Twilio Security Scanner: Audit and Harden Your Twilio Configs in Seconds
Twilio Security Scanner
A security scanning tool for Twilio accounts that helps detect misconfigurations and security risks, including:
- Public serverless functions and assets
- Unencrypted HTTP webhooks in phone numbers and messaging services
- API keys older than 90 days
This tool is useful for DevOps, Security Engineers, and compliance teams looking to audit their Twilio configurations for security best practices.
Output
The scanner checks for several security concerns:
Serverless Functions and Assets
- Lists all public functions and assets
- Outputs URLs and paths for each public endpoint
- Saves findings to CSV if specified with the -o flag
Webhook Security
- Identifies phone numbers using unencrypted HTTP webhooks
- Checks messaging services for unencrypted HTTP URLs
- Reports both primary and fallback URLs using HTTP
API Key Age
- Identifies API keys older than 90 days
- Reports key names for rotation
Trusted Apps
- Lists all trusted connect applications
- Shows count of connected applications
CSV Output
When using the -o flag, the scanner will save public serverless findings to a CSV file with the following columns:
- Type (Function/Asset)
- URL
- Path
- SID
- Service Name – The friendly name of the Twilio service containing this function/asset
- Service SID – The unique identifier of the service
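The checks listed above, modelled offline as an added example (this is not the scanner's own code). Records are constructed dicts whose field names loosely follow Twilio's IncomingPhoneNumber, Key and Serverless resources (voice_url, sms_url, date_created, visibility); those names, the URL construction from a service domain, and all SIDs and domains are assumptions and placeholders. The public-endpoint check also applies the deployment-state rule from the remediation section: a version that is saved but not deployed is skipped by default, since it is not reachable.

```python
"""Offline model of the scanner's three checks and its CSV output format."""
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MAX_KEY_AGE_DAYS = 90
# Primary and fallback webhook fields (assumed names, modelled on Twilio's API)
WEBHOOK_FIELDS = ("voice_url", "voice_fallback_url", "sms_url", "sms_fallback_url")
CSV_COLUMNS = ["Type", "URL", "Path", "SID", "Service Name", "Service SID"]


def is_unencrypted_webhook(url):
    """True when the URL uses plain http (scheme compared case-insensitively)."""
    if not url:
        return False
    return urlsplit(url.strip()).scheme.lower() == "http"


def find_http_webhooks(phone_numbers):
    """Return (phone_number, field, url) for every primary/fallback URL on HTTP."""
    findings = []
    for num in phone_numbers:
        for field in WEBHOOK_FIELDS:
            url = num.get(field)
            if is_unencrypted_webhook(url):
                findings.append((num["phone_number"], field, url))
    return findings


def find_stale_api_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return friendly names of keys created more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["friendly_name"] for k in keys if k["date_created"] < cutoff]


def find_public_endpoints(services, deployed_only=True):
    """Return CSV-ready rows for public functions/assets.

    A version that is saved but not deployed is not reachable, so it is only
    reported when deployed_only is False.
    """
    rows = []
    for svc in services:
        for kind in ("functions", "assets"):
            for item in svc.get(kind, []):
                if item["visibility"] != "public":
                    continue
                if deployed_only and not item["deployed"]:
                    continue
                rows.append({
                    "Type": "Function" if kind == "functions" else "Asset",
                    "URL": f"https://{svc['domain']}{item['path']}",  # assumed layout
                    "Path": item["path"],
                    "SID": item["sid"],
                    "Service Name": svc["friendly_name"],
                    "Service SID": svc["sid"],
                })
    return rows


def rows_to_csv(rows):
    """Serialise rows with the six columns the -o output uses."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample data: placeholder SIDs and example.com domains.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_NUMBERS = [
    {"phone_number": "+15005550001", "voice_url": "https://hooks.example.com/voice",
     "voice_fallback_url": "http://hooks.example.com/voice-fallback",
     "sms_url": "HTTP://hooks.example.com/sms", "sms_fallback_url": None},
    {"phone_number": "+15005550002", "voice_url": "https://hooks.example.com/voice",
     "voice_fallback_url": None, "sms_url": "https://hooks.example.com/sms",
     "sms_fallback_url": "https://hooks.example.com/sms-fallback"},
]
SAMPLE_KEYS = [
    {"sid": "SKxxxxxxxx01", "friendly_name": "ci-deploy", "date_created": NOW - timedelta(days=120)},
    {"sid": "SKxxxxxxxx02", "friendly_name": "web-backend", "date_created": NOW - timedelta(days=30)},
    {"sid": "SKxxxxxxxx03", "friendly_name": "legacy-cron", "date_created": NOW - timedelta(days=91)},
]
SAMPLE_SERVICES = [
    {"sid": "ZSxxxxxxxx01", "friendly_name": "ivr-service", "domain": "ivr-1234.example.com",
     "functions": [
         {"sid": "ZHxxxxxxxx01", "path": "/menu", "visibility": "public", "deployed": True},
         {"sid": "ZHxxxxxxxx02", "path": "/admin", "visibility": "protected", "deployed": True},
         {"sid": "ZHxxxxxxxx03", "path": "/draft", "visibility": "public", "deployed": False},
     ],
     "assets": [
         {"sid": "ZNxxxxxxxx01", "path": "/greeting.mp3", "visibility": "public", "deployed": True},
     ]},
]

if __name__ == "__main__":
    for number, field, url in find_http_webhooks(SAMPLE_NUMBERS):
        print(f"HTTP webhook: {number} {field} -> {url}")
    for name in find_stale_api_keys(SAMPLE_KEYS, NOW):
        print(f"Rotate API key: {name}")
    print(rows_to_csv(find_public_endpoints(SAMPLE_SERVICES)), end="")
```

Running it against the constructed data flags the two HTTP URLs on the first number (the fallback URL and the upper-cased scheme), the two keys older than 90 days, and writes two CSV rows: the deployed public function and the public asset, while the saved-but-undeployed /draft function is left out unless deployed_only=False is passed.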
Remediation Steps
Public Functions and Assets
If the scanner finds public functions or assets, you can:
- Locate the function/asset in the Twilio Console using the provided service name
- Navigate to: Console → Functions and Assets → Services → [Service Name]
- Review the function/asset visibility settings
- Change visibility from “Public” to “Protected” if the endpoint should not be publicly accessible
- Consider implementing authentication for endpoints that need controlled access
Note: Making a function/asset protected will require valid Twilio credentials to access it.
Note about Deployment State: Functions and assets can exist in two states:
- Saved but not deployed: Even if marked as “public”, they are not accessible until deployed
- Deployed: Will be publicly accessible if marked as “public”
Unencrypted HTTP Webhooks
For webhooks using HTTP instead of HTTPS:
- Update all webhook URLs to use HTTPS
- Ensure your webhook endpoints support HTTPS
- Update both primary and fallback URLs
Old API Keys
For API keys older than 90 days:
- Create new replacement API keys
- Update applications to use the new keys
- Revoke the old keys after confirming all systems are working