enumerating-cloud-with-cloudfox

Installation
SKILL.md

Enumerating Cloud with CloudFox

Legal Notice: This skill is for authorized cloud penetration testing and assessment only. CloudFox makes read/describe API calls against the cloud account whose credentials you supply. Run it ONLY against accounts you own or are authorized to test under a signed scope. Although CloudFox is read-only by design, the enumeration it performs is reconnaissance against a live environment and must be in scope.

Overview

CloudFox is an open-source command-line tool from Bishop Fox that helps penetration testers and red teamers gain situational awareness in unfamiliar cloud environments. Where tools like ScoutSuite focus on a defender-style configuration audit, CloudFox is built from the attacker's perspective: it answers questions like "what are the most attackable secrets, endpoints, and instances in this account, and what can the identity I just compromised actually reach?" It is read-only — it only performs Describe/List/Get style calls — and writes its findings to per-command CSV/TXT/loot files plus a combined report directory, so output can be triaged offline.

CloudFox covers AWS most deeply (30+ commands) and supports Azure. The workhorse is cloudfox aws all-checks, which runs the full battery of enumeration commands with sensible defaults: inventory, internet-reachable endpoints, EC2 instances (with IPs and instance-profile roles), iam-simulator and permissions for IAM analysis, principals, secrets from Secrets Manager/SSM, buckets, role-trusts (which identities can assume which roles — a core attack-path primitive), access-keys, route53, ecr, lambda, and more. CloudFox also emits ready-to-run command suggestions (e.g. aws s3 ls lines, aws ssm start-session lines) in its "loot" files so an operator can pivot immediately.

This skill covers installing CloudFox, authenticating to AWS and Azure, running targeted and full enumeration, interpreting the high-value outputs (role-trusts, secrets, endpoints), and feeding the results into attack-path planning. Source: github.com/BishopFox/cloudfox.

When to Use

  • Establishing situational awareness immediately after compromising a cloud credential
  • Quickly identifying internet-exposed endpoints, instances, and exposed secrets
  • Mapping sts:AssumeRole trust relationships to plan lateral movement / privesc
  • Triaging an unfamiliar AWS or Azure account during an authorized assessment
  • Producing attacker-centric inventory artifacts that complement a defensive audit
Installs
5
GitHub Stars
24.7K
First Seen
14 days ago
enumerating-cloud-with-cloudfox — mukul975/anthropic-cybersecurity-skills