Skip to content

padok-team/yatas-gcp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

99 Commits

.github/workflows

.github/workflows

 
 

docs

docs

 
 

gcp

gcp

 
 

internal

internal

 
 

logger

logger

 
 

.gitignore

.gitignore

 
 

.goreleaser.yml

.goreleaser.yml

 
 

.yatas.example.yml

.yatas.example.yml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

go.mod

go.mod

 
 

go.sum

go.sum

 
 

main.go

main.go

 
 

renovate.json

renovate.json

 
 

Repository files navigation

yatas-logo

YATAS

codecov goreport

Yet Another Testing & Auditing Solution

The goal of YATAS is to help you create a secure Cloud environment without too much hassle. It won't check for all best practices but only for the ones that are important for you based on my experience. Please feel free to tell me if you find something that is not covered.

GCP Plugin setup

In your .yatas.yml file. More information on YATAS homepage.

plugins:
  - name: "gcp"
    enabled: true
    source: "github.com/padok-team/yatas-gcp"
    version: "latest"
    description: "Check for GCP good practices"

pluginsConfiguration:
  - pluginName: "gcp"
    accounts:
      - project: "project-1"
        computeRegions:
          - europe-west1
          - europe-west2
          - europe-west3
      - project: "project-2"
        computeRegions:
          - us-east1

GCP - 27 Checks

FUN

  • GCP_FUN_001 CloudFunctions are not directly exposed on the internet
  • GCP_FUN_002 CloudFunctions do not use the default Compute Engine service account
  • GCP_FUN_003 CloudFunctions do not have plain text secrets in environment variables
  • GCP_FUN_004 CloudFunctions require IAM authentication

GCS

  • GCP_GCS_001 Check if GCS buckets are using object versioning
  • GCP_GCS_002 Check if GCS buckets are encrypted with a custom KMS key
  • GCP_GCS_003 Check if GCS buckets are not public

GKE

  • GCP_GKE_001 GKE Control Plane is Regional (HA)
  • GCP_GKE_002 Workload Identity is enabled
  • GCP_GKE_003 GKE Control Plane does not have a public endpoint

IAM

  • GCP_IAM_001 Service accounts cannot escalate privileges
  • GCP_IAM_002 Service accounts keys are not older than 90 days

LB

  • GCP_LB_001 Check if SSL certificates attached to HTTPS forwarding rules are in auto-renewed (managed mode)

NET

  • GCP_NET_001 SSH ingress firewall rules only allow IAP
  • GCP_NET_002 SSH ingress firewall rules apply on specific tags or service accounts

RUN

  • GCP_RUN_001 CloudRun services are not directly exposed on the internet
  • GCP_RUN_002 CloudRun services do not use the default Compute Engine service account
  • GCP_RUN_003 CloudRun services do not have plain text secrets in environment variables

SQL

  • GCP_SQL_001 Check if SQL Instances are Regional (HA)
  • GCP_SQL_002 Check if SQL Instances have backups enabled with Point in Time Recovery
  • GCP_SQL_003 Check if SQL Instances have encrypted traffic enforced
  • GCP_SQL_004 Check if SQL Instances are not exposed with a public IP
  • GCP_SQL_005 Check if SQL Instances are encrypted at rest with a customer-managed key
  • GCP_SQL_006 Check if SQL backups are stored in a multi-regional location

VM

  • GCP_VM_001 Check if VM instance is not using a public IP address
  • GCP_VM_002 Check if VM Disk is encrypted with a customer-managed key
  • GCP_VM_003 Check VM instance group is multi-zonal

Contribute

See CONTRIBUTING.md

About

Plugin for YATAS that audits GCP projects for misconfiguration and security issues

github.com/padok-team/YATAS

Topics

security gcp audit hardening misconfiguration yatas

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

4 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases 9

v1.8.0 Latest
Jan 26, 2024
+ 8 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages