ScoutSuite is an open-source multi-cloud security auditing tool built by NCC Group. It works by pulling configuration data from cloud provider APIs and presenting the results as a self-contained HTML report that maps your environment against a set of security rules. It supports AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud Infrastructure, making it one of the broadest-coverage tools available for cloud security reviews. If you’re assessing a cloud environment for the first time, ScoutSuite gives you an excellent high-level picture fast.
How ScoutSuite Works
ScoutSuite is read-only — it calls cloud provider APIs to gather configuration data and never modifies anything in your environment. All the analysis happens locally, and the output is a single HTML report file you can open in any browser. There’s no external service, no data upload, and no ongoing dependency once the scan is complete. This makes it particularly suitable for client engagements where you need to be careful about data handling.
The tool checks for a wide range of issues across services including IAM, compute, storage, networking, databases, logging, and monitoring. Common findings include overly permissive IAM policies, publicly accessible storage buckets, unencrypted databases, security groups open to the world, missing audit logging, and outdated or insecure TLS configurations.
Installation
ScoutSuite requires Python 3.8 or later. The cleanest way to install it is in a virtual environment to avoid dependency conflicts:
python3 -m venv scoutsuite-venv
source scoutsuite-venv/bin/activate
pip install scoutsuite
Or install directly from the GitHub repository to get the latest version:
git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
pip install -r requirements.txt
Verify the installation:
scout --help
Authentication
ScoutSuite uses your existing cloud CLI credentials. For AWS, configure the AWS CLI with a profile that has at least read-only access — the SecurityAudit managed policy is ideal, supplemented by ViewOnlyAccess for services it doesn’t fully cover:
aws configure --profile audit-profile
For Azure, log in via the Azure CLI:
az login
For GCP, set up application default credentials:
gcloud auth application-default login
Running a Scan
AWS
A basic AWS scan using a named profile:
scout aws --profile audit-profile
ScoutSuite will enumerate every supported service across every region by default. On large accounts this can take 20–30 minutes. To restrict to specific regions:
scout aws --profile audit-profile --regions eu-west-1 eu-west-2
To skip specific services you’re not interested in (speeding up the scan considerably):
scout aws --profile audit-profile --skip cloudformation glacier
Azure
To scan an Azure subscription after logging in with the Azure CLI:
scout azure --cli
If you have multiple subscriptions, specify the one you want:
scout azure --cli --subscription-ids your-subscription-id
GCP
To scan a GCP project using your application default credentials:
scout gcp --user-account --project-id your-project-id
The HTML Report
Once the scan completes, ScoutSuite generates a report in a scoutsuite-report directory. Open the HTML file it creates in your browser — it works entirely offline with no external dependencies.
The report is well designed and genuinely useful. The left-hand panel lists every service ScoutSuite assessed. Clicking into a service shows you a breakdown of rules — each marked as a danger (red), warning (orange), or good (green). Clicking a specific finding drills into the affected resources, showing you exactly which S3 bucket, security group, or IAM role triggered the rule and what the problem is.
The summary page gives you a risk heat map across all services, which is useful for prioritising where to focus remediation effort. High-severity findings to look for include publicly accessible S3 buckets, IAM users with administrator access and no MFA, security groups with unrestricted inbound rules on sensitive ports like SSH and RDP, and CloudTrail or other audit logging not being enabled.
Useful Flags and Options
ScoutSuite separates the data gathering phase from the report generation phase, storing the raw gathered data in a scoutsuite-report/scoutsuite-results/ directory. This means you can regenerate the report against previously collected data without re-scanning the cloud account, which is handy when you want to re-run analysis after making changes.
scout aws --profile audit-profile --no-browser
The --no-browser flag prevents ScoutSuite from automatically opening the report, which is useful when running on a headless server or over SSH. To force a fresh data gather even if cached data exists from a previous run:
scout aws --profile audit-profile --force
For cross-account scanning using an assumed IAM role:
scout aws --profile audit-profile --assume-role arn:aws:iam::123456789012:role/AuditRole
You can also increase the number of threads ScoutSuite uses for API calls, which significantly speeds up scans on large accounts — though be aware that very high thread counts can trigger AWS API rate limiting:
scout aws --profile audit-profile --max-workers 10
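Because the raw data lives on disk under scoutsuite-report/scoutsuite-results/, it is easy to post-process outside the HTML report: rank the flagged rules the way the summary heat map does, and diff two runs to see what a remediation round actually fixed. The script below is an added example written for this article, not code from ScoutSuite or NCC Group. It assumes the results file is a JavaScript assignment (`scoutsuite_results =`) wrapping a JSON document whose per-service findings carry `level`, `items`, `flagged_items` and `checked_items` keys; the rule names, bucket names and security group ids in the embedded samples are constructed for illustration only.

```python
"""Triage and diff two ScoutSuite results files (added example, not ScoutSuite code).

Assumption: each results file under scoutsuite-report/scoutsuite-results/ is a
JavaScript assignment `scoutsuite_results =` followed by a JSON document, and
each service's findings look like (simplified from the real report data):
  services.<service>.findings.<rule_key> = {
      "description": str, "level": "danger" | "warning",
      "items": [resource paths], "flagged_items": int, "checked_items": int}
The rule keys and resources in the samples below are constructed for illustration.
"""
import json
import re
import sys

LEVEL_RANK = {"danger": 0, "warning": 1}  # lower number = more severe


def load_results(text):
    """Strip the leading `scoutsuite_results =` assignment and parse the JSON body."""
    body = re.sub(r"^\s*scoutsuite_results\s*=\s*", "", text, count=1)
    return json.loads(body)


def rank_findings(results, min_level="warning"):
    """Return findings with at least one flagged resource, most severe and widest first."""
    rows = []
    for service, sdata in results.get("services", {}).items():
        for rule, f in sdata.get("findings", {}).items():
            level = f.get("level")
            if f.get("flagged_items", 0) == 0 or level not in LEVEL_RANK:
                continue
            if LEVEL_RANK[level] > LEVEL_RANK[min_level]:
                continue  # below the severity cut-off
            rows.append({"service": service, "rule": rule, "level": level,
                         "flagged": f["flagged_items"],
                         "checked": f.get("checked_items", 0),
                         "description": f.get("description", "")})
    rows.sort(key=lambda r: (LEVEL_RANK[r["level"]], -r["flagged"], r["rule"]))
    return rows


def flagged_resources(results):
    """Map (service, rule) -> set of resource paths that rule flagged."""
    out = {}
    for service, sdata in results.get("services", {}).items():
        for rule, f in sdata.get("findings", {}).items():
            if f.get("items"):
                out[(service, rule)] = set(f["items"])
    return out


def diff_runs(before, after):
    """Return (new, resolved): resources flagged only in `after`, and only in `before`."""
    b, a = flagged_resources(before), flagged_resources(after)
    new, resolved = {}, {}
    for key in set(b) | set(a):
        added = a.get(key, set()) - b.get(key, set())
        gone = b.get(key, set()) - a.get(key, set())
        if added:
            new[key] = sorted(added)
        if gone:
            resolved[key] = sorted(gone)
    return new, resolved


def triage(before_text, after_text):
    """Parse two runs; return the ranked current findings plus what changed between them."""
    before, after = load_results(before_text), load_results(after_text)
    new, resolved = diff_runs(before, after)
    return {"ranked": rank_findings(after), "new": new, "resolved": resolved}


# Constructed sample results (not real ScoutSuite output): a first scan ...
SAMPLE_BEFORE = """scoutsuite_results =
{"provider_code": "aws", "services": {
  "s3": {"findings": {
    "s3-bucket-world-readable": {"description": "Bucket is world-readable", "level": "danger",
      "items": ["s3.buckets.logs-archive", "s3.buckets.web-assets"], "flagged_items": 2, "checked_items": 5},
    "s3-bucket-no-versioning": {"description": "Bucket has no versioning", "level": "warning",
      "items": ["s3.buckets.web-assets"], "flagged_items": 1, "checked_items": 5}}},
  "ec2": {"findings": {
    "ec2-security-group-opens-SSH-port-to-all": {"description": "SG opens SSH to 0.0.0.0/0", "level": "danger",
      "items": ["ec2.regions.eu-west-1.vpcs.vpc-0a.security_groups.sg-01"], "flagged_items": 1, "checked_items": 12},
    "ec2-default-security-group-in-use": {"description": "Default SG in use", "level": "warning",
      "items": [], "flagged_items": 0, "checked_items": 12}}}}}"""

# ... and a re-scan after logs-archive was locked down but a second open SG appeared.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    '["s3.buckets.logs-archive", "s3.buckets.web-assets"], "flagged_items": 2',
    '["s3.buckets.web-assets"], "flagged_items": 1').replace(
    '["ec2.regions.eu-west-1.vpcs.vpc-0a.security_groups.sg-01"], "flagged_items": 1',
    '["ec2.regions.eu-west-1.vpcs.vpc-0a.security_groups.sg-01", '
    '"ec2.regions.eu-west-1.vpcs.vpc-0a.security_groups.sg-02"], "flagged_items": 2')

if __name__ == "__main__":
    # Usage: python scout_triage.py <before.js> <after.js>; with no args the samples are used.
    if len(sys.argv) == 3:
        texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]]
    else:
        texts = [SAMPLE_BEFORE, SAMPLE_AFTER]
    result = triage(*texts)
    for r in result["ranked"]:
        print(f"{r['level']:<8}{r['service']:<6}{r['rule']:<45}{r['flagged']}/{r['checked']}")
    print("new:", result["new"])
    print("resolved:", result["resolved"])
```

Run it against the two results files from consecutive scans (the second produced with --force so the data is freshly gathered) and the "resolved" list is your evidence that a fix landed, while "new" catches regressions that a quick glance at the heat map would miss. Ranking by level first and then by the number of flagged resources mirrors how the report's summary page draws attention, so the top rows are the ones worth opening first.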
ScoutSuite vs Prowler
ScoutSuite and Prowler are the two most commonly used open-source cloud security auditing tools, and they complement each other well. ScoutSuite’s strength is its report — the interactive HTML output is excellent for navigating a complex environment and is straightforward to share with clients or stakeholders who aren’t comfortable reading raw JSON. Prowler’s strength is its compliance framework mapping and its deeper AWS coverage, particularly around newer services, and its native integration with AWS Security Hub for teams that want findings centralised there.
In practice, running both on the same environment and cross-referencing the results is worth the extra time. Each occasionally surfaces findings the other misses, and having two independent tools flag the same issue gives you more confidence when prioritising remediation.
Neither tool replaces manual review of IAM policies, architecture decisions, or the contextual judgment required for a thorough cloud security assessment — but both are excellent at eliminating the tedium of checking hundreds of resources by hand and ensuring nothing obvious gets missed.
For broader context on cloud and infrastructure security tooling, the top penetration testing tools roundup is worth a read alongside this.