6 releases

0.1.4 Apr 4, 2024
0.1.3 Mar 27, 2024
0.1.1-alpha Feb 18, 2024

#10 in #aws-access

Download history 208/week @ 2024-02-16 33/week @ 2024-02-23 133/week @ 2024-03-01 13/week @ 2024-03-08 2/week @ 2024-03-15 227/week @ 2024-03-22 64/week @ 2024-03-29 59/week @ 2024-04-05 3/week @ 2024-04-12

421 downloads per month

MIT license

650 lines


A minimal AWS sigv4 verification library that can be used as an external authoriser with your favourite proxy. Clotho aims to be fast and secure.

Why do you need Clotho ?

  1. Security. It's a way of enforcing AWS account,region or service access to public endpoints that don't support VPC endpoints or for resources that don't support policies. Other solutions don't support the AWS API.
  2. Cost. You don't have to pay for AWS Private Endpoints - if you only care for cross account attacks. You can use a proxy of your choosing and authorise requests.

Clotho expects a config.yaml file as an allowlist for allowed accounts, regions, and services. Wildcards are supported using "*".

The current implementation derives the AWS Account ID offline using the technique described in a short note on AWS KEY ID by Tal Be'ery. Currently doesn't work with keys issued before ~2019, but maybe that's a good thing.

You can find docs at docs.rs

For more in-depth info on the why see https://me.costaskou.com/articles/cross-account-access-in-public-cloud/

What's included

See integrations for working examples.

Run the example cargo run --example examplecli -- --config examples/config.yaml.example --credential AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request

The binary folder contains

You should be able to target other architectures with cross, e.g. cross build --target aarch64-unknown-linux-gnu --bin clothohud

Cost Savings

A back-of-the-envelope calculation comparing VPC Endpoints and Clotho, with the following assumptions:

  • Running on us-east-1
  • Everything runs across x3 AZs
  • There is no intra region traffic when reaching Clotho instances
  • There are no egress costs for reaching out to AWS Services in the same region - Reference
  • Clotho runs on graviton and the pricing is on-demand
Traffic VPCE Count VPCE Price Clotho Cost Clotho instance type
1 TB 10 $226 $9.072 t4g x3
1 TB 20 $433 $9.072 t4g x3
10 TB 10 $316 $83.16 c6gd x3
10 TB 20 $532 $83.16 c6gd x3
100 TB 10 $1216 $1078.27 c7gn.2xlarge x3
100 TB 20 $1432 $1078.27 c7gn.2xlarge x3

With Clotho you pay only for the compute cost. The vertical scale up calculation is in order to accomodate for higher network bandwidth bursts. A VPC Endpoint can burst to 100 Gbit/s with sustained 10Gbit/s.

A t4g instance would cater for up to 5 Gbit/s, and a c7gn.2xlarge up to 50Gbit/s . Figures taken from ec2instances.info


It doesn't support API access, only console access.


~581K SLoC