You are one week into a cloud penetration test. The client handed you an AWS access key, pointed you at three Azure subscriptions, and mentioned a GCP project that “someone on the platform team set up last year.” Your objective: find everything that is exposed, misconfigured, or one IAM policy away from a full compromise.
You start with AWS. You enumerate S3 buckets, check their policies by hand, and flag the ones with public access. You pull IAM users and roles, try to trace which ones can escalate to admin, and give up somewhere around the third layer of AssumeRole chains. You switch to Azure, realize your AWS tooling is useless here, install a different scanner, learn its flags, and start over. By day three you have a spreadsheet, six terminal tabs, and the growing suspicion that you are missing something.
Aurelian replaces all that.
By day three, you have a JSON file with every public resource, every hardcoded credential, and every privilege escalation path across all three accounts. The spreadsheet is gone. The reporting has already started.
TL;DR: Aurelian is an open-source cloud security framework written in Go that unifies reconnaissance, secrets discovery, and IAM analysis across AWS, Azure, and GCP. It ships 25 modules today, evaluates resource policies using real IAM evaluation logic (not flag checks), validates discovered credentials against live APIs, and maps privilege escalation paths to Neo4j. It runs as a CLI or a Go library. Get it at GitHub.
Where Aurelian Fits
Aurelian covers cloud infrastructure – the deployed environment where misconfigurations, exposed resources, and leaked credentials become real risks. It sits alongside two other Praetorian tools: Titus for secrets discovery and Trajan for CI/CD pipeline testing. In practice, they form a pipeline: Aurelian finds a Lambda function, Titus scans its environment variables and validates discovered AWS credentials against STS, and Trajan uses the live keys to test the CI/CD pipeline for further compromise.
Aurelian is the successor to Nebula, Praetorian’s internal cloud reconnaissance framework. Nebula proved the module set and the operational workflows over years of engagements. Aurelian is a ground-up rewrite that takes those same capabilities – public resource discovery, secrets scanning, IAM privilege escalation path analysis, subdomain takeover – and rebuilds them on a streaming pipeline architecture designed for scale.
$ aurelian [platform] [category] [module] [flags]
$ aurelian aws recon public-resources --output-format json
$ aurelian azure recon find-secrets --subscription-id
$ aurelian gcp recon list-all --project-id myproject
$ aurelian aws analyze analyze-iam-permissions --gaad-file gaad.json
Finding What Is Actually Public
The public-resources module is the one we reach for most often on engagements. Most cloud security tools check a boolean flag – is PubliclyAccessible set to true? – and call it a day. That misses a lot. A resource can have a perfectly private configuration flag and a resource policy that grants s3:GetObject to *.
Aurelian evaluates the actual policy. It enumerates resources via the AWS Cloud Control API, enriches each one with service-specific properties (RDS accessibility settings, Cognito self-signup configuration, Lambda function URL auth types), fetches the resource-based policy, and runs it through an IAM policy evaluation engine that considers condition keys, SCPs, and resource ARN patterns. This is not a heuristic. It is the same evaluation logic AWS uses internally.
Resources confirmed public are high severity. Resources with ambiguous policies that need deeper inspection are medium. Private resources are not emitted. The evaluation handles the edge cases that trip up simpler tools: wildcards with conditions, cross-account trust chains, and principal patterns that look broad but are actually scoped by SCPs.
Azure and GCP have their own public-resources modules. Azure uses Resource Graph queries to detect exposed storage accounts, databases, key vaults, and web apps. GCP checks both network exposure and anonymous access across resource types with meaningful public indicators.
$ aurelian aws recon public-resources --output-format json -f results.json
$ aurelian azure recon public-resources --subscription-id
$ aurelian gcp recon public-resources --project-id myproject
Pulling Secrets Out of Cloud Resources
We’ve found credentials hardcoded or leaked in almost every place imaginable – EC2 user data scripts, Lambda environment variables, CloudFormation templates, CloudWatch log files, and dozens more across AWS alone. Azure and GCP have their own nooks and crannies where secrets can hide. The problem is that most of these locations are readable by anyone with basic access to the account, and many are logged, cached, or returned in API responses that were never designed to protect sensitive data. A secret stored in a CloudWatch log event or an SSM document isn’t encrypted at rest in any meaningful sense – it’s one overly broad IAM policy away from exposure. Aurelian simplifies the daunting task of hunting for secrets to a single command.
The find-secrets module on each platform enumerates these resources, extracts the content, and feeds it into Titus for scanning.
When the --validate flag is enabled, Aurelian hands discovered credentials back to Titus’s validation engine, which makes controlled API calls to determine whether the key is live. A confirmed active AWS key is high severity. The output includes: account ID, region, resource type, resource ARN, match context, and validation status. You can review the results using titus explore or process the resulting JSON in an automated pipeline.
$ aurelian aws recon find-secrets --validate
$ aurelian azure recon find-secrets --subscription-id
$ aurelian gcp recon find-secrets --project-id myproject
Mapping IAM Privilege Escalation
The account-auth-details module pulls the full GetAccountAuthorizationDetails dataset – every user, role, group, and policy in the AWS account. The analyze-iam-permissions module consumes that data and evaluates every principal’s effective permissions to detect privilege escalation paths, cross-account access, and create-then-use attack patterns.
$ aurelian aws recon account-auth-details -f gaad.json
$ aurelian aws analyze analyze-iam-permissions --gaad-file gaad.json
$ aurelian aws recon graph --neo4j-uri bolt://localhost:7687
The graph module takes this further. It collects IAM data, evaluates permissions, and exports the full relationship graph to Neo4j. Once loaded, you can query it with Cypher:
// Which roles can reach admin in 3 hops or fewer?
MATCH path = (attacker:Principal)-[:CAN_PRIVESC*1..3]->(target:Principal)
WHERE target.isAdmin = true
RETURN path
Catching Dangling DNS
Subdomain takeover detection spans all three cloud providers, with multiple modules targeting different vulnerability classes.
- cloudfront-s3-takeover finds CloudFront distributions whose S3 origins point to buckets that no longer exist. It cross-references Route53 records to determine whether DNS is actively routing traffic to the vulnerable distribution. A distribution with a missing bucket is medium severity. Active DNS pointing to it is high. An origin bucket owned by someone else is critical – the takeover may have already happened.
- subdomain-takeover takes a broader view, enumerating all records from public hosted zones and checking for Elastic Beanstalk CNAME hijacking, dangling Elastic IP A records, and orphaned NS delegations.
- cdk-bucket-takeover detects missing CDK staging buckets with insecure IAM policies that could allow account-level compromise.
Azure has its own subdomain-takeover module covering App Service, Blob Storage, Traffic Manager, and CDN Classic domains using Azure CheckNameAvailability APIs to confirm names are claimable. GCP has a matching module that detects dangling DNS records in Cloud DNS zones.
$ aurelian aws recon cloudfront-s3-takeover
$ aurelian aws recon subdomain-takeover
$ aurelian azure recon subdomain-takeover --subscription-id
$ aurelian gcp recon subdomain-takeover --project-id myproject
The Rest of the Toolkit
Aurelian ships 25 modules today across 16 AWS, 5 Azure, and 4 GCP modules. Beyond the ones covered above:
- expand-actions – Expands wildcard IAM action patterns (e.g.
s3:Get*) into the full list of matching AWS actions. - ip-lookup – Checks an IP against AWS published ranges to identify the service, region, and network border group.
- known-account – Looks up an AWS account ID against known public databases to identify the owning organization.
- conditional-access-policies (Azure) – Fetches and enriches Conditional Access Policies from Entra ID with full UUID resolution for users, groups, roles, and applications.
- get-console – Generates a federated AWS Console sign-in URL from STS credentials.
- list-all (AWS/Azure/GCP) – Full resource enumeration. AWS uses CloudControl API, Azure uses Resource Graph, GCP walks the org/folder/project hierarchy.
- org-policies – Collects SCPs and RCPs with the full organizational hierarchy and policy-to-target mappings.
- resource-policies – Retrieves resource-based policies for S3, Lambda, SNS, SQS, EFS, OpenSearch, and Elasticsearch.
- whoami – Covert caller identity lookup using AWS APIs that leak the caller ARN without logging to CloudTrail.
Getting Started
Aurelian can be installed via the latest release, go install, built from source, or run in Docker. It can also be imported as a Go library for integration into custom tooling.
Install:
go install github.com/praetorian-inc/aurelian@latest
Build from source:
git clone https://github.com/praetorian-inc/aurelian.git
cd aurelian
go build -v -ldflags="-s -w" -o aurelian main.go
Docker:
docker build -t aurelian .
docker run --rm -v ~/.aws:/root/.aws aurelian aws recon public-resources
What Is Next
Active development is adding:
- ECR container image scanning – Pull images from private and public ECR repositories, extract container layers, and scan for embedded secrets via Titus. No Docker daemon dependency.
- Azure misconfiguration detection – 13 templates covering AKS local accounts, NSG unrestricted ports, App Service auth gaps, database firewall misconfigurations, overprivileged custom roles, and VM managed identity escalation.
- Azure IAM graph – Full Entra ID, RBAC, PIM, and managed identity privilege escalation analysis exported to Neo4j with enrichment queries across multiple escalation categories.
- GCP IAM graph – Extending the same privilege escalation graph analysis to GCP, mapping IAM bindings, service accounts, and escalation paths.
Frequently Asked Questions
What is Aurelian?
Aurelian is an open-source cloud security framework written in Go that unifies reconnaissance, secrets discovery, and IAM analysis across AWS, Azure, and GCP. It ships 25 modules, evaluates resource policies using real IAM evaluation logic, validates discovered credentials against live APIs, and maps privilege escalation paths to Neo4j. It runs as a CLI or a Go library. Aurelian is the heart of Praetorian Guard’s cloud capabilities.
Can Aurelian detect IAM privilege escalation paths?
Yes. The analyze-iam-permissions module evaluates every principal’s effective permissions to detect privilege escalation paths, cross-account access, and create-then-use attack patterns. The graph module exports the full relationship graph to Neo4j for Cypher-based querying of multi-hop escalation chains.
How does Aurelian find exposed cloud resources?
Unlike tools that check a single boolean flag, Aurelian evaluates the actual resource policy using an IAM policy evaluation engine that considers condition keys, SCPs, and resource ARN patterns. It identifies resources that are truly public even when configuration flags say otherwise.
