Open Mobile Menu


Filed In: Network Security, Security Testing

Cloud Security Auditing - First Steps

Views: 1579

Written By: Stephen Haywood March 21, 2018

Many companies are moving to Infrastructure-as-a-Service (IaaS) offerings such as Amazon Web Services (AWS), Azure, and others. There are many benefits to moving to services like this, including cost management, a centralized management console, and APIs that allow automated infrastructure management. Unfortunately, IaaS has many of the same drawbacks as onsite infrastructure. The onus is still on the network owner to secure the infrastructure and to perform regular auditing and penetration testing of the infrastructure.

While auditing the machines operating inside the IaaS system, don’t forget to audit your IaaS control panel as well. Here is an example of some questions that should be answered:

  • What user accounts have access to the IaaS Control Panel?
  • What user accounts have privileged access?
  • Are there any user accounts that are no longer needed?
  • Are there any user accounts that have not accessed the Control Panel in the last 90 days?
  • Are there any shared user accounts?
  • Are there any shared API keys?
  • Are there users with API keys that have not used those keys in the last 90 days?
  • How many machines are running in the IaaS environment?
  • Are they all needed?

Many of these questions are the same as would be asked when auditing an on-premise network. Fortunately, many IaaS providers offer APIs that can provide the data needed to answer many of these questions in a programmatic fashion. AppSec Consulting has developed an example script to pull basic user information from Amazon Web Services to help answer some of these questions in your environment. In addition, AppSec Consulting has a more full-featured, proprietary tool and a comprehensive methodology that allows us to perform a thorough security assessment of your cloud environment.

The example scripts are publicly available on our Github page at All of the scripts require Python3 and the Boto3 library.

The script, for example, will use the AWS API to export a list of Identity and Access Management (IAM) user accounts, creation dates, last login dates, and any API keys associated with the account. To use the script, you must have Python3 and the Boto3 library installed.

Before running the script, modify it to add your AWS API key and secret. (For security purposes, use a dedicated API key with the built-in Read Only role.) Run the script using the following command:


Once the script is run, it will output a file called “iam_user_accounts.txt” whose content will be similar to the following:

  IAM User Accounts
  Username: api-readonly
  Created: 2017-01-23
  Last Login: Never
  Groups: APIReadOnly
  Keys: AKIAJXOMAL4A26IKWN6Q (2017-01-27)


Contact AppSec Consulting today to learn about how we can help assess your cloud environment with our comprehensive Cloud Architecture Security Assessment or Penetration Testing services.

Stephen Haywood

Stephen Haywood, aka AverageSecurityGuy, is a Senior Penetration Tester with AppSec Consulting with 14 years of experience in the Information Technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math, the Certified Information Systems Security Professional (CISSP) certification, the Offensive Security Certified Expert (OSCE) certification, and the Offensive Security Certified Professional (OSCP) certification. Over the last eight years, he has helped improve the network security of many small businesses ranging in size from ten employees to hundreds of employees by offering practical, time-tested information security advice.

In his off hours, Stephen created a number of security tools including the Prometheus firewall analysis tool and a set of penetration testing scripts used by testers worldwide. In addition, Stephen has made multiple contributions to the Metasploit exploitation framework including, auxiliary, exploitation, and post exploitation modules. Finally, Stephen created and delivered high-quality security training, spoke at multiple security conferences, and self-published an introduction to penetration testing book.

read more articles by Stephen Haywood