npx skills add mukul975/Anthropic-Cybersecurity-SkillsLegal Notice: This skill is for authorized cloud penetration testing and assessment only. CloudFox makes read/describe API calls against the cloud account whose credentials you supply. Run it ONLY against accounts you own or are authorized to test under a signed scope. Although CloudFox is read-only by design, the enumeration it performs is reconnaissance against a live environment and must be in scope.
Overview
CloudFox is an open-source command-line tool from Bishop Fox that helps penetration testers and red teamers gain situational awareness in unfamiliar cloud environments. Where tools like ScoutSuite focus on a defender-style configuration audit, CloudFox is built from the attacker's perspective: it answers questions like "what are the most attackable secrets, endpoints, and instances in this account, and what can the identity I just compromised actually reach?" It is read-only — it only performs Describe/List/Get style calls — and writes its findings to per-command CSV/TXT/loot files plus a combined report directory, so output can be triaged offline.
CloudFox covers AWS most deeply (30+ commands) and supports Azure. The workhorse is cloudfox aws all-checks, which runs the full battery of enumeration commands with sensible defaults: inventory, internet-reachable endpoints, EC2 instances (with IPs and instance-profile roles), iam-simulator and permissions for IAM analysis, principals, secrets from Secrets Manager/SSM, buckets, role-trusts (which identities can assume which roles — a core attack-path primitive), access-keys, route53, ecr, lambda, and more. CloudFox also emits ready-to-run command suggestions (e.g. aws s3 ls lines, aws ssm start-session lines) in its "loot" files so an operator can pivot immediately.
This skill covers installing CloudFox, authenticating to AWS and Azure, running targeted and full enumeration, interpreting the high-value outputs (role-trusts, secrets, endpoints), and feeding the results into attack-path planning. Source: github.com/BishopFox/cloudfox.
When to Use
- Establishing situational awareness immediately after compromising a cloud credential
- Quickly identifying internet-exposed endpoints, instances, and exposed secrets
- Mapping
sts:AssumeRoletrust relationships to plan lateral movement / privesc - Triaging an unfamiliar AWS or Azure account during an authorized assessment
- Producing attacker-centric inventory artifacts that complement a defensive audit
Prerequisites
- CloudFox installed:
# Homebrew brew install cloudfox # Go (1.21+) go install github.com/BishopFox/cloudfox@latest # or download a release binary from GitHub and chmod +x - Valid cloud credentials in scope:
# AWS — configure a named profile and verify aws configure --profile assess aws sts get-caller-identity --profile assess # Azure az login az account show - A signed authorization / Rules of Engagement defining the in-scope accounts
awscli(AWS) and/orazure-cli(Azure) installed for credential setup and follow-up
Objectives
- Install CloudFox and confirm cloud credentials
- Run full and targeted enumeration across AWS and Azure
- Identify internet-reachable endpoints, instances, and exposed secrets
- Enumerate IAM principals, permissions, and role-trust attack paths
- Triage CloudFox loot files for immediate pivot commands
- Export findings to a structured output directory for reporting
MITRE ATT&CK Mapping
| ID | Name | Use in this skill |
|---|---|---|
| T1526 | Cloud Service Discovery | CloudFox enumerates the available cloud services and resources in an account |
| T1580 | Cloud Infrastructure Discovery | inventory, instances, buckets map the infrastructure footprint |
| T1087.004 | Account Discovery: Cloud Account | principals, access-keys enumerate cloud identities |
| T1069.003 | Permission Groups Discovery: Cloud Groups | permissions, iam-simulator, role-trusts reveal entitlements |
| T1538 | Cloud Service Dashboard | Aggregated situational-awareness reporting across services |
Workflow
1. Confirm the identity and run all AWS checks
aws sts get-caller-identity --profile assess
cloudfox aws --profile assess all-checks -o ./loot2. Inventory the account footprint
cloudfox aws --profile assess inventory3. Find internet-reachable endpoints and exposed instances
cloudfox aws --profile assess endpoints
cloudfox aws --profile assess instances4. Enumerate IAM principals, permissions, and role-trust attack paths
role-trusts is the key lateral-movement primitive — it shows who can assume what.
cloudfox aws --profile assess principals
cloudfox aws --profile assess permissions
cloudfox aws --profile assess role-trusts
cloudfox aws --profile assess access-keys5. Hunt for exposed secrets
cloudfox aws --profile assess secrets6. Enumerate storage, registries, and serverless
cloudfox aws --profile assess buckets
cloudfox aws --profile assess ecr
cloudfox aws --profile assess lambda
cloudfox aws --profile assess route537. Use IAM simulator to confirm what a principal can do
cloudfox aws --profile assess iam-simulator8. Enumerate Azure
CloudFox Azure works against the subscriptions the az session can see.
cloudfox azure inventory --outdir ./azure-loot
cloudfox azure rbac
cloudfox azure storage
cloudfox azure vms9. Triage the loot
CloudFox writes per-command CSV/TXT plus a loot directory of pivot commands.
ls -R ./loot/cloudfox-output/
# Loot files contain ready-to-run follow-ups, e.g. aws s3 ls / ssm start-session linesSee scripts/agent.py to run a curated set of commands and summarize output files.
Tools and Resources
| Resource | Purpose | Link |
|---|---|---|
| CloudFox GitHub | Source, releases, full command list | https://github.com/BishopFox/cloudfox |
| CloudFox docs/wiki | Per-command output explanations | https://github.com/BishopFox/cloudfox/wiki |
| Bishop Fox CloudFox blog | Design and usage walkthrough | https://bishopfox.com/blog/introducing-cloudfox |
| AWS CLI reference | Follow-up exploitation commands | https://docs.aws.amazon.com/cli/latest/reference/ |
| Pacu | Active exploitation after enumeration | https://github.com/RhinoSecurityLabs/pacu |
OPSEC and Detection Considerations
CloudFox is read-only, but its enumeration is far from silent. Each command issues
many Describe*/List*/Get* API calls in a short burst, which is highly visible
to defenders:
- CloudTrail records every read call. A spike of
iam:ListUsers,iam:ListRoles,secretsmanager:ListSecrets,ec2:DescribeInstances, andsts:GetCallerIdentityfrom one principal within seconds is a strong enumeration signal. - GuardDuty finding types such as
Discovery:IAMUser/AnomalousBehaviorandDiscovery:S3/MaliciousIPCallercan fire on this burst pattern. - Defenders should baseline normal API-call rates per principal and alert on enumeration bursts, especially from new IPs/ASNs or newly created credentials.
For an authorized assessment, document the source IP and timestamp of CloudFox runs so the blue team can correlate, and prefer running from an in-scope, attributable host.
Recommended Operator Workflow
- Run
all-checksonce to populate the full output directory. - Open
role-trustsfirst — it reveals the assume-role graph for lateral movement. - Cross-reference
secretsandenv-varsfor credentials that unlock new principals. - Use
endpoints+instancesto map externally reachable attack surface. - Feed confirmed assume-role / privesc candidates into Pacu for active exploitation.
High-Value Command Reference
| Command | Why it matters |
|---|---|
all-checks |
Runs the full enumeration battery with defaults |
role-trusts |
Maps assume-role paths — core for lateral movement/privesc |
endpoints |
Surfaces internet-reachable attack surface |
secrets |
Exposes credentials in Secrets Manager / SSM |
permissions |
Lists effective IAM permissions per principal |
instances |
EC2 with IPs and attached instance-profile roles |
access-keys |
Active access keys (potential credential targets) |
Validation Criteria
- CloudFox installed and runs
cloudfox aws --help - Cloud credentials confirmed via
sts get-caller-identity/az account show -
all-checkscompleted and output directory populated - Internet-reachable endpoints and instances identified
- IAM principals, permissions, and role-trusts enumerated
- Exposed secrets located and documented
- Azure enumeration run (if Azure in scope)
- Loot files triaged for pivot opportunities
- Findings exported to a structured directory for reporting
- Enumeration confirmed to stay within authorized scope
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 2
api-reference.md1.9 KB
CloudFox — Command Reference
Global Invocation
cloudfox <provider> [global-flags] <command>| Flag | Description |
|---|---|
--profile <name> |
AWS named profile to use |
-o, --outdir <dir> |
Output directory for results/loot |
--region <region> |
Restrict to a region (where applicable) |
-v |
Verbosity level |
AWS_PROFILE (env) |
Alternative to --profile |
AWS Commands (selection)
| Command | Description |
|---|---|
all-checks |
Run all AWS enumeration commands with defaults |
inventory |
Account size / resource counts by region |
endpoints |
Internet-reachable service endpoints |
instances |
EC2 instances with IPs and instance-profile roles |
principals |
IAM users and roles |
permissions |
Effective IAM permissions per principal |
iam-simulator |
Simulate whether principals can perform actions |
role-trusts |
Who can assume which roles (assume-role paths) |
access-keys |
Active IAM access keys |
secrets |
Secrets from Secrets Manager and SSM Parameter Store |
buckets |
S3 buckets |
ecr |
Elastic Container Registry repositories/images |
lambda |
Lambda functions and configuration |
route53 |
Hosted zones and records |
ram |
Resource Access Manager shares |
sns / sqs |
Messaging resources |
env-vars |
Environment variables across services |
Azure Commands
| Command | Description |
|---|---|
inventory |
Resource inventory by location/subscription |
rbac |
Role-based access control assignments |
storage |
Storage accounts and access data |
vms |
Virtual machines |
Output Layout
CloudFox writes to <outdir>/cloudfox-output/<provider>/<account-or-sub>/:
table/andcsv/— per-command findingsloot/— ready-to-run follow-up commands (e.g.,aws s3 ls,ssm start-session)- A combined log of the run
standards.md1.1 KB
Standards and Framework Mapping
NIST Cybersecurity Framework 2.0
| ID | Name | Rationale |
|---|---|---|
| ID.AM-03 | Organizational communication and data flows are mapped (asset/inventory management) | CloudFox builds an attacker-centric inventory of cloud assets, identities, and trust relationships, informing asset-management gaps. |
MITRE ATT&CK (Enterprise / Cloud)
| ID | Name | Rationale |
|---|---|---|
| T1526 | Cloud Service Discovery | CloudFox enumerates available cloud services and resources. |
| T1580 | Cloud Infrastructure Discovery | Inventory/instances/buckets map the infrastructure footprint. |
| T1087.004 | Account Discovery: Cloud Account | principals/access-keys enumerate cloud identities. |
| T1069.003 | Permission Groups Discovery: Cloud Groups | permissions/role-trusts reveal cloud entitlements. |
| T1538 | Cloud Service Dashboard | Aggregated cross-service situational awareness. |
Supporting References
- BishopFox CloudFox — https://github.com/BishopFox/cloudfox
- NIST CSF 2.0 — https://www.nist.gov/cyberframework
Scripts 1
agent.py3.7 KB
#!/usr/bin/env python3
"""
CloudFox enumeration driver.
Runs a curated set of CloudFox commands against an AWS profile (or `all-checks`),
captures output into a structured directory, and prints a triage summary that
highlights the high-value findings (role-trusts, secrets, endpoints).
Authorized-use only: CloudFox performs reconnaissance against a live cloud
account. Run ONLY within a signed scope/Rules of Engagement.
Examples:
python agent.py --profile assess --all
python agent.py --profile assess --commands endpoints secrets role-trusts -o ./loot
"""
import argparse
import os
import shutil
import subprocess
import sys
HIGH_VALUE = {"role-trusts", "secrets", "endpoints", "access-keys", "permissions"}
DEFAULT_COMMANDS = [
"inventory", "endpoints", "instances", "principals",
"permissions", "role-trusts", "access-keys", "secrets", "buckets",
]
def require_cloudfox():
if shutil.which("cloudfox") is None:
sys.exit("error: 'cloudfox' not found in PATH. Install: brew install cloudfox "
"or go install github.com/BishopFox/cloudfox@latest")
def run_command(provider, profile, command, outdir):
cmd = ["cloudfox", provider]
if provider == "aws" and profile:
cmd += ["--profile", profile]
if outdir:
cmd += ["-o", outdir]
cmd += [command]
print(f"[*] cloudfox {provider} {command} ...")
try:
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=1200)
except subprocess.TimeoutExpired:
print(f" [!] {command} timed out")
return None
except OSError as exc:
print(f" [!] failed to run {command}: {exc}")
return None
if proc.returncode != 0:
print(f" [!] {command} rc={proc.returncode}: {proc.stderr.strip()[:200]}")
return proc.stdout
def summarize_outdir(outdir):
base = os.path.join(outdir, "cloudfox-output")
if not os.path.isdir(base):
print("[!] no cloudfox-output directory produced")
return
print("\n=== Output files ===")
for root, _dirs, files in os.walk(base):
for f in sorted(files):
path = os.path.join(root, f)
try:
size = os.path.getsize(path)
except OSError:
size = -1
rel = os.path.relpath(path, outdir)
flag = " <-- HIGH VALUE" if any(h in f for h in HIGH_VALUE) else ""
print(f" {rel} ({size} bytes){flag}")
def main():
p = argparse.ArgumentParser(description="CloudFox enumeration driver")
p.add_argument("--provider", default="aws", choices=["aws", "azure"])
p.add_argument("--profile", help="AWS named profile")
p.add_argument("--all", action="store_true", help="run all-checks (AWS) / inventory (Azure)")
p.add_argument("--commands", nargs="+", help="specific CloudFox commands to run")
p.add_argument("-o", "--outdir", default="./cloudfox-loot", help="output directory")
args = p.parse_args()
require_cloudfox()
print("[!] AUTHORIZED USE ONLY — confirm the target account is in scope.")
os.makedirs(args.outdir, exist_ok=True)
if args.all:
commands = ["all-checks"] if args.provider == "aws" else ["inventory"]
elif args.commands:
commands = args.commands
else:
commands = DEFAULT_COMMANDS if args.provider == "aws" else ["inventory", "rbac", "storage", "vms"]
for c in commands:
out = run_command(args.provider, args.profile, c, args.outdir)
if out and c in HIGH_VALUE:
lines = [l for l in out.splitlines() if l.strip()]
print(f" [+] {c}: {len(lines)} output lines")
summarize_outdir(args.outdir)
print(f"\n[+] done. Review loot under {args.outdir}/cloudfox-output/")
if __name__ == "__main__":
main()