SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS

Multi-Cloud, Open Source, Self Hosted Only
Category: Identity & Access Management
GitHub Stars: 878
Last Commit: 1 month ago
This page updated a month ago
Pricing Details: Free and open-source.
Target Audience: Security teams and cloud administrators managing Azure and AWS environments.

SkyArk is designed for identifying and securing highly privileged entities in cloud environments, specifically Azure and AWS. The tool consists of two primary scanning modules: AzureStealth and AWStealth.

AzureStealth and AWStealth are designed to discover the most sensitive and risky permissions assigned to users, groups, and roles within Azure and AWS environments, respectively. These modules operate with read-only permissions, ensuring minimal impact on the scanned environments. For Azure, AzureStealth requires only read-only access to the Azure Directory (Tenant) and Subscription, while AWStealth needs similar permissions over the IAM service in AWS.

The technical architecture of SkyArk involves PowerShell scripts that can be executed locally or within the cloud provider's shell environments, such as Azure CloudShell. The scripts analyze the permission structures and identify potential Shadow Admins, which are accounts with elevated privileges that could be exploited by attackers. The results are provided in detailed reports, highlighting the most privileged entities and their associated permissions.

Operational considerations include the need for periodic scans to detect any changes or suspicious deviations in the list of privileged entities. Additionally, the tool's performance and scalability are optimized for real-time scanning, although large-scale environments may require careful management to avoid performance degradation.

SkyArk is run as a PowerShell module: load it with Import-Module .\SkyArk.ps1 -force, then run Start-AzureStealth or Start-AWStealth to initiate a scan. The output is delivered in CSV and text files that list the privileged accounts and their permissions, which security teams need in order to monitor and secure these high-risk entities.
