{"id":13782583,"url":"https://github.com/DenizParlak/hayat","last_synced_at":"2025-05-11T15:32:39.739Z","repository":{"id":92370736,"uuid":"160221706","full_name":"DenizParlak/hayat","owner":"DenizParlak","description":"Hayat is a script for report and analyze Google Cloud Platform resources.","archived":false,"fork":false,"pushed_at":"2020-01-07T15:20:57.000Z","size":3022,"stargazers_count":80,"open_issues_count":0,"forks_count":14,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-05T13:17:11.994Z","etag":null,"topics":["cloud","gcp","gcp-cloud-functions","gcp-hardening","gcp-security","hardening"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DenizParlak.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-12-03T16:33:48.000Z","updated_at":"2025-02-02T13:02:52.000Z","dependencies_parsed_at":"2023-05-17T00:45:29.659Z","dependency_job_id":null,"html_url":"https://github.com/DenizParlak/hayat","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fhayat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fhayat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fhayat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DenizParlak%2Fhayat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DenizParlak","download_url":"https://codeload.github.com/DenizParlak/hayat/ta
r.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253588779,"owners_count":21932324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","gcp","gcp-cloud-functions","gcp-hardening","gcp-security","hardening"],"created_at":"2024-08-03T18:01:39.555Z","updated_at":"2025-05-11T15:32:37.947Z","avatar_url":"https://github.com/DenizParlak.png","language":"Shell","funding_links":[],"categories":["Shell","GCP Security","0x02 工具 :hammer_and_wrench:"],"sub_categories":["Offensive","1 云服务工具"],"readme":"# Hayat\n\nGoogle Cloud Platform Auditing \u0026 Hardening Script ~\n\n\n# What does \"Hayat\" mean?\n\nWell, I had a hard time finding a unique name, honestly. \"Hayat\" is a Turkish word which means \"Life\" in English and also my niece's name. 
Ready to meet her?\n\n\u003cimg src=\"https://github.com/DenizParlak/hayat/blob/master/hayat3.jpg\" width=\"248\"\u003e\n\n😍 😍 😍\n\n----------------------------------------------------------------------------------------------------------------------------\n\nHayat is an auditing \u0026 hardening script for Google Cloud Platform services such as:\n\n- Identity \u0026 Access Management\n- Logging and monitoring\n- Networking\n- Virtual Machines\n- Storage\n- Cloud SQL Instances\n- Kubernetes Clusters\n\nfor now.\n\n## Identity \u0026 Access Management\n- Ensure that corporate login credentials are used instead of Gmail accounts.\n- Ensure that there are only GCP-managed service account keys for each service account.\n- Ensure that no service account has Admin privileges.\n- Ensure that IAM users are not assigned the Service Account User role at project level.\n- Ensure that user-managed/external keys for service accounts are rotated every 90 days or less.\n- Ensure that separation of duties is enforced while assigning service account related roles to users.\n\n## Logging and Monitoring\n- Ensure that sinks are configured for all log entries.\n- Ensure that object versioning is enabled on log buckets.\n\n## Networking\n- Ensure the default network does not exist in a project.\n- Ensure legacy networks do not exist for a project.\n- Ensure that DNSSEC is enabled for Cloud DNS.\n- Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC.\n- Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC.\n- Ensure that RDP access is restricted from the Internet.\n- Ensure that SSH access is restricted from the Internet.\n- Ensure Private Google Access is enabled for all subnetworks in the VPC network.\n- Ensure VPC Flow Logs are enabled for every subnet in the VPC network.\n\n## Virtual Machines\n- Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.\n- Ensure \"Block Project-wide SSH keys\" is enabled for 
VM instances.\n- Ensure OS Login is enabled for a project.\n- Ensure 'Enable connecting to serial ports' is not enabled for VM instances.\n- Ensure that IP forwarding is not enabled on instances.\n- Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK).\n\n## Storage\n- Ensure that Cloud Storage buckets are not anonymously or publicly accessible.\n- Ensure that logging is enabled for Cloud Storage buckets.\n\n## Cloud SQL Database Services\n- Ensure that Cloud SQL database instances require all incoming connections to use SSL.\n- Ensure that Cloud SQL database instances are not open to the world.\n- Ensure that MySQL database instances do not allow anyone to connect with administrative privileges.\n- Ensure that MySQL database instances do not allow root login from any host.\n\n## Kubernetes Engine\n- Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.\n- Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.\n- Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.\n- Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.\n- Ensure Kubernetes Clusters are configured with Labels.\n- Ensure the Kubernetes web UI / Dashboard is disabled.\n- Ensure `Automatic node repair` is enabled for Kubernetes Clusters.\n- Ensure Automatic node upgrades are enabled on Kubernetes Engine cluster nodes.\n- Ensure Container-Optimized OS (cos) is used as the Kubernetes Engine cluster node image.\n- Ensure Basic Authentication is disabled on Kubernetes Engine Clusters.\n- Ensure Network policy is enabled on Kubernetes Engine Clusters.\n- Ensure Kubernetes Clusters are created with Client Certificate enabled.\n- Ensure Kubernetes Clusters are created with Alias IP ranges enabled.\n- Ensure the PodSecurityPolicy controller is enabled on Kubernetes Engine Clusters.\n- Ensure Kubernetes Clusters are created with Private cluster enabled.\n- Ensure Private Google Access is 
set on Kubernetes Engine Cluster subnets.\n- Ensure the default service account is not used for project access in Kubernetes Clusters.\n- Ensure Kubernetes Clusters are created with limited service account access scopes for project access.\n\n# Requirements\n\nHayat is written as a bash script using gcloud and is compatible with Linux and OSX.\n\n# Usage\n\ngit clone https://github.com/DenizParlak/Hayat.git \u0026\u0026 cd Hayat \u0026\u0026 chmod +x hayat.sh \u0026\u0026 ./hayat.sh\n\nYou can also run only specific checks, e.g. if you want to scan just Kubernetes clusters:\n\n./hayat.sh --only-k8s\n\n# Screenshots\n\n![image](https://github.com/DenizParlak/hayat/blob/master/h1.jpg)\n\n![image](https://github.com/DenizParlak/hayat/blob/master/h2.jpg)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDenizParlak%2Fhayat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDenizParlak%2Fhayat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDenizParlak%2Fhayat/lists"}