
Security Vulnerability Assessment Tool for Cloud Services

Huilin Chang
MS in Cybersecurity, College of Computing, Georgia Institute of Technology
[email protected]

Abstract

With growing reliance on cloud platforms like AWS, businesses are faced with security vulnerabilities predominantly caused by misconfigurations. Existing assessment tools lack comprehensive real-time monitoring and user-specific customization. This paper presents the development and evaluation of a Security Vulnerability Assessment Tool tailored for AWS environments. Through event-driven, real-time monitoring and integration with other AWS services, this tool aims to not only detect but effectively mitigate security vulnerabilities. Preliminary evaluations, presented in two case studies, demonstrate this tool's accuracy in identifying misconfigurations.

Keywords— Cloud service, Security, AWS, Tool

I. INTRODUCTION

Use of cloud services has surged in the last decade, predominantly with Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). This has caused a paradigm shift in how businesses operate, with companies attracted to the flexibility and scalability of these platforms. However, with greater widespread adoption come various potential security vulnerabilities, primarily through misconfigurations.

A Review of Recent Cloud Security Breaches

The landscape of cloud security is marked by a series of notable breaches, emphasizing the need for robust security measures. A chronological examination of these incidents offers insight into the nature and challenge of cloud vulnerabilities [1-7]:

• June 2022: A former AWS employee's involvement in the Capital One breach highlighted the risks of insider threats.
• May 2022: The Pegasus Airlines breach exposed 23 million files, demonstrating the scale of data at risk.
• December 2021: FlexBooker's breach impacted 3 million users, showcasing the extensive reach of cloud vulnerabilities.
• August 2021: SeniorAdvisor's exposure of personal data affected over 3 million senior citizens, a vulnerable group.
• July 2021: PeopleGIS exposed sensitive information from over 80 municipalities, underlining the threats to public sector data.
• June 2021: The data breaches of Turkish cosmetics retailer Cosmolog Kozmetik and COVID testing sites emphasized the diversity of personal health data at risk.
• February 2021: LogicGate's breach and data exposure by Prestige Software in November 2020 further stressed the urgency for improved cloud security.

These incidents, often resulting from simple misconfigurations and oversight, underline the far-reaching consequences of security lapses in cloud environments.

Limitations of Current Cloud Security Tools

While existing tools for cloud security are functional, they often lack the sophistication needed for comprehensive, real-time monitoring and fail to offer necessary customization for varying user environments. This paper focuses on addressing these gaps by introducing a Security Vulnerability Assessment Tool tailored for AWS. This tool aims to not only identify but also effectively mitigate security vulnerabilities by integrating event-driven real-time monitoring with AWS services. Preliminary evaluations, demonstrated through two case studies, indicate significant progress in detecting misconfigurations.

Context and the Need for Continuous Innovation in Cloud Security

As the cloud computing landscape evolves rapidly, security remains a paramount concern for organizations utilizing cloud services. Tools like AWS Self-Service Security Assessment Solutions v2.0 and AWS Inspector, despite their capabilities, exhibit limitations. For example, AWS Self-Service Security Assessment Solutions v2.0 lacks comprehensive service coverage, customization and real-time monitoring, and has a potentially unintuitive user interface for novices. AWS Inspector, initially focused on Amazon EC2 instances, now struggles to provide extensive service coverage and detailed assessments for containerized applications, lacks continuous monitoring, and faces integration challenges.

By recognizing these limitations, this paper highlights the necessity for more robust, adaptive, and user-friendly security assessment tools that align with the complicated and dynamic nature of cloud environments. The proposed Security Vulnerability Assessment Tool is a step towards filling this crucial need in the domain of cloud security.
II. METHODS

A. Motivation

The rapid adoption of cloud platforms, notably AWS, Azure, and GCP, has equipped businesses with unprecedented scalability and operational flexibility. However, these benefits are accompanied by challenges. An abundance of security risks, predominantly stemming from misconfigurations, has led to significant data breaches and complex compliance issues.

Existing tools, such as AWS's Self-Service Security Assessment Solutions v2.0, offer partial solutions but fall short in areas such as real-time monitoring, comprehensive risk assessment, and user-specific customization. This gap underscores the urgent need for a more sophisticated tool capable of accurately identifying and mitigating vulnerabilities related to misconfigurations.

To address these vulnerabilities, businesses often resort to resources like AWS forums, whitepapers, and academic research. Although they provide valuable insights into common errors and misconfigurations, a systematic approach to identify, classify, and rectify these vulnerabilities is notably absent. The frequency of AWS-related data breaches underlines this problem, emphasizing the crucial need for our proposed tool.

A significant advancement in this domain is the adaptation of a classification system akin to Common Vulnerabilities and Exposures (CVE). This system aims to identify and categorize vulnerabilities, and deliver actionable insights for their mitigation, tailored to the specific operational contexts of users.

B. Research

The rise of cloud computing has made keeping data safe more complicated, especially with services like Amazon Web Services (AWS). Existing literature underscores the importance of exhaustive service coverage in security assessment tools, which is critical for ensuring that no aspect of the cloud environment remains unmonitored and susceptible to breaches. There have been instances when not having a full check-up led to issues, thereby reinforcing the imperative for comprehensive assessment solutions [8-25].

Parallel to the breadth of service coverage is the need for deep customization. Along with checking everything, these tools also need to be customizable to fit each company's own way of doing things. If they are too fixed or rigid and cannot be adjusted, they might not catch all the potential security risks, neglecting the unique operational and architectural nuances of organizations, and therefore being less effective and potentially leading to configuration errors [26-30]. The stream of research in this area advocates for flexible, customizable tools that can adapt to an organization's specific cloud ecosystem.

Being able to continuously monitor potential problems is another critical requirement. Real-time monitoring emerges as another pivotal theme in the literature, positing that the dynamic nature of cloud environments necessitates continuous vigilance. Tools that only perform periodic scans, such as AWS's own tools, are not enough to manage constantly evolving threats.

Integration capabilities, or the lack thereof, also feature prominently in the literature. Studies illustrate that security tools which fail to integrate seamlessly with both AWS services and third-party solutions limit the scope of security measures and can leave blind spots within the security setup of organizations. The ability to define custom vulnerabilities and the timeliness of notifications are identified as areas where current tools fall short. Security tools must allow organizations to specify their own security rules and must provide prompt notifications to ensure a swift response to potential threats.

There is a critical need for a Security Vulnerability Assessment Tool that is comprehensive, customizable and user-friendly, capable of advanced threat detection, integrates smoothly across cloud services, and provides timely alerts. This research aims to bridge these gaps by developing a tool tailored for AWS environments, setting a new benchmark for cloud management [31-35].

C. Approach, Methodology, and Design

The development of the Security Vulnerability Assessment Tool for AWS was based on a robust multi-faceted methodology. Initially, a comprehensive analysis of the current landscape of cloud security was undertaken, emphasizing the pervasive issue of misconfigurations in AWS. Recognizing the inadequacies of existing solutions, development pivoted towards the design of a solution specifically tailored for AWS environments.

The methodology begins with an extensive literature review and consultation with both primary (e.g. AWS forums) and secondary (e.g. academic research, whitepapers) resources to gather an understanding of prevalent vulnerabilities. The critical step following this is the requirement analysis phase, which details the tool's requisite functionalities, laying the groundwork for subsequent prototyping. Leveraging AWS SDKs, particularly for Python (Boto3), an initial prototype of the tool was developed, focusing on AWS-specific misconfigurations.

Furthermore, as the tool's development progressed, seamless integration with other AWS services was prioritized, enhancing its usability and efficacy. Real-time monitoring and event-triggered assessments form the core of this approach. Lastly, in the spirit of a comprehensive solution, the tool is developed to align with globally recognized vulnerability classification systems, like the CVE, to offer users actionable insights into potential security threats.

Throughout this methodology, the emphasis is on continuous learning, iterative development, and ensuring the tool remains adept at addressing the evolving challenges of AWS environments.

This application is an AWS Vulnerability Scanner and Dual List built using PyQt5. It is a GUI application designed to scan selected AWS services for vulnerabilities. The application provides a user-friendly interface, featuring a dual list selector for users to easily choose the AWS services they wish to scan. The scan results are displayed in real-time within the application window, allowing users to promptly address any identified vulnerabilities.

Features
• Dark-Themed User Interface: A sleek, user-friendly interface that reduces eye strain, ensuring user comfort during prolonged use.
• Dual List Selector: Enables users to effortlessly select AWS services for scanning.
• Real-Time Scan Results: Users can view the scanning process and results in real-time, facilitating immediate action for identified vulnerabilities.
• AWS Service Support: The application supports a wide range of AWS services, offering comprehensive vulnerability scanning.

I. User Interface (UI):
• Main Application Window: Serves as the central interaction point for users, providing access to the scanner's functions.
• Service List Widget: Displays the list of AWS services categorized for ease of use, like Compute, Storage, Database, Networking, Security, Identity & Compliance, Analytics, Application Integration, Deployment & Management and Others.
• Dual-list Widget: Enables a straightforward selection process for AWS services that need to be scanned, supporting both single and multiple actions.

II. Backend Services:
• Initialization Script: Utilizes PyQt5 for UI elements and initializes the application.
• AWS Service Integration: Leverages the Boto3 library for AWS API interactions, retrieving configuration details.
• Scan Engine: This is the core of the application, analyzing service configurations, comparing them to known vulnerability criteria, and pinpointing security risks.
• Scan Controller: Orchestrates the scanning process, including execution and real-time progress updates.

III. Result Storage:
This component is responsible for the temporary storage of scan outcomes, which are immediately displayed to the user. This feature facilitates the prompt assessment and remediation of identified security vulnerabilities.
Additionally, the tool provides a feature to export the scan results to a text file. This allows users to save the results for later review or for documentation purposes, ensuring they have a record of the vulnerabilities that were found during the scan and can revisit the findings as needed.

IV. Communication & Integration:
• AWS CLI Configuration: Configures the necessary AWS credentials, enabling the tool to interact with the user's AWS ecosystem.
• Python Environment: Operates within Python 3.x, relying on PyQt5 and Boto3, among other libraries.

V. User Feedback & Control:
• Real-time Feedback Systems: Offers a dynamic view of scanning activity, showing vulnerabilities as they are detected in real time.
• Scan Control Buttons: Provides user control over the scanning process with "Scan" and "Stop Scan" functionalities.
• Result Viewer: Presents a digest of the scan, listing vulnerabilities along with remediation recommendations post-analysis.

VI. Security:
• Read-only Scan: Ensures a non-intrusive scan by reading service configurations without altering them.
• Safe Stop Mechanism: Allows interruption of the scan safely, with the tool summarizing findings up to the point of cessation.

VII. Target Environment:
The tool is engineered to support a broad array of AWS services, aiming to provide an exhaustive security assessment tool. It can scan core services addressing varied needs across AWS suites.

VIII. Services Covered:
Our Security Vulnerability Assessment Tool is designed to comprehensively scan a wide range of AWS services, categorizing them into distinct groups based on their functionality and use cases. This categorization not only aids in organized scanning but also ensures that a broad spectrum of AWS services is covered, mitigating the risk of overlooked vulnerabilities. Below is a detailed breakdown of the AWS service groups and the individual services within each group that our tool is capable of scanning:

Compute:
• Amazon EC2 (Elastic Compute Cloud): For assessing virtual server configurations.
• AWS Lambda: To check serverless computing setups.
• Amazon ECS (Elastic Container Service): Focused on container orchestration.
• EC2 Auto Scaling: Evaluating scaling policies and configurations.
• AWS Elastic Beanstalk: Examining application deployment and management services.

Storage:
• Amazon S3 (Simple Storage Service): Scanning for bucket policies and access controls.
• Amazon Elastic Transcoder: Assessing media transcoding services.

Database:
• Amazon RDS (Relational Database Service): For database instance configurations.
• Amazon DynamoDB: NoSQL database service checks.
• Amazon Redshift: Data warehouse service scanning.
• Amazon Athena: Serverless interactive query service evaluation.

Networking:
• Amazon VPC (Virtual Private Cloud): Verifying network configuration and security.
• Amazon Route 53: DNS service checks.
• Amazon CloudFront: Content delivery network service assessments.
• Elastic Load Balancing (ELB): Load balancer configuration checks.
• Amazon API Gateway: Evaluating API management.

Security, Identity & Compliance:
• AWS Identity and Access Management (IAM): Scanning for user and role configurations.

• AWS Key Management Service (KMS): Key storage and management checks.
• AWS Secrets Manager: Securely managing secrets.
• AWS WAF (Web Application Firewall): Firewall rule evaluations.
• Amazon Inspector: Security assessment service checks.
• Amazon Cognito: User identity and access configurations.

Analytics:
• Amazon CloudWatch: Monitoring service configuration checks.
• Amazon Elasticsearch Service: Elasticsearch cluster assessments.
• AWS Glue: Data integration service scanning.

Application Integration:
• Amazon Simple Notification Service (SNS): Notification service configurations.
• Amazon Simple Queue Service (SQS): Message queuing service evaluations.
• AWS Step Functions: Workflow service checks.

Deployment & Management:
• AWS CloudFormation: Infrastructure as code service checks.
• AWS CodeDeploy: Automated deployment service assessments.
• AWS CloudTrail: Logging service evaluations.

Others:
• Amazon SWF (Simple Workflow Service): Workflow service for cloud applications.
• Amazon Elastic Container Registry (ECR): Docker container registry checks.

Each service within these categories is exhaustively scanned to identify potential misconfigurations that could lead to security vulnerabilities. Our tool's scanning methods are specifically tailored to the nuances and typical configuration pitfalls associated with each AWS service, ensuring both depth and breadth in security assessments. Figure 1(a) shows the user interface of this tool, Fig. 1(b) shows the user interface after selecting scans (EC2, S3 and VPC), Fig. 1(c) shows an overview of AWS services covered by the Security Vulnerability Tool, and Fig. 1(d) shows the architectural design of this tool.

Fig. 1(a) User interface of the AWS Security Vulnerability Tool.

Fig. 1(b) User interface of the AWS Security Vulnerability Tool after selecting scans (EC2, S3 and VPC).

Security Vulnerability Assessment Tool: AWS Services

[Compute Services]
├─ Amazon EC2 → Virtual server configurations
├─ AWS Lambda → Serverless computing setups
├─ Amazon ECS → Container orchestration
├─ EC2 Auto Scaling → Scaling policies
└─ AWS Elastic Beanstalk → Application deployment

[Storage Services]
├─ Amazon S3 → Bucket policies, access controls
└─ Amazon Elastic Transcoder → Media transcoding

[Database Services]
├─ Amazon RDS → Database instances
├─ Amazon DynamoDB → NoSQL service checks
├─ Amazon Redshift → Data warehouse scanning
└─ Amazon Athena → Serverless queries

[Networking Services]
├─ Amazon VPC → Network configuration
├─ Amazon Route 53 → DNS checks
├─ Amazon CloudFront → CDN assessments
├─ Elastic Load Balancing → Load balancing
└─ Amazon API Gateway → API management

[Security, Identity & Compliance]
├─ AWS IAM → User/role configurations
├─ AWS KMS → Key management
├─ AWS Secrets Manager → Managing secrets
├─ AWS WAF → Firewall rules
├─ Amazon Inspector → Security assessments
└─ Amazon Cognito → User identity/access

[Analytics Services]
├─ Amazon CloudWatch → Monitoring services
├─ Amazon Elasticsearch → Cluster assessments
└─ AWS Glue → Data integration

[Application Integration Services]
├─ Amazon SNS → Notification services
├─ Amazon SQS → Message queuing
└─ AWS Step Functions → Workflow checks

[Deployment & Management Services]
├─ AWS CloudFormation → Infrastructure code
├─ AWS CodeDeploy → Automated deployment
└─ AWS CloudTrail → Logging services

[Other Services]
├─ Amazon SWF → Workflow services
└─ Amazon ECR → Docker registry checks

Fig. 1(c): Overview of AWS services covered by the Security Vulnerability Tool.

Types of Misconfigurations Detected:
For each detected vulnerability, the tool provides a risk assessment based on factors like potential exposure, data security implications and compliance requirements. The risk levels (e.g., High, Medium, Low) and recommendations are determined based on industry standards and best practices, potentially integrating CVSS (Common Vulnerability Scoring System) scores for a more standardized risk assessment. This approach helps prioritize remediation efforts based on the severity of the vulnerability [36].

CVSS scoring:
The tool creates a custom scoring system for AWS vulnerabilities [34-36]:
1. Scoring Process:
   o Base Score: Calculated considering impact and exploitability metrics. It is the intrinsic and fundamental score associated with a vulnerability.
   o Temporal Score: Refines the Base Score over time, considering the current exploitability, remediation level, and confidence in the reported vulnerability details.
   o Environmental Score: Customizes the Temporal Score by accounting for the potential impact on a specific organization, factoring in security controls, and how critical affected systems are.
2. Scoring Metrics:
   2.1. Exploitability Metrics:
      o Access Vector (AV)
      o Access Complexity (AC)
      o Authentication (Au)
   2.2. Impact Metrics:
      o Confidentiality Impact (C)
      o Integrity Impact (I)
      o Availability Impact (A)
   2.3. Temporal Metrics:
      o Exploitability (E)
      o Remediation Level (RL)
      o Report Confidence (RC)
   2.4. Environmental Metrics:
      o Collateral Damage Potential (CDP)
      o Target Distribution (TD)
      o Confidentiality, Integrity, and Availability Requirement (CR, IR, AR)

IX. Deployment Strategy:
A. The AWS Vulnerability Scanner is designed as a standalone GUI application that users can deploy within their local environment. It operates by interfacing with the AWS environment through secure API calls facilitated by AWS CLI and Boto3. The approach ensures that users can conduct vulnerability assessments from their workstations with real-time insights and immediate visibility into potential security risks. The application's deployment is straightforward, requiring a Python environment and the installation of necessary libraries.
B. Docker deployment: To simplify deployment and ensure a consistent environment regardless of the user's local setup, the tool also offers a Docker-based deployment option. Using Docker, the application is packaged along with its dependencies, eliminating discrepancies that might arise from different local environments. The deployment strategy for the AWS Vulnerability Scanner is designed to be flexible, catering to both users who prefer a local Python environment and those who opt for a Docker-based solution. The Docker deployment, in particular, offers a streamlined, consistent, and isolated environment, enhancing the tool's usability and reliability across different systems.

X. User Profiles and Needs:
Our primary user base consists of cloud administrators and security professionals, DevOps teams, and small and medium-sized businesses (SMBs) and startups.

Cloud Administrators and Security Professionals:
• Require a tool that provides comprehensive insights into the current security situation.
• Need capabilities for detailed and customizable security assessments.
• Value real-time alerts and integration with existing security workflows.

DevOps Teams:
• Seek automated and continuous security assessment solutions.
• Benefit from integration with CI/CD pipelines for continuous compliance.
• Prefer tools that offer actionable insights and recommendations.

SMBs and Startups:
• Require cost-effective solutions for cloud security.
• Need simple, user-friendly interfaces for ease of use without deep technical expertise.
• Value comprehensive coverage without the need for extensive configurations.

Fig. 1(d) Architectural design.
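The Base, Temporal and Environmental scores listed under "CVSS scoring" above follow the CVSS v2 equations, so the scoring process can be made concrete. The calculator below is an added example, not the paper's scoring code: it takes a standard CVSS v2 vector string, applies the specification's weights for the metrics the paper lists (AV, AC, Au, C, I, A, E, RL, RC, CDP, TD, CR, IR, AR), and maps the result onto the High/Medium/Low levels the tool reports; the `risk_level` bands (7.0 and 4.0) are the NVD v2 severity bands, an assumption about how the tool might map scores.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights from the specification, keyed by the paper's abbreviations.
# Decimal keeps the rounding exact; the spec rounds each score to one decimal.
WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": {"N": "0.0", "P": "0.275", "C": "0.660"},
    "I": {"N": "0.0", "P": "0.275", "C": "0.660"},
    "A": {"N": "0.0", "P": "0.275", "C": "0.660"},
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0.0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0.0"},
    "TD": {"N": "0.0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "IR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "AR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
OPTIONAL_METRICS = ("E", "RL", "RC", "CDP", "TD", "CR", "IR", "AR")  # default: Not Defined


def parse_vector(vector: str) -> dict:
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/RL:OF/...]' into metric -> weight."""
    weights = {}
    for part in vector.split("/"):
        metric, _, value = part.partition(":")
        if metric not in WEIGHTS or value not in WEIGHTS[metric]:
            raise ValueError(f"unknown metric or value: {part!r}")
        weights[metric] = Decimal(WEIGHTS[metric][value])
    missing = set(BASE_METRICS) - set(weights)
    if missing:
        raise ValueError(f"base metrics missing: {sorted(missing)}")
    for metric in OPTIONAL_METRICS:
        weights.setdefault(metric, Decimal(WEIGHTS[metric]["ND"]))
    return weights


def _round1(x: Decimal) -> Decimal:
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def _base_from_impact(impact: Decimal, w: dict) -> Decimal:
    """Base equation with the impact sub-score supplied by the caller."""
    exploitability = Decimal("20") * w["AV"] * w["AC"] * w["Au"]
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability
                    - Decimal("1.5")) * f_impact)


def base_score(w: dict) -> Decimal:
    one = Decimal("1")
    impact = Decimal("10.41") * (one - (one - w["C"]) * (one - w["I"]) * (one - w["A"]))
    return _base_from_impact(impact, w)


def temporal_score(w: dict) -> Decimal:
    """Base score refined by exploitability, remediation level and report confidence."""
    return _round1(base_score(w) * w["E"] * w["RL"] * w["RC"])


def environmental_score(w: dict) -> Decimal:
    """Temporal score recomputed with the organisation's CR/IR/AR weighting,
    then adjusted for collateral damage potential and target distribution."""
    one, ten = Decimal("1"), Decimal("10")
    adjusted_impact = min(ten, Decimal("10.41") * (
        one - (one - w["C"] * w["CR"]) * (one - w["I"] * w["IR"]) * (one - w["A"] * w["AR"])))
    adjusted_temporal = _round1(_base_from_impact(adjusted_impact, w) * w["E"] * w["RL"] * w["RC"])
    return _round1((adjusted_temporal + (ten - adjusted_temporal) * w["CDP"]) * w["TD"])


def score(vector: str) -> dict:
    w = parse_vector(vector)
    return {"base": base_score(w), "temporal": temporal_score(w),
            "environmental": environmental_score(w)}


def risk_level(value: Decimal) -> str:
    """Map a score to the paper's High/Medium/Low levels using the NVD v2 bands (assumed)."""
    if value >= 7:
        return "High"
    if value >= 4:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Worked example from the CVSS v2 guide: a remote, unauthenticated, availability-only flaw.
    v = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"
    for name, value in score(v).items():
        print(f"{name}: {value} ({risk_level(value)})")
```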

III. TESTING

Testing Environment
The testing environment for this tool includes both simulated AWS environments, leveraging the 'moto' library to mock AWS services, and a graphical user interface (GUI) application developed using PyQt5. The 'moto' library allows simulating AWS resources without incurring costs or side effects in a real cloud environment. This approach ensures that the tests can run in isolation, making them reproducible and independent of actual AWS configurations.

Testing Methodology:
The testing methodology employs a suite of unit and integration tests, written using the 'pytest' framework, to validate both the functionality of the AWS interactions and the GUI elements. The tests are designed to simulate user interactions with the GUI, as well as the application's responses to various AWS service scenarios, such as creating resources, managing permissions, and detecting configurations [37-38].

For GUI elements, user actions like button clicks and list item selections are simulated, as well as the expected state changes within the application. The tests include verifying the enablement state of buttons before and after actions, the population of list widgets with AWS service names, and the response of the application to user interactions, such as moving items between lists.

The AWS service mocking involves simulating different AWS resources and configurations. For example, mock EC2 instances were created with public IPs and open security groups to test the scanning procedures for potential vulnerabilities. CloudWatch alarms, S3 buckets with various access policies, and Lambda functions with specific IAM roles were also simulated.

All 23 tests passed, indicating that the application's components interact correctly with the mocked AWS services and the GUI elements behave as expected. The test results are indicative of a robust testing strategy, demonstrating the tool's effectiveness in the simulated environment.

The Mock Testing script consists of unit tests for a cloud security scanning application, particularly focusing on AWS services, as shown in Fig. 2.
1. Libraries and Resources Initialization
   • Libraries: Importation of required libraries including 'pytest', 'boto3', 'moto', 'zipfile', and 'PyQt5'.
   • Resource Creation: Creation of a ZIP file containing a Lambda function, essential for testing AWS Lambda.
2. Mocking and Testing Utility:
   • MockEmitter Class: A utility class to mock the emission of messages during the testing phase, used to capture and store messages emitted during tests.
   • Application Instance: Instantiation of 'QApplication' for testing GUI elements.
3. Testing AWS Services and GUI Elements:
   The testing process is extensive, covering a range of AWS services and the application's GUI elements, and is structured into several function tests.
   • GUI Initialization Tests: To confirm that the main window and other GUI elements like dual list widgets are initialized correctly.
   • Service Selection Test: Uses 'moto' to mock AWS EC2 and IAM, and tests if the scan can identify specific vulnerabilities.
   • EC2 Scan Test: Uses 'moto' to mock AWS EC2 and IAM, and tests if the scan can identify specific vulnerabilities.
   • S3 Scan Test: Mocks S3 and tests if the scanner identifies vulnerabilities related to bucket permissions.
   • IAM Scan Test: Evaluates if the scan identifies vulnerabilities in AWS IAM configurations.
   • SQS Scan Test: Checks for vulnerabilities in SQS, particularly focusing on public access.
   • SNS Scan Test: Evaluates the tool's capability to identify public access vulnerabilities in SNS messages.
   • Lambda Scan Test: Confirms that the scanning tool can evaluate AWS Lambda functions, checking for permissions and configurations.
   • ElasticSearch Scan Test: Tests the tool's ability to scan and evaluate AWS ElasticSearch configurations for vulnerabilities.
   • CloudFront Scan Test: Evaluates the scanner's ability to identify CloudFront distributions without a default root object.
4. Scanning Procedures and Button States:
   • Scanning Procedure: Tests to ensure the scanning procedure operates and populates the result box correctly.
   • Button State Tests: Confirms that button states (enabled/disabled) change appropriately during and after scans.
5. AWS VPC and ELB Tests:
   • VPC Creation Test: Ensures that a VPC is configured with the correct CIDR block.
   • ELB Scan Test: A test function to check vulnerabilities in Elastic Load Balancer configurations.
6. CloudWatch Alarms Test:
   • Alarm Configuration Test: Confirms the CloudWatch alarm configurations and ensures the tool does not falsely identify the absence of alarms.
7. Interactive Tests:
   • Scan Interruption Test: Confirms that the scan can be interrupted/stopped, and evaluates the state of the scan and stop buttons before, during, and after a scan.
   • Result Box Content Test: Confirms the result box is populated after the scan.
8. Emission Tests:
   • Signal Emission Test: Ensures the scan thread emits signals as expected, validating the interactive feedback mechanism of the tool.
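The EC2 and S3 scan tests above exercise exactly the kind of rule the Scan Engine of Sec. II applies: compare a service's configuration to known vulnerability criteria and report a risk level with a remediation. As an added example (not the tool's own code) the checks below encode the mocked scenarios in those tests, an instance with a public IP behind a security group open to 0.0.0.0/0 and S3 buckets with and without a public access block, default encryption, access logging and versioning. They work on dictionaries constructed inline in the shape of the Boto3 responses (`describe_instances`, `describe_security_groups`, `get_public_access_block`, `get_bucket_encryption`, `get_bucket_logging`, `get_bucket_versioning`), so no AWS account or moto is needed; the `Finding` class, function names, risk mapping and sample identifiers are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    service: str
    resource: str
    risk: str          # High / Medium / Low, the risk levels the paper reports
    issue: str
    remediation: str


def _rule_is_world_open(rule: dict) -> bool:
    """True when an ingress rule admits any IPv4 or IPv6 source."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def ec2_instance_findings(instance: dict, groups: dict) -> list[Finding]:
    """EC2 check: world-open security group rules, rated High when the instance
    also has a public IP. `instance` is one entry of
    describe_instances()['Reservations'][i]['Instances']; `groups` maps
    GroupId -> the matching describe_security_groups() group dict."""
    findings = []
    public = "PublicIpAddress" in instance
    for ref in instance.get("SecurityGroups", []):
        for rule in groups.get(ref["GroupId"], {}).get("IpPermissions", []):
            if not _rule_is_world_open(rule):
                continue
            proto = rule.get("IpProtocol")
            span = "all ports" if proto == "-1" else f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}"
            findings.append(Finding(
                "EC2", instance["InstanceId"], "High" if public else "Medium",
                f"{ref['GroupId']} allows 0.0.0.0/0 on {span}"
                + (" and the instance has a public IP" if public else ""),
                "restrict the source CIDR to known ranges or remove the rule"))
    return findings


PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def s3_bucket_findings(name: str, state: dict) -> list[Finding]:
    """S3 check: public access block, default encryption, access logging and
    versioning. `state` maps an S3 API name to its response dict; None stands
    for the call having raised because no such configuration exists."""
    findings = []
    pab = (state.get("get_public_access_block") or {}).get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append(Finding("S3", name, "High", "public access block not fully enabled",
                                "enable all four PublicAccessBlock settings"))
    if not state.get("get_bucket_encryption"):
        findings.append(Finding("S3", name, "Medium", "no default encryption",
                                "set a default SSE-S3 or SSE-KMS rule"))
    if "LoggingEnabled" not in (state.get("get_bucket_logging") or {}):
        findings.append(Finding("S3", name, "Low", "server access logging disabled",
                                "enable logging to a separate log bucket"))
    if (state.get("get_bucket_versioning") or {}).get("Status") != "Enabled":
        findings.append(Finding("S3", name, "Low", "versioning not enabled",
                                "enable versioning to recover overwritten objects"))
    return findings


# Constructed sample data (not real resources) mirroring the paper's mock scenarios.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-open"}]},
    {"InstanceId": "i-0bbb", "PrivateIpAddress": "10.0.1.5",
     "SecurityGroups": [{"GroupId": "sg-tight"}]},
]
SAMPLE_GROUPS = {
    "sg-open": {"IpPermissions": [{"IpProtocol": "-1",
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-tight": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                    "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
}
SAMPLE_BUCKETS = {
    "archive-bucket": {   # private, encrypted, logged, versioned: should be clean
        "get_public_access_block": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
        "get_bucket_encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "get_bucket_logging": {"LoggingEnabled": {"TargetBucket": "log-bucket", "TargetPrefix": "archive/"}},
        "get_bucket_versioning": {"Status": "Enabled"},
    },
    "public-bucket": {    # nothing configured: four findings expected
        "get_public_access_block": None, "get_bucket_encryption": None,
        "get_bucket_logging": {}, "get_bucket_versioning": {},
    },
}


def run_scan(instances=SAMPLE_INSTANCES, groups=SAMPLE_GROUPS, buckets=SAMPLE_BUCKETS) -> list[Finding]:
    """Run every check and return the combined findings, as a scan engine would."""
    findings: list[Finding] = []
    for inst in instances:
        findings.extend(ec2_instance_findings(inst, groups))
    for name, state in buckets.items():
        findings.extend(s3_bucket_findings(name, state))
    return findings


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.risk}] {f.service} {f.resource}: {f.issue} -> {f.remediation}")
```

Against a live account the same functions would be fed the responses of the Boto3 calls named in their docstrings, with the S3 `ClientError` for a missing configuration mapped to `None`.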

Fig. 2 Testing result

IV. RESULTS

Findings from Testing: The results demonstrate the tool's effectiveness in detecting misconfigurations, with a high percentage of true positives and negatives.

Comparison with Existing Tools:

AWS Inspector vs. This Tool
Integration and Ecosystem:
• AWS Inspector is closely integrated with the AWS ecosystem, offering specialized insights for AWS services.
• This tool interfaces with a diverse range of AWS services, potentially providing broader functionality than AWS Inspector.
User Interface:
• AWS Inspector utilizes the AWS Management Console, offering a familiar interface to those accustomed to AWS.
• This tool boasts a dark-themed UI and a dual list selector, potentially offering a more intuitive and visually appealing experience.
Customizability:
• AWS Inspector follows standard security assessments based on common practices and compliance standards.
• This tool allows more tailored scans and specific vulnerability checks, offering enhanced adaptability to individual user needs.
Real-Time Feedback:
• AWS Inspector conducts scheduled assessments, with reports delivered after analysis.
• This tool provides immediate scan results, facilitating swift identification and action on vulnerabilities.

AWS Self-Service Security Assessment Solution v2.0 vs. This Tool
Scope and Depth of Assessment:
• The AWS Self-Service Security Assessment Solutions v2.0 includes a comprehensive set of tools, but many require manual effort and in-depth AWS knowledge.
• This tool automates vulnerability scanning, offering a more streamlined approach for users.
Ease of Use:
• AWS Solutions might be more complex for users less familiar with AWS services.
• This tool's user-friendly UI and instant feedback make it accessible to a wider audience, including those without a strong technical background.
Scalability:
• AWS Solutions scales with AWS environments, but scalability can vary between tools within the Solutions.
• The scalability of this tool in handling large AWS environments is crucial, especially in comparison to AWS-native tools.
Cost:
• AWS Solutions follows the AWS pricing model, which might incur usage-based charges.
• If this tool is free or has a different pricing model, it could be a more economical option for users.
Customizability and Extensibility:
• AWS Solutions offers customization within a standardized framework.
• This tool could provide greater customizability, such as adding new scanning capabilities or integrating with external tools.
• Scalability to Other Cloud Platforms: Initially designed for AWS, this tool is engineered for seamless scalability to other cloud platforms, such as Azure. It allows for easy integration and adaptation of scanning capabilities to Azure services, enabling a unified approach to cloud security across multiple cloud environments. This scalability ensures that organizations using multi-cloud strategies can maintain a consistent security posture across all their cloud assets (Fig. 3).

Fig. 3. Scalability to the Azure Platform: Extending Capabilities

TABLE 1. COMPARISON TABLE
Criteria | AWS Inspector and AWS Self-Service Security | This Tool
Integration and Ecosystem | Closely integrated with AWS; specialized insights for AWS services | Interfaces with a diverse range of AWS services; potentially broader functionality
User Interface | Utilizes the AWS Management Console | Dark-themed UI; dual list selector

User Interface (cont.) | Familiar interface for AWS users | Potentially more intuitive and visually appealing
Customizability | Standard security assessments; based on common practices and standards | Tailored scans and specific vulnerability checks; enhanced adaptability to user needs
Real-time Feedback | Scheduled assessments with post-analysis reports | Immediate scan results; swift identification and action on vulnerabilities
Scope and Depth of Assessment | Comprehensive toolset requiring manual effort | Automates vulnerability scanning; more streamlined approach
Ease of Use | May be complex for less familiar users | User-friendly UI and instant feedback; accessible to a wider audience, including non-technical users
Scalability | Scales with AWS environments | Handles large AWS environments

EC2 Instances: Tested EC2 instances for potential security threats by simulating 100 instances with public IP assignments, VPCs, subnets and security groups.

S3 Bucket Misconfigurations: Tested S3 scripts among 120 instances including write access, public access, versioning, encryption, logging, read access and bucket policies. Proper configuration of S3 buckets is crucial for data integrity and security. The test aims to ensure that the bucket where the Bzure price data is archived is private, encrypted and has logging enabled to track any access or changes, which aligns with data security best practices.

SNS Misconfigurations: Tested SNS topics by checking 100 instances for common misconfigurations. This ensures that only authorized stakeholders receive notifications and that the notification system itself does not introduce vulnerabilities.

Misconfiguration Tests and Results:
EC2 Instances (100 tested):
• True Positives (TP): 50% (instances correctly identified with misconfigurations).
• True Negatives (TN): 50% (instances correctly identified without misconfigurations).
S3 Buckets (120 tested):
• True Positives (TP): 80% (buckets correctly identified with misconfigurations).
• True Negatives (TN): 40% (buckets correctly identified without misconfigurations).
SNS Topics (100 tested):
• True Positives (TP): 50% (topics correctly identified
• Scalability varies across • Crucial scalability in with misconfigurations).
tools comparison to • True Negatives (TN): 50 % (topics correctly identified
AWS-native tools without misconfigurations).
Cost • Usage-based charges per • Potentially more Total across all services (320 instances):
AWS pricing model economical if free • True Positives: 56.98% (instances correctly identified
or differently priced with misconfigurations).
Customizability • Customization within a • Great • True Negatives: 43.02% (instances correctly identified
and standardized framework customizability and without misconfigurations)
Extensibility extensibility Case Study 1 emphasizes the importance of proper AWS
• New scanning configuration and the need for ongoing security checks. It
capabilities, external also reflects the effectiveness of the testing tool and the
tool integration necessity for continuous education and improvement in cloud
management practices, particularly for newly onboarded
To conclude, while AWS Inspector and AWS Self-Service engineers handling critical data.
Security Assessment Solutions v2.0 provide integrated and
comprehensive security solutions for AWS, this tool
differentiates itself with its user-centric interface, immediate
feedback capabilities and potential for greater customization
and flexibility in scanning various AWS services.

Case Studies:
Case Study 1: Extracting Bzure Price API Data: A newly
onboarded engineer is assigned the task of daily extraction of
Bzure price API data. Using an EC2 instance, they are to
perform API calls, transform the acquired data, and archive it Fig. 4(a). Pipeline of Case Study 1.
in an S3 bucket. Upon completion of these tasks, stakeholders
are to be informed via SNS notification. Figures 4(a) and 4(b)
present a pipeline and systematic summary of Case Study 1,
respectively.
Tests Conducted:

8
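The Case Study 1 checks, written out as an added example (the editor's code, not the scanner's source, which the paper does not reproduce here). It runs offline on constructed resource snapshots whose field names follow the Boto3 responses the tool would fetch (describe_instances with the security groups' IpPermissions from describe_security_groups attached, get_public_access_block, get_bucket_encryption, get_bucket_logging, get_bucket_versioning, get_bucket_policy, get_topic_attributes); merging a resource's several responses into one dict, and the VersioningStatus key, are the example's own assumptions. The score function reports TP and TN as percentages of everything tested, which is how the results above are presented.

```python
"""Case Study 1 checks (EC2, S3, SNS) run offline, with TP/TN scoring.

Added example: the editor's code, not the scanner's source.  Each snapshot is
a constructed dict whose field names follow the Boto3 responses named in the
lead-in; merging several responses into one dict per resource is assumed.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statement_is_public(stmt):
    """An unconditional Allow granted to everyone ("*" or {"AWS": "*"})."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _policy_is_public(policy_json):
    """policy_json is the JSON string AWS returns for bucket and topic policies."""
    if not policy_json:
        return False
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return any(_statement_is_public(s) for s in statements)


def check_ec2_instance(inst):
    """Public IP assignment and security-group ingress open to the internet."""
    findings = []
    if inst.get("PublicIpAddress"):
        findings.append("EC2_PUBLIC_IP")
    for sg in inst.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if cidrs & WORLD_CIDRS:
                findings.append("EC2_SG_OPEN_TO_WORLD:" + sg["GroupId"])
                break
    return findings


def check_s3_bucket(bucket):
    """Public access block, default encryption, logging, versioning, policy."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("S3_PUBLIC_ACCESS_NOT_BLOCKED")
    if not (bucket.get("ServerSideEncryptionConfiguration") or {}).get("Rules"):
        findings.append("S3_NO_DEFAULT_ENCRYPTION")
    if not bucket.get("LoggingEnabled"):
        findings.append("S3_NO_ACCESS_LOGGING")
    if bucket.get("VersioningStatus") != "Enabled":
        findings.append("S3_VERSIONING_OFF")
    if _policy_is_public(bucket.get("Policy")):
        findings.append("S3_PUBLIC_BUCKET_POLICY")
    return findings


def check_sns_topic(topic):
    """topic is get_topic_attributes()["Attributes"]; flags an open policy."""
    return ["SNS_TOPIC_PUBLIC_POLICY"] if _policy_is_public(topic.get("Policy")) else []


CHECKS = {"ec2": check_ec2_instance, "s3": check_s3_bucket, "sns": check_sns_topic}


def score(labelled):
    """labelled: (service, snapshot, truly_misconfigured) triples.  TP and TN
    are reported as percentages of everything tested, as in Case Study 1."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for service, snapshot, truly_bad in labelled:
        flagged = bool(CHECKS[service](snapshot))
        key = ("TP" if truly_bad else "FP") if flagged else ("FN" if truly_bad else "TN")
        counts[key] += 1
    total = len(labelled)
    counts.update(total=total, tp_pct=round(100.0 * counts["TP"] / total, 2),
                  tn_pct=round(100.0 * counts["TN"] / total, 2))
    return counts


# Constructed snapshots (not real accounts): (service, snapshot, truly_misconfigured)
_OPEN_SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
_ALLOW_ALL = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                        "Action": "s3:GetObject", "Resource": "*"}]})
_ALLOW_OWNER = json.dumps({"Statement": [{"Effect": "Allow", "Action": "SNS:Publish",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Resource": "*"}]})
SAMPLE = [
    ("ec2", {"InstanceId": "i-0aaa", "PublicIpAddress": "203.0.113.10",
             "SecurityGroups": [{"GroupId": "sg-0open", "IpPermissions": [_OPEN_SSH]}]}, True),
    ("ec2", {"InstanceId": "i-0bbb",
             "SecurityGroups": [{"GroupId": "sg-0tight", "IpPermissions": []}]}, False),
    ("s3", {"Name": "bzure-price-archive",
            "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "LoggingEnabled": {"TargetBucket": "bzure-logs", "TargetPrefix": "archive/"},
            "VersioningStatus": "Enabled"}, False),
    ("s3", {"Name": "bzure-price-scratch", "Policy": _ALLOW_ALL}, True),
    ("sns", {"TopicArn": "arn:aws:sns:us-east-1:123456789012:bzure-done",
             "Policy": _ALLOW_OWNER}, False),
    ("sns", {"TopicArn": "arn:aws:sns:us-east-1:123456789012:bzure-open",
             "Policy": _ALLOW_ALL.replace("s3:GetObject", "SNS:Subscribe")}, True),
]
```

score(SAMPLE) on the six constructed snapshots gives three true positives and three true negatives (50% each) with no false results; pointing the checks at real snapshots fetched with Boto3 is the only change needed to run them against an account, and a deny-by-default "Condition" on a public-principal statement is deliberately not flagged.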
Fig. 4(b). Systematic summary of Case Study 1.

Case Study 2: AWS Misconfiguration in Rainfall Data Extraction
A junior engineer is tasked with collecting hourly rainfall data and, due to inexperience, incurs multiple misconfigurations across AWS services. Figures 5(a) and 5(b) present a pipeline and systematic summary of Case Study 2, respectively.
Fig. 5(a). Pipeline of Case Study 2.
Fig. 5(b). Systematic summary of Case Study 2.
Tests Conducted:
• Lambda Function Creation: A Lambda function was created with an overprivileged role, which is a security concern because it could lead to unauthorized access or actions.
• Glue Jobs’ Role: Glue jobs were created with an overprivileged role, indicating a misconfiguration in this area.
• S3 Data Storage and Validation: The test involved storing and validating multiple S3 objects to ensure data integrity.
• Redshift Cluster Encryption and Logging: The test checked whether the Redshift data warehouse cluster was encrypted, which is critical to protect data at rest, and verified whether logging was enabled for the cluster, which is important for monitoring and security auditing.
Misconfiguration Tests and Results:
Out of 200 instances tested across the services:
• True Positives: 24.72% were correctly identified as misconfigured.
• True Negatives: 75.28% were correctly identified as well-configured.
• False Positives & Negatives: There were no inaccuracies reported in the test results.
This case study underscores the necessity of security awareness in cloud operations, especially for engineers who are new to AWS. It shows a proactive approach in using automated tests to identify potential security risks, which is best practice in cloud security management. It also suggests that while the junior engineer had made misconfigurations, there was an effective safety net in place to catch these before they became critical issues. A startup can use these findings to refine their onboarding and training, ensuring engineers are better prepared to manage the security of AWS resources.

V. LIMITATIONS AND FUTURE WORK
The Security Vulnerability Assessment Tool, designed primarily for AWS, shows promise but also has some limitations that can be improved. Future updates can include enhancing the tool’s ability to conduct behavioral analysis. By better understanding the complex behaviors within cloud infrastructure, the tool could detect subtle security issues not immediately obvious from setups alone. As security threats are ever-changing, there is a need to create new ways to quickly identify and stop new kinds of cyber-attacks. The tool’s reliance on AWS’s own systems means it could face challenges if those systems change, suggesting a need for contingency plans to keep the tool functioning without issues. Additional improvements to the tool could include leveraging artificial intelligence to predict security risks before they happen using advanced algorithms. Making the tool open source could also make it more powerful, tapping into a wider pool of knowledge by allowing developers to improve and extend the tool’s functions. Lastly, with many organizations using more than one cloud provider, adapting this tool to work with others like Azure could help maintain robust security across different platforms.
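Returning to the Case Study 2 tests, here is the over-privileged-role and Redshift logic written out as an added example (the editor's code, not the scanner's source). Snapshot field names follow the Boto3 responses (Lambda get_function_configuration, Glue get_job, IAM policy documents, Redshift describe_clusters and describe_logging_status); gathering a role's attached policy ARNs and all of its policy documents into one dict, merging the logging status into the cluster entry, and the Glue job's Role being an ARN are assumptions of the example.

```python
"""Case Study 2 checks run offline: over-privileged Lambda and Glue execution
roles, and Redshift encryption / audit logging.

Added example: the editor's code, not the scanner's source.  Snapshot field
names follow the Boto3 responses (Lambda get_function_configuration, Glue
get_job, IAM policy documents, Redshift describe_clusters and
describe_logging_status); gathering a role's attached policy ARNs and all
its policy documents into one dict, and Glue's Role being an ARN, are assumed.
"""

ADMIN_MANAGED_POLICIES = {"arn:aws:iam::aws:policy/AdministratorAccess"}


def _as_list(value):
    """IAM fields (Statement, Action, Resource) may be scalar or list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def wildcard_grants(policy_document):
    """Actions from Allow statements granting '*' or 'service:*' on Resource '*'."""
    grants = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        grants += [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
    return grants


def check_execution_role(role):
    """Over-privilege test shared by the Lambda and Glue checks."""
    findings = [f"ROLE_ADMIN_MANAGED_POLICY:{arn.rsplit('/', 1)[-1]}"
                for arn in role.get("AttachedPolicyArns", []) if arn in ADMIN_MANAGED_POLICIES]
    for doc in role.get("PolicyDocuments", []):
        findings += [f"ROLE_WILDCARD_GRANT:{action}" for action in wildcard_grants(doc)]
    return findings


def check_lambda_function(function_conf, roles):
    """roles maps role ARN -> role snapshot, resolved before the scan."""
    role = roles.get(function_conf.get("Role"))
    if role is None:
        return ["LAMBDA_ROLE_NOT_RESOLVED"]
    return [f"LAMBDA:{function_conf['FunctionName']}:{f}" for f in check_execution_role(role)]


def check_glue_job(job_response, roles):
    """job_response is get_job()'s {"Job": {...}} (a bare job dict also works)."""
    job = job_response.get("Job", job_response)
    role = roles.get(job.get("Role"))
    if role is None:
        return ["GLUE_ROLE_NOT_RESOLVED"]
    return [f"GLUE:{job['Name']}:{f}" for f in check_execution_role(role)]


def check_redshift_cluster(cluster):
    """A describe_clusters() entry with describe_logging_status() merged in
    under "LoggingStatus"; encryption at rest and audit logging must be on."""
    findings = []
    if not cluster.get("Encrypted"):
        findings.append("REDSHIFT_NOT_ENCRYPTED_AT_REST")
    if not (cluster.get("LoggingStatus") or {}).get("LoggingEnabled"):
        findings.append("REDSHIFT_AUDIT_LOGGING_OFF")
    return findings


# Constructed snapshots for the rainfall pipeline (the account id is made up).
ROLE_ARN = "arn:aws:iam::123456789012:role/"
ROLES = {
    ROLE_ARN + "rain-lambda-admin": {
        "AttachedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
        "PolicyDocuments": []},
    ROLE_ARN + "rain-glue-wide": {
        "AttachedPolicyArns": [],
        "PolicyDocuments": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:*", "glue:*"], "Resource": "*"}]}]},
    ROLE_ARN + "rain-lambda-scoped": {
        "AttachedPolicyArns": [],
        "PolicyDocuments": [{"Version": "2012-10-17", "Statement": {
            "Effect": "Allow", "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::rainfall-hourly/*"}}]},
}
LAMBDA_ADMIN = {"FunctionName": "fetch-rainfall", "Role": ROLE_ARN + "rain-lambda-admin"}
LAMBDA_SCOPED = {"FunctionName": "fetch-rainfall-v2", "Role": ROLE_ARN + "rain-lambda-scoped"}
GLUE_WIDE = {"Job": {"Name": "rainfall-transform", "Role": ROLE_ARN + "rain-glue-wide"}}
REDSHIFT_BARE = {"ClusterIdentifier": "rainfall-dw", "Encrypted": False,
                 "LoggingStatus": {"LoggingEnabled": False}}
REDSHIFT_HARDENED = {"ClusterIdentifier": "rainfall-dw-v2", "Encrypted": True,
                     "LoggingStatus": {"LoggingEnabled": True, "BucketName": "rainfall-audit"}}


def scan_case_study_2():
    """Every check over the constructed snapshots; returns {resource: findings}."""
    return {
        "lambda:fetch-rainfall": check_lambda_function(LAMBDA_ADMIN, ROLES),
        "lambda:fetch-rainfall-v2": check_lambda_function(LAMBDA_SCOPED, ROLES),
        "glue:rainfall-transform": check_glue_job(GLUE_WIDE, ROLES),
        "redshift:rainfall-dw": check_redshift_cluster(REDSHIFT_BARE),
        "redshift:rainfall-dw-v2": check_redshift_cluster(REDSHIFT_HARDENED),
    }
```

scan_case_study_2() flags the admin-role Lambda, the Glue job whose inline policy grants s3:* and glue:* on every resource, and the unencrypted, unlogged cluster, while the scoped role and the hardened cluster come back clean; the wildcard test is deliberately narrow (action wildcard and resource wildcard together) so that scoped grants such as s3:PutObject on one bucket prefix are not reported.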

VI. CONCLUSIONS
This extensive research and testing have led to critical insights into the configuration and security of AWS resources. The two case studies, focusing on the extraction of Bzure price API data and rainfall data collection, have demonstrated the effectiveness of this tool in identifying misconfigurations. This has been quantitatively measured through a high percentage of true positives and true negatives. The tool has shown broader functionality than AWS Inspector by interfacing with a wide range of AWS services and providing immediate feedback, which is crucial for timely vulnerability management.
The findings reinforce the paramount importance of stringent cloud security practices. Misconfigurations in cloud services, as seen with the EC2 instances and S3 buckets, pose significant risks. The tool’s capability to identify and alert to such vulnerabilities promptly helps mitigate potential threats. The immediate feedback mechanism empowers users to act swiftly, enhancing the security posture within AWS environments.
The tool is particularly relevant for cloud engineers and security teams who are responsible for maintaining the security and integrity of cloud resources. It addresses specific challenges such as event-driven detection of misconfigurations, a user-friendly interface for easier navigation, and customizability for tailored security assessments. Users without a strong technical background can also benefit from the intuitive UI and simplified feedback mechanism.
Moving forward, future objectives include expanding the tool’s capabilities to encompass more AWS services and integrate with additional security frameworks. Machine learning techniques will also be introduced to predict potential misconfigurations based on usage patterns. Furthermore, the potential for automated remediation actions based on the identified vulnerabilities will be explored.

ACKNOWLEDGMENT
This work would not have been possible without the support and guidance of several distinguished individuals and teams.
I extend my deepest gratitude to Professor Mustaque Ahamad, whose expertise and mentorship were instrumental in shaping the research and its outcomes. His insightful comments and unwavering support throughout the project were invaluable.
My sincere thanks also go to TA Subhiksha Ramanathan for her astute observations and detailed feedback, which significantly enhanced the quality of this work.
Furthermore, I am grateful for the collaboration and insights provided by the AWS Marketing Intelligence Team. Their expertise in marketing intelligence has been a vital contribution to this research.
Their collective wisdom and support have been fundamental to the success of this endeavor.

Appendix A
AWS Vulnerability Scanner User Guide
Introduction
The AWS Vulnerability Scanner is a specialized tool designed to help AWS users identify and diagnose potential
misconfigurations and vulnerabilities in their AWS environment. With the proliferation of AWS services, ensuring proper
security configurations is paramount. This tool provides a user-friendly interface, enabling users to scan a selection of AWS
services and receive immediate feedback on potential areas of concern.

Architecture of the AWS Vulnerability Scanner:

• User Interface (UI):
  • Main Application Window: Acts as the primary entry point for users to interact with the scanner.
  • Service List Widget: Displays available AWS services grouped by category (e.g., Compute, Storage, Database).
  • Dual-list Widget: Allows users to select AWS services they wish to scan. Supports individual and bulk selection/deselection.
• Backend Services:
  • Initialization Script: Helps launch the AWS Vulnerability Scanner application. Uses the PyQt5 library for UI rendering.
  • AWS Service Integration: Uses the Boto3 library to interface with AWS services and fetch configuration details.
  • Scan Engine: The core component that processes AWS service configurations, checks against vulnerability definitions, and identifies potential threats.
  • Scan Controller: Manages the scan lifecycle, including starting, stopping, and monitoring the scan progress.
• Database & Storage:
  • Result Store: Temporarily stores the scan results for display in the result box. Users can review potential vulnerabilities and misconfigurations.
• Communication & Integration:
  • AWS CLI Configuration: Ensures the application has the necessary credentials to interact with the user's AWS environment.
  • Python Environment: Runs on Python 3.x and requires specific libraries like PyQt5 and Boto3.
• User Feedback & Control:
  • Real-time Feedback System: Provides users with a live view of the scanning process, including identified vulnerabilities.
  • Scan Control Buttons: Includes "Scan" and "Stop Scan" buttons for user control over the scanning process.
  • Result Viewer: Displays a post-scan summary of vulnerabilities, suggestions, or findings for users to take corrective actions.
• Security:
  • Read-only Scan: The tool only reads configurations from AWS services without making any changes, ensuring safety.
  • Safe Stop Mechanism: Users can halt the scanning process anytime, and the system provides a summary up to the stopped point.

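A headless version of the Scan Controller and Safe Stop Mechanism described above, as an added example (the editor's code, not the scanner's source). The checks it runs are constructed stand-ins; in the tool each would wrap a Boto3 call and feed the result box through the same queue. The stop flag is a threading.Event standing in for the "Stop Scan" button: the check already running is allowed to finish, later resources are skipped, and the summary covers only what was scanned.

```python
"""Scan Controller with Safe Stop, run headlessly.

Added example: the editor's code, not the scanner's source.  Checks are
constructed callables standing in for Boto3-backed checks; the feedback
queue stands in for the GUI result box.
"""
import queue
import threading


class ScanController:
    """Runs one check per selected resource on a worker thread.

    stop() plays the "Stop Scan" button: the check in progress completes (an
    in-flight API call is not interrupted), every later resource is skipped,
    and summary() reports only what was actually scanned, which is the
    "summary up to the stopped point" from the user guide.
    """

    def __init__(self, checks):
        # checks: list of (resource_id, zero-argument callable -> list of findings)
        self._checks = list(checks)
        self._stop = threading.Event()
        self._thread = None
        self.results = {}        # resource_id -> findings, completed checks only
        self.skipped = []        # resources not reached before the stop
        self.feedback = queue.Queue()   # (resource_id, findings) items, then None

    def start(self):
        """Start the scan on a worker thread so a GUI stays responsive."""
        if self._thread is not None and self._thread.is_alive():
            raise RuntimeError("scan already running")
        self._stop.clear()
        self._thread = threading.Thread(target=self.run, daemon=True)
        self._thread.start()

    def run(self):
        """The scan loop; public so it can also be driven synchronously."""
        for resource_id, check in self._checks:
            if self._stop.is_set():
                self.skipped.append(resource_id)
                continue
            try:
                findings = list(check())
            except Exception as exc:      # a failed lookup is reported, not fatal
                findings = [f"CHECK_ERROR:{exc}"]
            self.results[resource_id] = findings
            self.feedback.put((resource_id, findings))
        self.feedback.put(None)           # sentinel: finished or stopped

    def stop(self):
        self._stop.set()

    def wait(self, timeout=None):
        if self._thread is not None:
            self._thread.join(timeout)

    def summary(self):
        flagged = {rid: f for rid, f in self.results.items() if f}
        return {"scanned": len(self.results), "skipped": len(self.skipped),
                "flagged": len(flagged), "stopped_early": self._stop.is_set(),
                "findings": flagged}


def demo_stop_mid_scan():
    """Deterministic demonstration: the second check presses Stop while it
    runs, so the third resource is never scanned."""
    def check_ok():
        return []

    def check_and_stop():
        ctrl.stop()                        # user hits "Stop Scan" mid-check
        return ["S3_PUBLIC_ACCESS_NOT_BLOCKED"]

    ctrl = ScanController([("i-0aaa", check_ok), ("bucket-a", check_and_stop),
                           ("topic-a", check_ok)])
    ctrl.run()                             # synchronous run for determinism
    return ctrl.summary()


if __name__ == "__main__":
    # Threaded use: drain the feedback queue the way the result box would.
    ctrl = ScanController([("i-0aaa", lambda: []),
                           ("bucket-a", lambda: ["S3_NO_ACCESS_LOGGING"])])
    ctrl.start()
    while (item := ctrl.feedback.get()) is not None:
        print("live:", item)
    ctrl.wait()
    print(ctrl.summary())
```

demo_stop_mid_scan() returns two scanned resources, one skipped and one flagged with stopped_early set; a check that raises is recorded as a CHECK_ERROR finding for that resource rather than aborting the whole scan, which keeps the partial summary usable.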
User Interface (figure)

Architecture Design Diagram (figure)
System Requirements
1. Python 3.x
2. PyQt5 library
3. Boto3 library
Setup
1. Ensure that the AWS CLI is configured with the appropriate credentials and default region.
2. Install the required Python libraries if not already installed.
3. Run the provided Python script to launch the AWS Vulnerability Scanner application.
How to Use the AWS Vulnerability Scanner:
1. Launch the Application
After running the script, the main window of the application will appear.
2. Explore Available AWS Services
a. On the left side, you will see a list of AWS services that you can scan.
b. Each service is grouped by its category for better clarity, e.g. Compute, Storage, Database.
3. Select AWS Services for Scanning
a. Using the dual-list widget, you can:
i. Select individual services to move them to the “Selected” list by clicking the “>” button.
ii. Move services back to the “Available” list using the “<” button.
iii. Move all services to the “Selected” list using the “>>” button.
iv. Return all services to the “Available” list using the “<<” button.
b. Ensure you have selected the AWS services you wish to scan.
4. Start the Scan
Click the “Scan” button to initiate the vulnerability scanning process. Once the scan begins:
a. The Scan button will be disabled.
b. The Stop Scan button will become active.
5. Monitor the Scan
a. The application will provide real-time feedback in the result box at the bottom.
b. Here you will see potential vulnerabilities or misconfigurations identified for each AWS service.
6. Stop the Scan (if needed)
If for any reason you wish to stop the scanning process, click the “Stop Scan” button. This will halt the scan,
and the application will provide a summary of the results up to that point.
7. Review Results
Once the scan completes:
a. Review the results in the result box to identify potential areas of concern.
b. Take note of any suggestions or findings to rectify them in your AWS environment.
Conclusion
The AWS Vulnerability Scanner is an invaluable tool for AWS users aiming to secure their environments. Regular
use will ensure that your configurations align with best practices and that potential vulnerabilities are identified and
rectified in a timely manner. Happy scanning!

Dockerizing the AWS Vulnerability Scanner:

Introduction
This guide outlines the process to set up and run a PyQt application inside a Docker container and access it using a
VNC Viewer. This approach is beneficial for running GUI applications in isolated environments.

Prerequisites
• Docker installed on your system.
• VNC Viewer installed for accessing the GUI.
• The Dockerfile and the application source code.

15
Step 1: Building the Docker Image
• Prepare the Dockerfile: Ensure your Dockerfile is in the same directory as your PyQt application source
code. The Dockerfile should be set up to install all necessary dependencies, including PyQt and VNC
server packages.
• Build the Image:
• Open a terminal or command prompt.
• Navigate to the directory containing the Dockerfile.
• Run the following command to build the Docker image:

docker build -t my-pyqt-app .

• my-pyqt-app is the name given to the Docker image; you can choose any name you prefer. The trailing “.” is the build context, the directory containing the Dockerfile and the application source.

Step 2: Running the Docker Container

• Run the following command to start the container:

docker run -p 5900:5900 -d --name pyqt-container my-pyqt-app

• -p 5900:5900 maps the VNC server port inside the container to port 5900 on your host machine. As written it is published on every host interface; if the viewer runs on the same machine, -p 127.0.0.1:5900:5900 limits it to local connections.
• --name pyqt-container sets the name of the container. You can use any name you prefer.
• my-pyqt-app is the name of the Docker image built in the previous step.

Step 3: Accessing the Application via VNC Viewer

• Find the Container's IP Address:
  • Run docker inspect pyqt-container to get details about the container.
  • Look for the IPAddress under NetworkSettings.
• Connect Using VNC Viewer:
  • Open VNC Viewer on your system.
  • Connect to the IP address of the container found above, followed by :5900 (e.g., 172.17.0.2:5900). Because the port was published with -p, connecting to localhost:5900 on the host also works, and is the option to use on Docker Desktop, where container IP addresses are not reachable from the host.
  • If prompted, enter the VNC password set in the Dockerfile.

Step 4: Using the Application

• Once connected through VNC Viewer, you should see the PyQt application's GUI. Interact with the application as you would normally.

Troubleshooting
• If the application GUI does not appear, check the Docker container logs using docker logs pyqt-container.
• Ensure that the VNC server and Xvfb are running correctly within the container.
• If encountering network issues, verify that Docker's network settings and VNC port mappings are
configured correctly.

This setup allows you to run and access PyQt GUI applications within a Docker container, leveraging the power of
containerization and remote GUI access via VNC.

Example of Dockerfile

# Use an official Python runtime as a parent image
FROM python:3.8

# Set the working directory in the container
WORKDIR /usr/src/app

# Install VNC, Xvfb (virtual frame buffer), X11, Qt and the other packages the GUI needs.
# One RUN step, with the apt lists removed in the same layer so they do not stay in the image.
RUN apt-get update && apt-get install -y \
        x11vnc \
        xvfb \
        libqt5widgets5 \
        libqt5gui5 \
        libqt5core5a \
        libqt5dbus5 \
        qt5-gtk-platformtheme \
        qt5ct \
        libxcb-xinerama0 \
    && rm -rf /var/lib/apt/lists/*

# Copy the requirements.txt file into the container
COPY requirements.txt .

# Install Python dependencies from requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# Copy the application source into the container
COPY . .

# Set up VNC (configure as needed) and store the VNC password.
# A password stored this way is written into an image layer and can be read by anyone
# who can pull the image; for anything beyond a local test, supply it at build time
# (docker build --secret) or mount the passwd file into the container at run time.
RUN mkdir ~/.vnc
RUN x11vnc -storepasswd yourVNCpassword ~/.vnc/passwd

# Start the virtual display, the VNC server and the application
CMD Xvfb :1 -screen 0 1024x768x16 & \
    DISPLAY=:1.0 x11vnc -forever -usepw -create & \
    DISPLAY=:1.0 python ./app1116.py

Appendix B: Source Codes
