Speed-boo3/cloud-security

GitHub: Speed-boo3/cloud-security

A Python-based AWS cloud security scanning project that automatically detects S3, IAM and security group misconfigurations and produces a CIS benchmark compliance score.

Stars: 0 | Forks: 0


![Python](https://img.shields.io/badge/Python-3.8+-0d1117?style=flat-square&logo=python&logoColor=ff9900) ![AWS](https://img.shields.io/badge/AWS-boto3-0d1117?style=flat-square&logo=amazon-aws&logoColor=ff9900) ![CIS](https://img.shields.io/badge/CIS-Level%201-0d1117?style=flat-square&logoColor=ff9900) ![License](https://img.shields.io/badge/license-MIT-0d1117?style=flat-square)
[![Interactive Guide](https://img.shields.io/badge/Interactive%20Guide%20%E2%86%92-Cloud%20security%20from%20scratch-ff9900?style=for-the-badge&labelColor=0d1117)](https://speed-boo3.github.io/cloud-security/explain/)
## About this project

Most cloud data breaches do not come from sophisticated attacks but from misconfiguration: a public S3 bucket, an IAM user with administrator rights, a database port open to the internet, or an audit trail that was accidentally disabled.

This project finds those misconfigurations automatically. It contains four scanners, a CIS compliance score calculator, a complete demo mode that runs without any AWS credentials, and an interactive learning site that explains everything from scratch.

## Try it now — no AWS account required

```
git clone https://github.com/Speed-boo3/cloud-security.git
cd cloud-security
pip install -r requirements.txt
python aws/demo_mode.py
python aws/compliance_score.py --demo
```

## Attack surface

Every misconfiguration is a door. This project finds the ones that are open.

## The four scanners

### S3 — storage misconfiguration

S3 is the most common source of cloud data breaches. A single misconfigured bucket can expose millions of records to anyone on the internet.

```
python aws/s3/s3_scanner.py --region eu-west-1
```

```
[CRITICAL] company-backups-prod
  Finding : Block Public Access is not fully enabled
  Risk    : Anyone on the internet can read files from this bucket
  Fix     : Enable all four Block Public Access settings immediately

[HIGH] app-user-uploads
  Finding : Default encryption is not configured
  Risk    : Objects are not encrypted at rest
  Fix     : Enable AES-256 or AWS KMS encryption
```

Checks run on every bucket:

| Check | Question it answers |
|---|---|
| Block Public Access | is the bucket accidentally open to the internet? |
| Default encryption | are files encrypted when stored? |
| Versioning | can deleted files be recovered? |
| Access logging | is there an audit trail of who accessed what? |

### IAM — identity and access management

IAM controls who can do what in your AWS account. The most common mistake is granting users far more permission than they need.

```
python aws/iam/iam_analyser.py
```

```
[HIGH] developer1
  Finding : User has AdministratorAccess policy attached
  Risk    : Full account takeover if credentials are ever leaked
  Fix     : Replace with a scoped policy for this user's actual role

[HIGH] ci-pipeline
  Finding : MFA is not enabled
  Risk    : Account can be taken over with username and password alone
  Fix     : Enable MFA. For CI/CD consider IAM roles instead of users

[MEDIUM] backup-service
  Finding : Access key is 143 days old (threshold: 90 days)
  Risk    : Old keys increase the window of exposure if ever leaked
  Fix     : Rotate the key and enforce a 90-day rotation policy
```

### Security Groups — network exposure

Security groups are the AWS firewall. A dangerous port opened to the whole internet is one of the most scanned-for configurations on the internet.

```
python aws/network/sg_scanner.py --region eu-west-1
```

```
[CRITICAL] web-server-sg
  Finding : Port 22 (SSH) is open to 0.0.0.0/0
  Risk    : SSH exposed to every IP. Constant brute force target
  Fix     : Restrict to VPN CIDR or specific trusted IPs only

[CRITICAL] database-sg
  Finding : Port 3306 (MySQL) is open to 0.0.0.0/0
  Risk    : Database directly accessible from the internet
  Fix     : Allow only from your application server security group
```

Ports the scanner flags, and why:

| Port | Service | Why it is flagged |
|---|---|---|
| 22 | SSH | brute force and CVE target — never public |
| 3389 | RDP | constant attack target, multiple critical CVEs |
| 3306 | MySQL | databases must never be internet-facing |
| 5432 | PostgreSQL | same reason as MySQL |
| 6379 | Redis | often runs with no authentication by default |
| 27017 | MongoDB | thousands of databases wiped by attackers this way |
| 21 | FTP | credentials sent in plaintext |
| 23 | Telnet | everything unencrypted, replaced by SSH in the 1990s |

### CloudTrail — audit logging

CloudTrail records every API call made in your AWS account. Without it, you cannot investigate a security incident.

```
python aws/logging/cloudtrail_check.py --region eu-west-1
```

```
[MEDIUM] mgmt-trail
  Finding : Trail is not configured for multi-region logging
  Risk    : Activity in other regions leaves no audit trail
  Fix     : Enable multi-region logging on the trail
```

## CIS compliance score

The CIS AWS Foundations Benchmark is the standard that security teams and auditors use to assess AWS environments. This tool computes your Level 1 score and shows exactly what needs fixing and by when.

```
python aws/compliance_score.py --demo
python aws/compliance_score.py --results results.json
```

```
════════════════════════════════════════════════════════════════
CIS AWS FOUNDATIONS BENCHMARK — LEVEL 1
────────────────────────────────────────────────────────────────
Compliance score : 57% (8/14 controls passing)
════════════════════════════════════════════════════════════════

Identity and Access Management                              40%
  ✓ 1.1 MFA enabled on root account
  ✓ 1.2 No access keys on root account
  ✗ 1.3 MFA enabled for all IAM console users      → fix within 30 days
  ✗ 1.5 No overly permissive IAM policies          → fix within 30 days

Storage                                                    100%
  ✓ 3.1 S3 Block Public Access enabled
  ✓ 3.2 S3 buckets encrypted at rest
  ✓ 3.3 S3 access logging enabled

Networking                                                  67%
  ✗ 4.1 SSH (port 22) not open to 0.0.0.0/0        → fix immediately
  ✓ 4.2 RDP (port 3389) not open to 0.0.0.0/0
  ✓ 4.3 Databases not publicly accessible
```

## Run everything in one go

```
cd aws
python run_all.py --region eu-west-1 --output results.json
python compliance_score.py --results results.json
```

## What cloud security roles do

| Role | Responsibility |
|---|---|
| Cloud Security Engineer | builds and maintains security controls in cloud environments |
| Security Architect | designs secure cloud architectures for new and existing systems |
| Cloud GRC Analyst | assesses cloud compliance against CIS, ISO 27001, NIST |
| DevSecOps Engineer | integrates security into cloud deployment pipelines |
| Penetration Tester (Cloud) | tests cloud environments for misconfigurations and vulnerabilities |

The skills this project demonstrates map directly onto all of these roles. Understanding IAM, knowing why S3 misconfigurations lead to breaches, being able to read security group rules and compute a compliance score — these are the things interviewers ask about.

## Project structure

```
cloud-security/
├── aws/
│   ├── s3/
│   │   └── s3_scanner.py          <- Block Public Access, encryption, versioning, logging
│   ├── iam/
│   │   └── iam_analyser.py        <- overprivileged users, missing MFA, old keys
│   ├── network/
│   │   └── sg_scanner.py          <- dangerous ports open to the internet
│   ├── logging/
│   │   └── cloudtrail_check.py    <- audit logging configuration
│   ├── utils/
│   │   └── colors.py              <- coloured terminal output for all scanners
│   ├── demo_mode.py               <- realistic mock scan, no AWS account needed
│   ├── compliance_score.py        <- CIS Level 1 compliance calculator
│   └── run_all.py                 <- runs all four scanners in sequence
├── assets/                        <- SVG diagrams in README
├── frameworks/
│   └── cis-aws-benchmark.md       <- CIS AWS Foundations Benchmark explained
├── templates/
│   └── remediation-report.md      <- finding documentation template
├── resources/
│   └── README.md                  <- free learning resources
├── explain/
│   └── index.html                 <- interactive learning site
└── CHANGELOG.md
```

## Setting up a real AWS scan

You need an AWS account. The free tier is enough.

```
pip install awscli
aws configure
cd aws
python run_all.py --region eu-west-1 --output results.json
python compliance_score.py --results results.json
```

## Free resources

- [AWS Free Tier](https://aws.amazon.com/free/) — free account for testing
- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services) — free PDF edition
- [AWS security best practices](https://aws.amazon.com/security/security-resources/)
- [AWS Security Fundamentals — free course](https://explore.skillbuilder.aws/learn/course/48)
- [Cloud Security Alliance guidance](https://cloudsecurityalliance.org/research/guidance)
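The per-bucket decision logic behind the S3 checks listed in the S3 section, as an added example that is not the project's own code. It runs offline on constructed dicts shaped like the boto3 `get_public_access_block`, `get_bucket_encryption`, `get_bucket_versioning` and `get_bucket_logging` responses; `check_bucket`, `BPA_FLAGS` and `SAMPLE_BUCKET` are this example's own names, and `None` stands in for the case where boto3 raises because the bucket has no such configuration at all.

```python
# Added example, not the project's own code. Each argument is the dict the
# matching boto3 get_* call returns, or None where the call raises because the
# bucket has no such configuration (no PublicAccessBlock, no encryption rules).
# A missing setting is itself a finding, never a silent pass.

BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def check_bucket(name, public_access_block, encryption, versioning, logging):
    """Return (severity, bucket, finding) tuples for one bucket.

    CRITICAL and HIGH match the README's sample output; MEDIUM and LOW for
    versioning and logging are this example's own choice."""
    findings = []
    # All four flags must be True; three of four still leaves a public path.
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in BPA_FLAGS if cfg.get(f) is not True]
    if missing:
        findings.append(("CRITICAL", name, "Block Public Access is not fully "
                         "enabled (missing: " + ", ".join(missing) + ")"))
    # Encryption counts only if a rule actually sets a default algorithm.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               for r in rules):
        findings.append(("HIGH", name, "Default encryption is not configured"))
    # get_bucket_versioning has no Status key for a never-versioned bucket and
    # "Suspended" for one switched off; only "Enabled" passes.
    if (versioning or {}).get("Status") != "Enabled":
        findings.append(("MEDIUM", name, "Versioning is not enabled"))
    if not (logging or {}).get("LoggingEnabled"):
        findings.append(("LOW", name, "Access logging is not enabled"))
    return findings


# Constructed sample: three of four BPA flags on, AES-256 default encryption,
# versioning suspended, no logging target.
SAMPLE_BUCKET = dict(
    name="company-backups-prod",
    public_access_block={"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": False}},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
    versioning={"Status": "Suspended"},
    logging={},
)
```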
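The inbound-rule logic behind the Security Groups section, as an added example that is not the project's own code. It runs offline on a constructed `describe_security_groups()`-shaped response; `DANGEROUS_PORTS`, `world_open_sources`, `rule_port_span`, `scan_group` and `SAMPLE_GROUPS` are names chosen for this example.

```python
# Added example, not the project's own code: finds the README's listed ports
# wherever a security group exposes them to the internet.

# The ports the README lists, keyed to the service name reported in a finding.
DANGEROUS_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB", 21: "FTP", 23: "Telnet"}
WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 spellings of "anyone on the internet"


def world_open_sources(rule):
    """CIDRs in one IpPermissions entry that mean 'the whole internet'."""
    v4 = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in v4 + v6 if c in WORLD]


def rule_port_span(rule):
    """(low, high) ports a rule covers, or None for non-TCP rules. Protocol "-1"
    (all traffic) has no FromPort/ToPort in the API, so it means every port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return 0, 65535
    if proto in ("tcp", "6"):
        return rule["FromPort"], rule["ToPort"]
    return None  # udp / icmp rules are outside the README's port list


def scan_group(sg):
    """(group, port, service, source) for every listed port exposed to the
    internet, including ports hidden inside a wide FromPort-ToPort range."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        sources, span = world_open_sources(rule), rule_port_span(rule)
        if not sources or span is None:
            continue  # source is a VPN CIDR or another security group, or not TCP
        for port, service in DANGEROUS_PORTS.items():
            if span[0] <= port <= span[1]:
                findings.extend((sg["GroupName"], port, service, s) for s in sources)
    return findings


# Constructed sample: SSH to the world, MySQL only from an application security
# group (no finding), and an "all traffic" IPv6 rule that quietly covers all eight.
SAMPLE_GROUPS = [
    {"GroupName": "web-server-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupName": "database-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app-servers"}]}]},
    {"GroupName": "cache-sg", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```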
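How a CIS Level 1 score and per-section breakdown like the report in the CIS compliance score section can be derived from scanner pass/fail results, as an added example that is not the project's `compliance_score.py`. The control list, severities and `SAMPLE_RESULTS` are constructed for illustration (the ids and deadlines follow the README's sample output), and `pct`, `compute_score`, `CONTROLS` and `DEADLINE` are this example's own names.

```python
# Added example, not the project's own code. Control ids follow the README's
# sample report; the severities and the results dict are constructed.

CONTROLS = [  # (id, section, title, severity)
    ("1.1", "Identity and Access Management", "MFA enabled on root account", "critical"),
    ("1.2", "Identity and Access Management", "No access keys on root account", "critical"),
    ("1.3", "Identity and Access Management", "MFA enabled for all IAM console users", "high"),
    ("1.5", "Identity and Access Management", "No overly permissive IAM policies", "high"),
    ("3.1", "Storage", "S3 Block Public Access enabled", "critical"),
    ("3.2", "Storage", "S3 buckets encrypted at rest", "high"),
    ("3.3", "Storage", "S3 access logging enabled", "medium"),
    ("4.1", "Networking", "SSH (port 22) not open to 0.0.0.0/0", "critical"),
    ("4.2", "Networking", "RDP (port 3389) not open to 0.0.0.0/0", "critical"),
    ("4.3", "Networking", "Databases not publicly accessible", "critical"),
]
DEADLINE = {"critical": "fix immediately", "high": "fix within 30 days",
            "medium": "fix within 90 days"}


def pct(passing, total):
    """Whole-number percentage, rounding .5 up (round() turns 12.5 into 12)."""
    return int(100 * passing / total + 0.5) if total else 0


def compute_score(results):
    """results: {control id: True if passing}. A control the scanners did not
    report is counted as failing: an unverified control is never a pass."""
    sections = {}
    for cid, section, title, severity in CONTROLS:
        passed = results.get(cid) is True
        sections.setdefault(section, []).append((cid, title, severity, passed))
    passing = sum(c[3] for s in sections.values() for c in s)
    report = {"score": pct(passing, len(CONTROLS)), "passing": passing,
              "total": len(CONTROLS), "sections": {}}
    for name, controls in sections.items():
        lines = []
        for cid, title, severity, passed in controls:
            status = "✓" if passed else "✗"
            deadline = "" if passed else " → " + DEADLINE[severity]
            lines.append(f"{status} {cid} {title}{deadline}")
        report["sections"][name] = {
            "percent": pct(sum(c[3] for c in controls), len(controls)), "lines": lines}
    return report


# Constructed results, as a results.json might carry them: three controls failing.
SAMPLE_RESULTS = {"1.1": True, "1.2": True, "1.3": False, "1.5": False,
                  "3.1": True, "3.2": True, "3.3": True,
                  "4.1": False, "4.2": True, "4.3": True}
```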