cloudtoolkit

module
v0.3.1
Published: May 6, 2026 License: MIT

README

CloudToolKit

English | Simplified Chinese

Multi-cloud defensive validation toolkit for CSPM / CNAPP detection, telemetry, and investigation workflows in authorized environments.

CloudToolKit gives security teams a practical way to verify whether cloud controls are discoverable, detectable, alertable, and investigable before those gaps matter in production.

Why CloudToolKit

Advantage and what it gives defenders:

9-cloud coverage: One workflow across major global and China cloud providers.
Asset-first inventory: Hosts, databases, buckets, domains, accounts, logs, SMS assets, and billing-plane signals where supported.
Validation payloads: Focused checks for identity lifecycle, credential lifecycle, role bindings, storage exposure, audit events, instance command telemetry, and database account changes.
Replay mode: demo drives providers against in-memory replay fixtures, so detection logic can be tested without live cloud calls.
Conservative claims: Capabilities are advertised only when drivers, replay paths, and focused tests are in place.

Capability Matrix

Every provider supports cloudlist asset enumeration. Asset categories include host / database / bucket / domain / account / log / sms / balance where the cloud has a native equivalent.

Validation payload coverage (the per-cloud cells of the matrix did not survive extraction; only its axes are recoverable here):

Clouds: AWS, Azure, GCP, Alibaba, Tencent, Huawei, Volcengine, JDCloud, UCloud
Payloads: iam, bucket, event, cmd, rds, role, acl, cred

Legend: iam = user lifecycle · bucket = object visibility · event = audit log review · cmd = instance command telemetry · rds = database account lifecycle · role = privilege binding change · acl = storage exposure · cred = long-lived credential lifecycle. A blank cell = no native equivalent or pending validation.

Quick Start

go build --ldflags "-s -w" -trimpath -o ctk cmd/main.go
./ctk                                    # interactive REPL
./ctk <provider> <action> [args] [flags] # headless one-shot

Try demo inside the REPL to drive any provider against an in-memory replay (no live cloud calls).

Responsible Use

Use only on owned, lab, internal, or explicitly authorized customer environments to verify detection coverage, telemetry quality, investigation workflow, and control effectiveness. CloudToolKit is not a stealth, bypass, or unauthorized intrusion utility and must not be used against third-party environments without permission.

Documentation

  • Wiki — usage, payload references, replay walkthroughs

Acknowledgements

Directories

Path Synopsis
pkg
providers/aws/billing
Package billing wraps AWS Cost Explorer for the cloudlist `balance` asset.
providers/aws/rds
Package rds wraps AWS RDS master password rotation.
providers/azure/billing
Package billing wraps Azure Cost Management for the cloudlist `balance` asset.
providers/azure/graph
Package graph implements the Microsoft Graph slice that Azure's account inventory, iam-user, and iam-credential validation flows need.
providers/azure/sqldb
Package sqldb wraps the Azure SQL master password rotation.
providers/gcp/billing
Package billing wraps GCP Cloud Billing for the cloudlist `balance` asset.
providers/gcp/storage
Package storage wraps GCS bucket / object enumeration for cloudlist and bucket-check.
providers/gcp/vmexec
Package vmexec implements the cloudlist `vm` capability for GCP via the metadata startup-script + reboot path (PLAN.md decision T2.2/Task 10).
providers/huawei/coc
Package coc implements the cloudlist `vm` capability for Huawei Cloud via COC (Cloud Operations Center) BatchExecuteCommand.
providers/huawei/endpoint
Package endpoint builds Huawei Cloud service endpoint URLs without going through the official SDK's region.ValueOf() lookup.
providers/huawei/lts
Package lts wraps the Huawei Cloud LTS (Log Tank Service) ListLogGroups action for the cloudlist `log` asset.
providers/huawei/msgsms
Package msgsms wraps Huawei Cloud MSGSMS template + sign listing for the cloudlist `sms` asset.
providers/jdcloud/dns
Package dns wraps JDCloud domainservice DescribeDomains + DescribeResourceRecord for the cloudlist `domain` asset.
providers/jdcloud/logs
Package logs wraps the JDCloud log service describeLogTopics action for the cloudlist `log` asset.
providers/jdcloud/rds
Package rds wraps JDCloud RDS account lifecycle.
providers/jdcloud/sms
Package sms wraps JDCloud SMS for the cloudlist `sms` asset.
providers/registry
Package registry is the single source of truth for provider self-description.
providers/tencent/cls
Package cls wraps Tencent Cloud Log Service for the cloudlist `log` asset.
providers/tencent/sms
Package sms wraps Tencent Cloud SMS template + sign listing for the cloudlist `sms` asset.
providers/ucloud/uloghub
Package uloghub wraps UCloud ULogHub DescribeULogTopic for the cloudlist `log` asset.
providers/ucloud/usms
Package usms wraps UCloud USMS for the cloudlist `sms` asset.
providers/volcengine/sms
Package sms wraps Volcengine SMS for the cloudlist `sms` asset.
providers/volcengine/tls
Package tls wraps the Volcengine TLS DescribeProjects action for the cloudlist `log` asset.
runtime/env
Package env carries the per-run configuration envelope that used to live as loose package-level globals in utils/const.go.
runtime/paginate
Package paginate provides a thin generic skeleton for SDK pagination loops.
runtime/regionrun
Package regionrun runs per-region enumeration callbacks in parallel with a bounded concurrency.
argparse
Package argparse splits payload metadata strings into tokens with shell-style quoting so values containing spaces (passwords, etc.) survive intact.
logger
Package logger emits stage-level diagnostic messages from CTK in two interchangeable formats:
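The argparse synopsis above describes shell-style tokenizing of payload metadata so that values with spaces (such as passwords) survive intact. The following Go sketch is an added illustration of that kind of tokenizer, not CloudToolKit's own argparse code; the function name Split and the sample metadata string are constructed for this example, and it shows why a plain whitespace split would silently corrupt a credential value.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
)

// Split tokenizes a payload metadata string with simplified shell quoting:
// unquoted whitespace separates tokens, single quotes keep runes literal,
// double quotes keep whitespace but honor backslash escapes, and a backslash
// outside quotes escapes the next rune. "" and '' yield an empty token.
func Split(s string) ([]string, error) {
	var tokens []string
	var cur []rune
	var quote rune // 0 when not inside quotes
	inTok, escaped := false, false
	for _, r := range s {
		switch {
		case escaped: // rune after a backslash is taken literally
			cur, escaped = append(cur, r), false
		case quote == '\'' && r != '\'', quote == '"' && r != '"' && r != '\\':
			cur = append(cur, r) // literal rune inside a quoted span
		case quote != 0 && r == quote:
			quote = 0 // closing quote; token continues (note='it''s' -> note=its)
		case r == '\\': // only reached outside quotes or inside double quotes
			escaped, inTok = true, true
		case r == '\'' || r == '"':
			quote, inTok = r, true // opening quote, also starts an empty token
		case unicode.IsSpace(r):
			if inTok { // unquoted whitespace ends the current token
				tokens, cur, inTok = append(tokens, string(cur)), cur[:0], false
			}
		default:
			cur, inTok = append(cur, r), true
		}
	}
	if quote != 0 {
		return nil, fmt.Errorf("unterminated %c quote in %q", quote, s)
	}
	if escaped {
		return nil, errors.New("dangling backslash at end of input")
	}
	if inTok {
		tokens = append(tokens, string(cur))
	}
	return tokens, nil
}

func main() {
	// Constructed sample: strings.Fields would split the password into two tokens.
	fmt.Println(Split(`user=alice password="p@ss word" note='it''s'`))
}
```

An unterminated quote or trailing backslash is rejected rather than guessed at, so a malformed credential string fails loudly instead of reaching the cloud API half-parsed.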
