https://github.com/jonhadfield/ape
AWS account scanner
aws golang security
- Host: GitHub
- URL: https://github.com/jonhadfield/ape
- Owner: jonhadfield
- License: gpl-3.0
- Created: 2017-08-11T11:29:31.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2023-07-04T21:19:38.000Z (almost 3 years ago)
- Last Synced: 2024-10-03T00:18:00.244Z (over 1 year ago)
- Topics: aws, golang, security
- Language: Go
- Homepage:
- Size: 17 MB
- Stars: 5
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# ape: AWS account scanner
- [about](#about)
- [quickstart](#quickstart)
- [concept](#concept)
## about
ape is a tool for scanning AWS accounts to discover issues such as security vulnerabilities.
It's fast, and it's written in Go, so there are no dependencies to install.
## compatibility
Only tested on Linux and macOS.
## quickstart
### docker
The following will run the [AWS CIS Foundations](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) preset against a single account.
```bash
$ docker run --rm -t quay.io/jonhadfield/ape \
--run-preset=cis-foundations \
--access-key-id=ACCESS-KEY-ID \
--secret-access-key=SECRET-ACCESS-KEY
```
Replace 'ACCESS-KEY-ID' and 'SECRET-ACCESS-KEY' with your credentials.
To create a user with the minimum permissions required to run this preset, see [here](https://github.com/jonhadfield/ape/blob/master/docs/cis-foundations-policy.md).
### install and run
Download the latest release here: https://github.com/jonhadfield/ape/releases and install it, replacing 'DOWNLOADED-FILE' with the path to the file you downloaded:
```bash
$ install DOWNLOADED-FILE /usr/local/bin/ape
```
To run the built-in [AWS CIS Foundations](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf) preset, [set your AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) and then run:
```bash
$ ape --run-preset=cis-foundations
```
## concept
### the basics
ape runs **playbook** files containing a list of tasks called **plays**. Each **play** defines one or more **policies** to run, and it's the policies that tell ape how to find issues through the use of **filters**.
All of these are defined using a simple markup language called [YAML](http://yaml.org/).
#### playbook
A playbook file, in its simplest form, is a list of plays. By default, each play will be executed in turn against the account matching the credentials ape is called with.
Other configuration items, including email and Slack reporting integrations, are also defined here.
#### play
A play lists the policies to run and also lets you define which **targets** (AWS accounts) and regions to run them against.
#### policy
A policy defines the AWS **resource** type and one or more **filters** to run against items of that type.
#### filter
A filter consists of one or more resource **criterion** entries (instance attributes) and the value to match on.
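
The hierarchy described above (playbook, play, policy, filter) can be modelled and evaluated as in the following Go program, which is an added example and not ape's own code or playbook schema. All type, field, policy and attribute names are hypothetical, the inventory is constructed, and treating an empty target or region list as "no restriction" is an assumption.

```go
package main

import "fmt"

// Hypothetical model of the hierarchy described above; not ape's own types or YAML schema.
type (
	Filter struct{ Criterion, Value string } // resource attribute and the value to match
	Policy struct{ Name, Resource string; Filters []Filter } // Resource: the AWS resource type
	Play   struct{ Targets, Regions []string; Policies []Policy } // assumed: empty list = unrestricted
	Item   struct{ Account, Region, Type, ID string; Attrs map[string]string } // one discovered resource
)

func inScope(allowed []string, v string) bool {
	for _, a := range allowed {
		if a == v {
			return true
		}
	}
	return len(allowed) == 0
}

// Run executes each play in turn; a finding needs scope, type and every filter to match.
func Run(playbook []Play, inventory []Item) (findings []string) {
	for _, play := range playbook {
		for _, pol := range play.Policies {
			for _, it := range inventory {
				ok := it.Type == pol.Resource && inScope(play.Targets, it.Account) && inScope(play.Regions, it.Region)
				for _, f := range pol.Filters {
					v, has := it.Attrs[f.Criterion] // a missing attribute counts as no match
					ok = ok && has && v == f.Value
				}
				if ok {
					findings = append(findings, pol.Name+": "+it.ID)
				}
			}
		}
	}
	return findings
}

// Constructed sample data: account ID, resource IDs and attribute names are made up.
var samplePlaybook = []Play{{Targets: []string{"111111111111"}, Regions: []string{"eu-west-1"}, Policies: []Policy{
	{"ssh-open-to-world", "SecurityGroup", []Filter{{"IngressCIDR", "0.0.0.0/0"}, {"IngressPort", "22"}}}}}}
var sampleInventory = []Item{
	{"111111111111", "eu-west-1", "SecurityGroup", "sg-a", map[string]string{"IngressCIDR": "0.0.0.0/0", "IngressPort": "22"}},
	{"111111111111", "us-east-1", "SecurityGroup", "sg-c", map[string]string{"IngressCIDR": "0.0.0.0/0", "IngressPort": "22"}},
	{"111111111111", "eu-west-1", "SecurityGroup", "sg-d", map[string]string{"IngressPort": "22"}},
}
func main() { fmt.Println(Run(samplePlaybook, sampleInventory)) }
```

Only `sg-a` is reported: `sg-c` sits outside the play's regions and `sg-d` lacks one of the attributes the policy filters on.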