Cloud Audit Tools
When to Use Which Tool
| Tool | Best For | Cloud |
|---|---|---|
| Prowler | CIS benchmark compliance, structured findings, reporting | AWS, Azure, GCP |
| ScoutSuite | Broad inventory + misconfiguration overview, HTML report | AWS, Azure, GCP |
| CloudFox | Attack surface mapping, privilege escalation paths | AWS, Azure |
| Pacu | Post-exploitation, privilege escalation simulation | AWS only |
| Steampipe | Ad-hoc SQL queries against cloud resources | AWS, Azure, GCP |
| CloudSploit | Lightweight multi-cloud config scanning | AWS, Azure, GCP |
| Checkov | Infrastructure-as-Code (Terraform, CloudFormation) review | IaC |
Typical audit workflow: Run Prowler + ScoutSuite together — Prowler for compliance findings, ScoutSuite for a visual inventory overview. Use CloudFox to chase down specific attack paths. Pacu for anything post-exploitation.
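Prowler is the compliance leg of that workflow, and its JSON output (`-M json`) is the easiest to triage programmatically. The script below is an added example, not part of this page or the Prowler project: it assumes the v3-style flat finding schema (one object per finding with CheckID, Status, Severity, Region and ResourceId keys) and embeds a constructed sample so it runs offline; it collapses a report to FAIL counts per severity and the resources behind each failing check at or above a chosen severity.

```python
# Added example (not from the page or the Prowler project): triage `prowler aws -M json` output.
# Assumes the v3-style flat schema (CheckID, Status, Severity, Region, ResourceId per finding).
import json
from collections import Counter, defaultdict

SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]

# Constructed sample findings, trimmed to the keys used below.
SAMPLE_FINDINGS = json.dumps([
    {"CheckID": "s3_bucket_public_access", "Status": "FAIL", "Severity": "critical",
     "Region": "eu-west-2", "ResourceId": "public-assets"},
    {"CheckID": "s3_bucket_public_access", "Status": "PASS", "Severity": "critical",
     "Region": "eu-west-2", "ResourceId": "private-logs"},
    {"CheckID": "iam_root_mfa_enabled", "Status": "FAIL", "Severity": "high",
     "Region": "us-east-1", "ResourceId": "<root_account>"},
    {"CheckID": "cloudtrail_multi_region_enabled", "Status": "FAIL", "Severity": "high",
     "Region": "eu-west-2", "ResourceId": "123456789012"},
    {"CheckID": "ec2_instance_public_ip", "Status": "FAIL", "Severity": "medium",
     "Region": "eu-west-2", "ResourceId": "i-0abc"},
])


def load_findings(raw: str) -> list[dict]:
    """Parse Prowler's JSON array; tolerate a single object."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def failed_by_severity(findings: list[dict]) -> dict[str, int]:
    """Count FAIL findings per severity, keyed in triage order."""
    counts = Counter(f["Severity"].lower() for f in findings if f.get("Status") == "FAIL")
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def failed_resources_by_check(findings: list[dict], min_severity: str = "high") -> dict[str, list[str]]:
    """Map each failing CheckID at or above min_severity to its affected
    resources, so a large report collapses to what actually needs a ticket."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    grouped = defaultdict(list)
    for f in findings:
        if f.get("Status") != "FAIL" or SEVERITY_ORDER.index(f["Severity"].lower()) > cutoff:
            continue
        grouped[f["CheckID"]].append(f"{f['Region']}:{f['ResourceId']}")
    return dict(sorted(grouped.items()))


if __name__ == "__main__":
    print(failed_by_severity(load_findings(SAMPLE_FINDINGS)))
```

Point `load_findings` at the file Prowler writes (`open(path).read()`) to run it on a real report; the same grouping also works on ScoutSuite's per-service JSON once its findings are flattened to the same keys.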
Authentication & Access Setup
AWS
aws-azure-login (federated SSO)
npm install -g aws-azure-login
# Interactive login (opens browser)
aws-azure-login --no-sandbox --mode=gui
# Non-interactive (for scripts)
aws-azure-login --profile default --no-prompt --no-sandbox
~/.aws/config profile setup
[default]
azure_tenant_id=<Tenant ID>
azure_app_id_uri=https://signin.aws.amazon.com/saml
azure_default_username=username@company.co.uk
azure_default_role_arn=
azure_default_duration_hours=12
azure_default_remember_me=true
region=eu-west-2
[profile roleToAssume]
role_arn = arn:aws:iam::123456789:role/role-To-Assume
source_profile = default
region = eu-west-2
Assume a role
aws sts assume-role \
--role-arn arn:aws:iam::<account>:role/RoleToAssume \
--role-session-name MySession \
--profile <source-profile>
Verify active identity
aws sts get-caller-identity
aws sts get-caller-identity --profile <profile-name>
For EKS environments with non-standard role assumption, see the EKS assume-role + update-kubeconfig script.
Azure
# Install Azure CLI
apt install azure-cli
# Login
az login
# List and select subscription
az account list --output table
az account set --subscription "<Subscription Name or ID>"
# Confirm identity
az ad signed-in-user show
az account show
ScoutSuite
https://github.com/nccgroup/ScoutSuite
Useful for inventorying services and misconfigurations across cloud environments. Produces an interactive HTML report.
Install
git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
virtualenv -p python3 venv
source venv/bin/activate # Linux
# C:\Tools\ScoutSuite\venv\Scripts\activate (Windows)
pip install -r requirements.txt
Run — AWS
# Using a named profile (after aws-azure-login)
scout aws -p <profile-name>
Run — Azure
az login
scout azure --cli --subscriptions <Subscription ID>
Prowler
https://github.com/prowler-cloud/prowler
CIS benchmark and best-practice checks. Highly scriptable, outputs CSV/JSON/HTML.
Install
# Option 1: pip
virtualenv -p python3 venv
source venv/bin/activate
pip install prowler
# Option 2: poetry
git clone https://github.com/prowler-cloud/prowler
cd prowler
eval $(poetry env activate)
poetry install
Run — AWS
# Default profile
prowler aws
# Named profile
prowler aws --profile <profile-name>
# Output formats
prowler aws --profile <profile-name> -M html,json,csv
# List all checks
prowler -l
Run — Azure
az login
prowler azure --az-cli-auth
prowler azure --az-cli-auth --subscription-ids <ID1>,<ID2>
# Custom output directory and file name (-o / -F); formats are still chosen with -M
prowler azure --az-cli-auth --output-directory /path/to/output --output-filename azure-audit
CloudFox
https://github.com/BishopFox/cloudfox
Modular enumeration tool focused on attack surface and privilege escalation paths.
Install
wget https://github.com/BishopFox/cloudfox/releases/latest/download/cloudfox_Linux_x86_64.tar.gz
tar -xvf cloudfox_Linux_x86_64.tar.gz
sudo mv cloudfox /usr/local/bin/
Run — AWS
# Run all checks
cloudfox aws --profile <profile-name> all-checks
# Specific modules
cloudfox aws --profile <profile-name> inventory
cloudfox aws --profile <profile-name> iam-privesc-scan
cloudfox aws --profile <profile-name> secrets
cloudfox aws --profile <profile-name> role-trusts
# Write results to output directory
cloudfox aws --profile <profile-name> all-checks --outdir results/
Run — Azure
az login
cloudfox azure --subscription <Subscription ID> all-checks
Pacu (AWS Only)
https://github.com/RhinoSecurityLabs/pacu
AWS post-exploitation framework. Use after obtaining valid credentials to simulate attacker behaviour and test privilege escalation paths.
Install
git clone https://github.com/RhinoSecurityLabs/pacu.git
cd pacu
pip install -r requirements.txt
python3 pacu.py
Key modules
# Inside pacu shell:
import_keys <profile-name> # Import AWS credentials from ~/.aws/credentials (use set_keys to enter them manually)
run iam__enum_permissions # Enumerate effective permissions
run iam__privesc_scan # Check for privesc paths
run s3__enum_bucket_acls # Check S3 bucket permissions
run ec2__enum # Enumerate EC2 resources
Steampipe
SQL-based queries across cloud providers. Useful for targeted, ad-hoc checks.
Install
brew tap turbot/tap
brew install steampipe
# Install plugins
steampipe plugin install aws
steampipe plugin install azure
Example queries
-- IAM roles
steampipe query "select account_id, arn from aws_iam_role;"
-- Publicly accessible S3 buckets
steampipe query "select name, bucket_policy_is_public from aws_s3_bucket where bucket_policy_is_public = true;"
-- Azure role assignments
steampipe query "select principal_name, role_definition_name, scope from azure_role_assignment;"
CloudSploit
https://github.com/aquasecurity/cloudsploit
Lightweight multi-cloud config scanning. Good alternative when Prowler is too heavyweight.
npm install -g @aquasecurity/cloudsploit
cloudsploit scan --cloud aws
cloudsploit scan --cloud azure
Checkov
https://github.com/bridgecrewio/checkov
Infrastructure-as-Code scanning. Use when the engagement includes Terraform, CloudFormation, or ARM templates.
pip install checkov
# Scan a directory of IaC files
checkov -d /path/to/iac/
# Scan Kubernetes manifests
checkov -d /path/to/manifests/
# Specific framework
checkov -d . --framework terraform