inspec-portefaix.md

File metadata and controls

154 lines (117 loc) · 4.53 KB

+++
title = "Inspec Portefaix"
description = "Instructions for check Portefaix infrastructure on AWS"
weight = 20
+++

InSpec is used to check the deployed infrastructure against the controls listed below.

Check that InSpec can reach the AWS API (the `train-aws` transport and SDK versions are printed):

```shell
❯ make -f hack/build/aws.mk inspec-debug
Test infrastructure

 ────────────────────────────── Platform Details ──────────────────────────────

Name:      aws
Families:  cloud, api
Release:   train-aws: v0.1.15, aws-sdk-core: v3.94.0
```

Execute tests:

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/<SERVICE> ENV=staging
```

You can upload the JSON results file to Heimdall Lite to display the results.
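A small consumer of that JSON results file, added here as an example and not part of the Portefaix repository: it collapses each control's per-test results into one verdict (a control fails if any of its tests failed, is skipped only if all were skipped) and lists the failing assertions, so a CI job can gate on the outcome instead of only on a dashboard. The structure follows InSpec's JSON reporter (profiles, controls, results); the embedded report is a constructed sample reusing the `eks-*` control ids from the tables below.

```ruby
require 'json'

# Constructed sample in the shape of InSpec's JSON reporter output
# (profiles -> controls -> results); only the fields read below are included.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [{
      "name": "eks",
      "controls": [
        {"id": "eks-1", "title": "Ensure the AWS EKS Cluster is running a minimal version", "impact": 0.7,
         "results": [{"status": "passed", "code_desc": "EKS cluster version should cmp >= 1.21"}]},
        {"id": "eks-3", "title": "Ensure the AWS EKS Cluster is not public", "impact": 1.0,
         "results": [{"status": "passed", "code_desc": "endpoint_private_access should eq true"},
                     {"status": "failed", "code_desc": "endpoint_public_access should eq false",
                      "message": "expected false, got true"}]},
        {"id": "eks-5", "title": "Ensure AWS EKS Cluster Subnets are specific", "impact": 0.5,
         "results": [{"status": "skipped", "code_desc": "Subnet check", "skip_message": "no subnets found"}]}
      ]
    }]
  }
JSON

# One verdict per control: InSpec records a result per describe block, so a
# control fails if any result failed, is skipped only if every result was
# skipped, and passes otherwise.
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'no_results' if statuses.empty?
  return 'failed' if statuses.include?('failed')
  return 'skipped' if statuses.all? { |s| s == 'skipped' }
  'passed'
end

# Group control ids by verdict and keep the failing assertions (code_desc
# plus the matcher message) so the CI log says what actually broke.
def summarize(report_json)
  report = JSON.parse(report_json)
  summary = { 'passed' => [], 'failed' => [], 'skipped' => [], 'failures' => {} }
  report.fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |control|
      status = control_status(control)
      (summary[status] ||= []) << control['id']
      next unless status == 'failed'
      summary['failures'][control['id']] = control['results']
        .select { |r| r['status'] == 'failed' }
        .map { |r| "#{r['code_desc']}: #{r['message']}" }
    end
  end
  summary
end

# Process exit status for a CI step: non-zero as soon as one control failed.
def exit_code(summary)
  summary['failed'].empty? ? 0 : 1
end

puts JSON.pretty_generate(summarize(SAMPLE_REPORT)) if __FILE__ == $PROGRAM_NAME
```

To use it on a real run, read the file written by `inspec exec ... --reporter json:<file>` instead of `SAMPLE_REPORT` and `exit exit_code(summary)` at the end.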

## CIS AWS Foundations Benchmark

You can run the tests of the CIS AWS Foundations Benchmark:

```shell
❯ make -f hack/build/aws.mk inspec-aws-cis ENV=staging
```

## CIS Kubernetes Benchmark

```shell
❯ make -f hack/build/aws.mk inspec-aws-kubernetes ENV=staging
```

## VPC

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/vpc ENV=staging
```

VPC

| Code | Description |
|------|-------------|
| vpc-1 | Ensure that the VPC exists and its tags are correctly set |
| vpc-2 | Ensure that the VPC has an Internet Gateway |
| vpc-3 | Check that AWS Security Groups do not have undesirable rules |
| vpc-4 | Ensure that the VPC Subnets exist |

## EKS

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/eks ENV=staging
```

EKS

| Code | Description |
|------|-------------|
| eks-1 | Ensure the AWS EKS Cluster is running a minimal version |
| eks-2 | Ensure the AWS EKS Cluster control plane has audit logs enabled |
| eks-3 | Ensure the AWS EKS Cluster is not public |
| eks-4 | Ensure the AWS EKS Cluster has application secrets encryption enabled |
| eks-5 | Ensure AWS EKS Cluster Subnets are specific |
| eks-6 | Ensure AWS EKS Cluster Nodegroups do not allow remote access from all IPs |

## Sops

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/sops ENV=staging
```

Sops

| Code | Description |
|------|-------------|
| sops-1 | Ensure that the KMS key exists |
| sops-2 | Ensure that the IAM roles and policies exist |

## Observability

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/observability ENV=staging
```

Observability

| Code | Description |
|------|-------------|
| grafana-1 | Ensure that the IAM roles and policies exist |
| prometheus-1 | Ensure that the IAM roles and policies exist |
| thanos-1 | Ensure that the S3 bucket exists and its tags are correctly set |
| thanos-2 | Ensure that the S3 log bucket exists and its tags are correctly set |
| thanos-3 | Ensure that the KMS key exists |
| thanos-4 | Ensure that the IAM roles and policies exist |
| loki-1 | Ensure that the S3 bucket exists and its tags are correctly set |
| loki-2 | Ensure that the S3 log bucket exists and its tags are correctly set |
| loki-3 | Ensure that the KMS key exists |
| loki-4 | Ensure that the IAM roles and policies exist |
| tempo-1 | Ensure that the S3 bucket exists and its tags are correctly set |
| tempo-2 | Ensure that the S3 log bucket exists and its tags are correctly set |
| tempo-3 | Ensure that the KMS key exists |
| tempo-4 | Ensure that the IAM roles and policies exist |

## Velero

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/velero ENV=staging
```

Velero

| Code | Description |
|------|-------------|
| velero-1 | Ensure that the S3 bucket exists and its tags are correctly set |
| velero-2 | Ensure that the S3 log bucket exists and its tags are correctly set |
| velero-3 | Ensure that the KMS key exists |
| velero-4 | Ensure that the IAM roles and policies exist |

## Vector

```shell
❯ make -f hack/build/aws.mk inspec-test SERVICE=iac/aws/vector ENV=staging
```

Vector

| Code | Description |
|------|-------------|
| vector-1 | Ensure that the S3 bucket exists and its tags are correctly set |
| vector-2 | Ensure that the S3 log bucket exists and its tags are correctly set |
| vector-3 | Ensure that the KMS key exists |
| vector-4 | Ensure that the IAM roles and policies exist |