Multi-cloud storage bucket discovery via certificate transparency monitoring
Project description
CloudVault - Multi-Cloud Storage Security Scanner
Enterprise-grade cloud storage security scanner with advanced attack chain analysis, MITRE ATT&CK mapping, and comprehensive reporting
CloudVault discovers exposed AWS S3, Google Cloud Storage, and Azure Blob containers through certificate transparency monitoring and provides actionable security insights with tree-formatted visualizations.
Features
Core Capabilities
- Real-time Discovery - Certificate transparency log monitoring
- Multi-Provider - AWS S3, GCP Storage, Azure Blob
- Smart Detection - Automated permission checking
- Risk Scoring - Advanced multi-factor algorithm (0-100)
- Attack Chains - Multi-hop privilege escalation paths
- Tree Visualizations - ASCII tree output in every command
Advanced Features (Beyond Heimdall)
- Alerts - Slack, Discord, Email notifications
- Advanced Filtering - Boolean logic + regex queries
- Historical Tracking - SQLite database with trend sparklines
- Auto-Remediation - Terraform/AWS CLI script generation
- Trust Graphs - Relationship visualization
- Compliance - CIS Benchmarks, PCI-DSS mapping
- Interactive TUI - Textual framework interface
- Multi-Format Export - SARIF, CSV, JSON, HTML, ASCII Tree
Installation
```bash
# Clone repository
git clone https://github.com/yourusername/CloudVault.git
cd CloudVault
# Install dependencies
pip install -e .
# Install optional dependencies
pip install aiosqlite websockets   # for history & real-time scanning
```
Quick Start
Basic Scan (Static Domain List)
```bash
# Create domain list
echo "example.com" > domains.txt
echo "company.com" >> domains.txt
# Scan
cloudvault scan --source domains.txt --output findings.json
```
Real-Time Monitoring (Certificate Transparency)
```bash
# Monitor CT logs
cloudvault scan --only-interesting --save-history
# With keywords filter
cloudvault scan --keywords-file keywords.txt
# With alerts
cloudvault scan \
  --notify slack \
  --slack-webhook https://hooks.slack.com/... \
  --alert-on critical,high
```
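The discovery pipeline behind the scan commands above (a CT entry comes in, bucket-name candidates come out, each candidate is probed unauthenticated) in working form. This is an added example written for this page, not CloudVault's own scanner: the CT_ENTRY record, the SUFFIXES permutation list and the SAMPLE_RESPONSES table are constructed so the block runs offline, and the function names are the example's own. It also shows why the probe has to read S3's error XML rather than the status code alone: AccessDenied (bucket exists, private) and NoSuchBucket are both 4xx, and only the former is a finding.

```python
"""Added example (not CloudVault's own code): derive bucket-name candidates
from a certificate transparency entry and classify what S3 answers for each.

Constructed inputs: CT_ENTRY mimics the shape certstream emits, SUFFIXES is
an assumed permutation list, SAMPLE_RESPONSES stands in for live HTTP replies.
"""
import re
from xml.etree import ElementTree as ET

# Constructed CT entry in certstream's shape: SANs under data.leaf_cert.all_domains.
CT_ENTRY = {
    "data": {
        "leaf_cert": {
            "all_domains": ["*.company.com", "assets.company.com", "backups-prod.company.com"],
            "issuer": {"O": "DigiCert Inc"},
        }
    }
}

# Assumed permutation suffixes; a real wordlist would be longer.
SUFFIXES = ("", "-backup", "-backups", "-prod", "-dev", "-assets", "-logs")
# S3 naming rules: 3-63 chars of lowercase letters, digits and hyphens, no edge hyphen.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")
S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def is_lets_encrypt(entry):
    """True for Let's Encrypt leaves; skip_lets_encrypt in the config drops these as CT-stream noise."""
    return entry["data"]["leaf_cert"].get("issuer", {}).get("O", "") == "Let's Encrypt"


def candidates_from_entry(entry, keywords=()):
    """Strip wildcards, split each SAN into labels, and combine the organisation label
    (and the hyphenated host without its TLD) with SUFFIXES. If keywords are given,
    only names containing one survive, mirroring --keywords-file."""
    out = set()
    for host in entry["data"]["leaf_cert"]["all_domains"]:
        labels = host.lower().lstrip("*.").split(".")
        if len(labels) < 2:
            continue
        for base in {labels[-2], "-".join(labels[:-1])}:
            for suffix in SUFFIXES:
                name = base + suffix
                if BUCKET_RE.match(name):
                    out.add(name)
    if keywords:
        out = {n for n in out if any(k in n for k in keywords)}
    return sorted(out)


def classify_s3_response(status, body):
    """Classify an unauthenticated GET on the bucket root. A 200 with <ListBucketResult>
    is a public listing; otherwise the <Error><Code> element separates 'exists but
    private' (AccessDenied) from 'does not exist' (NoSuchBucket), which are both 4xx."""
    if status == 200 and "<ListBucketResult" in body:
        return "PUBLIC_LISTING"
    if status in (301, 307):
        return "EXISTS_OTHER_REGION"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "UNKNOWN"
    code = root.findtext("Code") or ""
    return {
        "NoSuchBucket": "NOT_FOUND",
        "AccessDenied": "EXISTS_PRIVATE",
        "AllAccessDisabled": "EXISTS_PRIVATE",
        "PermanentRedirect": "EXISTS_OTHER_REGION",
        "InvalidBucketName": "INVALID_NAME",
    }.get(code, "UNKNOWN")


def listed_keys(body):
    """Object keys from a public listing; names like db-dump.sql are what drives the risk score up."""
    root = ET.fromstring(body)
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


# Constructed replies keyed by bucket name (what http://<name>.s3.amazonaws.com/ would return).
SAMPLE_RESPONSES = {
    "company-backups": (403, '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
                             '<Message>Access Denied</Message></Error>'),
    "company-logs": (404, '<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                          '<Message>The specified bucket does not exist</Message></Error>'),
    "company-assets": (200, '<?xml version="1.0" encoding="UTF-8"?>'
                            '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
                            '<Name>company-assets</Name><Contents><Key>db-dump.sql</Key></Contents>'
                            '</ListBucketResult>'),
}


def scan_offline(entry, responses):
    """Join candidate generation with the response table; a live scanner issues the GETs instead."""
    findings = []
    if is_lets_encrypt(entry):
        return findings
    for name in candidates_from_entry(entry):
        if name not in responses:
            continue
        state = classify_s3_response(*responses[name])
        if state == "NOT_FOUND":
            continue
        finding = {"bucket": name, "provider": "aws", "state": state}
        if state == "PUBLIC_LISTING":
            finding["keys"] = listed_keys(responses[name][1])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_offline(CT_ENTRY, SAMPLE_RESPONSES):
        print(f)
```

GCS and Azure Blob need their own URL patterns and error formats (GCS returns JSON errors, Azure XML with different codes), so a multi-provider scanner keeps one classifier per provider behind the same state vocabulary.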
Dashboard & Analysis
```bash
# Security dashboard
cloudvault dashboard -i findings.json
# With filters
cloudvault dashboard -i findings.json \
  --filter "severity=CRITICAL,HIGH" \
  --only-public \
  --min-risk-score 75
# Attack chain analysis
cloudvault analyze -i findings.json -f tree
# Filter before analysis
cloudvault analyze -i findings.json \
  --filter "provider=aws" \
  --min-blast-radius 70
```
Export & Reporting
```bash
# SARIF for GitHub Security
cloudvault export -i findings.json -f sarif -o report.sarif
# HTML report
cloudvault export -i findings.json -f html -o report.html
# Tree visualization
cloudvault export -i findings.json -f tree -o report.txt
# CSV for spreadsheets
cloudvault export -i findings.json -f csv -o report.csv
```
Auto-Remediation
```bash
# Generate Terraform (print only, write nothing)
cloudvault remediate -i findings.json -f terraform --dry-run
# Generate AWS CLI commands
cloudvault remediate -i findings.json -f awscli
```
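What the generated fix looks like for a public AWS bucket, as an added example written for this page (not CloudVault's remediation templates; the FINDINGS list and the function names are constructed assumptions). Both outputs set the four S3 public-access-block flags, and GCP or Azure findings are reported as skipped because the remediate command above only emits Terraform and AWS CLI. Read the script before applying it: the same block also cuts off a bucket that is public on purpose, such as a static website, and objects that were already listable should be treated as exposed whatever the fix.

```python
"""Added example (not CloudVault's remediation templates): render a Terraform
resource or an AWS CLI command that blocks public access on every public AWS
bucket in a findings list. FINDINGS is constructed; non-AWS findings are
reported as skipped because only the AWS fix is implemented here.
"""
import re
import shlex

FINDINGS = [
    {"bucket_name": "company-prod-backups", "provider": "aws", "public": True},
    {"bucket_name": "company-test-data", "provider": "aws", "public": True},
    {"bucket_name": "company-prod-static", "provider": "gcp", "public": True},
    {"bucket_name": "company-prod-logs", "provider": "azure", "public": False},
]


def tf_label(bucket):
    """Terraform resource labels must be identifiers; bucket names may contain hyphens or start with a digit."""
    return "bucket_" + re.sub(r"[^a-z0-9_]", "_", bucket.lower())


def terraform_block(bucket):
    """aws_s3_bucket_public_access_block with all four flags on (the bucket-level block CIS 2.1.5 asks for)."""
    return (
        f'resource "aws_s3_bucket_public_access_block" "{tf_label(bucket)}" {{\n'
        f'  bucket                  = "{bucket}"\n'
        "  block_public_acls       = true\n"
        "  block_public_policy     = true\n"
        "  ignore_public_acls      = true\n"
        "  restrict_public_buckets = true\n"
        "}\n"
    )


def awscli_command(bucket):
    """Same change via s3api; shlex.quote guards against a name that is unsafe to paste into a shell."""
    return (
        "aws s3api put-public-access-block "
        f"--bucket {shlex.quote(bucket)} "
        "--public-access-block-configuration "
        "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
    )


def remediate(findings, fmt="terraform"):
    """Return {'script': text, 'skipped': [(bucket, provider), ...]} for public AWS findings.

    Only findings flagged public get a fix; providers without a template here are
    listed under 'skipped' so nothing silently drops out of the report.
    """
    render = {"terraform": terraform_block, "awscli": awscli_command}[fmt]
    scripts, skipped = [], []
    for f in findings:
        if not f.get("public"):
            continue                                   # nothing to fix
        if f["provider"] != "aws":
            skipped.append((f["bucket_name"], f["provider"]))
            continue
        scripts.append(render(f["bucket_name"]))
    return {"script": "\n".join(scripts), "skipped": skipped}


if __name__ == "__main__":
    result = remediate(FINDINGS, "terraform")
    print(result["script"])
    for bucket, provider in result["skipped"]:
        print(f"# skipped {bucket}: no {provider} template in this example")
```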
Compliance Audit
```bash
# CIS Benchmarks
cloudvault compliance -i findings.json --framework CIS
# PCI-DSS
cloudvault compliance -i findings.json --framework PCI-DSS
```
History & Trends
```bash
# View scan history
cloudvault history list --limit 20
# Trend analysis with sparklines
cloudvault history trends --days 30
# Compare scans
cloudvault history compare --from-scan 1 --to-scan 5
```
Commands Reference
| Command | Description |
|---|---|
| scan | Discover exposed buckets (CT logs or domain list) |
| dashboard | Security overview with risk scoring |
| analyze | Attack chain and privilege escalation analysis |
| export | Multi-format export (SARIF/CSV/JSON/HTML/Tree) |
| remediate | Generate auto-fix scripts (Terraform/AWS CLI) |
| compliance | Framework mapping (CIS/PCI-DSS/HIPAA) |
| history | Scan history, trends, and comparison |
| graph | Trust relationship visualization |
| tui | Interactive terminal UI |
| baseline | Delta reporting and ignore patterns |
| test-alerts | Test notification channels |
| init-config | Create default configuration |
Advanced Usage
Filtering Syntax
```bash
# Equality
--filter "severity=CRITICAL"
# Multiple values (OR)
--filter "severity=CRITICAL,HIGH"
# Comparison operators
--filter "risk_score>=75"
# Regex
--filter "bucket_name~regex:.*-prod-.*"
# Boolean AND
--filter "severity=CRITICAL AND provider=aws"
# Exclude
--exclude "bucket_name~.*-test-.*"
# Combine filters
--filter "severity=CRITICAL,HIGH" \
  --only-public \
  --min-risk-score 80
```
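A parser for the filter syntax above, as an added example rather than CloudVault's own filtering module (the FINDINGS records and the function names are this example's assumptions). It covers equality, comma-separated OR values, comparison operators, `~` regex with or without the `regex:` prefix, `AND`, and the way --exclude, --only-public and --min-risk-score combine with --filter. One limitation to know about: clauses are split on the token ` AND `, so a regex that itself contains that token is not supported.

```python
"""Added example (not CloudVault's filtering module): compile --filter /
--exclude expressions into predicates and apply them. FINDINGS is constructed.
"""
import operator
import re

OPS = {">=": operator.ge, "<=": operator.le, "!=": operator.ne,
       "=": operator.eq, ">": operator.gt, "<": operator.lt}
# field, operator, right-hand side; two-character operators listed first so '>=' is not read as '>'.
CLAUSE_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|!=|~|=|>|<)\s*(.+?)\s*$")

FINDINGS = [
    {"bucket_name": "company-prod-backups", "provider": "aws", "severity": "CRITICAL", "risk_score": 92, "public": True},
    {"bucket_name": "company-test-data", "provider": "aws", "severity": "HIGH", "risk_score": 78, "public": True},
    {"bucket_name": "company-prod-static", "provider": "gcp", "severity": "MEDIUM", "risk_score": 40, "public": True},
    {"bucket_name": "company-prod-logs", "provider": "azure", "severity": "HIGH", "risk_score": 81, "public": False},
]


def _number(text):
    """Numeric right-hand sides compare as numbers; anything else compares as case-folded text."""
    try:
        return float(text)
    except ValueError:
        return None


def parse_clause(text):
    """Compile one clause such as severity=CRITICAL,HIGH or risk_score>=75 into a predicate."""
    m = CLAUSE_RE.match(text)
    if not m:
        raise ValueError(f"bad filter clause: {text!r}")
    field, op, rhs = m.groups()
    if op == "~":                                   # regex match; the 'regex:' prefix is optional
        pattern = rhs[len("regex:"):] if rhs.startswith("regex:") else rhs
        rx = re.compile(pattern, re.IGNORECASE)
        return lambda f: rx.search(str(f.get(field, ""))) is not None
    if op == "=" and "," in rhs:                    # comma-separated list means OR
        allowed = {v.strip().upper() for v in rhs.split(",")}
        return lambda f: str(f.get(field, "")).upper() in allowed
    cmp, number = OPS[op], _number(rhs)

    def pred(f):
        value = f.get(field)
        if value is None:                           # missing field never matches
            return False
        if number is not None:
            try:
                return cmp(float(value), number)
            except (TypeError, ValueError):
                return False
        return cmp(str(value).upper(), rhs.upper())
    return pred


def parse_filter(expr):
    """Split on AND (case-insensitive); every clause must hold."""
    clauses = re.split(r"\s+AND\s+", expr.strip(), flags=re.IGNORECASE)
    preds = [parse_clause(c) for c in clauses]
    return lambda f: all(p(f) for p in preds)


def apply_filters(findings, include=None, exclude=None, only_public=False, min_risk_score=None):
    """Apply --filter, then --exclude, then --only-public and --min-risk-score."""
    keep = parse_filter(include) if include else (lambda f: True)
    drop = parse_filter(exclude) if exclude else (lambda f: False)
    out = []
    for f in findings:
        if not keep(f) or drop(f):
            continue
        if only_public and not f.get("public", False):
            continue
        if min_risk_score is not None and f.get("risk_score", 0) < min_risk_score:
            continue
        out.append(f)
    return out


if __name__ == "__main__":
    for f in apply_filters(FINDINGS, include="severity=CRITICAL,HIGH",
                           exclude="bucket_name~.*-test-.*", only_public=True, min_risk_score=80):
        print(f["bucket_name"], f["severity"], f["risk_score"])
```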
Alert Configuration
```bash
# Slack
--notify slack \
  --slack-webhook https://hooks.slack.com/... \
  --alert-on critical,high
# Discord
--notify discord \
  --discord-webhook https://discord.com/api/webhooks/...
# Email (SMTP)
--notify email \
  --email-to security@company.com \
  --smtp-host smtp.gmail.com \
  --smtp-user alerts@company.com \
  --smtp-password "..."
# Multiple channels
--notify slack discord email
```
Webhook URLs and the SMTP password are credentials: anyone who obtains the Slack or Discord URL can post into the channel. Passed as literal arguments they end up in shell history and in the process list of every local user, so for scheduled or CI runs supply them from an environment variable or a secret store, and keep config.yaml (which carries the Slack webhook, see Configuration) readable only by the account that runs the scan.
CI/CD Integration
```yaml
# .github/workflows/cloudvault.yml
on: [push, workflow_dispatch]
permissions:
  contents: read
  security-events: write   # required by upload-sarif
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          pip install cloudvault4
          cloudvault scan --source domains.txt --output findings.json
          cloudvault export -i findings.json -f sarif -o cloudvault.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: cloudvault.sarif
```
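The shape of the SARIF 2.1.0 document that the upload step above consumes, as an added example written for this page rather than taken from CloudVault's exporter. The findings, the provider/issue rule-id scheme, the use of the bucket URL as the location URI, the partial fingerprint and the 0-100 to 0-10 security-severity mapping are all this example's assumptions; the field names themselves are the SARIF ones that code scanning reads.

```python
"""Added example (not CloudVault's SARIF exporter): serialise bucket findings
as SARIF 2.1.0 for github/codeql-action/upload-sarif. FINDINGS is constructed.
"""
import json

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"
# SARIF result levels; CRITICAL and HIGH both map to error, the severity number carries the difference.
LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

FINDINGS = [
    {"bucket_name": "company-prod-backups", "provider": "aws", "issue": "public-listing",
     "severity": "CRITICAL", "risk_score": 92, "url": "https://company-prod-backups.s3.amazonaws.com/"},
    {"bucket_name": "company-test-data", "provider": "aws", "issue": "public-listing",
     "severity": "HIGH", "risk_score": 78, "url": "https://company-test-data.s3.amazonaws.com/"},
    {"bucket_name": "company-prod-static", "provider": "gcp", "issue": "public-read",
     "severity": "MEDIUM", "risk_score": 40, "url": "https://storage.googleapis.com/company-prod-static/"},
]


def to_sarif(findings, tool_name="cloudvault", tool_version="2.0.0"):
    """One run, one rule per provider/issue pair, one result per finding."""
    rules, results = {}, []
    for f in findings:
        rule_id = f"{f['provider']}/{f['issue']}"           # assumed id scheme
        rule = rules.setdefault(rule_id, {
            "id": rule_id,
            "shortDescription": {"text": f"{f['provider'].upper()} bucket {f['issue'].replace('-', ' ')}"},
            # security-severity is the 0-10 string code scanning uses to rank alerts;
            # derived here from the 0-100 risk score, and kept at the highest score seen for the rule.
            "properties": {"security-severity": "0.0"},
        })
        current = float(rule["properties"]["security-severity"])
        rule["properties"]["security-severity"] = f"{max(current, f['risk_score'] / 10):.1f}"
        results.append({
            "ruleId": rule_id,
            "level": LEVEL.get(f["severity"], "warning"),
            "message": {"text": f"{f['bucket_name']} ({f['provider']}) is {f['issue']}, risk {f['risk_score']}/100"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["url"]}}}],
            # Stable key so a re-upload updates the existing alert instead of opening a duplicate.
            "partialFingerprints": {"bucket": f"{f['provider']}:{f['bucket_name']}"},
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def sarif_json(findings):
    """The text that would be written to cloudvault.sarif."""
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(sarif_json(FINDINGS))
```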
Output Examples
Dashboard
```text
┌───────────────────────────────────────────────────────────┐
│                    CloudVault Dashboard                   │
│               Cloud Security Risk Analysis                │
└───────────────────────────────────────────────────────────┘
┌──── Security Risk Score ─────┐
│ Risk Score: 64.0/100         │
│ Status: HIGH                 │
└──────────────────────────────┘
Findings by Severity
  CRITICAL: 2 (40.0%) ████████
  HIGH:     2 (40.0%) ████████
  MEDIUM:   1 (20.0%) ████
Top Security Risks:
  1. Public S3 Bucket with Sensitive Data
  2. Credentials in Bucket Objects
  3. Database Dump Exposure
```
Attack Chain Analysis
```text
Multi-Hop Privilege Escalation (Blast Radius: 90.0)
├── Access Public Bucket (T1530)
├── Extract Credentials (T1552.001)
├── Authenticate with Stolen Credentials (T1078)
└── Exfiltrate Sensitive Data (T1537)
```
Compliance Report
```text
CIS Compliance Report
============================================================
├─ Total Controls: 2
├─ ✓ Passed: 0
├─ ✗ Failed: 4
└─ CIS-2.1.5: Ensure S3 buckets are not publicly accessible
   └─ ✗ company-prod-backups
```
Architecture
```text
cloudvault_discovery/
├── cli/          # Click command-line interface
├── core/         # Scanning engine (certstream, scanner)
├── models/       # Data models (Finding, AttackChain)
├── analysis/     # Risk scoring, MITRE mapping, attack chains
├── dashboard/    # Rich visualization and metrics
├── export/       # Multi-format exporters
├── alerts/       # Notification channels
├── filtering/    # Advanced query parser
├── history/      # SQLite database & trends
├── remediation/  # Auto-fix templates
├── compliance/   # Framework mappers
├── graph/        # Trust visualization
└── tui/          # Textual UI
```
Testing
```bash
# Run tests
pytest tests/ -v
# With coverage
pytest tests/ --cov=cloudvault_discovery
```
Configuration
```yaml
# config.yaml
scan:
  providers:
    aws: true
    gcp: true
    azure: true
  skip_lets_encrypt: true   # Let's Encrypt issues the bulk of CT entries; skipping them cuts noise
alerts:
  slack_webhook: "https://hooks.slack.com/..."   # a credential: restrict read access to this file
  severity_filter: ["CRITICAL", "HIGH"]
filters:
  exclude_patterns:
    - "*-test-*"
    - "*-dev-*"
```
Contributing
Contributions welcome! Please read CONTRIBUTING.md first.
License
MIT License - see LICENSE for details.
Acknowledgments
- Inspired by Heimdall
- Certificate transparency via Certstream
- MITRE ATT&CK Framework
Support
- Report bugs
- Request features
- Documentation
Made with ❤️ for cloud security
Project details
Download files
Source Distribution
Details for the file cloudvault4-2.0.0.tar.gz.
- Download URL: cloudvault4-2.0.0.tar.gz
- Size: 140.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8

| Algorithm | Hash digest |
|---|---|
| SHA256 | 968149eb210903f7c7b8ed2dc69fe0a11d3d0ecb06f588dfe1792e676d8db948 |
| MD5 | 1d572d33721d7d45544a66d1e074433d |
| BLAKE2b-256 | 48c1a69595256729c4053dffa95b01c5cd76c2cd4a45b23129e7d9c8e8c3dd1c |

Built Distribution
Details for the file cloudvault4-2.0.0-py3-none-any.whl.
- Download URL: cloudvault4-2.0.0-py3-none-any.whl
- Size: 200.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.8

| Algorithm | Hash digest |
|---|---|
| SHA256 | 94dd8605cfcc3ac7feed838343a19dd9356e5f516e5417ce93fe0b3051deaff3 |
| MD5 | cf6c897b9c2688e7de8f1c9166eb3117 |
| BLAKE2b-256 | c413dce3ee6d79aae147449e5d285572c765db2cfd15e528c2c4481ff6cd7f00 |