route_tables: true
iam:
analyze_policies: true
check_cross_account_access: true
map_role_assumptions: true
scan_service_accounts: true
# Attack path analysis
attack_paths:
algorithms:
- "shortest_path"
- "privilege_escalation"
- "lateral_movement"
- "data_access"
risk_scoring:
enabled: true
factors:
- "exposure_level"
- "privilege_level"
- "data_sensitivity"
- "attack_complexity"
filters:
min_risk_score: 5
max_path_length: 10
exclude_low_impact: true
# Reporting settings
reporting:
formats: ["html", "pdf", "json"]
include_remediation: true
executive_summary: true
technical_details: true
templates:
executive: "templates/executive.html"
technical: "templates/technical.html"
compliance: "templates/compliance.html"Basic Usage
Initial Cloud Mapping
bash
# Basic cloud mapping across all configured providers
python cloud_scout.py map --all-providers
# Map specific cloud provider
python cloud_scout.py map --provider aws
python cloud_scout.py map --provider azure
python cloud_scout.py map --provider gcp
# Map specific regions/subscriptions/projects
python cloud_scout.py map --provider aws --regions us-east-1,us-west-2
python cloud_scout.py map --provider azure --subscriptions sub-id-1
python cloud_scout.py map --provider gcp --projects project-1,project-2
# Map with specific resource types
python cloud_scout.py map --resources compute,storage,networkAttack Path Analysis
bash
# Analyze attack paths across all mapped resources
python cloud_scout.py analyze --attack-paths
# Analyze specific attack scenarios
python cloud_scout.py analyze --scenario privilege-escalation
python cloud_scout.py analyze --scenario lateral-movement
python cloud_scout.py analyze --scenario data-exfiltration
# Analyze with risk scoring
python cloud_scout.py analyze --risk-scoring --min-score 7
# Generate attack path report
python cloud_scout.py analyze --output-format html --report-type attack-pathsSecurity Assessment
bash
# Comprehensive security assessment
python cloud_scout.py assess --comprehensive
# Assess specific security domains
python cloud_scout.py assess --domains iam,network,storage
python cloud_scout.py assess --domains compute,database
# Compliance assessment
python cloud_scout.py assess --compliance cis-aws
python cloud_scout.py assess --compliance nist-csf
python cloud_scout.py assess --compliance iso27001
# Custom security checks
python cloud_scout.py assess --custom-checks config/custom-checks.yamlAdvanced Features
Multi-Cloud Environment Mapping
bash
# Map hybrid cloud environment
python cloud_scout.py map-hybrid \
--aws-accounts 123456789012,987654321098 \
--azure-subscriptions sub-1,sub-2 \
--gcp-projects project-1,project-2 \
--include-on-premises
# Cross-cloud relationship analysis
python cloud_scout.py analyze-relationships \
--cross-cloud \
--include-vpn-connections \
--include-peering
# Multi-cloud attack path analysis
python cloud_scout.py analyze-attack-paths \
--multi-cloud \
--include-cross-cloud-paths \
--risk-threshold 8Advanced Visualization
bash
# Generate interactive visualization
python cloud_scout.py visualize \
--interactive \
--include-attack-paths \
--color-by-risk
# Export to graph formats
python cloud_scout.py export \
--format graphml \
--include-metadata \
--output cloud-topology.graphml
# Generate network diagrams
python cloud_scout.py diagram \
--type network \
--provider aws \
--region us-east-1 \
--output network-diagram.pngContinuous Monitoring
bash
# Set up continuous monitoring
python cloud_scout.py monitor \
--interval 3600 \
--alert-on-changes \
--webhook-url https://hooks.slack.com/services/...
# Compare cloud states
python cloud_scout.py compare \
--baseline baseline-20231201.json \
--current current-scan.json \
--output-diff changes-report.html
# Automated reporting
python cloud_scout.py report \
--schedule daily \
--email-recipients security@company.com \
--include-executive-summaryAutomation Scripts
Comprehensive Cloud Security Assessment
bash
#!/bin/bash
# Comprehensive cloud security assessment using Cloud Scout
ASSESSMENT_NAME="$1"
OUTPUT_DIR="cloud_assessment_$(date +%Y%m%d_%H%M%S)"
REPORT_DIR="$OUTPUT_DIR/reports"
DATA_DIR="$OUTPUT_DIR/data"
if [ -z "$ASSESSMENT_NAME" ]; then
echo "Usage: $0 <assessment_name>"
echo "Example: $0 'Q4_2023_Security_Assessment'"
exit 1
fi
mkdir -p "$REPORT_DIR" "$DATA_DIR"
# Function to perform cloud mapping
perform_cloud_mapping() {
echo "[+] Starting cloud mapping phase"
# Map AWS environments
if python cloud_scout.py check-provider --provider aws; then
echo " [+] Mapping AWS environment"
python cloud_scout.py map \
--provider aws \
--all-regions \
--output "$DATA_DIR/aws-mapping.json" \
--verbose
fi
# Map Azure environments
if python cloud_scout.py check-provider --provider azure; then
echo " [+] Mapping Azure environment"
python cloud_scout.py map \
--provider azure \
--all-subscriptions \
--output "$DATA_DIR/azure-mapping.json" \
--verbose
fi
# Map GCP environments
if python cloud_scout.py check-provider --provider gcp; then
echo " [+] Mapping GCP environment"
python cloud_scout.py map \
--provider gcp \
--all-projects \
--output "$DATA_DIR/gcp-mapping.json" \
--verbose
fi
# Combine mappings
python cloud_scout.py combine-mappings \
--input-dir "$DATA_DIR" \
--output "$DATA_DIR/combined-mapping.json"
echo "[+] Cloud mapping completed"
}
# Function to analyze attack paths
analyze_attack_paths() {
echo "[+] Starting attack path analysis"
# Comprehensive attack path analysis
python cloud_scout.py analyze-attack-paths \
--input "$DATA_DIR/combined-mapping.json" \
--all-scenarios \
--risk-scoring \
--output "$DATA_DIR/attack-paths.json"
# Privilege escalation analysis
python cloud_scout.py analyze-privilege-escalation \
--input "$DATA_DIR/combined-mapping.json" \
--include-cross-account \
--output "$DATA_DIR/privilege-escalation.json"
# Lateral movement analysis
python cloud_scout.py analyze-lateral-movement \
--input "$DATA_DIR/combined-mapping.json" \
--include-network-paths \
--output "$DATA_DIR/lateral-movement.json"
# Data exfiltration analysis
python cloud_scout.py analyze-data-exfiltration \
--input "$DATA_DIR/combined-mapping.json" \
--include-storage-access \
--output "$DATA_DIR/data-exfiltration.json"
echo "[+] Attack path analysis completed"
}
# Function to perform security assessment
perform_security_assessment() {
echo "[+] Starting security assessment"
# CIS benchmark assessment
python cloud_scout.py assess-compliance \
--framework cis \
--input "$DATA_DIR/combined-mapping.json" \
--output "$DATA_DIR/cis-assessment.json"
# NIST CSF assessment
python cloud_scout.py assess-compliance \
--framework nist-csf \
--input "$DATA_DIR/combined-mapping.json" \
--output "$DATA_DIR/nist-assessment.json"
# Custom security checks
python cloud_scout.py assess-security \
--custom-checks config/security-checks.yaml \
--input "$DATA_DIR/combined-mapping.json" \
--output "$DATA_DIR/security-assessment.json"
# Risk assessment
python cloud_scout.py assess-risk \
--input "$DATA_DIR/combined-mapping.json" \
--include-attack-paths "$DATA_DIR/attack-paths.json" \
--output "$DATA_DIR/risk-assessment.json"
echo "[+] Security assessment completed"
}
# Function to generate reports
generate_reports() {
echo "[+] Generating comprehensive reports"
# Executive summary report
python cloud_scout.py generate-report \
--template executive \
--input-dir "$DATA_DIR" \
--output "$REPORT_DIR/executive-summary.html" \
--title "$ASSESSMENT_NAME - Executive Summary"
# Technical report
python cloud_scout.py generate-report \
--template technical \
--input-dir "$DATA_DIR" \
--output "$REPORT_DIR/technical-report.html" \
--title "$ASSESSMENT_NAME - Technical Report" \
--include-remediation
# Attack path report
python cloud_scout.py generate-report \
--template attack-paths \
--input "$DATA_DIR/attack-paths.json" \
--output "$REPORT_DIR/attack-paths-report.html" \
--include-visualizations
# Compliance report
python cloud_scout.py generate-report \
--template compliance \
--input-dir "$DATA_DIR" \
--output "$REPORT_DIR/compliance-report.html" \
--frameworks cis,nist-csf
# Generate PDF reports
for html_file in "$REPORT_DIR"/*.html; do
pdf_file="${html_file%.html}.pdf"
wkhtmltopdf "$html_file" "$pdf_file" 2>/dev/null || \
echo "Warning: Could not generate PDF for $(basename "$html_file")"
done
echo "[+] Report generation completed"
}
# Function to create visualizations
create_visualizations() {
echo "[+] Creating visualizations"
# Network topology visualization
python cloud_scout.py visualize-topology \
--input "$DATA_DIR/combined-mapping.json" \
--output "$REPORT_DIR/network-topology.html" \
--interactive
# Attack path visualization
python cloud_scout.py visualize-attack-paths \
--input "$DATA_DIR/attack-paths.json" \
--output "$REPORT_DIR/attack-paths-visualization.html" \
--color-by-risk
# Risk heatmap
python cloud_scout.py generate-heatmap \
--input "$DATA_DIR/risk-assessment.json" \
--output "$REPORT_DIR/risk-heatmap.png" \
--dimensions provider,service,risk-level
# Export to graph formats
python cloud_scout.py export-graph \
--input "$DATA_DIR/combined-mapping.json" \
--format graphml \
--output "$DATA_DIR/cloud-topology.graphml"
echo "[+] Visualization creation completed"
}
# Function to generate summary
generate_summary() {
echo "[+] Generating assessment summary"
cat > "$OUTPUT_DIR/assessment-summary.txt" << EOF
Cloud Security Assessment Summary
================================
Assessment Name: $ASSESSMENT_NAME
Date: $(date)
Output Directory: $OUTPUT_DIR
Files Generated:
- Data Files: $DATA_DIR/
- Reports: $REPORT_DIR/
- Visualizations: $REPORT_DIR/
Key Findings:
$(python cloud_scout.py summarize --input-dir "$DATA_DIR" --format text)
Next Steps:
1. Review executive summary report
2. Analyze attack path visualizations
3. Implement high-priority remediation items
4. Schedule follow-up assessment
EOF
echo "[+] Assessment summary generated: $OUTPUT_DIR/assessment-summary.txt"
}
# Main execution
echo "[+] Starting comprehensive cloud security assessment: $ASSESSMENT_NAME"
# Check dependencies
if ! command -v python &> /dev/null || ! python -c "import cloud_scout" 2>/dev/null; then
echo "[-] Cloud Scout not found or not properly installed"
exit 1
fi
# Perform assessment phases
perform_cloud_mapping
analyze_attack_paths
perform_security_assessment
generate_reports
create_visualizations
generate_summary
echo "[+] Comprehensive cloud security assessment completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $REPORT_DIR/executive-summary.html for overview"Multi-Cloud Attack Path Discovery
bash
#!/bin/bash
# Multi-cloud attack path discovery and analysis
TARGET_ENVIRONMENT="$1"
ATTACK_SCENARIO="$2"
OUTPUT_DIR="attack_path_analysis_$(date +%Y%m%d_%H%M%S)"
if [ -z "$TARGET_ENVIRONMENT" ] || [ -z "$ATTACK_SCENARIO" ]; then
echo "Usage: $0 <target_environment> <attack_scenario>"
echo "Environments: production, staging, development, all"
echo "Scenarios: privilege-escalation, lateral-movement, data-exfiltration, persistence, all"
exit 1
fi
mkdir -p "$OUTPUT_DIR"
# Function to discover attack paths
discover_attack_paths() {
local environment="$1"
local scenario="$2"
local output_file="$OUTPUT_DIR/attack_paths_${environment}_${scenario}.json"
echo "[+] Discovering attack paths for $environment environment, scenario: $scenario"
# Configure environment-specific settings
case "$environment" in
"production")
config_file="config/production.yaml"
;;
"staging")
config_file="config/staging.yaml"
;;
"development")
config_file="config/development.yaml"
;;
"all")
config_file="config/all-environments.yaml"
;;
*)
echo "[-] Unknown environment: $environment"
return 1
;;
esac
# Perform attack path discovery
python cloud_scout.py discover-attack-paths \
--config "$config_file" \
--scenario "$scenario" \
--deep-analysis \
--include-cross-cloud \
--output "$output_file"
if [ $? -eq 0 ]; then
echo " [+] Attack paths discovered: $output_file"
# Analyze path complexity
python cloud_scout.py analyze-path-complexity \
--input "$output_file" \
--output "$OUTPUT_DIR/complexity_analysis_${environment}_${scenario}.json"
# Calculate risk scores
python cloud_scout.py calculate-risk-scores \
--input "$output_file" \
--risk-factors config/risk-factors.yaml \
--output "$OUTPUT_DIR/risk_scores_${environment}_${scenario}.json"
return 0
else
echo " [-] Failed to discover attack paths for $environment"
return 1
fi
}
# Function to analyze privilege escalation paths
analyze_privilege_escalation() {
echo "[+] Analyzing privilege escalation paths"
# AWS privilege escalation
python cloud_scout.py analyze-aws-privesc \
--include-iam-policies \
--include-assume-role \
--include-cross-account \
--output "$OUTPUT_DIR/aws-privesc-paths.json"
# Azure privilege escalation
python cloud_scout.py analyze-azure-privesc \
--include-rbac \
--include-managed-identity \
--include-service-principal \
--output "$OUTPUT_DIR/azure-privesc-paths.json"
# GCP privilege escalation
python cloud_scout.py analyze-gcp-privesc \
--include-iam-bindings \
--include-service-accounts \
--include-workload-identity \
--output "$OUTPUT_DIR/gcp-privesc-paths.json"
# Cross-cloud privilege escalation
python cloud_scout.py analyze-cross-cloud-privesc \
--aws-input "$OUTPUT_DIR/aws-privesc-paths.json" \
--azure-input "$OUTPUT_DIR/azure-privesc-paths.json" \
--gcp-input "$OUTPUT_DIR/gcp-privesc-paths.json" \
--output "$OUTPUT_DIR/cross-cloud-privesc-paths.json"
}
# Function to analyze lateral movement paths
analyze_lateral_movement() {
echo "[+] Analyzing lateral movement paths"
# Network-based lateral movement
python cloud_scout.py analyze-network-lateral-movement \
--include-vpc-peering \
--include-transit-gateway \
--include-vpn-connections \
--output "$OUTPUT_DIR/network-lateral-movement.json"
# Service-based lateral movement
python cloud_scout.py analyze-service-lateral-movement \
--include-lambda-functions \
--include-container-services \
--include-database-connections \
--output "$OUTPUT_DIR/service-lateral-movement.json"
# Identity-based lateral movement
python cloud_scout.py analyze-identity-lateral-movement \
--include-shared-credentials \
--include-federated-access \
--include-service-accounts \
--output "$OUTPUT_DIR/identity-lateral-movement.json"
}
# Function to analyze data exfiltration paths
analyze_data_exfiltration() {
echo "[+] Analyzing data exfiltration paths"
# Storage-based exfiltration
python cloud_scout.py analyze-storage-exfiltration \
--include-s3-buckets \
--include-blob-storage \
--include-cloud-storage \
--check-public-access \
--output "$OUTPUT_DIR/storage-exfiltration.json"
# Database exfiltration
python cloud_scout.py analyze-database-exfiltration \
--include-rds \
--include-sql-database \
--include-cloud-sql \
--check-backup-access \
--output "$OUTPUT_DIR/database-exfiltration.json"
# API-based exfiltration
python cloud_scout.py analyze-api-exfiltration \
--include-api-gateways \
--include-function-apps \
--include-cloud-functions \
--output "$OUTPUT_DIR/api-exfiltration.json"
}
# Function to generate attack path report
generate_attack_path_report() {
echo "[+] Generating comprehensive attack path report"
# Combine all attack path data
python cloud_scout.py combine-attack-paths \
--input-dir "$OUTPUT_DIR" \
--output "$OUTPUT_DIR/combined-attack-paths.json"
# Generate interactive visualization
python cloud_scout.py visualize-attack-paths \
--input "$OUTPUT_DIR/combined-attack-paths.json" \
--output "$OUTPUT_DIR/attack-paths-visualization.html" \
--interactive \
--color-by-risk \
--include-filters
# Generate detailed report
python cloud_scout.py generate-attack-path-report \
--input "$OUTPUT_DIR/combined-attack-paths.json" \
--template detailed \
--output "$OUTPUT_DIR/attack-path-report.html" \
--include-remediation \
--include-mitre-mapping
# Generate executive summary
python cloud_scout.py generate-executive-summary \
--input "$OUTPUT_DIR/combined-attack-paths.json" \
--output "$OUTPUT_DIR/executive-summary.html" \
--focus-high-risk
# Export to MITRE ATT&CK format
python cloud_scout.py export-mitre-attack \
--input "$OUTPUT_DIR/combined-attack-paths.json" \
--output "$OUTPUT_DIR/mitre-attack-mapping.json"
}
# Function to prioritize remediation
prioritize_remediation() {
echo "[+] Prioritizing remediation actions"
python cloud_scout.py prioritize-remediation \
--input "$OUTPUT_DIR/combined-attack-paths.json" \
--risk-threshold 8 \
--business-impact-weights config/business-impact.yaml \
--output "$OUTPUT_DIR/remediation-priorities.json"
# Generate remediation roadmap
python cloud_scout.py generate-remediation-roadmap \
--input "$OUTPUT_DIR/remediation-priorities.json" \
--timeline 90 \
--resource-constraints config/resource-constraints.yaml \
--output "$OUTPUT_DIR/remediation-roadmap.html"
}
# Main execution
echo "[+] Starting multi-cloud attack path discovery"
echo "[+] Target environment: $TARGET_ENVIRONMENT"
echo "[+] Attack scenario: $ATTACK_SCENARIO"
# Check dependencies
if ! command -v python &> /dev/null || ! python -c "import cloud_scout" 2>/dev/null; then
echo "[-] Cloud Scout not found or not properly installed"
exit 1
fi
# Discover attack paths based on scenario
case "$ATTACK_SCENARIO" in
"privilege-escalation")
discover_attack_paths "$TARGET_ENVIRONMENT" "privilege-escalation"
analyze_privilege_escalation
;;
"lateral-movement")
discover_attack_paths "$TARGET_ENVIRONMENT" "lateral-movement"
analyze_lateral_movement
;;
"data-exfiltration")
discover_attack_paths "$TARGET_ENVIRONMENT" "data-exfiltration"
analyze_data_exfiltration
;;
"persistence")
discover_attack_paths "$TARGET_ENVIRONMENT" "persistence"
;;
"all")
discover_attack_paths "$TARGET_ENVIRONMENT" "privilege-escalation"
discover_attack_paths "$TARGET_ENVIRONMENT" "lateral-movement"
discover_attack_paths "$TARGET_ENVIRONMENT" "data-exfiltration"
discover_attack_paths "$TARGET_ENVIRONMENT" "persistence"
analyze_privilege_escalation
analyze_lateral_movement
analyze_data_exfiltration
;;
*)
echo "[-] Unknown attack scenario: $ATTACK_SCENARIO"
exit 1
;;
esac
# Generate reports and prioritize remediation
generate_attack_path_report
prioritize_remediation
echo "[+] Multi-cloud attack path discovery completed"
echo "[+] Results saved in: $OUTPUT_DIR"
echo "[+] Open $OUTPUT_DIR/attack-paths-visualization.html for interactive analysis"Continuous Cloud Security Monitoring
bash
#!/bin/bash
# Continuous cloud security monitoring with Cloud Scout
MONITORING_CONFIG="config/monitoring.yaml"
LOG_DIR="monitoring_logs"
ALERT_WEBHOOK="$1"
CHECK_INTERVAL=3600 # 1 hour
if [ -z "$ALERT_WEBHOOK" ]; then
echo "Usage: $0 <alert_webhook_url>"
echo "Example: $0 'https://hooks.slack.com/services/...'"
exit 1
fi
mkdir -p "$LOG_DIR"
# Function to perform security monitoring scan
perform_monitoring_scan() {
local timestamp=$(date +%Y%m%d_%H%M%S)
local scan_output="$LOG_DIR/scan_$timestamp.json"
local baseline_file="$LOG_DIR/baseline.json"
echo "[+] Performing security monitoring scan at $(date)"
# Perform comprehensive scan
python cloud_scout.py monitor-scan \
--config "$MONITORING_CONFIG" \
--output "$scan_output" \
--include-all-providers \
--deep-scan
if [ $? -ne 0 ]; then
echo "[-] Monitoring scan failed"
return 1
fi
# Compare with baseline if it exists
if [ -f "$baseline_file" ]; then
echo " [+] Comparing with baseline"
local changes_file="$LOG_DIR/changes_$timestamp.json"
python cloud_scout.py compare-scans \
--baseline "$baseline_file" \
--current "$scan_output" \
--output "$changes_file"
# Analyze changes for security implications
analyze_security_changes "$changes_file" "$timestamp"
else
echo " [+] Creating initial baseline"
cp "$scan_output" "$baseline_file"
fi
# Update baseline if significant time has passed
local baseline_age=$(stat -c %Y "$baseline_file" 2>/dev/null || echo 0)
local current_time=$(date +%s)
local age_hours=$(( (current_time - baseline_age) / 3600 ))
if [ $age_hours -gt 168 ]; then # 1 week
echo " [+] Updating baseline (age: ${age_hours} hours)"
cp "$scan_output" "$baseline_file"
fi
return 0
}
# Function to analyze security changes
analyze_security_changes() {
local changes_file="$1"
local timestamp="$2"
local analysis_file="$LOG_DIR/analysis_$timestamp.json"
echo " [+] Analyzing security changes"
# Perform security impact analysis
python cloud_scout.py analyze-security-changes \
--input "$changes_file" \
--risk-assessment \
--attack-path-impact \
--output "$analysis_file"
# Check for high-risk changes
local high_risk_count=$(python cloud_scout.py count-high-risk-changes \
--input "$analysis_file" \
--threshold 8)
if [ "$high_risk_count" -gt 0 ]; then
echo " [!] High-risk changes detected: $high_risk_count"
send_security_alert "HIGH_RISK_CHANGES" "$high_risk_count" "$analysis_file"
fi
# Check for new attack paths
local new_attack_paths=$(python cloud_scout.py detect-new-attack-paths \
--input "$analysis_file" \
--output "$LOG_DIR/new_attack_paths_$timestamp.json")
if [ "$new_attack_paths" -gt 0 ]; then
echo " [!] New attack paths detected: $new_attack_paths"
send_security_alert "NEW_ATTACK_PATHS" "$new_attack_paths" "$LOG_DIR/new_attack_paths_$timestamp.json"
fi
# Check for compliance violations
local compliance_violations=$(python cloud_scout.py check-compliance-violations \
--input "$analysis_file" \
--frameworks cis,nist \
--output "$LOG_DIR/compliance_violations_$timestamp.json")
if [ "$compliance_violations" -gt 0 ]; then
echo " [!] Compliance violations detected: $compliance_violations"
send_security_alert "COMPLIANCE_VIOLATIONS" "$compliance_violations" "$LOG_DIR/compliance_violations_$timestamp.json"
fi
}
# Function to send security alerts
send_security_alert() {
local alert_type="$1"
local count="$2"
local details_file="$3"
echo "[!] Sending security alert: $alert_type"
# Create alert message
local message="🚨 Cloud Security Alert: $alert_type detected ($count items) at $(date)"
# Send to webhook
if [ -n "$ALERT_WEBHOOK" ]; then
curl -X POST -H 'Content-type: application/json' \
--data "{\"text\":\"$message\"}" \
"$ALERT_WEBHOOK" 2>/dev/null || echo "Webhook alert failed"
fi
# Send email if configured
if [ -n "$ALERT_EMAIL" ]; then
echo "$message" | mail -s "Cloud Security Alert: $alert_type" \
-A "$details_file" "$ALERT_EMAIL" 2>/dev/null || echo "Email alert failed"
fi
# Log alert
echo "$(date): $alert_type - $count items" >> "$LOG_DIR/alerts.log"
}
# Function to generate monitoring report
generate_monitoring_report() {
echo "[+] Generating monitoring report"
local report_file="$LOG_DIR/monitoring_report_$(date +%Y%m%d).html"
# Collect recent scan data
python cloud_scout.py generate-monitoring-report \
--input-dir "$LOG_DIR" \
--timeframe 24h \
--output "$report_file" \
--include-trends \
--include-alerts
echo " [+] Monitoring report generated: $report_file"
}
# Function to cleanup old logs
cleanup_logs() {
echo "[+] Cleaning up old monitoring logs"
# Keep logs for 30 days
find "$LOG_DIR" -name "scan_*.json" -mtime +30 -delete
find "$LOG_DIR" -name "changes_*.json" -mtime +30 -delete
find "$LOG_DIR" -name "analysis_*.json" -mtime +30 -delete
# Keep reports for 90 days
find "$LOG_DIR" -name "monitoring_report_*.html" -mtime +90 -delete
}
# Function to check system health
check_system_health() {
echo "[+] Checking system health"
# Check Cloud Scout installation
if ! python -c "import cloud_scout" 2>/dev/null; then
echo "[-] Cloud Scout not available"
send_security_alert "SYSTEM_ERROR" "1" "/dev/null"
return 1
fi
# Check cloud provider connectivity
local connectivity_issues=0
if ! python cloud_scout.py test-aws-connectivity 2>/dev/null; then
echo "[-] AWS connectivity issues"
connectivity_issues=$((connectivity_issues + 1))
fi
if ! python cloud_scout.py test-azure-connectivity 2>/dev/null; then
echo "[-] Azure connectivity issues"
connectivity_issues=$((connectivity_issues + 1))
fi
if ! python cloud_scout.py test-gcp-connectivity 2>/dev/null; then
echo "[-] GCP connectivity issues"
connectivity_issues=$((connectivity_issues + 1))
fi
if [ $connectivity_issues -gt 0 ]; then
send_security_alert "CONNECTIVITY_ISSUES" "$connectivity_issues" "/dev/null"
fi
# Check disk space
local disk_usage=$(df "$LOG_DIR" | awk 'NR==2 {print $5}' | sed 's/%//')
if [ "$disk_usage" -gt 90 ]; then
echo "[-] Disk space critical: ${disk_usage}%"
send_security_alert "DISK_SPACE_CRITICAL" "$disk_usage" "/dev/null"
fi
return 0
}
# Main monitoring loop
echo "[+] Starting continuous cloud security monitoring"
echo "[+] Check interval: $((CHECK_INTERVAL / 60)) minutes"
echo "[+] Alert webhook: $ALERT_WEBHOOK"
while true; do
echo "[+] Starting monitoring cycle at $(date)"
# Check system health
if check_system_health; then
# Perform monitoring scan
if perform_monitoring_scan; then
echo " [+] Monitoring scan completed successfully"
else
echo " [-] Monitoring scan failed"
send_security_alert "SCAN_FAILURE" "1" "/dev/null"
fi
fi
# Generate daily report and cleanup
if [ "$(date +%H)" = "06" ]; then # 6 AM
generate_monitoring_report
cleanup_logs
fi
echo "[+] Monitoring cycle completed at $(date)"
echo "[+] Next check in $((CHECK_INTERVAL / 60)) minutes"
sleep "$CHECK_INTERVAL"
doneIntegration with Other Tools
SIEM Integration
bash
# Export Cloud Scout data to SIEM formats
python cloud_scout.py export-siem \
--format splunk \
--input scan-results.json \
--output cloud-scout-events.json
# Send alerts to SIEM
python cloud_scout.py send-siem-alert \
--siem-endpoint https://siem.company.com/api \
--alert-data high-risk-findings.jsonTerraform Integration
bash
# Generate Terraform remediation code
python cloud_scout.py generate-terraform \
--input security-findings.json \
--output remediation.tf
# Validate Terraform against Cloud Scout policies
python cloud_scout.py validate-terraform \
--terraform-dir ./infrastructure \
--policies config/security-policies.yamlCI/CD Pipeline Integration
bash
# Cloud Scout in CI/CD pipeline
python cloud_scout.py pipeline-scan \
--config config/pipeline.yaml \
--fail-on-high-risk \
--output pipeline-results.json
# Generate security gates
python cloud_scout.py generate-security-gates \
--input pipeline-results.json \
--output security-gates.yamlTroubleshooting
Common Issues
Authentication Problems
bash
# Check AWS credentials
aws sts get-caller-identity
# Check Azure authentication
az account show
# Check GCP authentication
gcloud auth list
# Test Cloud Scout authentication
python cloud_scout.py test-auth --all-providersPerformance Issues
bash
# Optimize scan performance
python cloud_scout.py optimize-scan \
--max-threads 20 \
--batch-size 100 \
--timeout 300
# Monitor resource usage
python cloud_scout.py monitor-resources \
--output resource-usage.logData Collection Issues
bash
# Debug data collection
python cloud_scout.py debug-collection \
--provider aws \
--region us-east-1 \
--verbose
# Validate collected data
python cloud_scout.py validate-data \
--input scan-results.json \
--output validation-report.jsonResources
- Cloud Scout GitHub Repository
- Sygnia Research
- Cloud Security Best Practices
- AWS Security Documentation
- Azure Security Documentation
- GCP Security Documentation
- MITRE ATT&CK Cloud Matrix
This cheat sheet provides a comprehensive reference for using Cloud Scout for cloud security mapping and attack path visualization. Always ensure you have proper authorization before scanning cloud environments.