yatas-gcp

command module

v1.8.0 Latest Latest Go to latest Published: Jan 26, 2024 License: Apache-2.0 Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/padok-team/yatas-gcp

Links

Open Source Insights

README ¶

yatas-logo

YATAS

Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure Cloud environment without too much hassle. It won't check for all best practices but only for the ones that are important for you based on my experience. Please feel free to tell me if you find something that is not covered.

GCP Plugin setup

In your .yatas.yml file. More information on YATAS homepage.

plugins:
  - name: "gcp"
    enabled: true
    source: "github.com/padok-team/yatas-gcp"
    version: "latest"
    description: "Check for GCP good practices"

pluginsConfiguration:
  - pluginName: "gcp"
    accounts:
      - project: "project-1"
        computeRegions:
          - europe-west1
          - europe-west2
          - europe-west3
      - project: "project-2"
        computeRegions:
          - us-east1

GCP - 27 Checks

FUN

GCP_FUN_001 CloudFunctions are not directly exposed on the internet
GCP_FUN_002 CloudFunctions do not use the default Compute Engine service account
GCP_FUN_003 CloudFunctions do not have plain text secrets in environment variables
GCP_FUN_004 CloudFunctions require IAM authentication

GCS

GCP_GCS_001 Check if GCS buckets are using object versioning
GCP_GCS_002 Check if GCS buckets are encrypted with a custom KMS key
GCP_GCS_003 Check if GCS buckets are not public

GKE

GCP_GKE_001 GKE Control Plane is Regional (HA)
GCP_GKE_002 Workload Identity is enabled
GCP_GKE_003 GKE Control Plane does not have a public endpoint

IAM

GCP_IAM_001 Service accounts cannot escalate privileges
GCP_IAM_002 Service accounts keys are not older than 90 days

LB

GCP_LB_001 Check if SSL certificates attached to HTTPS forwarding rules are in auto-renewed (managed mode)

NET

GCP_NET_001 SSH ingress firewall rules only allow IAP
GCP_NET_002 SSH ingress firewall rules apply on specific tags or service accounts

RUN

GCP_RUN_001 CloudRun services are not directly exposed on the internet
GCP_RUN_002 CloudRun services do not use the default Compute Engine service account
GCP_RUN_003 CloudRun services do not have plain text secrets in environment variables

SQL

GCP_SQL_001 Check if SQL Instances are Regional (HA)
GCP_SQL_002 Check if SQL Instances have backups enabled with Point in Time Recovery
GCP_SQL_003 Check if SQL Instances have encrypted traffic enforced
GCP_SQL_004 Check if SQL Instances are not exposed with a public IP
GCP_SQL_005 Check if SQL Instances are encrypted at rest with a customer-managed key
GCP_SQL_006 Check if SQL backups are stored in a multi-regional location

VM

GCP_VM_001 Check if VM instance is not using a public IP address
GCP_VM_002 Check if VM Disk is encrypted with a customer-managed key
GCP_VM_003 Check VM instance group is multi-zonal

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
gcp
cloudrun
functions
gcs
gke
iam
instance
loadbalancing
network
sql
internal
logger

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL