awspx
Graph-based tool for visualizing effective access and resource relationships in AWS environments.
| Category | Penetration Testing Tools |
|---|---|
| Community Stars | 926 |
| Last Commit | 3 years ago |
| Last page update | 18 days ago |
| Pricing Details | Free and open-source under the GNU General Public License v3.0. |
| Target Audience | AWS security professionals, internal auditors, and penetration testers. |
awspx addresses the problem of understanding access control and resource relationships in AWS environments, which is essential for enforcing least privilege and maintaining security.
The tool uses a graph-based architecture with Neo4j for data storage and visualization. It consists of two primary components: the ingestor, which collects AWS account data by querying services such as IAM, S3, EC2, and Lambda, and the web interface, which lets users explore and visualize the collected data. Because the ingestor requires authenticated access to the AWS environment, awspx is not suited to initial black-box offensive testing; it is intended for white-box testing and internal security audits.
Operationally, awspx relies on Docker for deployment on Linux or macOS systems. The tool prompts for AWS credentials during the ingestion process and can load sample datasets for testing. The web interface provides advanced search capabilities, including paths-based and actions-based searches, and the ability to toggle between direct and effective searches to identify potential attack paths and access relationships. This allows for detailed analysis of access controls and the identification of unwanted access paths.
Key operational considerations include the need for appropriate AWS permissions for the tool to function, and the tool's reliance on custom policies to ensure least privilege access. Wildcard permissions and default policies can be misleading and may grant more access than necessary, which underlines the importance of implementing custom policies. awspx has also received several improvements and bug fixes, such as enhanced error handling, improved CLI aesthetics, and standardized resource models, which contribute to its stability and usability.
From a technical standpoint, awspx uses a range of AWS APIs to collect data and builds a detailed graph of access relationships. It supports ingesting data from multiple ZIP files and has optimized attack-pruning logic that retains only the shortest paths. However, it may encounter performance issues with large datasets because of the complexity of the graph and the computational resources Neo4j requires.