Repository: https://github.com/al0ne/cloud-audit (owner: al0ne; language: Python; topics: accesskey, aksk, aws, tencent-cloud; last pushed 2024-06-04)

## Project overview

cloud-audit (Cloud Security Audit Assistant) is a tool for detecting the abuse of leaked public-cloud AK/SK (access key / secret key) credentials. It periodically calls the cloud platform's audit-log APIs and flags suspected intrusions based on anomalous behaviour, known-bad signatures and baselines.

Currently only Tencent Cloud and AWS are supported.

## Features

- Alerts on AK/SK abuse on Tencent Cloud (anomalous behaviour)
    - AK/SK used to create commands / run commands
    - AK/SK used to add or delete sub-accounts
    - AK/SK used to list databases across regions
    - AK/SK used to list instances across regions
- Alerts on AK/SK abuse on AWS (baseline detection)
    - AK/SK used to create users
    - AK/SK used to list users
    - AK/SK used to list S3 buckets
    - AK/SK used to list databases
    - AK/SK used for privilege escalation
- Alert notifications via WeCom (企业微信) / Discord

## Usage

Step 1: install the dependencies

```bash
cd /opt/ && git clone https://github.com/al0ne/cloud-audit
cd cloud-audit && pip3 install -r requirements.txt
```

Step 2: create and edit the .env configuration

```bash
cp .env.example .env
```

Fill in the .env file according to your own environment:

```bash
# Tencent Cloud AK/SK; the tool uses these credentials to call the API and retrieve logs
TencentAccessKey="xxx"
TencentSecretKey="xxx"

# List of Tencent Cloud access keys to monitor
AccesskeyList="xxx,xxx,xxx"

# AWS AK/SK
AWS_ACCESS_KEY_ID="xxx"
AWS_SECRET_ACCESS_KEY="xxx"

# Discord notification settings
discord_webhook_url=""

# WeCom bot notification
weixin_webhook_url=""
```

Step 3: important program settings

```python
# Trusted network ranges; a sensitive operation called from outside them triggers an alert immediately.
while_cidr = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# AWS regions to watch; events in other regions are not queried
aws_region = [
    "us-east-1",
    "us-east-2",
    "ap-northeast-1",
    "ap-southeast-1"
]
```

Run it:

```bash
python3 cloud-audit.py
```

The program runs its search every 15 minutes.

### AWS permissions

Because AWS logs are read and audited through the AWS CloudTrail service, make sure the IAM identity you use has **AWSCloudTrail_ReadOnlyAccess**; otherwise you will see the following error:

```
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the LookupEvents operation: User: arn:aws:iam::xxxxx:user/test is not authorized to perform: cloudtrail:LookupEvents because no identity-based policy allows the cloudtrail:LookupEvents action
```

In the AWS IAM console, open the user and add the permission under Users --> Permissions.

## Detection logic

### Cloud-platform exploitation detection

When attackers use tooling built for cloud platforms, the usual actions include scanning every region for RDS instances, scanning every region for ECS instances or containers, creating or deleting sub-accounts, executing commands, and so on. These actions are sensitive in themselves, so the tool retrieves them through each cloud platform's log API.

The second case is sensitive operations coming from a non-trusted network range. Normally calls originate from the IDC intranet or the IDC egress IP, so an AK/SK call that comes from outside the enterprise's trusted ranges and performs a high-risk operation triggers an alert immediately.

Common sensitive key operations include:

- CreateUser
- ListUsers
- ListBuckets
- DescribeInstances
- DescribeDBInstances
- AttachUserPolicy
- RunCommand/CreateCommand (Tencent Cloud)

### Tencent Cloud detection

The biggest difference between the Tencent Cloud and AWS APIs is that Tencent Cloud lets you query the detailed actions of a specific AK ID through its API, whereas AWS only lets you search on the console; you cannot use an AK/SK to call an API that returns the recent activity of a specific AK ID.

So to detect Tencent Cloud AK/SK abuse, you supply the list of AK IDs that your production services use, and the tool periodically reviews the actions each AK ID has performed.

### AWS detection

On AWS, logs can only be fetched by region and by action: the tool calls the CloudTrail API with the AK/SK to check whether a given action has log entries in a given region.

So AWS detection is largely baseline-based.

```python
import ipaddress

# while_cidr (trusted ranges), text_title, utc_to_china_tz() and send_message()
# are defined elsewhere in cloud-audit.py.


def DescribeInstances(CloudTrailEvent: dict):
    """
    Detect an AK/SK being used to list EC2 instance information
    :param CloudTrailEvent:
    :return: None
    """
    accessKeyId = CloudTrailEvent.get('userIdentity').get('accessKeyId')
    arn = CloudTrailEvent.get('userIdentity').get('arn')
    eventTime = utc_to_china_tz(CloudTrailEvent.get('eventTime'))
    eventName = CloudTrailEvent.get('eventName')
    awsRegion = CloudTrailEvent.get('awsRegion')
    sourceIPAddress = CloudTrailEvent.get('sourceIPAddress')
    userAgent = CloudTrailEvent.get('userAgent')

    # True once the source IP falls inside one of the trusted CIDR ranges.
    # Note: for calls made on the caller's behalf by an AWS service, CloudTrail
    # reports a service hostname here instead of an IP, and ip_address() raises ValueError.
    sip_verify = False

    for cidr in while_cidr:
        if ipaddress.ip_address(sourceIPAddress) in ipaddress.ip_network(cidr):
            sip_verify = True

    # Alert only for untrusted source IPs that are not AWS-internal calls.
    # The three f-strings are joined inside parentheses so the full message is
    # built; as bare continuation lines they would be silently discarded.
    if not sip_verify and 'aws-internal' not in userAgent:
        message = (
            f"{text_title}\n时间：{eventTime}\n账号ID：{arn}\nRegion：{awsRegion}\nAccessKey ID:{accessKeyId}\n"
            f"执行动作：{eventName}\nIP地址：{sourceIPAddress}\nUser-Agent：{userAgent}\n\n"
            f"检测到有外部IP请求列实例信息，请注意是否为攻击者利用！"
        )
        send_message(message)
```

## Screenshots

Discord alert screenshots

![1](./img/3.png)

![1](./img/1.png)

![2](./img/2.png)

## Roadmap

Detection is currently behaviour-based only; baseline-based detection is also possible.

- AK/SK calls made with a non-SDK User-Agent
- Baseline detection: alert immediately when a command that has never been executed before is run for the first time