- Mar 27, 2022
nuvola (with the lowercase n) is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using a simple Yaml syntax.
The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola reflects the BloodHound traits used for Active Directory analysis but on cloud environments (at the moment only AWS).
The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralised and lightweight digital twin.
- docker-compose installed
- an AWS account configured to be used with awscli with full access to the cloud resources, better if in ReadOnly mode (the policy arn:aws:iam::awsolicy/ReadOnlyAccess is fine)
- Clone the repository
- Create and edit, if required, the .env file to set your DB username/password/URL
- Start the Neo4j docker instance
- Build the tool
- Firstly you need to dump all the supported AWS services configurations and load the data into the Neo4j database:
- To import a previously executed dump operation into the Neo4j database:
- To only perform static assessments on the data loaded into the Neo4j database using the :
- Or use to manually explore the digital twin.
About nuvolaTo get started with nuvola and its database schema, check out the nuvola .
No data is sent or shared with Prima Assicurazioni.
How to contribute
- reporting bugs and issues
- reporting new improvements
- reviewing issues and pull requests
- fixing bugs and issues
- creating new rules
- improving the overall quality
- RomHack 2022
Licensenuvola uses graph theory to reveal possible attack paths and security misconfigurations on cloud environments.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this repository and program. If not, see .
You must be registered for see images