loading
loading
Recon
List assets from multiple cloud providers in one inventory.
overview
cloudlist pulls an asset inventory straight from your cloud providers' APIs. Hand it provider credentials and it enumerates the hostnames and IPs your accounts run across AWS, Azure, GCP, DigitalOcean, Cloudflare, and many more. Unlike brute-force tools that guess names from outside, cloudlist reads the source of truth, so the list it returns is what you own rather than what you can find.
That makes it the bridge between cloud inventory and security testing. Export only IPs or only hostnames, filter to specific services or providers, and emit JSON so the inventory flows cleanly into the rest of a pipeline. Run it on a schedule and you have a living map of an estate that changes as engineers spin resources up and down.
On Trickest, cloudlist is a Recon node that takes a provider config and writes a file and a folder of results. Feed its hostnames into a prober and scanner so security testing always runs against the current, authoritative set of assets your accounts expose.
use cases
Read hosts and IPs from your provider accounts to produce an authoritative list of what the organization runs, not a guess from the outside.
Export hostnames and pass them to a prober and scanner so security runs cover the live estate rather than a stale spreadsheet.
Use -provider or -service to narrow the inventory to a single account or resource type when you only need part of the footprint.
Run cloudlist on a schedule and diff results to catch assets engineers add or remove over time.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| provider-config | FILE | -provider-config | Provider credentials config file that drives the inventory. |
| provider | STRING | -provider | Display results for the given providers, comma-separated (aws, gcp, azure, ...). |
| service | STRING | -service | Query and display results from the given services, comma-separated (ec2, s3, route53, ...). |
| host | BOOLEAN | -host | Display only hostnames in results. |
| ip | BOOLEAN | -ip | Display only IPs in results. |
| json | BOOLEAN | -json | Write output in JSON format. |
| exclude-private | BOOLEAN | -exclude-private | Exclude private IPs from CLI output. |
| id | STRING | -id | Display results for the given ids, comma-separated. |
Showing key inputs. cloudlist exposes 12 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| id | STRING | -id | display results for given ids (comma-separated) |
| ip | BOOLEAN | -ip | display only ips in results |
| host | BOOLEAN | -host | display only hostnames in results |
| json | BOOLEAN | -json | write output in json format |
| config | FILE | -config | cloudlist flag config file |
| silent | BOOLEAN | -silent | display only results in output |
| service | STRING | -service | query and display results from given service, comma-separated (default ingress,ecs,eks,lambda,nomad,instance,consul,custom,service,route53,fastly,cloud-run,elb,cloudfront,cloud-function,publicip,ec2,gke,droplet,domain,s3,compute,vm,app,dns,alb,lightsail,apigateway) |
| verbose | BOOLEAN | -v | display verbose output |
| provider | STRING | -provider | display results for given providers, comma-separated (default linode,nomad,openstack,custom,arvancloud,digitalocean,scw,cloudflare,heroku,kubernetes,aws,do,alibaba,namecheap,terraform,r1c,fastly,consul,hetzner,gcp,azure) |
| exclude-private | BOOLEAN | -exclude-private | exclude private ips in cli output |
| provider-config | FILE | -provider-config | provider config file |
| disable-update-check | BOOLEAN | -disable-update-check | disable automatic cloudlist update check |
example
# inventory AWS and GCP assets, drop private IPs, write resultscloudlist -provider-config providers.yaml -provider aws,gcp -exclude-private -o assets.txtapp.example.comapi.example.comstaging.example.comcdn.example.com198.51.100.24198.51.100.25203.0.113.10203.0.113.11vpn.example.com… (218 assets across 3 providers for the real run behind this page)guidance
Use cloudlist when you hold provider credentials and want a true inventory of the assets your accounts run. It reads accounts from the inside, so for finding public resources you do not own, use cloud-enum instead. It lists assets, it does not test them, so follow it with httpx.
Brute-forces public cloud names from outside. cloudlist reads your own accounts via their APIs.
Maps IP ranges from ASN data. cloudlist enumerates assets straight from cloud providers.
Broad OSINT discovery from public sources. cloudlist is authoritative for accounts you control.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
A provider config feeds cloudlist, which reads the accounts' assets and passes the hostnames to httpx so only live ones land as output.
Facts on this page come from the live Trickest tool library.