ScoutSuite Cheat Sheet
Multi-cloud security auditing tool that generates HTML reports highlighting misconfigurations and risky permissions.
Overview
ScoutSuite collects read-only configuration from AWS, Azure, GCP, and others, then flags misconfigurations (public S3, open security groups, weak IAM). Ideal for cloud posture review at engagement start.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
pip install scoutsuite
Or docker
docker pull rossja/ncc-scoutsuite
Essential commands
AWS (default profile)
scout aws --report-dir scout-report
Azure
scout azure --cli --report-dir scout-azure
GCP
scout gcp --user-account --report-dir scout-gcp
Open report
firefox scout-report/scoutsuite-report/scoutsuite.html
Common workflows
AWS full assessment —
export AWS_PROFILE=pentest-readonly
scout aws --report-dir ./reports/client-aws-$(date +%F) --max-workers 10
Specific services only (faster; --services takes a space-separated list)
scout aws --services s3 iam ec2 --report-dir ./reports/quick
Azure with service principal —
scout azure --service-principal --tenant-id TENANT --client-id APP_ID --client-secret SECRET \
  --subscription-ids SUB_ID --report-dir scout-azure
GCP user account —
gcloud auth application-default login
scout gcp --user-account --project-id PROJECT_ID --report-dir scout-gcp
Filter / re-run —
scout aws --report-dir report2 --ruleset custom.json
Flags reference
| Flag | Purpose |
|---|---|
| --report-dir DIR | Output location |
| --services s3 iam | Limit API calls to the listed services (space-separated) |
| --max-workers N | Parallelism |
| --no-browser | Skip auto-open |
| --fetch-local | Use cached data only |
| --update | Refresh rules database |
| --debug | Verbose errors |
Quick one-liners
Audit AWS with an assumed role (cross-account engagements)
scout aws --profile pentest --report-dir ./out
Audit a single AWS region only (faster, fewer API calls)
scout aws --regions us-east-1 --report-dir ./out
Use temporary STS credentials
scout aws --access-keys --access-key-id AKIA... --secret-access-key ... --session-token ...
Run headless in CI (no auto-open browser)
scout aws --no-browser --report-dir ./out
Re-render a report from already-fetched data
scout aws --fetch-local --report-dir ./out
Azure audit using the logged-in az CLI session
scout azure --cli --report-dir ./out
Reading the report
Danger (red) findings are confirmed misconfigurations — triage these first
# Dashboard → sort by 'Danger' severity
Warning (orange) findings need manual context before reporting
# e.g. a public bucket may be intentional (static site)
Filter findings to a single service for focused review
# Open services/<service>/ in the HTML report
Export raw collected config for diffing between runs
# scoutsuite-results/scoutsuite_results_*.js holds the full JSON
Tips
- Use read-only audit credentials; ScoutSuite performs many API calls.
- Findings are heuristics — verify critical items manually with CLI.
- Large accounts: scope --services first to avoid rate limits.
- Pair with Prowler (AWS-focused, CIS) for compliance overlap.
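The "Reading the report" section and the tips above describe triaging Danger findings first, narrowing to one service, verifying flagged items by hand, and diffing the raw scoutsuite_results_*.js file between runs. The script below is an added example, not ScoutSuite's own code, that does those steps on the results file. It assumes the file is a `scoutsuite_results =` prefix followed by a JSON object in which `services[<svc>]["findings"][<id>]` carries a `level` (`danger`/`warning`) and an `items` list of flagged resource paths; the two sample runs, their finding IDs and resource paths are constructed for the demo.

```python
"""Triage and diff ScoutSuite results files (added example, not ScoutSuite code).

Assumed layout of scoutsuite-results/scoutsuite_results_*.js:
    scoutsuite_results =
    { "services": { "<svc>": { "findings": { "<id>": { "level": ..., "items": [...] }}}}}
"""
from __future__ import annotations

import json
import re
from typing import Optional

# The JS assignment prefix that precedes the JSON payload.
PREFIX_RE = re.compile(r"^\s*scoutsuite_results\s*=\s*")

# Two constructed runs of the same account (not real ScoutSuite output).
RUN_OLD = "scoutsuite_results =\n" + json.dumps({"services": {
    "s3": {"findings": {"s3-bucket-world-readable": {"level": "danger", "items": [
        "s3.regions.us-east-1.buckets.public-assets",
        "s3.regions.us-east-1.buckets.backups"]}}},
    "ec2": {"findings": {"ec2-security-group-opens-all-ports-to-all": {"level": "danger", "items": [
        "ec2.regions.us-east-1.vpcs.vpc-1.security_groups.sg-1"]}}},
    "iam": {"findings": {
        "iam-user-without-mfa": {"level": "warning", "items": ["iam.users.alice", "iam.users.bob"]},
        "iam-root-account-no-mfa": {"level": "danger", "items": []}}},
}})
RUN_NEW = "scoutsuite_results =\n" + json.dumps({"services": {
    "s3": {"findings": {"s3-bucket-world-readable": {"level": "danger", "items": [
        "s3.regions.us-east-1.buckets.public-assets"]}}},
    "ec2": {"findings": {"ec2-security-group-opens-all-ports-to-all": {"level": "danger", "items": [
        "ec2.regions.us-east-1.vpcs.vpc-1.security_groups.sg-1",
        "ec2.regions.us-east-1.vpcs.vpc-1.security_groups.sg-2"]}}},
    "iam": {"findings": {
        "iam-user-without-mfa": {"level": "warning", "items": ["iam.users.alice"]},
        "iam-root-account-no-mfa": {"level": "danger", "items": []}}},
}})


def load_results(text: str) -> dict:
    """Strip the 'scoutsuite_results =' prefix and parse the JSON body."""
    return json.loads(PREFIX_RE.sub("", text, count=1))


def load_results_file(path: str) -> dict:
    """Read and parse a scoutsuite_results_*.js file from disk."""
    with open(path, encoding="utf-8") as fh:
        return load_results(fh.read())


def flagged(results: dict, level: Optional[str] = None,
            service: Optional[str] = None) -> dict[str, set[str]]:
    """Map 'service:finding_id' -> flagged resource paths, optionally filtered by level/service."""
    out: dict[str, set[str]] = {}
    for svc, data in results.get("services", {}).items():
        if service and svc != service:
            continue
        for fid, finding in data.get("findings", {}).items():
            if level and finding.get("level") != level:
                continue
            items = set(finding.get("items", []))
            if items:  # findings with no flagged items are not actionable
                out[f"{svc}:{fid}"] = items
    return out


def triage(results: dict) -> list[tuple[str, str, int]]:
    """Rows of (level, 'service:finding_id', flagged count), danger first, then by count."""
    rank = {"danger": 0, "warning": 1}
    rows = []
    for svc, data in results.get("services", {}).items():
        for fid, finding in data.get("findings", {}).items():
            count = len(finding.get("items", []))
            if count:
                rows.append((finding.get("level", "warning"), f"{svc}:{fid}", count))
    rows.sort(key=lambda r: (rank.get(r[0], 2), -r[2], r[1]))
    return rows


def diff_runs(old: dict, new: dict) -> dict[str, dict[str, set[str]]]:
    """Flagged resources that appeared ('new') or disappeared ('resolved') between two runs."""
    a, b = flagged(old), flagged(new)
    keys = set(a) | set(b)
    added = {k: b.get(k, set()) - a.get(k, set()) for k in keys}
    gone = {k: a.get(k, set()) - b.get(k, set()) for k in keys}
    return {"new": {k: v for k, v in added.items() if v},
            "resolved": {k: v for k, v in gone.items() if v}}


if __name__ == "__main__":
    old, new = load_results(RUN_OLD), load_results(RUN_NEW)
    for level, key, count in triage(new):
        print(f"{level:8} {key} ({count} flagged)")
    # Paths printed here are what you verify manually with the cloud CLI before reporting.
    for kind, entries in diff_runs(old, new).items():
        for key, paths in entries.items():
            print(f"{kind}: {key} -> {sorted(paths)}")
```

Point `load_results_file` at two report directories' `scoutsuite-results/scoutsuite_results_*.js` files to get the same triage and diff for real runs; the `level`/`items` keys are an assumption about the file layout and should be checked against your own report before relying on the script.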