Multi-Cloud
5 automated security scanners
Cloud Cost Security
Purpose: The Cloud Cost Security and Cryptomining Detection Scanner is designed to identify potential resource abuse and cryptomining activities across AWS, Azure, and GCP environments. This tool aims to ensure compliance with security policies and prevent unauthorized use of cloud resources by detecting misconfigurations in S3 buckets, vulnerabilities in IAM policies, anomalies in EC2 instances, signs of cryptomining activity, and network security gaps such as open ports and misconfigured security groups.
What It Detects:
- S3 Bucket Misconfigurations:
  - Publicly accessible buckets: `BlockPublicAcls.*?false`
  - Missing server-side encryption: `ServerSideEncryptionConfiguration.*?not\s+found`
  - AllUsers or AuthenticatedUsers access: `AllUsers|AuthenticatedUsers`
- IAM Policy Vulnerabilities:
  - Overly permissive policies: `"Effect":\s*"Allow".*?"Action":\s*"\*"`
  - Root user usage: `arn:aws:iam::.*?:root`
  - Old account creation dates: `CreateDate.*?[0-9]{4}`
- EC2 Instance Anomalies:
  - Unnecessary or idle instances
  - Unauthorized access attempts logged in CloudTrail
- Cryptomining Activity Indicators:
  - Suspicious processes running on instances
  - Unexpected high CPU usage patterns
- Network Security Gaps:
  - Open ports and services exposed to the internet
  - Misconfigured security groups allowing unauthorized access
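The S3 and IAM checks listed above are given as regular expressions run over raw API output. The following added example (not code from the scanner itself) implements the same three bucket checks and the wildcard-Action and root-principal checks structurally on parsed API responses, which avoids false matches on, for example, a `"*"` that appears inside a Deny statement. The bucket snapshot and policy document are constructed samples; the severities follow the Risk Levels section of this page.

```python
import json
import re
from typing import Any

# Constructed sample for one bucket, shaped like the GetPublicAccessBlock,
# GetBucketAcl and GetBucketEncryption results a scanner would collect.
BUCKET_SNAPSHOT = {
    "Name": "example-bucket",
    "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False},
    "Acl": {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]},
    "ServerSideEncryptionConfiguration": None,
}

# Constructed sample IAM policy document containing the "Action": "*" case.
POLICY_DOCUMENT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"}
  ]
}""")

ROOT_ARN = re.compile(r"arn:aws:iam::\d{12}:root")
PUBLIC_GROUPS = ("AllUsers", "AuthenticatedUsers")


def check_bucket(b: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one bucket snapshot."""
    findings = []
    if not b["PublicAccessBlock"].get("BlockPublicAcls", False):
        findings.append(("Critical", f"{b['Name']}: BlockPublicAcls is false"))
    for grant in b["Acl"]["Grants"]:
        uri = grant["Grantee"].get("URI", "")
        group = uri.rsplit("/", 1)[-1]          # e.g. AllUsers
        if group in PUBLIC_GROUPS:
            findings.append(("Critical", f"{b['Name']}: {grant['Permission']} granted to {group}"))
    if not b.get("ServerSideEncryptionConfiguration"):
        findings.append(("Medium", f"{b['Name']}: no server-side encryption configured"))
    return findings


def check_policy(doc: dict[str, Any], principal_arn: str = "") -> list[tuple[str, str]]:
    """Flag Allow statements with a bare "*" Action, plus policies on the root principal."""
    findings = []
    if ROOT_ARN.fullmatch(principal_arn):
        findings.append(("High", f"attached to root principal {principal_arn}"))
    stmts = doc["Statement"]
    for i, s in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") == "Allow" and "*" in actions:
            findings.append(("High", f'statement {i}: Action "*" on Resource {s.get("Resource")}'))
    return findings
```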
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- aws_account_id (string): AWS Account ID for API access (e.g., 123456789012)
- gcp_project_id (string): GCP Project ID for API access (e.g., my-gcp-project)
Business Impact: This scanner is crucial for maintaining the security and compliance of cloud environments, preventing unauthorized use of resources that could lead to financial loss or reputational damage. It helps organizations adhere to strict security policies and regulations while ensuring operational efficiency in their cloud infrastructure.
Risk Levels:
- Critical: Conditions that directly compromise security posture, such as public S3 buckets without ACL restrictions, should be addressed with immediate attention.
- High: Policies allowing unrestricted actions or excessive permissions pose significant risks and require swift review and adjustment to align with least privilege principles.
- Medium: Issues like unencrypted data in S3 buckets may not immediately compromise security but are still considered medium risk due to potential future vulnerabilities that could be exploited by threat actors.
- Low: Informational findings such as unnecessary instances or open ports might not directly affect security but can contribute to cost optimization and operational efficiency considerations.
Example Findings:
- A bucket named "example-bucket" is found to be publicly accessible due to its `BlockPublicAcls` configuration being set to false.
- An IAM policy identified as overly permissive allows all actions across multiple services, posing a significant security risk by granting excessive permissions without explicit need.
Cloud IAM Consistency
Purpose: The Cloud IAM Consistency Scanner is designed to ensure consistent Identity and Access Management (IAM) practices across multiple cloud providers. It aims to detect deviations in access policies, permissions, and configurations, thereby helping maintain security standards and reduce the risk of unauthorized access.
What It Detects:
- S3 Bucket Configuration Issues:
  - Public ACLs: Detects buckets with `BlockPublicAcls` set to `false`.
  - Server-Side Encryption: Identifies buckets without server-side encryption enabled.
  - Access Permissions: Flags buckets accessible by `AllUsers` or `AuthenticatedUsers`.
- IAM Policy Vulnerabilities:
  - Wildcard Actions: Detects policies allowing all actions (`"Action": "*"`).
  - Root User Usage: Identifies usage of the root user account (`arn:aws:iam::.*?:root`).
  - Policy Creation Dates: Flags policies created before a certain date.
- Cross-Cloud IAM Role Consistency:
  - Role Naming Standards: Ensures IAM roles follow consistent naming conventions across AWS, Azure, and GCP.
  - Attached Policies: Verifies that the same policies are attached to corresponding roles in different clouds.
- Service Account Management:
  - Inactive Accounts: Detects inactive service accounts that have not been used recently.
  - Overprivileged Accounts: Identifies service accounts with excessive permissions.
- Access Control List (ACL) Misconfigurations:
  - Bucket ACLs: Checks for misconfigured bucket ACLs that allow unauthorized access.
  - Network Security Groups: Ensures network security groups are correctly configured to prevent unauthorized ingress and egress.
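The cross-cloud role consistency and overprivileged-account checks above can be expressed as a diff over a normalized inventory. This added example (not the scanner's own code) assumes a naming convention of `svc-<team>-<purpose>` and that each provider's attached policies have already been mapped to provider-agnostic names such as `billing:read`; the inventory is a constructed sample. It reports naming violations, wildcard policies, roles missing from a provider, and policy drift between providers.

```python
import re

# Assumed naming convention: workload roles look like svc-<team>-<purpose>.
ROLE_NAME = re.compile(r"^svc-[a-z0-9]+-[a-z0-9]+$")
WILDCARD = "*"

# Constructed inventory (not real data): provider -> role name -> normalized policies.
INVENTORY = {
    "aws": {
        "svc-billing-reader": {"billing:read"},
        "svc-ci-deploy": {"deploy:write", "artifacts:read"},
        "LegacyAdmin": {WILDCARD},
    },
    "azure": {
        "svc-billing-reader": {"billing:read"},
        "svc-ci-deploy": {"deploy:write"},
    },
    "gcp": {
        "svc-billing-reader": {"billing:read"},
        "svc-ci-deploy": {"deploy:write", "artifacts:read"},
    },
}


def check_roles(inventory: dict) -> list[tuple[str, str]]:
    """Compare roles across providers; return (severity, message) findings."""
    findings = []
    # 1. Naming standard and overprivileged roles, checked per provider.
    for provider, roles in inventory.items():
        for name, policies in roles.items():
            if not ROLE_NAME.match(name):
                findings.append(("Medium", f"{provider}/{name}: violates naming convention"))
            if WILDCARD in policies:
                findings.append(("High", f"{provider}/{name}: wildcard policy attached"))
    # 2. Presence and policy drift: every role is expected in every provider with
    #    the same policy set, so the union across providers is the reference.
    every_role = set().union(*inventory.values())
    for role in sorted(every_role):
        present = {p for p, roles in inventory.items() if role in roles}
        for missing in sorted(set(inventory) - present):
            findings.append(("Low", f"{missing}/{role}: role missing"))
        reference = set().union(*(inventory[p][role] for p in present))
        for p in sorted(present):
            gap = reference - inventory[p][role]
            if gap:
                findings.append(("Medium", f"{p}/{role}: missing policies {sorted(gap)}"))
    return findings
```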
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- aws_account_id (string): AWS account ID for IAM and resource checks.
- gcp_project_id (string): GCP project ID for IAM and resource checks.
Business Impact: Ensuring consistent IAM practices across multiple cloud providers is crucial for maintaining a secure and compliant environment. Misconfigurations in IAM policies can lead to unauthorized access, data breaches, and compliance violations.
Risk Levels:
- Critical: Policies allowing all actions (`"Action": "*"`) are highly critical as they grant unrestricted permissions.
- High: Usage of the root user account is a high risk because it provides complete control over the AWS account.
- Medium: Inactive service accounts and misconfigured bucket ACLs represent medium risks, but still need attention to prevent potential security issues.
- Low: Policies created before a certain date are considered low risk unless they explicitly require such permissions for legacy systems.
- Info: Informational findings like public buckets without encryption do not directly impact security but should be addressed for best practices compliance.
Example Findings:
- A bucket with `BlockPublicAcls` set to `false` would be flagged as a critical issue, indicating potential exposure of sensitive data.
- An IAM policy allowing all actions could lead to unauthorized modifications or access to critical resources, posing a significant risk.
Cloud-to-Cloud Security
Purpose: The Cloud-to-Cloud Security Scanner is designed to identify and mitigate cross-cloud access and identity federation issues by analyzing configurations across AWS, Azure, and GCP. Its primary objective is to ensure secure data handling and compliance through the detection of potential vulnerabilities in bucket configurations, IAM policies, RBAC misconfigurations, and other related areas.
What It Detects:
- S3 Bucket Configuration Issues:
  - Public Access: Detects buckets with `BlockPublicAcls` set to `false`, indicating a lack of ACL restrictions that could lead to unauthorized access.
  - Encryption: Identifies S3 buckets without server-side encryption, which is crucial for protecting data at rest.
  - Permissions: Flags grants to `AllUsers` or `AuthenticatedUsers`, potentially exposing sensitive information to the public.
- IAM Policy Vulnerabilities:
  - Overly Permissive Policies: Finds policies with `"Effect": "Allow"` and `"Action": "*"` for all resources, which can lead to excessive permissions being granted to users or roles.
  - Root User Usage: Detects the use of the root user account, which is highly risky as it has unrestricted access across all AWS services and resources.
  - Policy Age: Identifies policies created more than a year ago, potentially indicating outdated configurations that may no longer be secure.
- Azure Storage Security:
  - Public Access: Checks storage accounts with public access enabled, which can lead to unauthorized data exposure.
  - RBAC Misconfigurations: Identifies roles and permissions that are overly permissive or misconfigured, increasing the risk of privilege escalation attacks.
  - Network Security: Detects network rules that allow unrestricted access, potentially compromising the security posture of Azure resources.
- GCP IAM Role Issues:
  - Service Account Permissions: Finds service accounts with excessive permissions, which can lead to unauthorized activities within GCP environments.
  - Project-Wide Policies: Identifies project-wide policies that grant broad access, increasing the risk of misconfigured or malicious policies affecting multiple resources and services.
  - Audit Logs: Checks for missing or misconfigured audit logs, which are essential for monitoring and detecting potential security incidents.
Inputs Required:
- domain (string): The primary domain to analyze, such as acme.com, used to identify breach disclosure statements on the company website.
- aws_account_id (string): AWS account ID for analyzing specific configurations within that account.
- gcp_project_id (string): GCP project ID for analyzing specific configurations within that project.
Business Impact: This scanner is critical for organizations aiming to secure their cloud infrastructure, as it helps in identifying and remediating potential security flaws before they can be exploited by malicious actors. The findings from this scanner are essential for compliance with various industry standards and regulations, such as GDPR, HIPAA, and others that require data protection and privacy controls.
Risk Levels:
- Critical: Conditions where buckets have public access without encryption or where overly permissive IAM policies exist can lead to immediate unauthorized access or data breaches if exploited by threat actors.
- High: Misconfigured RBAC settings in Azure or GCP, allowing unrestricted network access, pose a significant risk of unauthorized activities and potential data exposure.
- Medium: Policies that are too permissive but not as critical as those at the high level can still lead to security vulnerabilities if left unaddressed.
- Low: Informational findings such as missing audit logs or outdated policies do not directly impact security but should be addressed for continuous improvement and compliance with best practices.
- Info: These are generally non-critical issues that provide insights into potential improvements in configuration and management processes, contributing to a stronger cloud security posture over time.
Example Findings:
- A critical finding could be an S3 bucket configured with `BlockPublicAcls` set to `false`, allowing public access without any restrictions.
- A high risk finding might be an IAM policy that allows all actions on all resources, providing excessive permissions and posing a significant security threat.
Cloud Security Policy Management
Purpose: The Cloud Security Policy Management Scanner is designed to identify and report inconsistencies and deviations in AWS, Azure, and GCP environments regarding security policies. It aims to ensure adherence to organizational baselines and compliance standards by detecting issues such as public access to S3 buckets, overly permissive IAM policies, insecure EC2 security groups, missing or misconfigured CloudTrail trails, and improperly assigned IAM roles in GCP.
What It Detects:
- S3 Bucket Configuration Issues: Identifies S3 buckets with `BlockPublicAcls` set to `false`, missing server-side encryption configurations, and grants to `AllUsers` and `AuthenticatedUsers`.
- IAM Policy Vulnerabilities: Detects overly permissive policies that allow all actions without specific resource constraints, usage of the root user, and outdated policies based on creation dates.
- EC2 Security Group Misconfigurations: Flags security groups with unrestricted ingress rules for sensitive ports and identifies unused or outdated security groups.
- CloudTrail Activity Monitoring: Checks for the absence of CloudTrail trails in AWS accounts and ensures that they are configured to log all regions and global events.
- GCP IAM Role Assignments: Identifies overly permissive roles assigned to users or service accounts, and potential misuse of service accounts with broad permissions.
Inputs Required:
- domain (string): Primary domain to analyze (e.g., acme.com)
- aws_account_id (string): AWS account ID for policy checks.
- gcp_project_id (string): GCP project ID for policy checks.
Business Impact: This scanner is crucial for maintaining a secure cloud environment by proactively identifying and remediating security policy violations, which can lead to significant risks such as data breaches, unauthorized access, and non-compliance fines.
Risk Levels:
- Critical: Overly permissive IAM policies allowing all actions without constraints, public S3 bucket configurations that do not block public ACLs, and root user usage in critical security settings.
- High: Insecure ingress rules in EC2 security groups and missing CloudTrail trails that hinder auditability of activities within the cloud environment.
- Medium: Policies with broad permissions that can affect multiple resources without specific scope, and some configurations that may not directly impact security but could be misused or lead to unnecessary risk exposure.
- Low: Some configurations might be less critical if they are isolated to non-sensitive areas of the infrastructure.
- Info: Informational findings about missing server-side encryption settings in S3 buckets, which, while concerning, may not pose an immediate threat without additional context on the usage and sensitivity of the data stored.
The risk levels are inferred based on the potential impact and severity of each detected issue.
Example Findings:
- A critical IAM policy that allows all actions (`"Action": "*"`) without resource constraints could lead to unauthorized access across multiple services within AWS, posing a significant threat.
- An S3 bucket with public access enabled through `BlockPublicAcls` set to `false` exposes sensitive data to unauthenticated users, increasing the risk of data leakage significantly.
Central Cloud Monitoring
Purpose: The Central Cloud Monitoring Scanner is designed to identify and address cross-cloud visibility and alert correlation issues by auditing AWS, Azure, and GCP configurations. It aims to ensure that security settings are correctly implemented and potential vulnerabilities are identified across various cloud services.
What It Detects:
- S3 Bucket Configuration Issues:
  - Public Access: Detects if public access is enabled on S3 buckets, which can lead to unauthorized data exposure.
  - Encryption: Identifies the absence of server-side encryption on S3 objects, exposing them to potential security risks.
  - Permissions: Uncovers if `AllUsers` or `AuthenticatedUsers` have permissions to S3 buckets, allowing unintended access.
- IAM Policy Vulnerabilities:
  - Wildcard Permissions: Detects IAM policies with wildcard actions (`"Action": "*"`), which can lead to excessive privileges and potential security breaches.
  - Root User Usage: Identifies the use of root user accounts, which are highly privileged and should be avoided for routine administrative tasks.
  - Account Creation Date: Checks for old account creation dates that may indicate potential dormant or compromised accounts.
- EC2 Security Group Misconfigurations:
  - Open Ports: Detects if security groups have open ports to the public internet, allowing remote access and increasing attack surface.
  - Insecure Rules: Identifies rules that allow unrestricted access, which can lead to unauthorized data exposure or system compromise.
- CloudTrail Configuration Issues:
  - Logging Disabled: Checks if CloudTrail logging is disabled for any regions, potentially hiding important administrative activities and security events.
  - Log File Validation: Verifies if log file validation is enabled, which helps ensure the integrity of logged data.
- Azure Storage Account Vulnerabilities:
  - Public Access: Detects if public access is enabled on Azure storage accounts, exposing data to unauthorized users.
  - Blob Container Permissions: Identifies if blob containers have public access settings, allowing unauthenticated access.
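The EC2 security group and CloudTrail checks described here and in the Cloud Security Policy Management section above (unrestricted ingress on sensitive ports, trails that do not cover all regions or global events, log file validation) are shown in this added example, which is not the scanner's own code. It assumes a sensitive-port list of its own choosing and works on constructed samples shaped like the DescribeSecurityGroups and DescribeTrails responses; an all-protocols rule (`IpProtocol` `-1`) open to the world is flagged on its own, and IPv6 `::/0` is treated the same as `0.0.0.0/0`.

```python
import ipaddress

# Assumed list of sensitive ports that should never be reachable from the internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample shaped like DescribeSecurityGroups output (not real data).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

# Constructed sample shaped like DescribeTrails output (not real data).
TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": False,
           "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": False}]


def _open_to_world(perm: dict) -> bool:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def check_security_groups(groups: list) -> list[tuple[str, str]]:
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not _open_to_world(perm):
                continue
            if perm["IpProtocol"] == "-1":           # all protocols, all ports
                findings.append(("High", f"{sg['GroupId']}: all traffic open to the internet"))
                continue
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)   # -1 for ICMP etc.
            hits = [f"{p}/{n}" for p, n in SENSITIVE_PORTS.items() if lo <= p <= hi]
            if hits:
                findings.append(("High", f"{sg['GroupId']}: {', '.join(hits)} open to the internet"))
    return findings


def check_cloudtrail(trails: list) -> list[tuple[str, str]]:
    if not trails:
        return [("High", "no CloudTrail trail configured in this account")]
    findings = []
    for t in trails:
        if not t["IsMultiRegionTrail"]:
            findings.append(("High", f"{t['Name']}: not multi-region, other regions are unlogged"))
        if not t["IncludeGlobalServiceEvents"]:
            findings.append(("High", f"{t['Name']}: global service events (IAM, STS) not logged"))
        if not t["LogFileValidationEnabled"]:
            findings.append(("Medium", f"{t['Name']}: log file validation disabled"))
    return findings
```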
Inputs Required:
- domain (string): The primary domain to analyze, which helps in identifying resources under this domain across different cloud services.
- aws_account_id (string): Specifies the AWS account ID for conducting a detailed configuration audit of S3 buckets, IAM policies, and EC2 security groups.
- gcp_project_id (string): Identifies the GCP project ID to audit CloudTrail configurations and other relevant settings within this project.
Business Impact: This scanner is crucial as it helps in maintaining a secure cloud environment by identifying misconfigurations that could lead to unauthorized access, data breaches, and potential system vulnerabilities. Addressing these issues promptly can significantly enhance the overall security posture of an organization’s cloud infrastructure.
Risk Levels:
- Critical: Conditions where public access is enabled on S3 buckets or IAM policies with wildcard actions are present, which directly expose sensitive information and risk elevated privileges.
- High: Use of root user accounts in IAM policies or disabled CloudTrail logging can lead to significant security risks if compromised.
- Medium: Insecure rules in EC2 security groups and lack of encryption on S3 objects pose moderate risks but should be addressed to improve overall cloud security.
- Low: Old account creation dates in IAM might indicate a low risk unless the accounts are associated with critical permissions or services.
- Info: Informational findings like using Hot access tier for storage accounts can be considered as minor issues that, while not critical, could be optimized for better cost management and security practices.
Example Findings:
- A public S3 bucket detected without any encryption, posing a significant risk of data exposure if accessed by unauthorized parties.
- An IAM policy granting full permissions (`"Action": "*"`) to an application, which might lead to unintended system modifications or data theft.
- EC2 instances with open ports (e.g., port 22 for SSH access) that are accessible from the internet, increasing the attack surface and potential unauthorized access points.