ElectricEye is a multi-cloud, multi-SaaS Python CLI tool for Asset Management, Security Posture Management, and External Attack Surface Management supporting 100s of services and evaluations to harden your public cloud & SaaS environments.

Up here in space
I'm looking down on you
My lasers trace
Everything you do
_{Judas Priest, 1982}

git clone https://github.com/jonrau1/ElectricEye.git
cd ElectricEye
pip3 install -r requirements.txt
python3 eeauditor/controller.py -t AWS -o stdout

• Architecture
• Quick Run Down
• Tell me more!
• Using ElectricEye
• Cloud Asset Management
• Custom Outputs
• FAQ
• Supported Services and Checks
• Contributing
• Developer Guide
  • Auditor testing
• License

• ElectricEye is a Python CLI tool that offers cross-Account, cross-Region, multi-Cloud CAM, CSPM, SSPM, and EASM capabilities across AWS, GCP, and ServiceNow (with more on the way!). All Partitions are supported for AWS!

• ElectricEye offers over 500 checks for security, reliability, monitoring, and exposure across 100 CSP & SaaS services, including atypical services not supported by AWS Config/Google Cloud Asset API or mainstream CSPM & CNAPP tools.

• All checks are currently mapped to NIST Cybersecurity Framework V1.1, NIST Special Publication 800-53 Revision 4, AICPA 2020 Trust Service Criteria (TSCs), and ISO 27001:2013 ISMS controls.

• The EASM module uses NMAP for service discovery and reachability assessment of over 20 highly-dangerous ports and protocols for nearly every public-facing CSP service

• Outputs to AWS Security Hub, AWS DocumentDB, JSON, CSV, HTML Executive Reports, MongoDB, Amazon SQS, PostgreSQL, Amazon Simple Queue Service (SQS), Amazon DynamoDB, and FireMon Cloud Defense.

ElectricEye's core concept is the Auditor which are sets of Python scripts that run Checks per Service dedicated to a specific SaaS vendor or public cloud service provider called an Assessment Target. You can run an entire Assessment Target, a specific Auditor, or a specific Check within an Auditor. After ElectricEye is done with evaluations, it supports over a dozen types of Outputs ranging from an HTML executive report to AWS DocumentDB clusters. ElectricEye also uses other tools such as Shodan, detect-secrets, and NMAP for carrying out its Checks. While mainly a security tool, ElectricEye can be used for Cloud Asset Management use cases such as discovery and inventory and has Checks aligned to several best-practice regimes that cover resiliency, recovery, performance optimization, monitoring, as well as several 100 security checks against your cloud infrastructure and identities.

First, clone this repository and install the requirements using pip3: pip3 install -r requirements.txt.

Then, modify the TOML file located in ElectricEye/eeauditor/external_providers.toml to specify various configurations for the CSP(s) and SaaS Provider(s) you want to assess.

Finally, run the Controller to learn about the various Checks, Auditors, Assessment Targets, and Outputs.

$ python3 eeauditor/controller.py --help
Usage: controller.py [OPTIONS]

Options:
  -t, --target-provider [AWS|Azure|OracleCloud|GCP|Servicenow]
                                  CSP or SaaS Vendor Assessment Target, ensure
                                  that any -a or -c arg maps to your target
                                  provider e.g., -t AWS -a
                                  Amazon_APGIW_Auditor
  -a, --auditor-name TEXT         Specify which Auditor you want to run by
                                  using its name NOT INCLUDING .py. Defaults
                                  to ALL Auditors
  -c, --check-name TEXT           A specific Check in a specific Auditor you
                                  want to run, this correlates to the function
                                  name. Defaults to ALL Checks
  -d, --delay INTEGER             Time in seconds to sleep between Auditors
                                  being ran, defaults to 0
  -o, --outputs TEXT              A list of Outputs (files, APIs, databases)
                                  to send ElectricEye Findings - can provide
                                  more than one  [default: stdout]
  --output-file TEXT              For file outputs such as JSON and CSV, the
                                  name of the file, DO NOT SPECIFY .file_type
                                  [default: output]
  --list-options                  Lists all valid Output options
  --list-checks                   List all Checks, Assets, and Check
                                  Description within every Auditor for a
                                  specific Assessment Target
  --create-insights               Create SecurityHub insights for ElectricEye.
                                  This only needs to be done once per Security
                                  Hub instance
  --list-controls                 Lists all Controls (Check Titles) for an
                                  Assessment Target, used for mapping...
  --help                          Show this message and exit.                     Show this message and exit.

For more information see here, you can read the FAQ here, or if you want a more in-depth analysis of the control flow and concepts review the Developer Guide.

Refer to sub-headings for per-CSP or per-SaaS setup instructions.

• For Amazon Web Services (AWS)
• For Google Cloud Platform (GCP)
• For Microsoft Azure (Coming Soon)
• For Oracle Cloud Infrastructure (Coming Soon)

• For ServiceNow
• For Microsoft M365 (E5) (Coming Soon)
• For Workday ERP (Coming Soon)
• For GitHub (Coming Soon)

For more information on ElectricEye's CAM concept of operations and output, refer to the Asset Management documentation

Individual information is located at:

• CAM Concept of Operations
• CAM Reporting
• Asset Class Mapping

In total there are:

• 2 Supported Public CSPs

• 1 Supported SaaS Provider

• 693 Security & Resilience Best Practice Checks supported across all Public CSPs & SaaS Providers

• 105 Supported CSP & SaaS Resources / Asset Types

• 89 Auditor Plugins

These are the following services and checks perform by each Auditor, there are currently...

• 💥 548 Checks 💥
• ❗ 100 supported AWS services/components ❗
• 🔥 77 Auditors 🔥

Regarding AWS ElasticSearch Service/OpenSearch Service: AWS has stopped supporting Elastic after Version 7.10 and released a new service named OpenSearch. The APIs/SDKs/CLI are interchangable. Only ASFF metadata has changed to reflect this, the Auditor Names, Check Names, and ASFF ID's have stayed the same.

Regarding AWS Shield Advanced: You must be actively subscribed to Shield Advanced with at least one Protection assigned to assess this Service.

Regarding AWS Trusted Advisor: You must be on AWS Business or Enterprise Support to interact with the support API for Trusted Advisor.

Regarding AWS Health: You must be on AWS Business or Enterprise Support to interact with the support API for Health.

These are the following services and checks perform by each Auditor, there are currently...

• 💥 53 Checks 💥
• ❗ 2 supported GCP services/components ❗
• 🔥 3 Auditors 🔥

Coming Soon!

Coming Soon!

These are the following services and checks perform by each Auditor, there are currently...

• 💥 92 Checks 💥
• ❗ 3 supported ServiceNow services/components ❗
• 🔥 9 Auditors 🔥

Coming Soon!

Refer to the Developer Guide for instructions on how to produce new checks, for new SaaS and CSP support please open an Issue.

Feel free to open PRs and Issues where syntax, grammatic, and implementation errors are encountered in the code base.

ElectricEye is for sale: contact the maintainer for more imformation!

Quick shout-outs to the folks who answered the call early to test out ElectricEye and make it not-a-shit-sandwich.

• Mark Yancey

• Martin Klie
• Joel Castillo
• Juhi Gupta
• Bulent Yidliz
• Guillermo Ojeda
• Dhilip Anand Shivaji
• Arek Bar
• Ryan Russel
• Jonathan Nguyen
• Jody Brazil
• Dylan Shields
• Manuel Leos Rivas
• Andrew Alaniz
• Christopher Childers

This library is licensed under the Apache-2.0 License. See the LICENSE file.