{"id":13576302,"url":"https://github.com/awslabs/aws-cloudsaga","last_synced_at":"2026-02-21T17:34:09.167Z","repository":{"id":37713534,"uuid":"462040356","full_name":"awslabs/aws-cloudsaga","owner":"awslabs","description":"AWS CloudSaga - Simulate security events in AWS","archived":false,"fork":false,"pushed_at":"2026-02-20T23:07:54.000Z","size":213517,"stargazers_count":473,"open_issues_count":3,"forks_count":38,"subscribers_count":12,"default_branch":"main","last_synced_at":"2026-02-21T04:56:08.796Z","etag":null,"topics":["aws","blue-team","incident-response-tooling","purple-team","red-teaming","security","security-audit"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/awslabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-02-21T21:39:16.000Z","updated_at":"2026-02-18T18:58:57.000Z","dependencies_parsed_at":"2024-01-15T00:24:15.868Z","dependency_job_id":"eee652e9-1a2f-452d-a0ed-39c66b0fd4a7","html_url":"https://github.com/awslabs/aws-cloudsaga","commit_stats":{"total_commits":32,"total_committers":6,"mean_commits":5.333333333333333,"dds":0.34375,"last_synced_commit":"e4f065a8bb7558af94768301f41f7679ea9baa8b"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":"amazon-archives/__template_Apache-2.0","purl":"pkg:github/awslabs/aws-cloudsaga","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Faws-cloudsaga","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Faws-cloudsaga/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Faws-cloudsaga/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Faws-cloudsaga/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/awslabs","download_url":"https://codeload.github.com/awslabs/aws-cloudsaga/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/awslabs%2Faws-cloudsaga/sbom","scorecard":{"id":219544,"data":{"date":"2025-08-11","repo":{"name":"github.com/awslabs/aws-cloudsaga","commit":"69a1d8bf929b384d46077cb25ae1790523354b07"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.3,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":2,"reason":"Found 4/17 approved changesets -- score normalized to 2","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/github-repo-stats.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/awslabs/aws-cloudsaga/github-repo-stats.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/awslabs/aws-cloudsaga/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/awslabs/aws-cloudsaga/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/awslabs/aws-cloudsaga/publish.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/awslabs/aws-cloudsaga/publish.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/github-repo-stats.yml:1","Warn: no topLevel permission defined: .github/workflows/publish.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/awslabs/.github/SECURITY.md:1","Info: Found linked content: github.com/awslabs/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/awslabs/.github/SECURITY.md:1","Info: Found text in security policy: github.com/awslabs/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 19 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T02:12:59.942Z","repository_id":37713534,"created_at":"2025-08-17T02:12:59.943Z","updated_at":"2025-08-17T02:12:59.943Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29688272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-21T15:51:39.154Z","status":"ssl_error","status_checked_at":"2026-02-21T15:49:03.425Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","blue-team","incident-response-tooling","purple-team","red-teaming","security","security-audit"],"created_at":"2024-08-01T15:01:08.998Z","updated_at":"2026-02-21T17:34:09.147Z","avatar_url":"https://github.com/awslabs.png","language":"Python","funding_links":[],"categories":["Python","Tools"],"sub_categories":[],"readme":"# AWS CloudSaga - Simulate security events in AWS\nAWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).\n\n## Use Case\nSecurity controls and best practices are published for securing AWS accounts, however, customers look for mechanisms to test security and incident response within their AWS environments, in order to protect themselves against known security events. \n\nAWS CloudSaga is for customers who want to test their environment against documented security events from the AWS CIRT. Using AWS CloudSaga, simple scenarios that mimic actual security events can be run against a customer's environment, testing the customer's response plans and defenses when these events occur, and improve defenses of their AWS environment from the results.\n\n## Usage\n```\ncloudsaga\n\n\n\n     ___   ____    __    ____   _______.          \n    /   \\  \\   \\  /  \\  /   /  /       |         \n   /  ^  \\  \\   \\/    \\/   /  |   (----`       \n  /  /_\\  \\  \\            /    \\   \\         \n /  _____  \\  \\    /\\    / .----)   |      \n/__/     \\__\\  \\__/  \\__/  |_______/       \n\n  ______  __        ______    __    __   _______       _______.     ___       _______      ___\n /      ||  |      /  __  \\  |  |  |  | |       \\     /       |    /   \\     /  _____|    /   \\ \n|  ,----'|  |     |  |  |  | |  |  |  | |  .--.  |   |   (----`   /  ^  \\   |  |  __     /  ^  \\ \n|  |     |  |     |  |  |  | |  |  |  | |  |  |  |    \\   \\      /  /_\\  \\  |  | |_ |   /  /_\\  \\ \n|  `----.|  `----.|  `--'  | |  `--'  | |  '--'  |.----)   |    /  _____  \\ |  |__| |  /  _____  \\  \n \\______||_______| \\______/   \\______/  |_______/ |_______/    /__/     \\__\\ \\______| /__/     \\__\\ \n                                                                                                                                               \n\n\n            Joshua \"DozerCat\" McKiddy - Team DragonCat - AWS\n            Type -h for help.\n\n    usage: cloudsaga [-h] [--scenario SCENARIO] [--chapters] [--about ABOUT]\n\n    CloudSaga - Simulate security events based on previous Ziplines\n\n    optional arguments:\n    -h, --help           show this help message and exit\n    --scenario SCENARIO  Perform the scenario you want to run against your AWS\n                        environment.\n    --chapters           List the available scenarios within CloudSaga. Use the\n                        --about flag to read details about a specific scenario.\n    --about ABOUT        Read about a specific scenario (e.g. --about\n                        \u003cscenario\u003e. For a list of available scenarios, use the\n                        --chapters flag.\n```\n\n\n## Prerequesites\n### Permissions\nThe following permissions are needed within AWS IAM for CloudSaga to run:\n* For imds-reveal:\n```\n\"ec2:DescribeInstances\"\n```\n* For network-changes:\n```\n\"ec2:DescribeInstances\",\n\"ec2:RunInstances\",\n\"ec2:CreateVpc\",\n\"ec2:DescribeVpcs\",\n\"ec2:CreateSecurityGroup\"\n```\n* For mining-bitcoin:\n```\n\"ec2:DescribeInstances\",\n\"ec2:RunInstances\"\n```\n* For iam-credentials:\n```\n\"iam:GenerateCredentialReport\",\n\"iam:GetCredentialReport\"\n```\n* For public-resources:\n```\n\"rds:DescribeDBInstances\",\n\"rds:CreateDBInstance\",\n\"rds:DeleteDBInstance\",\n\"s3:ListBuckets\",\n\"s3:CreateBucket\",\n\"s3:PutPublicAccessBlock\",\n\"s3:DeletePublicAccessBlock\"\n```\n\n## Specific Scenario Details\n```\nIMDS Reveal Scenario:\nThis scenario is based on a server-side request forgery attack. \nEC2 instances using IMDS version 1 are more likely to be subject to this \nkind of software flaw, and if EC2 Role credentials are present, those \ncredentials can be used in AWS.\n```\n```\nBitcoin Mining Scenario:\nThis scenario simulates the creation of Bitcoin mining instances.\nAttackers attempt to create Bitcoin mining instances using Amazon EC2,\nin order to leverage legitimate AWS customer's resources for their own purposes.\n```\n```\nNetwork Changes Scenario:\nThis scenario simulates the creation and modification of network resources within\nAWS. This includes creating Amazon VPCs, as well as modifications to Security Groups,\nfor the purposes of compromising resources within the AWS account.\n```\n```\nIAM Credentials Scenario:\nThis scenario attempts to grab the IAM credential report within the AWS account.\n```\n```\nPublicly Accessible Resources Scenario:\nThis scenario is for creating then checking for publicly accessible resources within an AWS account.\n```\n\n## Running the Code\nThe code in it's current form can be ran inside the following:\n* AWS CloudShell (preferred)\n* Locally (with IAM credentials, not preferred)\n\n## Prerequisites\nThe following prerequisites are required to use AWS CloudSaga\n* Python 3.7 or later\n* boto3 1.21.7 or later\n* pip3 (for installation of AWS CloudSaga)\n\n## Installing the code\nInstallation of the code is done via pip3:\n```\npip3 install cloudsaga\n```\n\n## Step-by-Step Instructions (for running in AWS CloudShell)\n1. Log into the AWS Console of the account you want to run AWS CloudSaga.\n2. Click on the icon for AWS Cloudshell next to the search bar.\n   * Ensure that you're in a region where AWS CloudShell is currently available.\n3. Once the session begins, install AWS CloudSaga via pip3:\n```\npip3 install cloudsaga\n```\n4. Once installed, run the following command to review the help page for AWS CloudSaga.\n```\ncloudsaga -h\n```\n5. Review the scenarios, select the one that you want to run for generating your security event for testing.\n\n### Logging\nA log file containing the detailed output of actions will be placed in the root directory of AWS CloudSaga. The format of the file will be cloudsaga_timestamp_here.log\n\nSample output within the log file:\n```\n2022-02-22 01:20:47,826 - INFO - --Checking instances in AWS region me-south-1--\n2022-02-22 01:20:47,826 - INFO - DescribeInstances API Call in AWS region me-south-1--\n2022-02-22 01:20:48,712 - INFO - You cannot perform lookup of IMDS versions in this region. Error message below:\n2022-02-22 01:20:48,712 - ERROR - An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials\n2022-02-22 01:20:48,713 - INFO - --Checking instances in AWS region sa-east-1--\n2022-02-22 01:20:48,713 - INFO - DescribeInstances API Call in AWS region sa-east-1--\n2022-02-22 01:20:49,525 - INFO - --Checking instances in AWS region us-east-1--\n2022-02-22 01:20:49,525 - INFO - DescribeInstances API Call in AWS region us-east-1--\n2022-02-22 01:20:49,876 - INFO - --Checking instances in AWS region us-east-2--\n2022-02-22 01:20:49,876 - INFO - DescribeInstances API Call in AWS region us-east-2--\n2022-02-22 01:20:50,192 - INFO - --Checking instances in AWS region us-west-1--\n2022-02-22 01:20:50,192 - INFO - DescribeInstances API Call in AWS region us-west-1--\n2022-02-22 01:20:50,444 - INFO - --Checking instances in AWS region us-west-2--\n2022-02-22 01:20:50,445 - INFO - DescribeInstances API Call in AWS region us-west-2--\n2022-02-22 01:20:50,610 - INFO - Instance ID i-99999999999999999 is using IMDSv1, where no authentication header is required to access the IMDS service.\n```\n\n## Cleaning Up\nOnce the logs have been enabled, you can safely remove any of the downloaded files from AWS CloudShell.\n* Note: The log file containing the detailed output of actions will be in the root directory of AWS CloudSaga. If you want to retain this, please download this to a safe place, either locally or to an Amazon S3 bucket, for your records. For information on how to download files from AWS CloudShell sessions, refer to the following [link](https://docs.aws.amazon.com/cloudshell/latest/userguide/working-with-cloudshell.html#files-storage).\n\n## Feedback\nPlease use the Issues section to submit any feedback, such as features or recommendations, as well as any bugs that are encountered.\n\n## Security\n\nSee [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.\n\n## License\n\nThis project is licensed under the Apache-2.0 License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawslabs%2Faws-cloudsaga","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fawslabs%2Faws-cloudsaga","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fawslabs%2Faws-cloudsaga/lists"}