ape is a tool for scanning AWS accounts to discover issues such as security vulnerabilities. It's fast, and it's written in Go, so there are no dependencies to install.
Only tested on Linux and macOS.
The following will run the AWS CIS Foundations preset against a single account.
$ docker run --rm -t quay.io/jonhadfield/ape \
--run-preset=cis-foundations \
--access-key-id=ACCESS-KEY-ID \
--secret-access-key=SECRET-ACCESS-KEY
Replace 'ACCESS-KEY-ID' and 'SECRET-ACCESS-KEY' with your credentials. To create a user with the minimum permissions required to run this preset, see here.
Download the latest release here: https://github.com/jonhadfield/ape/releases and install:
$ install <ape binary> /usr/local/bin/ape
To run the built-in AWS CIS Foundations preset, set your AWS credentials and then run:
$ ape --run-preset=cis-foundations
ape runs playbook files containing a list of tasks called plays. Each play defines one or more policies to run, and it's the policies that tell ape how to find issues through the use of filters. All of these are defined using a simple markup language called YAML.
A playbook file, in its simplest form, is a list of plays. By default, each play is executed in turn against the account matching the credentials ape is called with. Other configuration items, including the email and Slack reporting integrations, are also defined here.
A play lists the policies to run and also lets you define which targets (AWS accounts) and regions to run them against.
A policy defines the AWS resource type and one or more filters to run against items of that type.
A filter consists of one or more resource criteria (instance attributes), each paired with the value to match on.
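To make the playbook, play, policy and filter hierarchy concrete, the following is an added Python evaluator of that model; it is not ape's own code, the key names it uses (plays, targets, regions, policies, resource, filters, criterion, value) are assumed for illustration rather than taken from ape's real schema, and the account inventory it runs over is constructed sample data:

```python
# Added example, not ape's own code. The key names (plays, targets, regions,
# policies, resource, filters, criterion, value) are assumed for illustration.
# A playbook is a list of plays; a play names targets/regions and policies;
# a policy names a resource type and the filters an item must match.
PLAYBOOK = {"plays": [{
    "name": "iam-hygiene", "targets": ["111111111111"], "regions": ["us-east-1"],
    "policies": [
        {"name": "console-users-without-mfa", "resource": "iam:user",
         "filters": [{"criterion": "ConsoleAccess", "value": True},
                     {"criterion": "MFAEnabled", "value": False}]},
        {"name": "ssh-open-to-world", "resource": "ec2:security-group-rule",
         "filters": [{"criterion": "Cidr", "value": "0.0.0.0/0"},
                     {"criterion": "Port", "value": 22}]},
    ]}]}

# Constructed inventory standing in for what ape would fetch from the AWS API.
INVENTORY = {"111111111111": {"us-east-1": {
    "iam:user": [
        {"Id": "alice", "ConsoleAccess": True, "MFAEnabled": True},
        {"Id": "bob", "ConsoleAccess": True, "MFAEnabled": False},
        {"Id": "deploy-bot", "ConsoleAccess": False, "MFAEnabled": False}],
    "ec2:security-group-rule": [
        {"Id": "sgr-1", "Cidr": "0.0.0.0/0", "Port": 22},
        {"Id": "sgr-2", "Cidr": "10.0.0.0/8", "Port": 22}],
}}}

def item_matches(filters, item):
    """True only when every filter's criterion equals its value; a criterion
    the item lacks never matches, so unknown attributes give no false hits."""
    return all(item.get(f["criterion"]) == f["value"] for f in filters)

def run_playbook(playbook, inventory):
    """Run each play in turn against its targets and regions; return findings
    as (play, policy, account, region, item id) tuples."""
    findings = []
    for play in playbook["plays"]:
        for account in play["targets"]:
            for region in play["regions"]:
                scope = inventory.get(account, {}).get(region, {})
                for policy in play["policies"]:
                    for item in scope.get(policy["resource"], []):
                        if item_matches(policy["filters"], item):
                            findings.append((play["name"], policy["name"],
                                             account, region, item["Id"]))
    return findings

if __name__ == "__main__":
    for f in run_playbook(PLAYBOOK, INVENTORY):
        print("issue: play=%s policy=%s account=%s region=%s item=%s" % f)
```

Against the constructed inventory only the console user without MFA and the world-open SSH rule are reported, because an item is flagged only when every filter of a policy matches.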