Security Audit - baeziy/AWSault GitHub Wiki
Security Audit
The security audit is Phase 3 of --godeep. It runs detection rules against the data collected during surface scan and deep enumeration, producing findings sorted by severity.
Overview
awsault --godeep
After deep enumeration completes, AWSault runs 16 security rules that check for common AWS misconfigurations. Each rule produces zero or more findings with a severity level, affected resource, description, and remediation recommendation.
Severity levels
| Severity | Color | Meaning |
|---|---|---|
| CRITICAL | Red | Immediate risk — publicly exposed data, admin access, no logging |
| HIGH | Orange | Significant risk — open ports, missing MFA, old keys |
| MEDIUM | Yellow | Notable misconfiguration — weak encryption, partial logging |
| LOW | Blue | Best practice violation — minor hardening gaps |
| INFO | Gray | Informational — noted but not necessarily a risk |
Findings are sorted by severity (CRITICAL first) in both terminal output and reports.
Detection rules
1. S3 Public Access (_rule_s3_public)
Checks every discovered S3 bucket for public exposure:
| Check | Severity | Condition |
|---|---|---|
| Public access block missing or disabled | CRITICAL | PublicAccessBlockConfiguration absent or any setting is false |
| Public ACL grants | CRITICAL | ACL grants to AllUsers or AuthenticatedUsers |
| Open bucket policy | CRITICAL | Bucket policy with Principal: "*" |
| Missing server-side encryption | MEDIUM | No default encryption configured |
| Website hosting enabled | MEDIUM | Static website hosting is on (may be intentional but worth flagging) |
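The checks in the table above, written out as an added example of how such a rule can be evaluated against already-collected bucket data (this is illustrative code, not AWSault's own `_rule_s3_public`). It assumes the inputs are shaped like the boto3 `s3` client responses and that a failed `get_public_access_block` / `get_bucket_policy` / `get_bucket_encryption` call was recorded as `None`.

```python
import json

# Grantee URIs that make an ACL grant public (AllUsers) or any-AWS-account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _principal_is_wildcard(principal):
    """True for Principal: "*" and for Principal: {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def audit_s3_bucket(pab, acl_grants, policy_json, encryption, website_enabled):
    """Return (severity, title) pairs for one bucket, in the order of the rule table.
    Argument shapes are an assumption of this example (boto3 s3 client responses):
      pab: 'PublicAccessBlockConfiguration' dict, or None if get_public_access_block failed
      acl_grants: 'Grants' list from get_bucket_acl
      policy_json: 'Policy' string from get_bucket_policy, or None
      encryption: 'ServerSideEncryptionConfiguration' dict, or None
      website_enabled: True if get_bucket_website returned a configuration
    """
    findings = []
    # Any one of the four settings being false re-opens a path to public exposure.
    if not pab or not all(pab.get(k) is True for k in PAB_KEYS):
        findings.append(("CRITICAL", "Public access block missing or disabled"))
    if any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS for g in acl_grants):
        findings.append(("CRITICAL", "Public ACL grants"))
    if policy_json:
        stmts = json.loads(policy_json).get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        # Conservative: a Condition on the statement does not suppress the finding.
        if any(s.get("Effect") == "Allow" and _principal_is_wildcard(s.get("Principal"))
               for s in stmts):
            findings.append(("CRITICAL", "Open bucket policy"))
    if not encryption or not encryption.get("Rules"):
        findings.append(("MEDIUM", "Missing server-side encryption"))
    if website_enabled:
        findings.append(("MEDIUM", "Website hosting enabled"))
    return findings
```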
2. Open Security Groups (_rule_sg_open)
Checks security groups for dangerous inbound rules allowing 0.0.0.0/0 or ::/0:
| Port | Service | Severity |
|---|---|---|
| 22 | SSH | CRITICAL |
| 3389 | RDP | CRITICAL |
| 3306 | MySQL | HIGH |
| 5432 | PostgreSQL | HIGH |
| 1433 | MSSQL | HIGH |
| 27017 | MongoDB | HIGH |
| 6379 | Redis | HIGH |
| 9200 | Elasticsearch | HIGH |
| 5900 | VNC | HIGH |
| 8080 | HTTP-Alt | HIGH |
| 8443 | HTTPS-Alt | HIGH |
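An added example (not AWSault's `_rule_sg_open`) showing how the port table above can be applied to a security group as returned by `describe_security_groups`. It goes slightly beyond the table: a rule is treated as exposing a port when it is "all traffic" (`IpProtocol` `-1`) or a TCP range that contains the port, so a `0-65535` rule flags every listed port rather than only exact matches. The function name and the `(severity, group_id, title)` shape are assumptions.

```python
# Port -> (service, severity), copied from the rule table above.
RISKY_PORTS = {
    22: ("SSH", "CRITICAL"), 3389: ("RDP", "CRITICAL"),
    3306: ("MySQL", "HIGH"), 5432: ("PostgreSQL", "HIGH"), 1433: ("MSSQL", "HIGH"),
    27017: ("MongoDB", "HIGH"), 6379: ("Redis", "HIGH"), 9200: ("Elasticsearch", "HIGH"),
    5900: ("VNC", "HIGH"), 8080: ("HTTP-Alt", "HIGH"), 8443: ("HTTPS-Alt", "HIGH"),
}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def _open_sources(perm):
    """CIDRs in one IpPermission entry that mean 'the whole internet' (v4 and v6)."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return v4 + v6

def audit_security_group(sg):
    """Return (severity, group_id, title) for each risky port reachable from anywhere.
    sg is one element of describe_security_groups()['SecurityGroups'] (boto3 shape assumed).
    Only inbound rules are inspected; UDP/ICMP rules fall outside the table and are skipped."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        sources = _open_sources(perm)
        if not sources:
            continue  # source is a specific CIDR, prefix list or another group
        proto = perm.get("IpProtocol")
        if proto == "-1":
            lo, hi = 0, 65535  # 'all traffic' rule: every port is reachable
        elif proto == "tcp":
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        for port, (service, severity) in sorted(RISKY_PORTS.items()):
            if lo <= port <= hi:
                for cidr in sources:
                    findings.append((severity, sg["GroupId"], f"{service} ({port}) open to {cidr}"))
    return findings
```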
3. IAM Users Without MFA (_rule_iam_no_mfa)
| Check | Severity | Condition |
|---|---|---|
| Console access without MFA | HIGH | User has a login profile (console access) but no MFA device attached |
4. Aged Access Keys (_rule_iam_old_keys)
| Check | Severity | Condition |
|---|---|---|
| Old active access keys | MEDIUM | Active access key created more than 90 days ago |
Reports the exact age in days for each flagged key.
5. Admin Policies on Roles (_rule_iam_admin)
Checks IAM roles for overpermissive policies:
| Check | Severity | Condition |
|---|---|---|
| Inline policy with full admin | CRITICAL | Inline policy with Action: * and Resource: * |
| Attached managed policy with full admin | CRITICAL | Attached policy document containing Action: * and Resource: * |
| Dangerous AWS managed policy | HIGH | Known high-risk policies attached (see list below) |
Dangerous managed policies detected:
- AdministratorAccess
- PowerUserAccess
- IAMFullAccess
- AmazonS3FullAccess
- AmazonEC2FullAccess
- AWSLambda_FullAccess
- AmazonDynamoDBFullAccess
- AmazonRDSFullAccess
- AWSKeyManagementServicePowerUser
6. Admin Policies on Users (_rule_iam_user_policies)
Same checks as rule 5 but for IAM users. Additionally flags:
| Check | Severity | Condition |
|---|---|---|
| Direct policy attachment | LOW | Any policy attached directly to a user instead of through a group (AWS best practice violation) |
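An added example covering rules 5 and 6 together (illustrative code, not AWSault's own `_rule_iam_admin` / `_rule_iam_user_policies`). It assumes the inline and attached policy documents have already been fetched and JSON-decoded during enumeration; `grants_full_admin` handles the string-or-list forms that `Action`, `Resource` and `Statement` can take in an IAM policy document, and only counts `Allow` statements.

```python
# AWS managed policies the rule treats as dangerous (the list above).
DANGEROUS_MANAGED = {
    "AdministratorAccess", "PowerUserAccess", "IAMFullAccess", "AmazonS3FullAccess",
    "AmazonEC2FullAccess", "AWSLambda_FullAccess", "AmazonDynamoDBFullAccess",
    "AmazonRDSFullAccess", "AWSKeyManagementServicePowerUser",
}
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

def _as_list(v):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])

def grants_full_admin(doc):
    """True if any Allow statement has Action '*' (or '*:*') together with Resource '*'."""
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(s.get("Action"))}
        resources = set(_as_list(s.get("Resource")))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False

def audit_principal(kind, name, inline, attached):
    """kind is 'role' (rule 5) or 'user' (rule 6). Argument shapes are assumptions:
    inline: {policy_name: decoded document}
    attached: {policy_name: (policy_arn, decoded document or None if not fetched)}
    Returns (severity, principal_name, title) tuples."""
    findings = []
    for pname, doc in inline.items():
        if grants_full_admin(doc):
            findings.append(("CRITICAL", name, f"Inline policy '{pname}' grants Action:* Resource:*"))
    for pname, (arn, doc) in attached.items():
        if doc is not None and grants_full_admin(doc):
            findings.append(("CRITICAL", name, f"Attached policy '{pname}' grants Action:* Resource:*"))
        elif arn.startswith(AWS_MANAGED_PREFIX) and pname in DANGEROUS_MANAGED:
            findings.append(("HIGH", name, f"Dangerous AWS managed policy '{pname}' attached"))
        if kind == "user":  # rule 6: users should get permissions through groups
            findings.append(("LOW", name, f"Policy '{pname}' attached directly to user"))
    return findings
```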
7. Overpermissive Trust Policies (_rule_iam_trust)
| Check | Severity | Condition |
|---|---|---|
| Wildcard principal | CRITICAL | Trust policy with Principal: "*" — anyone can assume the role |
| Cross-account trust | MEDIUM | Trust policy allowing a principal from a different AWS account |
8. Public RDS Instances (_rule_rds_public)
| Check | Severity | Condition |
|---|---|---|
| Publicly accessible | HIGH | PubliclyAccessible is true |
| Unencrypted storage | MEDIUM | StorageEncrypted is false |
| No deletion protection | LOW | DeletionProtection is false |
9. CloudTrail Gaps (_rule_cloudtrail)
| Check | Severity | Condition |
|---|---|---|
| No trails configured | CRITICAL | Zero CloudTrail trails found |
| Logging disabled | CRITICAL | Trail exists but IsLogging is false |
| Single-region only | MEDIUM | Trail is not multi-region |
| Log validation disabled | LOW | LogFileValidationEnabled is false |
10. Lambda Secrets (_rule_lambda_secrets)
Scans Lambda function environment variables for credentials:
Flagged variable names (case-insensitive):
PASSWORD, PASSWD, PWD, SECRET, TOKEN, API_KEY, APIKEY, PRIVATE_KEY, DB_PASS
Flagged value patterns:
- AWS access key IDs (AKIA followed by 16 characters)
- aws_secret_access_key patterns
- Private key blocks (BEGIN RSA PRIVATE KEY, BEGIN OPENSSH PRIVATE KEY)
Severity: HIGH
11. EC2 User Data Secrets (_rule_ec2_userdata_secrets)
Scans decoded EC2 user data scripts for the same credential patterns as Lambda secrets.
Severity: HIGH
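An added example of the credential scan shared by rules 10 and 11 (not AWSault's own `_rule_lambda_secrets` / `_rule_ec2_userdata_secrets`): the name list and value patterns from rule 10 are applied to a Lambda environment map, and the same value patterns are applied to base64-decoded EC2 user data. Assumptions: exact (case-insensitive) matching of variable names, the `AKIA` pattern as `AKIA` plus 16 uppercase alphanumerics, and the constructed sample user data, which comes from no real instance.

```python
import base64
import re

# Variable names flagged regardless of value (matched case-insensitively, exact name assumed).
FLAGGED_NAMES = {"PASSWORD", "PASSWD", "PWD", "SECRET", "TOKEN",
                 "API_KEY", "APIKEY", "PRIVATE_KEY", "DB_PASS"}

# Value patterns from rule 10: AKIA + 16 chars, a secret-key assignment, PEM private key headers.
VALUE_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"aws_secret_access_key", re.IGNORECASE),
    "Private key block": re.compile(r"BEGIN (?:RSA|OPENSSH) PRIVATE KEY"),
}

def scan_env(function_name, env):
    """Rule 10: flag Lambda environment variables by name and by value."""
    findings = []
    for name, value in env.items():
        if name.upper() in FLAGGED_NAMES:
            findings.append(("HIGH", function_name, f"Credential-like variable name '{name}'"))
        for label, pat in VALUE_PATTERNS.items():
            if pat.search(str(value)):
                findings.append(("HIGH", function_name, f"{label} in variable '{name}'"))
    return findings

def scan_user_data(instance_id, user_data_b64):
    """Rule 11: decode user data (DescribeInstanceAttribute returns it base64-encoded) and
    apply the same value patterns; the variable-name check does not apply to a script."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return [("HIGH", instance_id, f"{label} in user data at offset {m.start()}")
            for label, pat in VALUE_PATTERNS.items() for m in pat.finditer(text)]

# Constructed sample user data: a bootstrap script that writes a hard-coded private key
# and exports a secret key (the key material is AWS's documented placeholder value).
SAMPLE_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"cat > /root/.ssh/id_rsa <<'EOF'\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n"
    b"-----END RSA PRIVATE KEY-----\nEOF\n"
    b"export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
).decode("ascii")
```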
12. Unencrypted EBS Volumes (_rule_ebs_unencrypted)
| Check | Severity | Condition |
|---|---|---|
| No encryption | MEDIUM | EBS volume with Encrypted: false |
13. KMS Key Rotation (_rule_kms_rotation)
| Check | Severity | Condition |
|---|---|---|
| Rotation disabled | LOW | Customer-managed KMS key without automatic key rotation enabled |
Output
Findings appear in:
- Terminal — color-coded table with severity, service, resource, and title
- HTML report — dedicated Findings tab with full details and recommendations
- CSV export — flat rows with all finding fields
- JSON export — structured finding objects under the findings key
Example findings
CRITICAL s3 my-public-bucket Public access block missing or disabled
HIGH iam admin-user Console access without MFA
HIGH ec2 sg-0abc123 SSH (22) open to 0.0.0.0/0
MEDIUM iam deploy-key Access key is 147 days old
CRITICAL iam admin-role Inline policy 'full-admin' grants Action:* Resource:*