yatas: audit AWS/GCP infrastructure for misconfiguration or potential security issues

by do son ·

audit AWS

YATAS – Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure AWS environment without too much hassle. It won’t check for all best practices but only for the ones that are important for you based on my experience.

It is a simple tool to audit your AWS/GCP infrastructure for misconfiguration or potential security issues with plugins integration

AWS – 63 Checks

AWS Certificate Manager

  • AWS_ACM_001 ACM certificates are valid
  • AWS_ACM_002 ACM certificate expires in more than 90 days
  • AWS_ACM_003 ACM certificates are used

APIGateway

  • AWS_APG_001 ApiGateways logs are sent to Cloudwatch
  • AWS_APG_002 ApiGateways are protected by an ACL
  • AWS_APG_003 ApiGateways have tracing enabled

AutoScaling

  • AWS_ASG_001 Autoscaling maximum capacity is below 80%
  • AWS_ASG_002 Autoscaling group are in two availability zones

Backup

  • AWS_BAK_001 EC2’s Snapshots are encrypted
  • AWS_BAK_002 EC2’s snapshots are younger than a day old

Cloudfront

  • AWS_CFT_001 Cloudfronts enforce TLS 1.2 at least
  • AWS_CFT_002 Cloudfronts only allow HTTPS or redirect to HTTPS
  • AWS_CFT_003 Cloudfronts queries are logged
  • AWS_CFT_004 Cloudfronts are logging Cookies
  • AWS_CFT_005 Cloudfronts are protected by an ACL

CloudTrail

  • AWS_CLD_001 Cloudtrails are encrypted
  • AWS_CLD_002 Cloudtrails have Global Service Events Activated
  • AWS_CLD_003 Cloudtrails are in multiple regions

COG

  • AWS_COG_001 Cognito allows unauthenticated users

DynamoDB

  • AWS_DYN_001 Dynamodbs are encrypted
  • AWS_DYN_002 Dynamodb have continuous backup enabled with PITR

EC2

  • AWS_EC2_001 EC2s don’t have a public IP
  • AWS_EC2_002 EC2s have the monitoring option enabled

ECR

  • AWS_ECR_001 ECRs image are scanned on push
  • AWS_ECR_002 ECRs are encrypted
  • AWS_ECR_003 ECRs tags are immutable

EKS

  • AWS_EKS_001 EKS clusters have logging enabled
  • AWS_EKS_002 EKS clusters have private endpoint or strict public access

LoadBalancer

  • AWS_ELB_001 ELB have access logs enabled

GuardDuty

  • AWS_GDT_001 GuardDuty is enabled in the account

IAM

  • AWS_IAM_001 IAM Users have 2FA activated
  • AWS_IAM_002 IAM access key younger than 90 days
  • AWS_IAM_003 IAM User can’t elevate rights
  • AWS_IAM_004 IAM Users have not used their password for 120 days

Lambda

  • AWS_LMD_001 Lambdas are private
  • AWS_LMD_002 Lambdas are in a security group
  • AWS_LMD_003 Lambdas are not with errors

RDS

  • AWS_RDS_001 RDS are encrypted
  • AWS_RDS_002 RDS are backedup automatically with PITR
  • AWS_RDS_003 RDS have minor versions automatically updated
  • AWS_RDS_004 RDS aren’t publicly accessible
  • AWS_RDS_005 RDS logs are exported to cloudwatch
  • AWS_RDS_006 RDS have the deletion protection enabled
  • AWS_RDS_007 Aurora Clusters have minor versions automatically updated
  • AWS_RDS_008 Aurora RDS are backedup automatically with PITR
  • AWS_RDS_009 Aurora RDS have the deletion protection enabled
  • AWS_RDS_010 Aurora RDS are encrypted
  • AWS_RDS_011 Aurora RDS logs are exported to cloudwatch
  • AWS_RDS_012 Aurora RDS aren’t publicly accessible

S3 Bucket

  • AWS_S3_001 S3 are encrypted
  • AWS_S3_002 S3 buckets are not global but in one zone
  • AWS_S3_003 S3 buckets are versioned
  • AWS_S3_004 S3 buckets have a retention policy
  • AWS_S3_005 S3 bucket have public access block enabled

Volume

  • AWS_VOL_001 EC2’s volumes are encrypted
  • AWS_VOL_002 EC2 are using GP3
  • AWS_VOL_003 EC2 have snapshots
  • AWS_VOL_004 EC2’s volumes are unused

VPC

  • AWS_VPC_001 VPC CIDRs are bigger than /20
  • AWS_VPC_002 VPC can’t be in the same account
  • AWS_VPC_003 VPC only have one Gateway
  • AWS_VPC_004 VPC Flow Logs are activated
  • AWS_VPC_005 VPC have at least 2 subnets

Install & Use

Copyright (C) 2023 padok-team

Tags: AWS Auditing Solution