cloudexec is a fast, concurrent, multi-cloud security scanner and offensive audit framework written in Go. Designed for cloud security engineers and pentester specialists, it combines automated OSINT, signature-based template scanning, and a multi-threaded secrets finder with automated real-time pivot and post-authentication enumeration capability.
Important
Legal Disclaimer: This tool is developed strictly for educational purposes, authorized penetration testing, and security auditing. The author (n40y) assumes no liability for any unauthorized misuse, damage, or illegal activities caused by this tool. Usage of cloudexec for attacking targets without prior mutual consent is illegal. Users are solely responsible for complying with all applicable local and international laws.
- β‘ High-Performance Secrets Scanner: Multi-threaded worker pool to hunt down leaked credentials (AWS, GCP, Slack, etc.) across local directories.
- π Automated Pivot Mode: Validates discovered secrets on-the-fly against live cloud provider APIs during the filesystem scan without blocking the pipeline.
- π΅οΈ Post-Auth Enumeration: Automatically maps out accessible services, permissions, and attack paths the moment a valid credential is confirmed.
- π οΈ YAML Template-Driven Core: Decoupled engine logic using modular YAML signatures for flexible multi-cloud checks.
- βοΈ Multi-Cloud Support:
- AWS: STS identity verification (
GetCallerIdentity) and S3 exposure auditing. - Azure: Domain OSINT, Tenant ID enumeration, break-glass account identification, and blob storage mapping.
- GCP: Google Workspace public infrastructure discovery and API Key validation (
Identity Toolkit).
- AWS: STS identity verification (
cloudexec uses a modular YAML template engine. You can easily extend the scanner's capabilities by adding your own templates into the provider subdirectories (e.g., templates/gcp/, templates/aws/).
Every template must follow this anatomy:
id: custom-gcp-check
engine: gcp # Target engine: aws, azure, gcp, cloudflare, recon
action: gcp:ApiKeyCheck # The internal method to execute
info:
name: "Custom API Key Validation Workflow"
description: "Triggers a validation request and maps downstream permissions."
severity: "high"Ensure you have Go installed (version 1.20+ recommended).
# Clone the repository
git clone [https://github.com/n40y/cloudexec.git](https://github.com/n40y/cloudexec.git)
cd cloudexec
# Build the binary
go buildScan a directory for leaked credentials, automatically intercept them, and validate them against cloud provider APIs in real-time.
# Basic scan
./cloudexec secrets --path .
# Scan with auto-pivot validation and JSON export
./cloudexec secrets --path /path/to/project -p -o report.jsonExecutes AWS-specific templates (identity verification via STS, S3 bucket enumeration). It automatically utilizes credentials configured in your config.yaml or standard local AWS environment variables.
./cloudexec awsPerforms passive and active reconnaissance on a Microsoft 365 / Azure tenant using a target domain. Extracts Tenant ID, authentication mechanics, identity provider details, and lists potential break-glass accounts.
./cloudexec azure -d targetcompany.comValidates Google Cloud API keys and checks if a domain is mapped to a public Google Workspace infrastructure.
# Check both Workspace infrastructure and a specific API Key
./cloudexec gcp -d targetcompany.com --apikey AIzaSy...
# Check an isolated API key only
./cloudexec gcp --apikey AIzaSy...Triggers passive multi-cloud discovery templates, including historical DNS lookups, certificate transparency logs via crt.sh, and cross-provider storage bucket detection.
./cloudexec recon -d targetcompany.comSince these flags are registered globally, you can append them to any of the commands above (like recon, gcp, azure, etc.) to bypass network protections:
-
DNS Pinning / Cloudflare Bypass (
--ip): Forces the HTTP client to connect directly to a specific backend IP address, bypassing public DNS resolution and Cloudflare caching/WAF layers. -
Anti-WAF Header Spoofing (
--anti-waf): Rotates standard browser User-Agents and injects source spoofing headers (X-Forwarded-For,X-Real-IP) to fly under the radar of simple anti-bot mechanisms.
# Example: Running reconnaissance by hitting the origin server IP directly with anti-WAF headers
./cloudexec recon -d targetcompany.com --ip 185.190.140.23 --anti-waf| Path | Description |
|---|---|
cmd/ |
Contains Cobra CLI command definitions (aws, azure, gcp, recon, secrets). |
pkg/bypass/ |
Evasion and bypass network protections. |
pkg/engines/ |
Core execution logic for cloud provider validation and post-auth enumeration. |
pkg/templates/ |
YAML template parsing and signature matching engines. |
pkg/utils/ |
Thread-safe logging utilities and console formatting. |
templates/ |
Ready-to-use security playbooks and detection signatures (.yaml). |
main.go |
Application entry point. |
For authenticated modules, you can maintain a local config.yaml file at the root.
[!WARNING]
Never commit your config.yaml to a public repository. Ensure it is included in your .gitignore.
aws:
access_key: "AKIA..."
secret_key: "..."
region: "eu-west-3"Distributed under the MIT License. See LICENSE for more information.
cloud-automation security-orchestration devsecops cloud-native infrastructure-as-code iam-governance go security-automation cloud-ops api-security
