{"id":47609881,"url":"https://github.com/praetorian-inc/aurelian","last_synced_at":"2026-04-01T20:00:03.426Z","repository":{"id":345771474,"uuid":"1141521761","full_name":"praetorian-inc/aurelian","owner":"praetorian-inc","description":"Open-source cloud security reconnaissance framework","archived":false,"fork":false,"pushed_at":"2026-03-30T08:35:35.000Z","size":57762,"stargazers_count":30,"open_issues_count":18,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-30T08:42:22.470Z","etag":null,"topics":["aws","azure","capability","cloud-security","gcp"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/praetorian-inc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-25T00:52:09.000Z","updated_at":"2026-03-30T01:36:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/praetorian-inc/aurelian","commit_stats":null,"previous_names":["praetorian-inc/aurelian"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/praetorian-inc/aurelian","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Faurelian","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Faurelian/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Faurelian/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Faurelian/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/praetorian-inc","download_url":"https://codeload.github.com/praetorian-inc/aurelian/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Faurelian/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291333,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","azure","capability","cloud-security","gcp"],"created_at":"2026-04-01T20:00:02.755Z","updated_at":"2026-04-01T20:00:03.414Z","avatar_url":"https://github.com/praetorian-inc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg width=\"2752\" alt=\"Aurelian — Open-Source Multi-Cloud Security Reconnaissance Framework for AWS, Azure, and GCP\" src=\"docs/aurelian.webp\" /\u003e\n\u003ch1 align=\"center\"\u003eAurelian\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eOpen-source cloud security reconnaissance framework\u003c/strong\u003e\u003cbr/\u003e\n  Detect secrets, misconfigurations, public exposure, and privilege escalation paths across AWS, Azure, and GCP — from a single CLI.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://github.com/praetorian-inc/aurelian/actions/workflows/ci.yml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/praetorian-inc/aurelian/ci.yml?style=flat-square\u0026label=build\" alt=\"Aurelian CI Build Status\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/praetorian-inc/aurelian/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/praetorian-inc/aurelian?style=flat-square\" alt=\"Aurelian Latest Release\"\u003e\u003c/a\u003e\n\u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-Apache%202.0-blue.svg?style=flat-square\" alt=\"Apache 2.0 License\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/praetorian-inc/aurelian/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/praetorian-inc/aurelian?style=flat-square\" alt=\"GitHub Stars\"\u003e\u003c/a\u003e\n\u003ca href=\"https://goreportcard.com/report/github.com/praetorian-inc/aurelian\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/praetorian-inc/aurelian?style=flat-square\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#what-is-aurelian\"\u003eWhat is Aurelian?\u003c/a\u003e •\n  \u003ca href=\"#key-capabilities\"\u003eCapabilities\u003c/a\u003e •\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e •\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n  \u003ca href=\"#modules\"\u003eModules\u003c/a\u003e •\n  \u003ca href=\"#documentation\"\u003eDocs\u003c/a\u003e •\n  \u003ca href=\"#faq\"\u003eFAQ\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n## What is Aurelian?\n\nAurelian is an open-source, multi-cloud security reconnaissance framework built in Go. It provides a single, unified command-line interface for cloud security assessments across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).\n\nWhere other tools require you to learn separate workflows per cloud provider, Aurelian gives you **one command structure that works everywhere**: `aurelian [platform] recon [module]`. Each module encapsulates a complex, multi-step security workflow — resource enumeration, content extraction, secrets scanning, policy analysis, access evaluation — behind a single command.\n\nAurelian was built by the offensive security team at [Praetorian](https://www.praetorian.com), based on years of cloud penetration testing and red team engagements across hundreds of enterprise environments.\n\n### Why Aurelian?\n\n| Challenge | How Aurelian Solves It |\n|-----------|----------------------|\n| **Fragmented tooling** — different tools per cloud, per task | Unified CLI: same commands, same output across AWS, Azure, and GCP |\n| **Complex enumeration workflows** — dozens of API calls for a single finding | Each module orchestrates the full workflow behind one command |\n| **Secrets scattered across cloud services** — user data, env vars, configs, logs | `find-secrets` extracts content from 30+ source types and scans with [Titus](https://github.com/praetorian-inc/titus) |\n| **Detection during assessments** — CloudTrail logs reveal recon activity | OPSEC-aware techniques minimize logging footprint |\n| **Understanding IAM blast radius** — permissions are complex and interconnected | Graph analysis with Neo4j visualizes privilege escalation paths |\n\n---\n\n## Key Capabilities\n\n### Secrets Discovery\n\nEnumerates cloud resources, extracts content from 30+ source types (EC2 user data, Lambda code, CloudFormation templates, CloudWatch logs, ECS task definitions, environment variables, storage blobs, application configurations), and scans with [Titus](https://github.com/praetorian-inc/titus) for hardcoded credentials, API keys, and tokens. Optional validation confirms whether discovered secrets are active.\n\n### Public Resource Detection\n\nCombines resource listing, property enrichment, policy fetching, and access evaluation to identify publicly accessible resources — open S3 buckets, exposed databases, public IPs, anonymous-access storage accounts, and more.\n\n### IAM Privilege Escalation Analysis\n\nCollects IAM data (Get Account Authorization Details, resource policies, org policies), evaluates effective permissions, and detects privilege escalation paths. Outputs JSON or populates a Neo4j graph database for interactive exploration.\n\n### Subdomain Takeover Detection\n\nChecks DNS records in Route53, Azure DNS, and Cloud DNS against known cloud-specific takeover patterns — dangling CNAMEs pointing to unclaimed cloud resources.\n\n### Cloud Misconfiguration Scanning\n\nAzure Resource Graph template-based detection for weak authentication, disabled RBAC, overly permissive access rules, and other configuration issues.\n\n### OPSEC-Aware Reconnaissance\n\nCovert techniques that avoid CloudTrail logging. The `whoami` module identifies the caller ARN using APIs that leak identity in error messages without generating audit log entries.\n\n---\n\n## Supported Cloud Platforms\n\n| Platform | Alias | Modules | Capabilities |\n|----------|-------|---------|--------------|\n| **Amazon Web Services (AWS)** | `aws`, `amazon` | 12 | Secrets, public resources, IAM graph, subdomain takeover, OPSEC whoami, cost analysis, CDK/CloudFront takeover |\n| **Microsoft Azure** | `azure`, `az` | 6 | Secrets, public resources, configuration scan, subdomain takeover, conditional access policies |\n| **Google Cloud Platform (GCP)** | `gcp`, `google` | 4 | Secrets, public resources, subdomain takeover, resource enumeration |\n\n---\n\n## Installation\n\n### From Source (Recommended)\n\n```sh\ngit clone https://github.com/praetorian-inc/aurelian.git\ncd aurelian\ngo build -o aurelian main.go\n```\n\nRequires **Go 1.24+**.\n\n### Docker\n\n```sh\ndocker build -t aurelian .\ndocker run --rm -v ~/.aws:/root/.aws aurelian aws recon whoami\n```\n\nA `docker-compose.yml` is included with credential volume mounts for all three cloud providers.\n\n### Build Options\n\n```sh\n# Standard build\ngo build -o aurelian .\n\n# SQLite-backed store (for memory-constrained environments)\ngo build -tags cache_sqlite -o aurelian .\n```\n\n---\n\n## Quick Start\n\n### Verify Your Identity (OPSEC-Safe)\n\n```sh\n# Identifies caller ARN without CloudTrail logging\naurelian aws recon whoami\n```\n\n### Find Hardcoded Secrets\n\n```sh\n# Scan all AWS regions for secrets in EC2 user data, Lambda code, CloudWatch logs, and more\naurelian aws recon find-secrets\n\n# Scan Azure subscriptions\naurelian azure recon find-secrets --subscription-id \u003cid\u003e\n\n# Scan GCP projects\naurelian gcp recon find-secrets --project-id \u003cid\u003e\n```\n\n### Detect Public Resources\n\n```sh\n# Find publicly accessible AWS resources (S3 buckets, RDS instances, etc.)\naurelian aws recon public-resources\n\n# Azure public resources\naurelian azure recon public-resources --subscription-id \u003cid\u003e\n\n# GCP public resources\naurelian gcp recon public-resources --project-id \u003cid\u003e\n```\n\n### Analyze IAM Privilege Escalation\n\n```sh\n# Build IAM graph and detect escalation paths\naurelian aws recon graph --neo4j-uri bolt://localhost:7687\n\n# Offline analysis from GAAD export\naurelian aws analyze analyze-iam-permissions --gaad-file gaad.json\n```\n\n### Detect Subdomain Takeovers\n\n```sh\naurelian aws   recon subdomain-takeover\naurelian azure recon subdomain-takeover --subscription-id \u003cid\u003e\naurelian gcp   recon subdomain-takeover --project-id \u003cid\u003e\n```\n\n### List All Modules\n\n```sh\naurelian list-modules\n```\n\n---\n\n## Modules\n\n### AWS Reconnaissance\n\n| Module | Description |\n|--------|-------------|\n| `find-secrets` | Enumerates resources, extracts content from 30+ source types, scans with Titus |\n| `public-resources` | Detects publicly accessible resources through policy and property evaluation |\n| `graph` | Collects IAM data, evaluates permissions, detects privilege escalation paths |\n| `subdomain-takeover` | Checks Route53 DNS for dangling CNAME cloud takeover patterns |\n| `whoami` | OPSEC-safe identity check via CloudTrail-silent API techniques |\n| `list-all` | Enumerates all Cloud Control resources across regions |\n| `account-auth-details` | Exports IAM Get Account Authorization Details (GAAD) |\n| `resource-policies` | Extracts resource-based policies for analysis |\n| `org-policies` | Fetches AWS Organizations SCPs and policies |\n| `cost-summary` | Summarizes AWS cost and usage data |\n| `cdk-bucket-takeover` | Detects orphaned CDK bootstrap buckets |\n| `cloudfront-s3-takeover` | Detects CloudFront distributions pointing to unclaimed S3 origins |\n\n### AWS Analysis\n\n| Module | Description |\n|--------|-------------|\n| `analyze-iam-permissions` | Offline IAM analysis — privilege escalation, cross-account access, create-then-use patterns |\n| `expand-actions` | Expands IAM wildcard actions to concrete permissions |\n| `access-key-to-account-id` | Resolves AWS access key to account ID |\n| `ip-lookup` | Identifies AWS IP ranges for a given IP address |\n| `known-account` | Checks if an account ID belongs to known AWS service accounts |\n\n### Azure Reconnaissance\n\n| Module | Description |\n|--------|-------------|\n| `find-secrets` | Discovers secrets across Azure services — Key Vaults, App Settings, Cosmos DB, and more |\n| `public-resources` | Detects publicly exposed Azure resources |\n| `configuration-scan` | Resource Graph template-based misconfiguration detection |\n| `subdomain-takeover` | Checks Azure DNS zones for dangling CNAMEs |\n| `conditional-access-policies` | Enumerates Conditional Access policies for weaknesses |\n| `list-all` | Enumerates all resources across subscriptions |\n\n### GCP Reconnaissance\n\n| Module | Description |\n|--------|-------------|\n| `find-secrets` | Discovers secrets in GCP services — metadata, environment variables, storage objects |\n| `public-resources` | Identifies publicly accessible GCP resources |\n| `subdomain-takeover` | Checks Cloud DNS for dangling CNAME records |\n| `list-all` | Enumerates all resources across projects |\n\n---\n\n## Architecture\n\nAurelian is built on three core patterns:\n\n- **Modules** — Entry points implementing `plugin.Module`. Registered via `init()`, auto-discovered, wired into the CLI. Each encapsulates a complete security workflow.\n- **Pipelines** — `pipeline.P[T]` is a generic streaming primitive with backpressure. Modules chain pipeline stages to process resources concurrently.\n- **Components** — Reusable building blocks in `pkg/\u003ccsp\u003e/\u003ccomponent\u003e/` with pipeline-compatible methods. Stateless processors wired into modules via `pipeline.Pipe`.\n\n```\nModule → Pipeline.Pipe(Lister) → Pipeline.Pipe(Enricher) → Pipeline.Pipe(Evaluator) → Output\n```\n\nAurelian's plugin architecture means adding a new module is as simple as implementing the `plugin.Module` interface and calling `plugin.Register()` — the CLI, flags, and parameter binding are handled automatically.\n\n---\n\n## Library Usage\n\nImport Aurelian modules directly into Go applications:\n\n```go\nimport (\n    \"github.com/praetorian-inc/aurelian/pkg/plugin\"\n    _ \"github.com/praetorian-inc/aurelian/pkg/modules/aws/recon\"\n)\n\nmod, _ := plugin.Get(\"aws\", \"recon\", \"whoami\")\nresults, err := mod.Run(cfg)\n```\n\n---\n\n## Documentation\n\nDetailed per-module documentation is available in the [`docs/`](docs/) directory:\n\n| Section | Description |\n|---------|-------------|\n| [`docs/aurelian_aws_recon.md`](docs/aurelian_aws_recon.md) | AWS reconnaissance module reference |\n| [`docs/aurelian_aws_analyze.md`](docs/aurelian_aws_analyze.md) | AWS analysis module reference |\n| [`docs/aurelian_azure_recon.md`](docs/aurelian_azure_recon.md) | Azure reconnaissance module reference |\n| [`docs/aurelian_gcp_recon.md`](docs/aurelian_gcp_recon.md) | GCP reconnaissance module reference |\n| [DEVELOPMENT.md](DEVELOPMENT.md) | Architecture deep dive, pipeline lifecycle, integration testing |\n| [CONTRIBUTING.md](CONTRIBUTING.md) | How to add modules, components, and submit PRs |\n\n---\n\n## How Aurelian Compares\n\nAurelian occupies a unique position in the cloud security tooling landscape — it is purpose-built for **offensive security reconnaissance** with a unified multi-cloud interface, where most alternatives focus on compliance scanning or single-cloud exploitation.\n\n| Capability | Aurelian | Prowler | ScoutSuite | Pacu | Cartography |\n|------------|----------|---------|------------|------|-------------|\n| **Multi-cloud unified CLI** | AWS, Azure, GCP | AWS, Azure, GCP, K8s | AWS, Azure, GCP | AWS only | AWS, Azure, GCP |\n| **Secrets discovery (30+ sources)** | Yes | Limited | No | No | No |\n| **OPSEC-aware (CloudTrail evasion)** | Yes | No | No | Partial | No |\n| **IAM privilege escalation graph** | Yes (Neo4j) | No | No | Yes | Yes (Neo4j) |\n| **Subdomain takeover detection** | Yes | No | No | No | No |\n| **Public resource detection** | Yes | Yes | Yes | No | No |\n| **Misconfiguration scanning** | Yes (Azure) | Yes | Yes | No | No |\n| **Compliance frameworks (CIS, NIST)** | No | Yes | Yes | No | No |\n| **Written in** | Go | Python | Python | Python | Python |\n| **Plugin architecture** | Yes | Yes | No | Yes | No |\n\n**Choose Aurelian when** you need offensive reconnaissance across multiple clouds — secrets, exposure, IAM analysis, and takeover detection — with OPSEC awareness. **Choose Prowler/ScoutSuite** when you need compliance-focused posture management with CIS benchmark reporting.\n\n---\n\n## FAQ\n\n### What cloud providers does Aurelian support?\n\nAurelian supports Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). All three use the same command structure: `aurelian [platform] recon [module]`.\n\n### What permissions does Aurelian need?\n\nAurelian uses read-only API access. For AWS, the `SecurityAudit` managed policy covers most modules. Azure modules need `Reader` role. GCP modules need `Viewer` role. The `whoami` module requires no permissions — it uses APIs that leak identity in error responses.\n\n### Does Aurelian write to CloudTrail?\n\nMost modules generate standard read-only CloudTrail entries. The `whoami` module specifically avoids CloudTrail logging by using covert API techniques (Timestream, Pinpoint, SQS error messages). Set `--opsec_level` to control logging behavior.\n\n### How is Aurelian different from Prowler?\n\nProwler is a cloud security posture management (CSPM) tool focused on compliance frameworks like CIS Benchmarks and NIST. Aurelian is a reconnaissance framework built for offensive security — it finds secrets in 30+ cloud source types, detects IAM privilege escalation paths, identifies subdomain takeover opportunities, and uses OPSEC-aware techniques that minimize detection. They are complementary tools.\n\n### How is Aurelian different from Pacu?\n\nPacu is an AWS exploitation framework for active attacks (privilege escalation, persistence, data exfiltration). Aurelian is a reconnaissance framework for finding weaknesses — it scans and reports but doesn't exploit. Aurelian also supports Azure and GCP, while Pacu is AWS-only.\n\n### Can I use Aurelian as a Go library?\n\nYes. All modules are importable via `github.com/praetorian-inc/aurelian/pkg/plugin`. Call `plugin.Get()` to retrieve a module and `mod.Run()` to execute it programmatically.\n\n### How do I add a new module?\n\nImplement the `plugin.Module` interface and register with `plugin.Register()` in `init()`. The CLI, flags, and parameter binding are handled automatically. See [CONTRIBUTING.md](CONTRIBUTING.md) for a full walkthrough.\n\n### What is Titus?\n\n[Titus](https://github.com/praetorian-inc/titus) is Praetorian's open-source secrets detection engine. Aurelian's `find-secrets` modules extract content from cloud resources and pipe it through Titus for pattern-based scanning with optional secret validation.\n\n---\n\n## Security\n\nSee [SECURITY.md](SECURITY.md) for vulnerability reporting guidelines. Only run Aurelian against cloud environments you own or have explicit authorization to assess.\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, module creation, and PR guidelines.\n\n## License\n\nApache 2.0 — see [LICENSE](LICENSE) for details.\n\n## About Praetorian\n\nAurelian is developed and maintained by [Praetorian](https://www.praetorian.com), an offensive security company that helps enterprises find and fix their most critical vulnerabilities. Our tools are built from real-world cloud penetration testing and red team engagements.\n\n- [Praetorian Website](https://www.praetorian.com)\n- [Praetorian GitHub](https://github.com/praetorian-inc)\n- [Titus — Secrets Detection Engine](https://github.com/praetorian-inc/titus)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Faurelian","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpraetorian-inc%2Faurelian","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Faurelian/lists"}