
yatas's Introduction


YATAS


Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure AWS environment without too much hassle. It won't check for every best practice, only for the ones that, in my experience, matter most. Please feel free to tell me if you find something that is not covered.

Features

YATAS is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.


Installation

brew tap padok-team/tap
brew install yatas
yatas --init

Modify .yatas.yml to your needs.

yatas --install

Installs the plugins you need.

Usage

yatas -h

Flags:

  • --details: Show details of the issues found.
  • --compare: Compare the results of the previous run with the current run and show the differences.
  • --ci: Exit code 1 if there are issues found, 0 otherwise.
  • --resume: Only shows the number of tests passing and failing.
  • --time: Shows the time each test took to run in order to help you find bottlenecks.
  • --init: Creates a .yatas.yml file in the current directory.
  • --install: Installs the plugins you need.
  • --only-failure: Only show the tests that failed.

Plugins

Checks Plugins

Plugin      Description   Checks
AWS Audit   AWS checks    Good practices and security checks
GCP Audit   GCP checks    Good practices and security checks

Reporting Plugins

Plugin             Description
Markdown Reports   Generates a Markdown report
Notion Reports     Generates a Notion database report
HTML Reports       Generates an HTML report

Checks

Ignore results for known issues

You can ignore results of checks by adding the following to your .yatas.yml file:

ignore:
  - id: "AWS_VPC_004"
    regex: true
    values: 
      - "VPC Flow Logs are not enabled on vpc-.*"
  - id: "AWS_VPC_003"
    regex: false
    values: 
      - "VPC has only one gateway on vpc-08ffec87e034a8953"

Exclude a test

You can exclude a test by adding the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    exclude:
      - AWS_S3_001

Specify which tests to run

To only run a specific test, add the following to your .yatas.yml file:

plugins:
  - name: "aws"
    enabled: true
    description: "Check for AWS good practices"
    include:
      - "AWS_VPC_003"
      - "AWS_VPC_004"

Get error logs

You can get the error logs by adding the following to your env variables:

export YATAS_LOG=debug

The available log levels are debug, info, warn, error, fatal, panic and off; logging is off by default.

How to create a new plugin?

You'd like to add a new plugin? Then simply visit yatas-plugin and follow the instructions.

Contributors ❤️

Your contributions are very welcome, feel free to add new rules to YATAS!




yatas's Issues

Feature Roadmap

Add the following cloud providers:

Add the following plugins:

  • A pentest plugin for websites
  • A custom plugin that allows any command to be run - ongoing
  • A kubernetes plugin

Reporting:

Core:

  • Allow dynamic loading of plugins - Implemented in v0.10

Panic: unexpected EOF

$yantas
New version available for plugin aws : 1.4.0
panic: unexpected EOF

goroutine 1 [running]:
github.com/padok-team/yatas/plugins/commons.(*YatasRPC).Run(0x14000406008, 0x140001254a4?)
/home/runner/work/YATAS/YATAS/plugins/commons/commons.go:23 +0xd0
github.com/padok-team/yatas/plugins/manager.RunPlugin({{0x140001254a4, 0x3}, 0x1, {0x1400013a660, 0x1f}, {0x0, 0x0}, {0x140001254d0, 0x6}, {0x1400013a780, ...}, ...}, ...)
/home/runner/work/YATAS/YATAS/plugins/manager/manager.go:69 +0x424
github.com/padok-team/yatas/internal/cli.runChecksPlugins(0x1400018c500, 0x140001d7df0)
/home/runner/work/YATAS/YATAS/internal/cli/cli.go:43 +0x18c
github.com/padok-team/yatas/internal/cli.Execute()
/home/runner/work/YATAS/YATAS/internal/cli/cli.go:130 +0xe0
main.run()
/home/runner/work/YATAS/YATAS/main.go:52 +0x88
main.main()
/home/runner/work/YATAS/YATAS/main.go:14 +0x1c

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.


Detected dependencies

github-actions
.github/workflows/codecov.yml
  • actions/checkout v4
  • actions/setup-go v5
  • codecov/codecov-action v3
.github/workflows/label.yml
  • actions/labeler v4
.github/workflows/release.yml
  • actions/checkout v4
  • actions/setup-go v5
  • goreleaser/goreleaser-action v5
gomod
go.mod
  • go 1.20
  • github.com/fatih/color v1.15.0
  • github.com/google/go-github/v35 v35.3.0
  • github.com/hashicorp/go-hclog v1.5.0
  • github.com/hashicorp/go-plugin v1.4.10
  • github.com/mitchellh/go-homedir v1.1.0
  • github.com/stretchr/testify v1.7.5
  • golang.org/x/oauth2 v0.7.0
  • gopkg.in/yaml.v3 v3.0.1
npm
package.json
  • standard-version 9.5.0


AWS_S3_002 Check is not accurate

It seems like the S3 location check is not working as it should. Here is a quick explanation of the observed behaviour.
I anonymized this example by changing account names and bucket names for privacy.

Test conditions & setup

Situation:

  • single AWS Account, spanning over 2 regions (us-east-1 and eu-west-1)
  • 2 config entries in .yatas.yml, one per region:
    aws:
      - name: "Account EU WEST 1"
        profile: "profile"
        sso: false
        region: "eu-west-1"
      - name: "Account US EAST 1"
        profile: "profile"
        sso: false
        region: "us-east-1"

Setup:

  • create bucket "eu-storage" in "eu-west-1"
  • create bucket "us-storage" in "us-east-1"

Observed behaviour on check AWS_S3_002 S3 buckets are not global but in one zone:

Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is in eu-west-1
	S3 bucket us-storage is global but should be in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is global but shoud be in us-east-1
	S3 bucket us-storage is in us-east-1
[...]

Expected behaviour on check AWS_S3_002 S3 buckets are not global but in one zone:

Name: Account EU WEST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket eu-storage is in eu-west-1
[...]
Name: Account US EAST 1 (XX/63)
[...]
❌ AWS_S3_002 S3 buckets are not global but in one zone - (XX/YY)
	S3 bucket us-storage is in us-east-1
[...]

Identified cause of bug

In plugins/aws/s3/getter.go, L19:

	resp, err := svc.ListBuckets(context.TODO(), params)

The ListBuckets function here uses the equivalent ListBuckets AWS API endpoint. This is therefore the same as running aws s3 ls. It turns out that the returned list of buckets is a global list, even if AWS_REGION=eu-west-1 is set: the region parameter is ignored.

Maybe this check should be modified, in order to check in the bucket options if global replication is enabled, rather than comparing the LocationConstraint on buckets?
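One way a per-region run could reconcile the account-wide ListBuckets result with its configured region, as an added Go example that is not YATAS's own code: bucketRegion and CheckBucketsForRegion are hypothetical helper names, and the bucket map is a constructed sample mirroring the issue's setup. It also handles the GetBucketLocation quirk that us-east-1 buckets report an empty LocationConstraint and legacy eu-west-1 buckets may report "EU".

```go
package main

import (
	"fmt"
	"sort"
)

// bucketRegion normalizes a LocationConstraint value from GetBucketLocation:
// us-east-1 buckets report an empty constraint, and buckets created long ago
// in eu-west-1 may report the legacy value "EU".
func bucketRegion(constraint string) string {
	switch constraint {
	case "":
		return "us-east-1"
	case "EU":
		return "eu-west-1"
	}
	return constraint
}

// CheckBucketsForRegion (hypothetical helper) takes the account-wide bucket
// list that ListBuckets returns regardless of AWS_REGION (name -> raw
// LocationConstraint) and splits it into buckets in the configured region
// and buckets elsewhere; the latter are skipped, not flagged as "global".
func CheckBucketsForRegion(locations map[string]string, region string) ([]string, map[string]string) {
	inRegion := []string{}
	elsewhere := map[string]string{}
	for name, constraint := range locations {
		if actual := bucketRegion(constraint); actual == region {
			inRegion = append(inRegion, name)
		} else {
			elsewhere[name] = actual
		}
	}
	sort.Strings(inRegion) // deterministic report order
	return inRegion, elsewhere
}

func main() {
	// Constructed sample mirroring the issue: one bucket per region.
	locations := map[string]string{"eu-storage": "eu-west-1", "us-storage": ""}
	for _, region := range []string{"eu-west-1", "us-east-1"} {
		in, skipped := CheckBucketsForRegion(locations, region)
		fmt.Printf("Region %s\n", region)
		for _, b := range in {
			fmt.Printf("\tS3 bucket %s is in %s\n", b, region)
		}
		for b, r := range skipped {
			fmt.Printf("\t(skipped %s: it lives in %s)\n", b, r)
		}
	}
}
```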

No progress being shown

Hi there,

After I run yatas I can't see the progress being shown, unlike the animated picture shown in the README. However, I can see the scan results.

I'm just wondering, without progress status, I am not sure whether yatas is running properly or not.

Installation failure

Problem: YATAS --install crashes while downloading the AWS plugin.

Debug logs:

2022/11/07 15:52:57 [DEBUG] Mkdir plugin dir: /Users/thomas/.yatas.d/plugins/github.com/StanGirard/yatas-aws/latest
GOGOGOGOG StanGirard yatas-aws latest
GOGOGOGOG StanGirard yatas-aws latest
2022/11/07 15:52:57 [DEBUG] Request to https://api.github.com/repos/StanGirard/yatas-aws/releases/tags/latest
2022/11/07 15:53:00 [DEBUG] asset found: checksums.txt
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_darwin_amd64.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_darwin_arm64.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_linux_386.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_linux_amd64.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_linux_arm.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_linux_arm64.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_windows_386.zip
2022/11/07 15:53:00 [DEBUG] asset found: yatas-aws_windows_amd64.zip
2022/11/07 15:53:00 [DEBUG] Download checksums.txt
2022/11/07 15:53:00 [DEBUG] Request to https://api.github.com/repos/StanGirard/yatas-aws/releases/assets/80782091
/var/folders/vj/xghtc_2n7m9bt492dgtzp0d80000gn/T/yatas-tmp-3634564388
&{[] {0x14000308300} <nil> <nil>}
2022/11/07 15:53:01 [DEBUG] Downloaded to /var/folders/vj/xghtc_2n7m9bt492dgtzp0d80000gn/T/yatas-tmp-3634564388
2022/11/07 15:53:01 [DEBUG] Download yatas-aws_darwin_arm64.zip
2022/11/07 15:53:01 [DEBUG] Request to https://api.github.com/repos/StanGirard/yatas-aws/releases/assets/80782085
/var/folders/vj/xghtc_2n7m9bt492dgtzp0d80000gn/T/yatas-tmp-4100168039
&{[] {0x140001c5080} <nil> <nil>}
2022/11/07 15:53:02 [DEBUG] Downloaded to /var/folders/vj/xghtc_2n7m9bt492dgtzp0d80000gn/T/yatas-tmp-4100168039
failed to extract binary from yatas-aws_darwin_arm64.zip: zip: not a valid zip file

.yatas.yml

plugins:
  - name: "aws"
    enabled: true
    source: "github.com/StanGirard/yatas-aws"
    version: "latest"
    description: "Check for AWS good practices"
    exclude:
     # - AWS_S3_001
    include:
     # - "AWS_VPC_004"
     # - "AWS_VPC_003"

ignore:
  - id: "AWS_VPC_004"
    regex: true
    values:
      - "VPC Flow Logs are not enabled on vpc-888.*"
  - id: "AWS_VPC_003"
    regex: false
    values:
      - "VPC has only one gateway on vpc-08ffec87e034a8953"

pluginsConfiguration:
  - pluginName: aws
    accounts:
      - profile: "my-awesome-profile"
        sso: false
        region: "eu-west-3"
        name: "yatas"

It may be due to old links that point to @StanGirard profile instead of Padok profile.

By the way, after two tries, the --install command gets rate limited. Logs from the third try:

2022/11/07 15:56:23 [DEBUG] Mkdir plugin dir: /Users/thomas/.yatas.d/plugins/github.com/StanGirard/yatas-aws/latest
GOGOGOGOG StanGirard yatas-aws latest
GOGOGOGOG StanGirard yatas-aws latest
2022/11/07 15:56:23 [DEBUG] Request to https://api.github.com/repos/StanGirard/yatas-aws/releases/tags/latest
failed to fetch GitHub releases: GET https://api.github.com/repos/StanGirard/yatas-aws/releases/latest: 403 API rate limit exceeded for 195.135.98.90. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) [rate reset in 39m15s]

[Feature Request] Please include APIGateway ID in related logs

When running yatas --details, API Gateway related logs only include stage names, and not the API Gateway's identifier.

This means that in a setup in which I have multiple API Gateways with a single stage each (the stage always being called "default"), I get identical logs.

Logs I obtain:

❌ AWS_APG_001 ApiGateways logs are sent to Cloudwatch - 0/9
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
	Cloudwatch logs are not enabled on default
❌ AWS_APG_002 ApiGateways are protected by an ACL - 0/9
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
	Stage default is not protected by ACL
❌ AWS_APG_003 ApiGateways have tracing enabled - 0/9
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default
	Tracing is not enabled on default

Logs I would like:

❌ AWS_APG_001 ApiGateways logs are sent to Cloudwatch - 0/9
	Cloudwatch logs are not enabled on stage default in APG xxxxxxxx
	Cloudwatch logs are not enabled on stage default in APG yyyyyyyy
	Cloudwatch logs are not enabled on stage default in APG zzzzzzzz
	Cloudwatch logs are not enabled on stage default in APG aaaaaaaa
	Cloudwatch logs are not enabled on stage default in APG bbbbbbbb
	Cloudwatch logs are not enabled on stage default in APG cccccccc
	Cloudwatch logs are not enabled on stage default in APG dddddddd
	Cloudwatch logs are not enabled on stage default in APG eeeeeeee
	Cloudwatch logs are not enabled on stage default in APG ffffffff
❌ AWS_APG_002 ApiGateways are protected by an ACL - 0/9
	Stage default in APG xxxxxxxx is not protected by ACL
	Stage default in APG yyyyyyyy is not protected by ACL
	Stage default in APG zzzzzzzz is not protected by ACL
	Stage default in APG aaaaaaaa is not protected by ACL
	Stage default in APG bbbbbbbb is not protected by ACL
	Stage default in APG cccccccc is not protected by ACL
	Stage default in APG dddddddd is not protected by ACL
	Stage default in APG eeeeeeee is not protected by ACL
	Stage default in APG ffffffff is not protected by ACL
❌ AWS_APG_003 ApiGateways have tracing enabled - 0/9
	Tracing is not enabled on stage default in APG xxxxxxxx
	Tracing is not enabled on stage default in APG yyyyyyyy
	Tracing is not enabled on stage default in APG zzzzzzzz
	Tracing is not enabled on stage default in APG aaaaaaaa
	Tracing is not enabled on stage default in APG bbbbbbbb
	Tracing is not enabled on stage default in APG cccccccc
	Tracing is not enabled on stage default in APG dddddddd
	Tracing is not enabled on stage default in APG eeeeeeee
	Tracing is not enabled on stage default in APG ffffffff

Pagination not working

Results are truncated. Need to implement the pagination in the getter.go files for each AWS package.

Priority: High
