Open-source cloud security reconnaissance framework
Detect secrets, misconfigurations, public exposure, and privilege escalation paths across AWS, Azure, and GCP — from a single CLI.
What is Aurelian? • Capabilities • Installation • Quick Start • Modules • Docs • FAQ
Aurelian is an open-source, multi-cloud security reconnaissance framework built in Go. It provides a single, unified command-line interface for cloud security assessments across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
Where other tools require you to learn separate workflows per cloud provider, Aurelian gives you one command structure that works everywhere: aurelian [platform] recon [module]. Each module encapsulates a complex, multi-step security workflow — resource enumeration, content extraction, secrets scanning, policy analysis, access evaluation — behind a single command.
Aurelian was built by the offensive security team at Praetorian, based on years of cloud penetration testing and red team engagements across hundreds of enterprise environments.
| Challenge | How Aurelian Solves It |
|---|---|
| Fragmented tooling — different tools per cloud, per task | Unified CLI: same commands, same output across AWS, Azure, and GCP |
| Complex enumeration workflows — dozens of API calls for a single finding | Each module orchestrates the full workflow behind one command |
| Secrets scattered across cloud services — user data, env vars, configs, logs | find-secrets extracts content from 30+ source types and scans with Titus |
| Detection during assessments — CloudTrail logs reveal recon activity | OPSEC-aware techniques minimize logging footprint |
| Understanding IAM blast radius — permissions are complex and interconnected | Graph analysis with Neo4j visualizes privilege escalation paths |
Enumerates cloud resources, extracts content from 30+ source types (EC2 user data, Lambda code, CloudFormation templates, CloudWatch logs, ECS task definitions, environment variables, storage blobs, application configurations), and scans with Titus for hardcoded credentials, API keys, and tokens. Optional validation confirms whether discovered secrets are active.
Combines resource listing, property enrichment, policy fetching, and access evaluation to identify publicly accessible resources — open S3 buckets, exposed databases, public IPs, anonymous-access storage accounts, and more.
Collects IAM data (Get Account Authorization Details, resource policies, org policies), evaluates effective permissions, and detects privilege escalation paths. Outputs JSON or populates a Neo4j graph database for interactive exploration.
Checks DNS records in Route53, Azure DNS, and Cloud DNS against known cloud-specific takeover patterns — dangling CNAMEs pointing to unclaimed cloud resources.
Azure Resource Graph template-based detection for weak authentication, disabled RBAC, overly permissive access rules, and other configuration issues.
Covert techniques that avoid CloudTrail logging. The whoami module identifies the caller ARN using APIs that leak identity in error messages without generating audit log entries.
| Platform | Alias | Modules | Capabilities |
|---|---|---|---|
| Amazon Web Services (AWS) | aws, amazon |
12 | Secrets, public resources, IAM graph, subdomain takeover, OPSEC whoami, cost analysis, CDK/CloudFront takeover |
| Microsoft Azure | azure, az |
6 | Secrets, public resources, configuration scan, subdomain takeover, conditional access policies |
| Google Cloud Platform (GCP) | gcp, google |
4 | Secrets, public resources, subdomain takeover, resource enumeration |
git clone https://github.com/praetorian-inc/aurelian.git
cd aurelian
go build -o aurelian main.goRequires Go 1.24+.
docker build -t aurelian .
docker run --rm -v ~/.aws:/root/.aws aurelian aws recon whoamiA docker-compose.yml is included with credential volume mounts for all three cloud providers.
# Standard build
go build -o aurelian .
# SQLite-backed store (for memory-constrained environments)
go build -tags cache_sqlite -o aurelian .# Identifies caller ARN without CloudTrail logging
aurelian aws recon whoami# Scan all AWS regions for secrets in EC2 user data, Lambda code, CloudWatch logs, and more
aurelian aws recon find-secrets
# Scan Azure subscriptions
aurelian azure recon find-secrets --subscription-id <id>
# Scan GCP projects
aurelian gcp recon find-secrets --project-id <id># Find publicly accessible AWS resources (S3 buckets, RDS instances, etc.)
aurelian aws recon public-resources
# Azure public resources
aurelian azure recon public-resources --subscription-id <id>
# GCP public resources
aurelian gcp recon public-resources --project-id <id># Build IAM graph and detect escalation paths
aurelian aws recon graph --neo4j-uri bolt://localhost:7687
# Offline analysis from GAAD export
aurelian aws analyze analyze-iam-permissions --gaad-file gaad.jsonaurelian aws recon subdomain-takeover
aurelian azure recon subdomain-takeover --subscription-id <id>
aurelian gcp recon subdomain-takeover --project-id <id>aurelian list-modules| Module | Description |
|---|---|
find-secrets |
Enumerates resources, extracts content from 30+ source types, scans with Titus |
public-resources |
Detects publicly accessible resources through policy and property evaluation |
graph |
Collects IAM data, evaluates permissions, detects privilege escalation paths |
subdomain-takeover |
Checks Route53 DNS for dangling CNAME cloud takeover patterns |
whoami |
OPSEC-safe identity check via CloudTrail-silent API techniques |
list-all |
Enumerates all Cloud Control resources across regions |
account-auth-details |
Exports IAM Get Account Authorization Details (GAAD) |
resource-policies |
Extracts resource-based policies for analysis |
org-policies |
Fetches AWS Organizations SCPs and policies |
cost-summary |
Summarizes AWS cost and usage data |
cdk-bucket-takeover |
Detects orphaned CDK bootstrap buckets |
cloudfront-s3-takeover |
Detects CloudFront distributions pointing to unclaimed S3 origins |
| Module | Description |
|---|---|
analyze-iam-permissions |
Offline IAM analysis — privilege escalation, cross-account access, create-then-use patterns |
expand-actions |
Expands IAM wildcard actions to concrete permissions |
access-key-to-account-id |
Resolves AWS access key to account ID |
ip-lookup |
Identifies AWS IP ranges for a given IP address |
known-account |
Checks if an account ID belongs to known AWS service accounts |
| Module | Description |
|---|---|
find-secrets |
Discovers secrets across Azure services — Key Vaults, App Settings, Cosmos DB, and more |
public-resources |
Detects publicly exposed Azure resources |
configuration-scan |
Resource Graph template-based misconfiguration detection |
subdomain-takeover |
Checks Azure DNS zones for dangling CNAMEs |
conditional-access-policies |
Enumerates Conditional Access policies for weaknesses |
list-all |
Enumerates all resources across subscriptions |
| Module | Description |
|---|---|
find-secrets |
Discovers secrets in GCP services — metadata, environment variables, storage objects |
public-resources |
Identifies publicly accessible GCP resources |
subdomain-takeover |
Checks Cloud DNS for dangling CNAME records |
list-all |
Enumerates all resources across projects |
Aurelian is built on three core patterns:
- Modules — Entry points implementing
plugin.Module. Registered viainit(), auto-discovered, wired into the CLI. Each encapsulates a complete security workflow. - Pipelines —
pipeline.P[T]is a generic streaming primitive with backpressure. Modules chain pipeline stages to process resources concurrently. - Components — Reusable building blocks in
pkg/<csp>/<component>/with pipeline-compatible methods. Stateless processors wired into modules viapipeline.Pipe.
Module → Pipeline.Pipe(Lister) → Pipeline.Pipe(Enricher) → Pipeline.Pipe(Evaluator) → Output
Aurelian's plugin architecture means adding a new module is as simple as implementing the plugin.Module interface and calling plugin.Register() — the CLI, flags, and parameter binding are handled automatically.
Import Aurelian modules directly into Go applications:
import (
"github.com/praetorian-inc/aurelian/pkg/plugin"
_ "github.com/praetorian-inc/aurelian/pkg/modules/aws/recon"
)
mod, _ := plugin.Get("aws", "recon", "whoami")
results, err := mod.Run(cfg)Detailed per-module documentation is available in the docs/ directory:
| Section | Description |
|---|---|
docs/aurelian_aws_recon.md |
AWS reconnaissance module reference |
docs/aurelian_aws_analyze.md |
AWS analysis module reference |
docs/aurelian_azure_recon.md |
Azure reconnaissance module reference |
docs/aurelian_gcp_recon.md |
GCP reconnaissance module reference |
| DEVELOPMENT.md | Architecture deep dive, pipeline lifecycle, integration testing |
| CONTRIBUTING.md | How to add modules, components, and submit PRs |
Aurelian occupies a unique position in the cloud security tooling landscape — it is purpose-built for offensive security reconnaissance with a unified multi-cloud interface, where most alternatives focus on compliance scanning or single-cloud exploitation.
| Capability | Aurelian | Prowler | ScoutSuite | Pacu | Cartography |
|---|---|---|---|---|---|
| Multi-cloud unified CLI | AWS, Azure, GCP | AWS, Azure, GCP, K8s | AWS, Azure, GCP | AWS only | AWS, Azure, GCP |
| Secrets discovery (30+ sources) | Yes | Limited | No | No | No |
| OPSEC-aware (CloudTrail evasion) | Yes | No | No | Partial | No |
| IAM privilege escalation graph | Yes (Neo4j) | No | No | Yes | Yes (Neo4j) |
| Subdomain takeover detection | Yes | No | No | No | No |
| Public resource detection | Yes | Yes | Yes | No | No |
| Misconfiguration scanning | Yes (Azure) | Yes | Yes | No | No |
| Compliance frameworks (CIS, NIST) | No | Yes | Yes | No | No |
| Written in | Go | Python | Python | Python | Python |
| Plugin architecture | Yes | Yes | No | Yes | No |
Choose Aurelian when you need offensive reconnaissance across multiple clouds — secrets, exposure, IAM analysis, and takeover detection — with OPSEC awareness. Choose Prowler/ScoutSuite when you need compliance-focused posture management with CIS benchmark reporting.
Aurelian supports Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). All three use the same command structure: aurelian [platform] recon [module].
Aurelian uses read-only API access. For AWS, the SecurityAudit managed policy covers most modules. Azure modules need Reader role. GCP modules need Viewer role. The whoami module requires no permissions — it uses APIs that leak identity in error responses.
Most modules generate standard read-only CloudTrail entries. The whoami module specifically avoids CloudTrail logging by using covert API techniques (Timestream, Pinpoint, SQS error messages). Set --opsec_level to control logging behavior.
Prowler is a cloud security posture management (CSPM) tool focused on compliance frameworks like CIS Benchmarks and NIST. Aurelian is a reconnaissance framework built for offensive security — it finds secrets in 30+ cloud source types, detects IAM privilege escalation paths, identifies subdomain takeover opportunities, and uses OPSEC-aware techniques that minimize detection. They are complementary tools.
Pacu is an AWS exploitation framework for active attacks (privilege escalation, persistence, data exfiltration). Aurelian is a reconnaissance framework for finding weaknesses — it scans and reports but doesn't exploit. Aurelian also supports Azure and GCP, while Pacu is AWS-only.
Yes. All modules are importable via github.com/praetorian-inc/aurelian/pkg/plugin. Call plugin.Get() to retrieve a module and mod.Run() to execute it programmatically.
Implement the plugin.Module interface and register with plugin.Register() in init(). The CLI, flags, and parameter binding are handled automatically. See CONTRIBUTING.md for a full walkthrough.
Titus is Praetorian's open-source secrets detection engine. Aurelian's find-secrets modules extract content from cloud resources and pipe it through Titus for pattern-based scanning with optional secret validation.
See SECURITY.md for vulnerability reporting guidelines. Only run Aurelian against cloud environments you own or have explicit authorization to assess.
See CONTRIBUTING.md for development setup, module creation, and PR guidelines.
Apache 2.0 — see LICENSE for details.
Aurelian is developed and maintained by Praetorian, an offensive security company that helps enterprises find and fix their most critical vulnerabilities. Our tools are built from real-world cloud penetration testing and red team engagements.