Yet Another Testing & Auditing Solution
The goal of YATAS is to help you create a secure Cloud environment without too much hassle. It won't check for all best practices but only for the ones that are important for you based on my experience. Please feel free to tell me if you find something that is not covered.
In your .yatas.yml
file. More information on YATAS homepage.
plugins:
- name: "gcp"
enabled: true
source: "github.com/padok-team/yatas-gcp"
version: "latest"
description: "Check for GCP good practices"
pluginsConfiguration:
- pluginName: "gcp"
accounts:
- project: "project-1"
computeRegions:
- europe-west1
- europe-west2
- europe-west3
- project: "project-2"
computeRegions:
- us-east1
- GCP_FUN_001 CloudFunctions are not directly exposed on the internet
- GCP_FUN_002 CloudFunctions do not use the default Compute Engine service account
- GCP_FUN_003 CloudFunctions do not have plain text secrets in environment variables
- GCP_FUN_004 CloudFunctions require IAM authentication
- GCP_GCS_001 Check if GCS buckets are using object versioning
- GCP_GCS_002 Check if GCS buckets are encrypted with a custom KMS key
- GCP_GCS_003 Check if GCS buckets are not public
- GCP_GKE_001 GKE Control Plane is Regional (HA)
- GCP_GKE_002 Workload Identity is enabled
- GCP_GKE_003 GKE Control Plane does not have a public endpoint
- GCP_IAM_001 Service accounts cannot escalate privileges
- GCP_IAM_002 Service accounts keys are not older than 90 days
- GCP_LB_001 Check if SSL certificates attached to HTTPS forwarding rules are in auto-renewed (managed mode)
- GCP_NET_001 SSH ingress firewall rules only allow IAP
- GCP_NET_002 SSH ingress firewall rules apply on specific tags or service accounts
- GCP_RUN_001 CloudRun services are not directly exposed on the internet
- GCP_RUN_002 CloudRun services do not use the default Compute Engine service account
- GCP_RUN_003 CloudRun services do not have plain text secrets in environment variables
- GCP_SQL_001 Check if SQL Instances are Regional (HA)
- GCP_SQL_002 Check if SQL Instances have backups enabled with Point in Time Recovery
- GCP_SQL_003 Check if SQL Instances have encrypted traffic enforced
- GCP_SQL_004 Check if SQL Instances are not exposed with a public IP
- GCP_SQL_005 Check if SQL Instances are encrypted at rest with a customer-managed key
- GCP_SQL_006 Check if SQL backups are stored in a multi-regional location
- GCP_VM_001 Check if VM instance is not using a public IP address
- GCP_VM_002 Check if VM Disk is encrypted with a customer-managed key
- GCP_VM_003 Check VM instance group is multi-zonal
See CONTRIBUTING.md