Using cloudfox - SethBodine/audit-tools GitHub Wiki
CloudFox is a cloud attack surface enumeration tool for penetration testers and security engineers. Rather than checking for compliance against a benchmark, it maps the environment to answer situational awareness questions: what secrets exist, what principals have excessive permissions, what endpoints are exposed, and what attack paths are available. It supports AWS, Azure, and GCP.
- Enumerates AWS, Azure, and GCP environments for attack surface and attack paths
- Finds secrets in EC2 userdata and Lambda environment variables
- Maps IAM permissions, role trusts, and cross-account relationships
- Identifies publicly exposed endpoints and overly permissive resource policies
- All commands are read-only — no changes are made to the environment
- Failed permission checks fail silently, so any data returned confirms access
CloudFox works with `SecurityAudit` + `ViewOnlyAccess`, but some checks need additional permissions. For full coverage, attach the custom CloudFox policy alongside `SecurityAudit`:

- `arn:aws:iam::aws:policy/SecurityAudit`
- The custom policy from the repo at `misc/aws/cloudfox-policy.json`

The key additional permissions it adds beyond `SecurityAudit` include:

- `iam:SimulatePrincipalPolicy`
- `lambda:GetFunctionUrlConfig`
- `ec2:DescribeInstanceAttribute`
- `cloudformation:GetTemplate`
- `ssm:DescribeParameters`
- `secretsmanager:ListSecrets`

The full policy JSON is at https://github.com/BishopFox/cloudfox/blob/main/misc/aws/cloudfox-policy.json
For Azure, CloudFox uses your existing `az login` session. The Reader role on subscriptions is sufficient for most commands.
No setup required. Run from the shell.
Ensure cloud credentials are configured before running. See Cloud Authentication via CLI.
```bash
# Run every check against one profile
cloudfox aws --profile <profile> all-checks
cloudfox aws --profile <profile> all-checks -v2   # verbose output

# Find secrets in EC2 userdata and environment variables
cloudfox aws --profile <profile> env-vars
cloudfox aws --profile <profile> userdata

# Enumerate IAM permissions for all principals
cloudfox aws --profile <profile> permissions

# Find overly permissive role trusts and cross-account paths
cloudfox aws --profile <profile> role-trusts

# Find publicly exposed endpoints
cloudfox aws --profile <profile> endpoints

# List secrets and parameters (does not retrieve values)
cloudfox aws --profile <profile> secrets
cloudfox aws --profile <profile> ssm

# Enumerate S3 buckets and public access settings
cloudfox aws --profile <profile> buckets

# Enumerate EKS clusters
cloudfox aws --profile <profile> eks

# Run across multiple profiles
cloudfox aws -l <path-to-profile-list> all-checks
```

```bash
# Show current session context
cloudfox azure whoami

# Enumerate RBAC assignments for a subscription
cloudfox azure rbac --subscription <subscription-id>

# Enumerate RBAC across the full tenant
cloudfox azure rbac --tenant <tenant-id>

# Enumerate compute instances
cloudfox azure instances --subscription <subscription-id>
```

CloudFox saves all output to `./cloudfox-output/` automatically. Each command generates both a table view and CSV files, plus loot files with ready-to-run follow-up commands.

```bash
# Output is written automatically - no flags needed
# Find results under:
ls ./cloudfox-output/aws/<account-id>/
```

- Some AWS services do not support region detection correctly — CloudFox queries all regions, and regions that do not support a service will return errors. These can be ignored.
- The `SecurityAudit` managed policy does not cover all permissions CloudFox uses. Attach the custom policy for complete results.
- Check `~/.cloudfox/cloudfox-error.log` for permission errors if results seem incomplete.
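Because failed permission checks fail silently, an empty table can mean either "nothing found" or "not allowed to look". The following script is an added example (not part of CloudFox or this wiki) that triages `~/.cloudfox/cloudfox-error.log` after a run: it extracts the IAM actions that were denied and splits them into those the custom CloudFox policy would grant (fixed by attaching it) and those that would need a deliberate addition to the audit role. It assumes the log contains the AWS SDK's standard AccessDenied text, `is not authorized to perform: <service>:<Action>`; the surrounding log-line format, the sample lines, the account ID `111111111111` and the bucket name are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of CloudFox: triage the error log after a run so
# that silently failed checks are recognised as missing permissions rather
# than as "nothing found".
#
# Assumption: the log contains the AWS SDK's standard AccessDenied text,
# "... is not authorized to perform: <service>:<Action> ...". The exact
# wrapping CloudFox puts around that text is not documented here, so only
# that substring is matched.

# Unique IAM actions that were denied, one per line, sorted.
denied_actions() {
  grep -o 'not authorized to perform: [a-z0-9-]*:[A-Za-z0-9]*' "$1" \
    | sed 's/^.*: //' \
    | LC_ALL=C sort -u
}

# Denied actions that the custom CloudFox policy (listed in $1, one action
# per line) would grant: attaching that policy fixes these.
denials_covered_by() {
  denied_actions "$2" | grep -xF -f "$1" || true
}

# Denied actions that are NOT in the policy list: a gap in the audit role
# that needs a deliberate decision rather than a copy of the stock policy.
denials_not_covered_by() {
  denied_actions "$2" | grep -vxF -f "$1" || true
}

# --- Constructed sample data (not real CloudFox output) -------------------
POLICY_ACTIONS="$(mktemp)"
ERROR_LOG="$(mktemp)"
trap 'rm -f "$POLICY_ACTIONS" "$ERROR_LOG"' EXIT

# The extra actions listed on this page for misc/aws/cloudfox-policy.json
cat > "$POLICY_ACTIONS" <<'EOF'
iam:SimulatePrincipalPolicy
lambda:GetFunctionUrlConfig
ec2:DescribeInstanceAttribute
cloudformation:GetTemplate
ssm:DescribeParameters
secretsmanager:ListSecrets
EOF

# Constructed log lines; 111111111111 is a placeholder account ID. The last
# line is the kind of unsupported-region noise the notes say can be ignored.
cat > "$ERROR_LOG" <<'EOF'
permissions: AccessDenied: User: arn:aws:iam::111111111111:user/audit is not authorized to perform: iam:SimulatePrincipalPolicy on resource: arn:aws:iam::111111111111:role/Admin
permissions: AccessDenied: User: arn:aws:iam::111111111111:user/audit is not authorized to perform: iam:SimulatePrincipalPolicy on resource: arn:aws:iam::111111111111:role/Deploy
endpoints: AccessDeniedException: User: arn:aws:iam::111111111111:user/audit is not authorized to perform: lambda:GetFunctionUrlConfig on resource: arn:aws:lambda:us-east-1:111111111111:function:api
buckets: AccessDenied: User: arn:aws:iam::111111111111:user/audit is not authorized to perform: s3:GetBucketPolicy on resource: "example-bucket"
eks: UnsupportedOperation: region me-south-1 does not support this service
EOF

echo "Denied actions:"
denied_actions "$ERROR_LOG"
echo "Fixed by attaching the custom CloudFox policy:"
denials_covered_by "$POLICY_ACTIONS" "$ERROR_LOG"
echo "Not covered by the custom policy (decide case by case):"
denials_not_covered_by "$POLICY_ACTIONS" "$ERROR_LOG"
```

To use it against a real run, point `ERROR_LOG` at `~/.cloudfox/cloudfox-error.log` and fill `POLICY_ACTIONS` from the `Action` list in `cloudfox-policy.json`. Actions that show up as not covered are exactly the ones where a quiet, empty CloudFox table should not be read as a clean result.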