Yet Another Testing & Auditing Solution

YATAS is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.

brew tap stangirard/tap
brew install yatas

cp .yatas.yml.example .yatas.yml

Modify .yatas.yml to your needs.

yatas ## --details 

Flags:

• --details: Show details of the issues found.
• --compare: Compare the results of the previous run with the current run and show the differences.
• --ci: Exit code 1 if there are issues found, 0 otherwise.
• --resume: Only shows the number of tests passing and failing.

You can ignore results of checks by add the following to your .yatas.yml file:

ignore:
  - id: "AWS_VPC_004"
    regex: true
    values: 
      - "VPC Flow Logs are not enabled on vpc-.*"
  - id: "AWS_VPC_003"
    regex: false
    values: 
      - "VPC has only one gateway on vpc-08ffec87e034a8953"

You can exclude a test by adding the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    exclude:
      - AWS_S3_001

To only run a specific test, add the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    include:
      - "AWS_VPC_003"
      - "AWS_VPC_004"

• AWS_APG_001 Apigateway Cloudwatch Logs enabled
• AWS_APG_002 APIGateway stages protected, by ACL

• AWS_ASG_001 Autoscaling Desired Capacity vs Max Capacity below 80%

• AWS_BAK_001 EC2 Snapshots Encryption
• AWS_BAK_002 EC2 Snapshots Age

• AWS_CFT_001 TLS 1.2 Minimum
• AWS_CFT_002 Cloudfront HTTPS Only
• AWS_CFT_003 Standard Logging Enabled
• AWS_CFT_004 Cookies Logging Enabled
• AWS_CFT_005 ACL Used

• AWS_CLD_001 Cloudtrails Encryption
• AWS_CLD_002 Cloudtrails Global Service Events Activated
• AWS_CLD_003 Cloudtrails Multi Region

• AWS_DYN_001 Dynamodb Encryption
• AWS_DYN_002 Dynamodb Continuous Backups

• AWS_EC2_001 EC2 Public IP
• AWS_EC2_002 Monitoring Enabled

• AWS_ECR_001 Image Scanning Enabled

• AWS_ELB_001 ELB Access Logs Enabled

• AWS_GD_001 GuardDuty Enabled

• AWS_IAM_001 IAM 2FA
• AWS_IAM_002 IAM Access Key Age
• AWS_IAM_003 IAM User Can Elevate Rights

• AWS_LMD_001 Lambda Private
• AWS_LMD_002 Lambda In Security Group

• AWS_RDS_001 RDS Encryption
• AWS_RDS_002 RDS Backup
• AWS_RDS_003 RDS Minor Auto Upgrade
• AWS_RDS_004 RDS Private
• AWS_RDS_005 RDS Logging
• AWS_RDS_006 RDS Delete Protection

• AWS_S3_001 S3 Encryption
• AWS_S3_002 S3 Bucket in one zone
• AWS_S3_003 S3 Bucket object versioning
• AWS_S3_004 S3 Bucket retention policy
• AWS_S3_005 S3 Public Access Block

• AWS_VOL_001 EC2 Volumes Encryption
• AWS_VOL_002 EC2 Volumes Type
• AWS_VOL_003 EC2 Volumes Snapshots

• AWS_VPC_001 VPC CIDR
• AWS_VPC_002 VPC Only One
• AWS_VPC_003 VPC Gateway
• AWS_VPC_004 VPC Flow Logs
• AWS_VPC_005 At least 2 subnets
• AWS_VPC_006 Subnets in different zone