Audit of your AWS account - Open-Source
YATAS is a command line tool that audits your AWS infrastructure. It is open source and free to use.
I'm going to present a small tool that I wrote which lets you audit your AWS infrastructure in less than 30 seconds.
How does YATAS work?
YATAS is a command line tool that runs on your local machine. It uses the AWS SDK to interact with your AWS account and fetch information about your resources. It then runs a series of tests against those resources to check for potential security issues and misconfigurations.
YATAS is designed to be easily extensible so that you can add your own tests or customize the existing ones to fit your needs.
Why should you use YATAS?
YATAS is a fast and easy way to audit your AWS infrastructure. It is open source and free to use. It is also easily extensible so that you can add your own tests or customize the existing ones to fit your needs.
But the main reason is security. By auditing your AWS infrastructure with YATAS, you will be able to find potential security issues and misconfigurations that could lead to data breaches or data loss.
YATAS is also a great way to check if your infrastructure is compliant with industry best practices and standards such as PCI DSS, HIPAA, etc.
Finally, auditing your AWS infrastructure with YATAS can help you save money by identifying unused resources or underutilized resources.
Security is often only taken into consideration at the last stage of building an infrastructure.
How do I get started?
To get started with YATAS, you first need to install it on your local machine. You can do this with Homebrew:
brew tap stangirard/tap
brew install yatas
Once YATAS is installed, you can run it with the following command:
yatas
This will run all of the tests against your AWS account. You can also use the --init flag to create a .yatas.yml file in your current directory. This file allows you to configure which tests you want to run and how you want the results to be displayed.
The flags available are:
- --details: Show details of the issues found.
- --compare: Compare the results of the previous run with the current run and show the differences.
- --ci: Exit code 1 if there are issues found, 0 otherwise.
- --resume: Only shows the number of tests passing and failing.
- --time: Shows the time each test took to run in order to help you find bottlenecks.
- --init: Creates a .yatas.yml file in the current directory.
- --progress: Don't show the progress bar.
What checks will be run?
There are currently more than 50 tests available for YATAS on AWS.
AWS - 56 Checks
AWS Certificate Manager
- AWS_ACM_001 ACM certificates are valid
- AWS_ACM_002 ACM certificate expires in more than 90 days
- AWS_ACM_003 ACM certificates are used
APIGateway
- AWS_APG_001 ApiGateways logs are sent to Cloudwatch
- AWS_APG_002 ApiGateways are protected by an ACL
- AWS_APG_003 ApiGateways have tracing enabled
AutoScaling
- AWS_ASG_001 Autoscaling maximum capacity is below 80%
- AWS_ASG_002 Autoscaling groups are in two availability zones
Backup
- AWS_BAK_001 EC2’s Snapshots are encrypted
- AWS_BAK_002 EC2’s snapshots are younger than a day old
Cloudfront
- AWS_CFT_001 Cloudfronts enforce TLS 1.2 at least
- AWS_CFT_002 Cloudfronts only allow HTTPS or redirect to HTTPS
- AWS_CFT_003 Cloudfronts queries are logged
- AWS_CFT_004 Cloudfronts are logging Cookies
- AWS_CFT_005 Cloudfronts are protected by an ACL
CloudTrail
- AWS_CLD_001 Cloudtrails are encrypted
- AWS_CLD_002 Cloudtrails have Global Service Events Activated
- AWS_CLD_003 Cloudtrails are in multiple regions
DynamoDB
- AWS_DYN_001 Dynamodbs are encrypted
- AWS_DYN_002 Dynamodb have continuous backup enabled with PITR
EC2
- AWS_EC2_001 EC2s don’t have a public IP
- AWS_EC2_002 EC2s have the monitoring option enabled
ECR
- AWS_ECR_001 ECR images are scanned on push
- AWS_ECR_002 ECRs are encrypted
- AWS_ECR_003 ECRs tags are immutable
EKS
- AWS_EKS_001 EKS clusters have logging enabled
- AWS_EKS_002 EKS clusters have private endpoint or strict public access
LoadBalancer
- AWS_ELB_001 ELB have access logs enabled
GuardDuty
- AWS_GDT_001 GuardDuty is enabled in the account
IAM
- AWS_IAM_001 IAM Users have 2FA activated
- AWS_IAM_002 IAM access key younger than 90 days
- AWS_IAM_003 IAM User can’t elevate rights
- AWS_IAM_004 IAM Users have not used their password for 120 days
Lambda
- AWS_LMD_001 Lambdas are private
- AWS_LMD_002 Lambdas are in a security group
RDS
- AWS_RDS_001 RDS are encrypted
- AWS_RDS_002 RDS are backed up automatically with PITR
- AWS_RDS_003 RDS have minor versions automatically updated
- AWS_RDS_004 RDS aren’t publicly accessible
- AWS_RDS_005 RDS logs are exported to cloudwatch
- AWS_RDS_006 RDS have the deletion protection enabled
S3 Bucket
- AWS_S3_001 S3 are encrypted
- AWS_S3_002 S3 buckets are not global but in one zone
- AWS_S3_003 S3 buckets are versioned
- AWS_S3_004 S3 buckets have a retention policy
- AWS_S3_005 S3 bucket have public access block enabled
Volume
- AWS_VOL_001 EC2’s volumes are encrypted
- AWS_VOL_002 EC2 are using GP3
- AWS_VOL_003 EC2 have snapshots
- AWS_VOL_004 EC2’s volumes are unused
VPC
- AWS_VPC_001 VPC CIDRs are bigger than /20
- AWS_VPC_002 VPC can’t be in the same account
- AWS_VPC_003 VPC only have one Gateway
- AWS_VPC_004 VPC Flow Logs are activated
- AWS_VPC_005 VPC have at least 2 subnets
- AWS_VPC_006 VPC’s Subnets are in different zones
All those checks allow you to easily audit your AWS infrastructure.
How do I contribute?
If you want to contribute to YATAS, you can start by forking the project and then creating a pull request with your changes.
You can also create an Issue if you find a bug or have an idea for a new feature.