Complete quantum-cryptography vulnerability assessment for Azure and AWS environments
This comprehensive assessment suite scans your cloud infrastructure for quantum-vulnerable cryptographic algorithms and generates OMB M-23-02 compliant reports. The tools are 100% free and open source.
Educational Purpose Only: All code samples and scripts provided on this page are for educational and illustrative purposes. They are NOT production-ready and have NOT been thoroughly tested in all environments.
Recommendation: Treat these examples as starting points for learning and development. Adapt, test, and validate according to your specific requirements and security standards.
```bash
git clone https://github.com/spindynamics/pqc-tools.git
cd pqc-tools
```
```bash
# Make setup script executable
chmod +x setup.sh
# Run setup (installs Python dependencies)
./setup.sh
```
This installs: azure-identity, azure-keyvault, boto3, cryptography, and reporting libraries.
```bash
source venv/bin/activate
```
```bash
# Login to Azure
az login
# Set subscription (if you have multiple)
az account set --subscription YOUR_SUBSCRIPTION_ID
# Verify access
az account show
```
```bash
# Configure AWS credentials
aws configure
# Or use environment variables
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_DEFAULT_REGION=us-east-1
# Verify access
aws sts get-caller-identity
```
Scans all Azure resources in a subscription for quantum-vulnerable cryptography
```bash
python azure/azure_pqc_scanner.py \
  --subscription-id YOUR_SUBSCRIPTION_ID \
  --output reports/azure-pqc-assessment.json \
  --verbose

# Optional: Scan specific resource groups
python azure/azure_pqc_scanner.py \
  --subscription-id YOUR_SUBSCRIPTION_ID \
  --resource-group your-rg-name \
  --output reports/azure-rg-assessment.json
```
Output: JSON report with vulnerable keys, certificates, and recommendations
Scans AWS KMS, ACM certificates, and EC2 key pairs across regions
```bash
python aws/aws_pqc_scanner.py \
  --region us-east-1 \
  --output reports/aws-pqc-assessment.json \
  --verbose

# Scan multiple regions
python aws/aws_pqc_scanner.py \
  --region us-east-1,us-west-2,eu-west-1 \
  --output reports/aws-multi-region-assessment.json

# Scan all regions (takes longer)
python aws/aws_pqc_scanner.py \
  --all-regions \
  --output reports/aws-global-assessment.json
```
Output: JSON report with KMS keys, certificates, and security findings
Analyzes TLS endpoints for quantum-vulnerable cipher suites
```bash
python shared/tls_scanner.py \
  --endpoints-file endpoints.txt \
  --output reports/tls-assessment.json

# Example endpoints.txt:
# api.example.com:443
# vpn.example.com:443
# database.example.com:5432
```
Output: TLS version, cipher suites, key exchange methods, certificate algorithms
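The logic a scanner applies to its raw TLS observations, as an added example rather than code from the pqc-tools scripts. The record fields, function names and the HIGH/MEDIUM mapping are assumptions of this example; the point it shows is that key exchange and certificate signatures carry different quantum risk.

```python
# Constructed sample scan records (not real hosts), in the shape a TLS scanner
# could emit for the endpoints.txt entries above.
SAMPLE_SCAN = [
    {"endpoint": "api.example.com:443", "tls_version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "kex_group": "X25519MLKEM768",
     "cert_sig_alg": "ecdsa-with-SHA256"},
    {"endpoint": "vpn.example.com:443", "tls_version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "kex_group": "secp256r1",
     "cert_sig_alg": "sha256WithRSAEncryption"},
    {"endpoint": "database.example.com:5432", "tls_version": "TLSv1.2",
     "cipher": "AES256-SHA", "kex_group": None,
     "cert_sig_alg": "sha256WithRSAEncryption"},
]
PQ_KEX_MARKERS = ("MLKEM", "KYBER")      # pure or hybrid ML-KEM named groups
PQ_SIG_MARKERS = ("ML-DSA", "SLH-DSA")   # FIPS 204 / FIPS 205 signature schemes

def key_exchange_method(rec):
    """Name the key exchange actually used: the negotiated group for TLS 1.3 and
    for (EC)DHE suites in TLS 1.2, otherwise static RSA key transport."""
    if rec["tls_version"] == "TLSv1.3" or rec["cipher"].startswith(("ECDHE", "DHE")):
        return rec["kex_group"] or "unknown-group"
    return "RSA-key-transport"

def assess_endpoint(rec):
    """Findings for one endpoint. A classical key exchange is the urgent item: traffic
    recorded today can be decrypted once a quantum computer exists (harvest now,
    decrypt later). A classical certificate signature only matters from that day on,
    so it gets a lower level. The levels are this example's assumed mapping."""
    findings = []
    kex = key_exchange_method(rec)
    if not any(m in kex.upper() for m in PQ_KEX_MARKERS):
        findings.append({"resource_id": rec["endpoint"], "component": "key_exchange",
                         "algorithm": kex, "risk_level": "HIGH",
                         "reason": "classical key exchange; recorded sessions decryptable later",
                         "recommended_action": "enable a hybrid group such as X25519MLKEM768"})
    if not any(m in rec["cert_sig_alg"].upper() for m in PQ_SIG_MARKERS):
        findings.append({"resource_id": rec["endpoint"], "component": "certificate_signature",
                         "algorithm": rec["cert_sig_alg"], "risk_level": "MEDIUM",
                         "reason": "classical signature; forgery needs a working quantum computer",
                         "recommended_action": "plan migration to ML-DSA certificates"})
    return findings

def summarize(records):
    """Aggregate findings into the per-level counts the JSON reports carry."""
    findings = [f for rec in records for f in assess_endpoint(rec)]
    summary = {level: 0 for level in ("critical", "high", "medium", "low")}
    for f in findings:
        summary[f["risk_level"].lower()] += 1
    return {"total_endpoints_scanned": len(records), "findings": findings, "summary": summary}
```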
Discovers all X.509 certificates and checks for quantum-vulnerable signatures
```bash
# Azure Certificate Scan
python azure/certificate_scanner.py \
  --subscription-id YOUR_SUBSCRIPTION_ID \
  --output reports/azure-certificates.json

# AWS Certificate Scan (ACM + IAM)
python aws/certificate_scanner.py \
  --region us-east-1 \
  --output reports/aws-certificates.json
```
Output: Certificate inventory with expiration dates, signature algorithms, key sizes
Audits VPN gateways for quantum-vulnerable key exchange and encryption
```bash
# Azure VPN Gateway scan
python azure/vpn_scanner.py \
  --subscription-id YOUR_SUBSCRIPTION_ID \
  --output reports/azure-vpn-assessment.json

# AWS VPN scan
python aws/vpn_scanner.py \
  --region us-east-1 \
  --output reports/aws-vpn-assessment.json
```
Output: VPN connection details, IKE versions, encryption algorithms, DH groups
Scans for RSA/ECDSA SSH keys in cloud instances
```bash
# Azure VM SSH keys
python azure/ssh_key_scanner.py \
  --subscription-id YOUR_SUBSCRIPTION_ID \
  --output reports/azure-ssh-keys.json

# AWS EC2 SSH keys
python aws/ssh_key_scanner.py \
  --region us-east-1 \
  --output reports/aws-ssh-keys.json
```
Output: SSH key types, key sizes, associated VMs, recommendations
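How the key type and size are recovered from an OpenSSH public-key line, as an added example that is not code from the pqc-tools repository. The function names and the fixture builders at the end are this example's own; the fixtures construct wire-format blobs so it runs offline.

```python
import base64
import struct

def read_ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length

def parse_ssh_public_key(line):
    """Parse an OpenSSH public-key line ('<type> <base64> [comment]') into the key
    type and size the scanner reports. Every OpenSSH user/host key type (RSA, ECDSA,
    Ed25519) is a classical algorithm, so all are flagged; size only sets priority."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(parts[1])
    key_type, off = read_ssh_string(blob, 0)
    key_type = key_type.decode()
    if key_type != parts[0]:
        raise ValueError("type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, off = read_ssh_string(blob, off)    # public exponent (mpint)
        n, off = read_ssh_string(blob, off)     # modulus (mpint); its 0x00 sign pad
        bits = int.from_bytes(n, "big").bit_length()   # byte adds no bits
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])   # curve size 256/384/521
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        raise ValueError("unsupported key type " + key_type)
    return {"key_type": key_type, "key_size": bits, "quantum_vulnerable": True,
            "comment": " ".join(parts[2:])}

# Constructed fixtures so the example runs offline. The RSA modulus is just an odd
# number of the requested bit length, not a real key.
def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(v):
    return ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))  # pad keeps sign positive

def fake_rsa_line(bits, comment="constructed"):
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def fake_ed25519_line(comment="constructed"):
    blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)
```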
Aggregates all scan results into executive summary and compliance report
```bash
python shared/generate_compliance_report.py \
  --input-dir reports/ \
  --output reports/omb-m23-02-compliance-report.pdf \
  --format pdf

# Also generate HTML report
python shared/generate_compliance_report.py \
  --input-dir reports/ \
  --output reports/pqc-assessment-summary.html \
  --format html
```
Output: Executive summary, risk scores, prioritized remediation plan, CNSA 2.0 timeline
Run all scripts in sequence for a comprehensive assessment:
```bash
#!/bin/bash
# complete-assessment.sh - Run full PQC assessment

# Activate environment
source venv/bin/activate

# Create reports directory
mkdir -p reports

# Primary AWS region; falls back to us-east-1 when AWS_DEFAULT_REGION is unset
AWS_REGION="${AWS_DEFAULT_REGION:-us-east-1}"

echo "Starting PQC Assessment..."
echo "=========================="

# Azure Assessment
echo "1. Running Azure Key Vault scan..."
python azure/azure_pqc_scanner.py \
  --subscription-id "$AZURE_SUBSCRIPTION_ID" \
  --output reports/azure-keys.json

echo "2. Running Azure Certificate scan..."
python azure/certificate_scanner.py \
  --subscription-id "$AZURE_SUBSCRIPTION_ID" \
  --output reports/azure-certs.json

echo "3. Running Azure VPN scan..."
python azure/vpn_scanner.py \
  --subscription-id "$AZURE_SUBSCRIPTION_ID" \
  --output reports/azure-vpn.json

# AWS Assessment
echo "4. Running AWS KMS scan..."
python aws/aws_pqc_scanner.py \
  --region "$AWS_REGION" \
  --output reports/aws-keys.json

echo "5. Running AWS Certificate scan..."
python aws/certificate_scanner.py \
  --region "$AWS_REGION" \
  --output reports/aws-certs.json

# TLS/Network Scans
echo "6. Running TLS configuration scan..."
python shared/tls_scanner.py \
  --endpoints-file endpoints.txt \
  --output reports/tls-config.json

# Generate Reports
echo "7. Generating compliance reports..."
python shared/generate_compliance_report.py \
  --input-dir reports/ \
  --output reports/pqc-assessment-final.pdf \
  --format pdf

python shared/generate_compliance_report.py \
  --input-dir reports/ \
  --output reports/pqc-assessment-final.html \
  --format html

echo ""
echo "Assessment Complete!"
echo "===================="
echo "Reports available in: reports/"
echo "- pqc-assessment-final.pdf"
echo "- pqc-assessment-final.html"
```
Before running it, set:

- `AZURE_SUBSCRIPTION_ID` - Your Azure subscription ID
- `AWS_DEFAULT_REGION` - Your primary AWS region
- `endpoints.txt` with your TLS endpoints

Each scanner produces a JSON file with findings:
```json
{
  "scan_date": "2024-11-06T10:30:00Z",
  "scan_type": "azure_key_vault",
  "subscription_id": "xxxxx",
  "total_keys_scanned": 127,
  "vulnerable_keys": 89,
  "findings": [
    {
      "resource_id": "/subscriptions/.../vaults/prod-kv/keys/app-signing-key",
      "key_name": "app-signing-key",
      "key_type": "RSA",
      "key_size": 2048,
      "risk_level": "HIGH",
      "reason": "RSA-2048 vulnerable to quantum attacks",
      "recommended_action": "Migrate to ML-DSA-65 or hybrid RSA+ML-DSA",
      "priority": 1
    }
  ],
  "summary": {
    "critical": 15,
    "high": 42,
    "medium": 32,
    "low": 0
  }
}
```
The final compliance report includes:
| Risk Level | Description | Action Required | Timeline |
|---|---|---|---|
| CRITICAL | Long-lived data with RSA/ECC encryption | Immediate migration to PQC | 0-6 months |
| HIGH | Internet-facing services with classical crypto | Plan hybrid PQC deployment | 6-12 months |
| MEDIUM | Internal systems with RSA/ECC | Include in migration roadmap | 12-24 months |
| LOW | Short-lived sessions with modern crypto | Monitor, migrate during refresh cycles | 24-36 months |
```bash
# Azure: Insufficient permissions
# Solution: Ensure your account has "Key Vault Reader" role
az role assignment create \
  --assignee YOUR_EMAIL \
  --role "Key Vault Reader" \
  --scope /subscriptions/YOUR_SUBSCRIPTION_ID

# AWS: Access denied to KMS
# Solution: Attach "AWSKeyManagementServicePowerUser" policy
aws iam attach-user-policy \
  --user-name YOUR_USERNAME \
  --policy-arn arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser
```
```bash
# If setup.sh fails, manually install:
pip install azure-identity azure-keyvault-keys azure-keyvault-certificates
pip install boto3 botocore
pip install cryptography pyOpenSSL
pip install reportlab jinja2  # for PDF/HTML reports
```
SpinDynamics.io - Making Quantum Security Accessible to All