baobaovt/aws-cloud-auditor

GitHub: baobaovt/aws-cloud-auditor

A Python security scanning tool with two modes: AWS CIS compliance auditing and authorized offensive security testing.

Stars: 1 | Forks: 0

# AWS Cloud Security Auditor

A professional AWS security assessment tool with two modes.

## Modes

**Compliance mode (default)** - CIS AWS Foundations Benchmark v1.5.0 audit

**Attack mode** - Offensive security testing (requires authorization)

## Quick Start

```
pip install boto3

# Compliance scan (default mode), single region
python aws_auditor.py --profile readonly --region us-east-2

# Compliance scan across several regions
python aws_auditor.py --profile readonly --regions us-east-1,us-west-2,eu-west-1

# Compliance scan across all regions
python aws_auditor.py --profile readonly --all-regions

# Attack mode
python aws_auditor.py --mode attack --profile pentest --all-regions
```

## Compliance Mode

**Checks:**

- CIS Section 1: IAM security (root account, MFA, password policy, access keys)
- CIS Section 2: Storage (S3 encryption, RDS security, EBS encryption)
- CIS Section 3: Logging (CloudTrail, VPC flow logs, KMS encryption)
- CIS Section 4: Monitoring (GuardDuty, AWS Config)
- CIS Section 5: Networking (security groups, default VPC)

**Coverage:** 50+ CIS benchmark controls

**Output:** JSON compliance report with a score

## Attack Mode

**WARNING: Requires authorization - authorized security testing only**

**Tests:**

- IAM privilege escalation paths
- S3 data exfiltration vectors
- EC2 lateral movement opportunities
- RDS database exposure
- IMDSv1 SSRF vulnerabilities
- VPC network reconnaissance gaps
- EKS cluster attack vectors
- Secrets Manager enumeration

**Output:** JSON attack report with exploitation vectors

## AWS Credentials

```
# Named profile in ~/.aws/credentials
~/.aws/credentials:
[readonly]
aws_access_key_id = AKIA...
aws_secret_access_key = ...

python aws_auditor.py --profile readonly

# Environment variables
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
python aws_auditor.py

# Default boto3 credential chain (for example an attached IAM role)
python aws_auditor.py
```

## Required Permissions

**Compliance mode (read-only):**

```
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:Get*",
      "iam:List*",
      "iam:GenerateCredentialReport",
      "s3:GetBucket*",
      "s3:GetPublicAccessBlock",
      "s3:ListAllMyBuckets",
      "ec2:Describe*",
      "rds:Describe*",
      "cloudtrail:Describe*",
      "cloudtrail:GetTrailStatus",
      "cloudtrail:LookupEvents",
      "guardduty:Get*",
      "guardduty:List*",
      "config:Describe*",
      "kms:DescribeKey",
      "kms:GetKeyRotationStatus",
      "kms:ListKeys",
      "lambda:GetPolicy",
      "lambda:ListFunctions",
      "elbv2:Describe*",
      "eks:DescribeCluster",
      "eks:ListClusters",
      "secretsmanager:ListSecrets",
      "accessanalyzer:ListAnalyzers"
    ],
    "Resource": "*"
  }]
}
```

**Attack mode:** Same as compliance mode (read-only assessment)

## Output Files

```
# Compliance mode
aws_compliance_report_YYYYMMDD_HHMMSS.json

# Attack mode
aws_attack_report_YYYYMMDD_HHMMSS.json
```

## Feature Comparison

| Feature | Compliance Mode | Attack Mode |
|---------|-----------------|-------------|
| **Purpose** | CIS benchmark audit | Offensive testing |
| **Method** | Configuration review | Exploitation analysis |
| **Output** | Compliance score | Attack vectors |
| **CIS Mapping** | Yes | No |
| **Risk Assessment** | Policy violations | Exploitation paths |
| **Authorization Required** | Standard penetration test | Written authorization |

## Examples

### Multi-region compliance audit

```
python aws_auditor.py \
  --mode compliance \
  --profile prod-readonly \
  --regions us-east-1,us-west-2,eu-west-1
```

### Single-region attack assessment

```
python aws_auditor.py \
  --mode attack \
  --profile pentest-high \
  --region us-east-2
```

### Full account scan (all regions)

```
python aws_auditor.py \
  --mode compliance \
  --profile audit \
  --all-regions
```

## Architecture

```
AWSAuditorBase (base class)
├── Shared checks (CIS controls)
├── Session management
└── Finding aggregation

AttackMode (inheritance)
├── IAM privilege escalation
├── Data exfiltration vectors
├── Lateral movement paths
└── SSRF/IMDS attacks

ComplianceMode (inheritance)
├── CIS Section 1: IAM
├── CIS Section 2: Storage
├── CIS Section 3: Logging
├── CIS Section 4: Monitoring
└── CIS Section 5: Networking
```

**Design:** Zero duplicated code, DRY principle, factory pattern for mode selection

## Compliance Scoring

Compliance mode calculates a score from its findings:

- Total CIS checks: ~50 controls
- Compliance score: (passed / total) × 100%
- Severity weighting: Critical > High > Medium > Low

Example output:

```
Total Findings: 12
CRITICAL: 2
HIGH: 4
MEDIUM: 5
LOW: 1
CIS Controls Affected: 8
Compliance Score: 76.0%
```

## Security

- Read-only operations (no modifications)
- SSL verification disabled for corporate proxies
- Credentials are not stored or logged
- Follows the CIS benchmark
- **WARNING:** Attack mode requires written authorization

## License

MIT

## Disclaimer

**Authorized security assessments only.** Unauthorized testing may violate laws and policies.

## Version

2.0 - Unified dual-mode architecture
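The Compliance Mode section lists CIS Section 1 (IAM) checks on the root account and access keys, and the Compliance Scoring section defines the score as (passed / total) × 100. The following is an added example, not code from the aws-cloud-auditor project: it evaluates three such checks offline against a constructed IAM credential report in the CSV format returned by `iam:GetCredentialReport`, then scores the result. The 45-day "unused credentials" threshold and the check names are assumptions for illustration.

```python
"""Evaluate a few CIS Section 1 (IAM) checks from an IAM credential report and
score them as (passed / total) x 100. The report below is constructed by hand
in the column format of iam:GetCredentialReport; it is not real account data."""
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 45  # assumed threshold for "credentials unused for N days"

# Constructed sample: a subset of the real columns, same names and value formats.
SAMPLE_REPORT = """\
user,arn,mfa_active,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,true,2024-05-01T10:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,2024-06-01T08:00:00+00:00,true,2024-06-02T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,false,false,not_supported,true,2024-01-15T08:00:00+00:00,false,N/A
"""

def parse_report(text):
    """Parse the credential-report CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def _older_than(value, now, days):
    """True if the ISO timestamp is older than `days`; N/A / no_information (never used) counts as stale."""
    try:
        return now - datetime.fromisoformat(value) > timedelta(days=days)
    except ValueError:
        return True

def run_iam_checks(rows, now):
    """Return ({check: passed}, [stale keys]) for three CIS Section 1 style controls."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    users = [r for r in rows if r["user"] != "<root_account>"]
    results = {
        "root_mfa_enabled": root["mfa_active"] == "true",
        "root_no_access_keys": root["access_key_1_active"] == "false"
        and root["access_key_2_active"] == "false",
    }
    stale = [f"{u['user']}:key{n}" for u in users for n in ("1", "2")
             if u[f"access_key_{n}_active"] == "true"
             and _older_than(u[f"access_key_{n}_last_used_date"], now, UNUSED_DAYS)]
    results["no_unused_access_keys"] = not stale
    return results, stale

def compliance_score(results):
    """Score as the README defines it: (passed / total) x 100, one decimal."""
    return round(100.0 * sum(results.values()) / len(results), 1)

def evaluate_sample():
    """Run the checks on the constructed report as of a fixed date."""
    results, stale = run_iam_checks(parse_report(SAMPLE_REPORT),
                                    datetime(2024, 7, 1, tzinfo=timezone.utc))
    return results, stale, compliance_score(results)

if __name__ == "__main__":
    print(evaluate_sample())
```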
Tags: AES-256, Anthropic, AWS SDK, AWS security, boto3, CIS benchmark, IAM security, meg, RDS security, S3 security, cloud audit, information security, anti-forensics, security scanning, security assessment, attack testing, timing injection, vulnerability assessment, network security, reverse engineering tools, privacy protection