Usage
Command line usage
Cloud provider configuration
Luminaut supports AWS and GCP cloud environments. The commands in this documentation assumes that your shell is already configured with the necessary AWS and GCP credentials.
You can confirm your AWS credential configuration by running aws sts get-caller-identity. For additional information on configuring AWS credentials, see the AWS CLI documentation.
You can confirm your GCP credential configuration by running gcloud auth list. For additional information on configuring GCP credentials, see the GCP SDK documentation.
Command line interface
No arguments are required to run luminaut. If no configuration file is specified with -c/--config, luminaut will use default configuration settings and run available tools to start detecting resources.
The default configuration options are shown in the Configuration section.
Luminaut help is available with the argument --help.
$ luminaut --help
usage: luminaut [-h] [-c CONFIG] [--log LOG] [--verbose] [--version]
Luminaut: Casting light on shadow cloud deployments.
options:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Configuration file. (default: None)
--log LOG Log file. (default: luminaut.log)
--verbose Verbose output in the log file. (default: False)
--version show program's version number and exit
Examples
By default, Luminaut will run all available tools. It requires configuration of AWS or GCP roles with the necessary permissions (see Configuration section for details), otherwise the first step of public IP detection will fail.
luminaut
The AWS Config scanner takes at least 50 seconds to run per resource type. If you would like to disable this, you can do so as shown in the provided configs/disable_aws_config.toml configuration file. You can provide this configuration with -c configs/disable_aws_config.toml.
luminaut -c configs/disable_aws_config.toml
Similarly, if you’d like to enable Shodan, you will need to specify a configuration file that includes the Shodan API key. See the Configuration section for more information on the configuration file specification.
Usage with docker
When running with docker, we need to supply a few arguments:
-itto run the container interactively and display the output in the terminal.-v ~/.aws:/home/app/.awsto mount the AWS credentials from your host machine to the container, if you are using AWS.-e AWS_PROFILE=aws-profile-nameto set the AWS profile to use in the container. Replaceaws-profile-namewith the name of your AWS profile.-v ~/.config/gcloud:/home/app/.config/gcloudto mount the GCP credentials from your host machine to the container, if you are using GCP.-v $(pwd)/configs:/app/configsto mount the configuration file from your host machine to the container.luminautto select the luminaut container.--helpto display the help message, though replace this with your desired arguments (ie-c disable_aws_config.toml).
Note that saved files, such as the log file and JSON reports, will be saved within the container. You may want to mount another volume to save the report files. If you would like to run other commands within the container, you can override the default entrypoint by adding --entrypoint /bin/bash.
Examples
Bash, zsh, and similar terminals:
docker run -it \
-v ~/.aws:/home/app/.aws \
-e AWS_PROFILE=aws-profile-name \
-v ~/.config/gcloud:/home/app/.config/gcloud \
-v $(pwd)/configs:/app/configs \
luminaut --help
Powershell:
docker run -it `
-v $env:USERPROFILE\.aws:/home/app/.aws `
-e AWS_PROFILE=aws-profile-name `
-v $env:APPDATA\gcloud:/home/app/.config/gcloud `
-v ${PWD}\configs:/app/configs `
luminaut --help
Library usage
Luminaut is also designed for use as a Python library. For example usage, see the examples/ directory within the root of the repository for scripts that showcase how to leverage Luminaut functionality as a Python library.