
ScoutSuite: Multi-cloud security auditing tool - vngzs
https://github.com/nccgroup/ScoutSuite
======
kapilvt
another tool in this space, [https://github.com/cloud-custodian/cloud-custodian](https://github.com/cloud-custodian/cloud-custodian)

delta would be less ootb policies (though lots of github repos with examples
re awesome custodian lists), and more user defined policy as code (dsl and
gitops style) with integration into serverless provider platforms for
continuous monitoring, along with remediation support and platform
integrations (security hub, google cloud security command center, etc).

other tools in this space on the detect and report side (albeit aws specific)
[https://github.com/toniblyx/prowler](https://github.com/toniblyx/prowler)
[https://github.com/jonrau1/ElectricEye](https://github.com/jonrau1/ElectricEye)

on the gcp side forseti, [https://github.com/forseti-security/forseti-security](https://github.com/forseti-security/forseti-security)

~~~
jcims
Nice list of tools from prowler author:

[https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)

------
aka1234
One thing people have to keep in mind when running these kinds of tools is
they make _tons_ of API calls. Depending on how you have things set up, using
these tools can drastically increase your CloudTrail bill.

Also, they'll often make calls against non-existent resources or run into
permissions issues. So it can clutter your CloudTrail with API errors, making
actual API errors harder to locate.
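
An added example, not part of the comment above and not ScoutSuite code: one way to keep audit-tool noise apart from other API errors when reviewing CloudTrail records. It assumes the tool runs under a dedicated role (the name `scout-audit` is hypothetical) and uses constructed sample records.

```python
from collections import Counter

# Assumption: the audit tool runs under a dedicated role (hypothetical name),
# so its events are recognisable by the role in userIdentity.arn.
AUDIT_ROLE = "assumed-role/scout-audit/"

def _rec(role, source, name, error=None):
    """Build a constructed CloudTrail-shaped record (sample data, not real logs)."""
    arn = f"arn:aws:sts::111111111111:assumed-role/{role}/session"
    rec = {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE = [
    _rec("scout-audit", "s3.amazonaws.com", "ListBuckets"),
    _rec("scout-audit", "s3.amazonaws.com", "GetBucketPolicy", "NoSuchBucketPolicy"),
    _rec("scout-audit", "kms.amazonaws.com", "GetKeyRotationStatus", "AccessDenied"),
    _rec("scout-audit", "iam.amazonaws.com", "GetAccountPasswordPolicy", "NoSuchEntityException"),
    _rec("deploy", "ec2.amazonaws.com", "RunInstances", "Client.UnauthorizedOperation"),
    _rec("deploy", "ec2.amazonaws.com", "DescribeInstances"),
]

def is_audit(rec):
    """True when the calling principal is the audit role."""
    return AUDIT_ROLE in rec.get("userIdentity", {}).get("arn", "")

def summarize(records):
    """Return (call volume per class, audit-role error counts, other error records)."""
    volume, audit_errors, other_errors = Counter(), Counter(), []
    for rec in records:
        audit = is_audit(rec)
        volume["audit" if audit else "other"] += 1
        if "errorCode" not in rec:
            continue
        if audit:
            audit_errors[rec["errorCode"]] += 1   # expected noise, or a policy gap
        else:
            other_errors.append(rec)              # errors worth a closer look
    return volume, audit_errors, other_errors

if __name__ == "__main__":
    volume, audit_errors, other_errors = summarize(SAMPLE)
    print("calls by principal class:", dict(volume))
    print("audit-role errors:", dict(audit_errors))
    for rec in other_errors:
        print("review:", rec["eventName"], rec["errorCode"], rec["userIdentity"]["arn"])
```

Access-denied errors that pile up under the audit role usually point to privileges missing from the role's policy rather than to anything in the account itself.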

~~~
xga2
note - I'm the project's maintainer

You're correct about the API calls & potential CloudTrail costs.

Regarding making calls to non-existent resources, that doesn't tend to be an
issue. Typically we start by making a call to whatever endpoint lists
resources, and then fetch additional information for these resources.

As for permissions, the wiki
([https://github.com/nccgroup/ScoutSuite/wiki](https://github.com/nccgroup/ScoutSuite/wiki))
has guidance towards the required privileges (including a minimal policy for
AWS - [https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy](https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Privileges-Policy))

------
Hnrobert42
I am interested in reviews of this tool. Has anyone used it?

~~~
ncc-erik
Note: I am a current NCC Group employee.

It does one thing very well: quickly grabbing a snapshot of the security
posture of a public cloud account's resources with little fuss. It's an ideal
solution as an outsider looking in at someone's account. But, I wouldn't use
it as-is for other needs (say, those of in-house security folks) like
continuous monitoring. That would be like using a Polaroid camera to create a
movie.

~~~
xga2
We also offer a SaaS version
([https://cyberstore.nccgroup.com/our-services/service-details/16/scout:-public-cloud-account-monitoring](https://cyberstore.nccgroup.com/our-services/service-details/16/scout:-public-cloud-account-monitoring)),
which includes persistent monitoring as well as support for additional services
and rules.

------
joncrane
We are still having a ton of trouble getting this tool to work in GovCloud.

The results that it IS able to provide are quite useful, however.

~~~
xga2
note - I'm the project's maintainer

For what provider are you having issues? It's been complicated to support
GovCloud accounts for AWS/Azure as we don't have access to any accounts. If
you'd be so kind as to support us with this then please get in touch via
GitHub issues
([https://github.com/nccgroup/ScoutSuite/issues](https://github.com/nccgroup/ScoutSuite/issues))
or directly at scoutsuite@nccgroup.com.

------
ruffrey
What are the benefits of using this over Amazon Inspector?

~~~
cj
Perhaps beneficial to companies utilizing multiple clouds wanting 1 tool and 1
process for auditing across clouds

~~~
xga2
note - I'm the project's maintainer

Correct, Scout Suite is inherently multi-cloud and has mature support for
AWS/Azure/GCP. This is very useful for organizations that want to leverage a
single tool to assess the posture of all their environments.

------
simonebrunozzi
Another great tool to look at is Sysdig [0]. The technical founder has an
amazing background in deep low level Linux stuff, and security.

[0]: [https://sysdig.com/](https://sysdig.com/)

