MCPcopy
hub / github.com/BishopFox/cloudfox

github.com/BishopFox/cloudfox @v2.0.5 sqlite

repository ↗ · DeepWiki ↗ · release v2.0.5 ↗
4,345 symbols 13,013 edges 338 files 1,904 documented · 44%
README

:fox_face: CloudFox :fox_face:

CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.

CLOUDFOX UPDATE REQUIRED: (12/2025): If you are using cloudfox, you need to use v1.17.0 or greater. All earlier versions stopped working after a format change in AWS's public service mapping file.

Overview

CloudFox helps you answer the following common questions (and many more):

  • What regions is this AWS account using and roughly how many resources are in the account?
  • What secrets are lurking in EC2 userdata or service specific environment variables?
  • What workloads have administrative permissions attached?
  • What actions/permissions does this [principal] have?
  • What role trusts are overly permissive or allow cross-account assumption?
  • What endpoints/hostnames/IPs can I attack from an external starting point (public internet)?
  • What endpoints/hostnames/IPs can I attack from an internal starting point (assumed breach within the VPC)?
  • What filesystems can I potentially mount from a compromised resource inside the VPC?

Demos, Examples, Walkthroughs

Intentionally Vulnerable Playground

Want to chat about CloudFox?

Join us on the RedSec discord server

Quick Start

CloudFox is modular (you can run one command at a time), but there is an aws all-checks command that will run the other aws commands for you with sane defaults:

cloudfox aws --profile [profile-name] all-checks

White Box Enumeration

CloudFox was designed to be executed by a principal with limited read-only permissions, but it's purpose is to help you find attack paths that can be exploited in simulated compromise scenarios (aka, objective based penetration testing).

Black Box Enumeration

CloudFox can be used with "found" credentials, similar to how you would use weirdAAL or enumerate-iam. Checks that fail, do so silently, so any data returned means your "found" creds have the access needed to retrieve it.

Documentation

For the full documentation please refer to our wiki.

Supported Cloud Providers

Provider CloudFox Commands
AWS 34
Azure 4
GCP 60
Kubernetes Support Planned

Install

Option 1: Download the latest binary release for your platform.

Option 2: If you use homebrew: brew install cloudfox

Option 3: Install Go, use go install github.com/BishopFox/cloudfox@latest to install from the remote source

Option 4: Developer mode:

Install Go, clone the CloudFox repository and compile from source # git clone https://github.com/BishopFox/cloudfox.git # cd ./cloudfox # Make any changes necessary # go build . # ./cloudfox

Option 5: Testing a bug fix git clone git@github.com:BishopFox/cloudfox.git git checkout seth-dev go build . ./cloudfox [rest of the command options]

Prerequisites

AWS

  • AWS CLI installed
  • Supports AWS profiles, AWS environment variables, or metadata retrieval (on an ec2 instance)
  • To run commands on multiple profiles at once, you can specify the path to a file with a list of profile names separated by a new line using the -l flag or pass all stored profiles with the -a flag.
  • A principal with one recommended policies attached (described below)
  • Recommended attached policies: SecurityAudit + CloudFox custom policy

Additional policy notes (as of 09/2022):

Policy Notes
CloudFox custom policy Has a complete list of every permission cloudfox uses and nothing else
arn:aws:iam::aws:policy/SecurityAudit Covers most cloudfox checks but is missing newer services or permissions like apprunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices
arn:aws:iam::aws:policy/job-function/ViewOnlyAccess Covers most cloudfox checks but is missing newer services or permissions like AppRunner:*, grafana:*, lambda:GetFunctionURL, lightsail:GetContainerServices - and is also missing iam:SimulatePrincipalPolicy.
arn:aws:iam::aws:policy/ReadOnlyAccess Only missing AppRunner, but also grants things like "s3:Get*" which can be overly permissive.
arn:aws:iam::aws:policy/AdministratorAccess This will work just fine with CloudFox, but if you were handed this level of access as a penetration tester, that should probably be a finding in itself :)

Azure

  • Viewer or similar permissions applied.

GCP

  • Google Cloud SDK installed and authenticated
  • Application Default Credentials configured (gcloud auth application-default login)
  • Recommended permissions at appropriate hierarchy levels (see below)

GCP Permissions: Minimal vs Comprehensive

Minimal Permissions (Single Project):

For basic enumeration of a single project, the roles/viewer role provides read access to most resources (includes logging, monitoring, and compute/network viewing).

Comprehensive Permissions (Organization-Wide):

For thorough security assessments across an entire organization:

Scope Role Purpose
Organization roles/resourcemanager.organizationViewer View organization structure and metadata
Organization roles/iam.securityReviewer Review IAM policies across the organization
Organization roles/cloudasset.viewer Query Cloud Asset Inventory for all resources
Organization roles/cloudidentity.groupsViewer Enumerate Google Groups and memberships
Folder roles/resourcemanager.folderViewer View folder hierarchy and metadata
Project roles/viewer Read access to most project resources (includes logging.viewer, monitoring.viewer, compute.viewer)
Tooling Project roles/serviceusage.serviceUsageAdmin (Optional) Manage API quotas for CloudFox operations

Note: The basic roles/viewer role includes permissions from roles/logging.viewer, roles/monitoring.viewer, and roles/compute.networkViewer, so these don't need to be granted separately.

GCP API Requirements

APIs must be enabled in each project you want to assess. GCP APIs are project-scoped.

API Service Name Purpose
Cloud Identity API cloudidentity.googleapis.com Group enumeration, inherited role analysis
Cloud Asset API cloudasset.googleapis.com Cross-project resource discovery
Cloud Resource Manager API cloudresourcemanager.googleapis.com Organization mapping, IAM enumeration
IAM API iam.googleapis.com IAM analysis, privilege escalation detection
Compute Engine API compute.googleapis.com Instance enumeration, network security
Secret Manager API secretmanager.googleapis.com Secrets enumeration
Cloud Functions API cloudfunctions.googleapis.com Serverless enumeration
Cloud Run API run.googleapis.com Serverless enumeration
Kubernetes Engine API container.googleapis.com Container security analysis
BigQuery API bigquery.googleapis.com Data security analysis

For detailed setup instructions, see the GCP Setup Guide.

AWS Commands

Provider Command Name Description
AWS all-checks Run all of the other commands using reasonable defaults. You'll still want to check out the non-default options of each command, but this is a great place to start.
AWS access-keys Lists active access keys for all users. Useful for cross referencing a key you found with which in-scope account it belongs to.
AWS api-gw Lists API gateway endpoints and gives you custom curl commands including API tokens if they are stored in metadata.
AWS buckets Lists the buckets in the account and gives you handy commands for inspecting them further.
AWS cape Enumerates cross-account privilege escalation paths. Requires pmapper to be run first
AWS cloudformation Lists the cloudformation stacks in the account. Generates loot file with stack details, stack parameters, and stack output - look for secrets.
AWS codebuild Enumerate CodeBuild projects
AWS databases Enumerate RDS databases. Get a loot file with connection strings.
AWS ecr List the most recently pushed image URI from all repositories. Use the loot file to pull selected images down with docker/nerdctl for inspection.
AWS ecs-tasks List all ecs tasks. This returns a list of ecs tasks and associated cluster, task definition, container instance, launch type, and associated IAM principal.
AWS eks List all EKS clusters, see if they expose their endpoint publicly, and check the associated IAM roles attached to reach cluster or node group. Generates a loot file with the aws eks udpate-kubeconfig command needed to connect to each cluster.
AWS elastic-network-interfaces List all eni information. This returns a list of eni ID, type, external IP, private IP, VPCID, attached instance and a description.
AWS endpoints Enumerates endpoints from various services. Scan these endpoints from both an internal and external position to look for things that don't require authentication, are misconfigured, etc.
AWS env-vars Grabs the environment variables from services that have them (App Runner, ECS, Lambda, Lightsail containers, Sagemaker are supported. If you find a sensitive secret, use cloudfox iam-simulator AND pmapper to see who has access to them.
AWS filesystems Enumerate the EFS and FSx filesystems that you might be able to mount without creds (if you have the right network access). For example, this is useful when you have ec:RunInstance but not iam:PassRole.
AWS iam-simulator Like pmapper, but uses the IAM policy simulator. It uses AWS's evaluation logic, but notably, it doesn't consider transitive access via privesc, which is why you should also always also use pmapper.
AWS instances Enumerates useful information for EC2 Instances in all regions like name, public/private IPs, and instance profiles. Generates loot files you can feed to nmap and other tools for service enumeration.
AWS inventory Gain a rough understanding of size of the account and preferred regions.
AWS lambda Lists the lambda functions in the account, including which one's have admin roles attached. Also gives you handy commands for downloading each function.
AWS network-ports Enumerates AWS services that are potentially exposing a network service. The security groups and the network ACLs are parsed for each resource to determine what ports are potentially exposed.
AWS orgs Enumerate accounts in an organization
AWS outbound-assumed-roles List the roles that have been assumed by principals in this account. This is an excellent way to find outbound attack paths that lead into other accounts.
AWS permissions Enumerates IAM permissions associated with all users and roles. Grep this output to figure out what permissions a particular principal has rather than logging into the AWS console and painstakingly expanding each pol

Extension points exported contracts — how you extend this code

CloudfoxOutput (Interface)
TODO support datastructures that enable brief or wide format [68 implementers]
internal/output2.go
Iterator (Interface)
Wrappers and abstracting types to facilitate mocking the client responses [4 implementers]
gcp/services/secretsService/secretsService.go
AttackSummaryProvider (Interface)
AttackSummaryProvider is an interface that FoxMapperCache implements This allows modules to use the cache interchangeabl [2 …
internal/gcp/foxmapper_cache.go
AWSCodeCommitClientInterface (Interface)
(no doc) [4 implementers]
aws/sdk/codecommit.go
Node (Interface)
(no doc) [4 implementers]
aws/graph/ingester/schema/schema.go
TagsGetResourcesAPI (Interface)
(no doc) [3 implementers]
aws/tags.go
AWSSQSClient (Interface)
(no doc) [2 implementers]
aws/sqs.go
SNSClientInterface (Interface)
(no doc) [2 implementers]
aws/sns.go

Core symbols most depended-on inside this repo

Error
called by 757
internal/log.go
IncrError
called by 439
internal/aws.go
InfoM
called by 376
internal/log.go
GetProjectName
called by 244
internal/gcp/base.go
Info
called by 232
internal/log.go
Add
called by 194
gcp/shared/risk.go
ErrorM
called by 177
internal/log.go
DecrExecuting
called by 124
internal/aws.go

Shape

Method 2,393
Function 1,176
Struct 693
Interface 67
TypeAlias 12
FuncType 4

Languages

Go100%

Modules by API surface

internal/gcp/sdk/clients.go86 symbols
gcp/commands/compliancedashboard.go77 symbols
gcp/services/foxmapperService/foxmapperService.go72 symbols
internal/gcp/sdk/interfaces.go67 symbols
internal/output2.go63 symbols
gcp/services/iamService/iamService.go62 symbols
aws/inventory.go62 symbols
gcp/commands/networktopology.go54 symbols
gcp/commands/inventory.go54 symbols
aws/network-ports.go50 symbols
gcp/commands/whoami.go48 symbols
cli/aws.go44 symbols

Dependencies from manifests, versioned

cel.dev/exprv0.25.1 · 1×
cloud.google.com/gov0.123.0 · 1×
cloud.google.com/go/accesscontextmanagerv1.9.7 · 1×
cloud.google.com/go/artifactregistryv1.18.0 · 1×
cloud.google.com/go/assetv1.22.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/bigqueryv1.72.0 · 1×
cloud.google.com/go/compute/metadatav0.9.0 · 1×
cloud.google.com/go/kmsv1.23.2 · 1×
cloud.google.com/go/longrunningv0.7.0 · 1×

Datastores touched

(mongodb)Database · 1 repos

For agents

$ claude mcp add cloudfox \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact