ScoutSuite: Multi-cloud security auditing tool (github.com)
89 points by vngzs 11 days ago | hide | past | web | favorite | 21 comments

another tool in this space, https://github.com/cloud-custodian/cloud-custodian

delta would be less ootb policies (though lots of github repos with examples re awesome custodian lists), and more user defined policy as code (dsl and gitops style) with integration into serverless provider platforms for continuous monitoring, along with remediation support and platform integrations (security hub, google cloud security command center, etc).

other tools in this space on the detect and report side (albeit aws specific) https://github.com/toniblyx/prowler https://github.com/jonrau1/ElectricEye

on the gcp side forseti, https://github.com/forseti-security/forseti-security

One thing people have to keep in mind when running these kinds of tools is they make tons of API calls. Depending on how you have things set up, using these tools can drastically increase your CloudTrail bill.

Also, they'll often make calls against non-existent resources or run into permissions issues. So it can clutter your CloudTrail with API errors, making actual API errors harder to locate.
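An added example, not from this thread or from the ScoutSuite project, of one way to stop scanner-generated API errors from masking real ones: partition CloudTrail error records by the principal the audit tool ran under, then summarise what remains. The CloudTrail records and the `AuditRole` / `AppRole` names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). Two failed calls
# come from the role an audit tool assumed, one unrelated failure comes from an
# application role, and one call succeeded (no errorCode field at all).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2020-06-01T10:00:01Z", "eventSource": "elasticmapreduce.amazonaws.com",
     "eventName": "DescribeCluster", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AuditRole/scout"}},
    {"eventTime": "2020-06-01T10:00:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetBucketPolicy", "errorCode": "NoSuchBucketPolicy",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AuditRole/scout"}},
    {"eventTime": "2020-06-01T10:00:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AppRole/api-1"}},
    {"eventTime": "2020-06-01T10:00:04Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/AuditRole/scout"}},
]})


def load_records(trail_json):
    """Parse the {"Records": [...]} shape CloudTrail uses for delivered log files."""
    return json.loads(trail_json)["Records"]


def partition_errors(records, audit_principal_fragment):
    """Split failed API calls into those made by the audit tool's principal and
    everything else. The fragment is matched against userIdentity.arn, so a
    role name such as 'assumed-role/AuditRole/' catches every session of it."""
    audit_errors, other_errors = [], []
    for rec in records:
        if "errorCode" not in rec:
            continue  # successful call; nothing to triage
        arn = rec.get("userIdentity", {}).get("arn", "")
        bucket = audit_errors if audit_principal_fragment in arn else other_errors
        bucket.append(rec)
    return audit_errors, other_errors


def error_summary(records):
    """Count failures by (service, API, error code) for a quick triage view."""
    return Counter((r["eventSource"], r["eventName"], r["errorCode"]) for r in records)


if __name__ == "__main__":
    scanner, real = partition_errors(load_records(SAMPLE_TRAIL), "assumed-role/AuditRole/")
    print("scanner noise:", dict(error_summary(scanner)))
    print("needs attention:", dict(error_summary(real)))
```

In practice the same partition can be expressed as a CloudTrail Lake or Athena filter on `userIdentity.arn`, but the grouping logic is the same.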

note - I'm the project's maintainer

You're correct about the API calls & potential CloudTrail costs.

Regarding making calls to non-existent resources that doesn't tend to be an issue. Typically we start by making a call to whatever endpoint lists resources, and then fetch additional information for these resources.

As for permissions the wiki (https://github.com/nccgroup/ScoutSuite/wiki) has guidance towards the required privileges (including a minimal policy for AWS - https://github.com/nccgroup/ScoutSuite/wiki/AWS-Minimal-Priv...)

I am interested in reviews of this tool. Has anyone used it?

Note: I am a current NCC Group employee.

It does one thing very well: quickly grabbing a snapshot of the security posture of a public cloud account's resources with little fuss. It's an ideal solution as an outsider looking in at someone's account. But, I wouldn't use it as-is for other needs (say, those of in-house security folks) like continuous monitoring. That would be like using a Polaroid camera to create a movie.

We also offer a SaaS version (https://cyberstore.nccgroup.com/our-services/service-details...), which includes persistent monitoring as well as support for additional services and rules.

I find it disruptive as a developer in an organization that used to run it very frequently. It aggressively crawls your infrastructure and blows up AWS API calls with low rate limits, like the EMR cluster description operations.

note - I'm the project's maintainer

Have a look at the `--max-workers` and `--max-rate` arguments, which allow controlling the rate of API calls made against the cloud environment. You can use these to tweak executions against environments and ensure you don't hit API caps.

Note that this isn't a Scout Suite issue per se, but the consequence of how AWS implements rate limiting (i.e. it's account-wide, not per-principal). Any AWS tool will face the same limitations / hurdles.

I apologize for the uncharitable description. It was more of an organizational issue. They could have picked any other tool to execute a self-inflicted DoS and I would have been upset with that instead.

Scout is basically to AWS assessments what Burp is to web assessments; the baseline standard tool. It's a consultant's tool, though.

We are still having a ton of trouble getting this tool to work in GovCloud.

The results that it IS able to provide are quite useful, however

note - I'm the project's maintainer

For what provider are you having issues? It's been complicated to support GovCloud accounts for AWS/Azure as we don't have access to any accounts. If you'd be so kind as to support us with this then please get in touch via GitHub issues (https://github.com/nccgroup/ScoutSuite/issues) or directly at scoutsuite@nccgroup.com.

What are the benefits of using this over Amazon Inspector?

Perhaps beneficial to companies utilizing multiple clouds wanting 1 tool and 1 process for auditing across clouds

note - I'm the project's maintainer

Correct, Scout Suite is inherently multi-cloud and has mature support for AWS/Azure/GCP. This is very useful for organizations that want to leverage a single tool to assess the posture of all their environments.

note - I'm the project's maintainer

AWS Inspector allows assessing the baseline security of EC2 instances / hosts, i.e. against CIS benchmarks (https://docs.aws.amazon.com/inspector/latest/userguide/inspe...). Scout Suite assesses the security posture of the cloud environment as a whole, across all [supported] services. It looks at things such as encryption, configuration of Identity and Access Management, resilience, backup configuration, privilege escalation vectors, etc.

This is the equivalent of the AWS CIS Benchmark if you use Security Hub. It is also way cheaper.

note - I'm the project's maintainer

And also implements a bunch more rules ;-).

Another great tool to look at is Sysdig [0]. The technical founder has an amazing background in deep low level Linux stuff, and security.

[0]: https://sysdig.com/
