feat: 🎸 s3 and ec2 volumes encryption

.yatas.yml.example

@@ -1,23 +1,14 @@
 plugins:
-  - name: "hds"
+  - name: "aws"
     enabled: true
-    description: "Rose is a plugin that allows you to use the rose language."
-    cloud_provider: "aws"
-  - name: "rose"
-    enabled: true
-    description: "Rose is a plugin that allows you to use the rose language."
-    cloud_provider: "aws"
+    description: "Check for AWS good practices"
+
 
 aws:
   enabled: true
   account:
-    name: "parent"
-    access_key: "xxxx"
-    secret_key: "xxxx"
-    region: "us-east-1"
-    profile: "default"
-    role_arn: "arn:aws:iam::123456789012:role/roleName"
-    role_session_name: "sessionName"
-    role_external_id: "externalId"
+    profile: ""
+    sso: false
+    region: "eu-west-3"
 
 

README.md

@@ -1,2 +1,34 @@
 # YATAS
 Yet Another Testing & Auditing Solution 
+
+## Features
+YATAS is a simple and easy to use tool to audit your infrastructure for misconfiguration or potential security issues.
+
+## Installation
+
+```bash
+brew tap stangirard/tap
+brew install yatas
+```
+
+```bash
+cp .yatas.yml.example .yatas.yml
+```
+
+Modify .yatas.yml to your needs.
+
+## Usage
+
+```bash
+yatas ## --details 
+```
+
+Flags:
+- `--details`: Show details of the issues found.
+
+## Plugins
+
+| Name | Description | Checks |
+|------|-------------|--------|
+| *AWS* | AWS checks | EC2 and S3 encryption |
+

internal/aws/aws.go

@@ -1,24 +1,27 @@
 package aws
 
 import (
-	"fmt"
-
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/stangirard/yatas/internal/aws/s3"
+	"github.com/stangirard/yatas/internal/aws/volumes"
 	"github.com/stangirard/yatas/internal/config"
 	"github.com/stangirard/yatas/internal/logger"
 	"github.com/stangirard/yatas/internal/types"
 )
 
 func Run(c *config.Config) ([]types.Check, error) {
 	s := initAuth(c)
-	logger.Info("Starting AWS tests")
+	logger.Info("Launching AWS checks")
 	checks := initTest(s)
 	return checks, nil
 }
 
 func initTest(s *session.Session) []types.Check {
 
-	fmt.Println("Ran AWS")
-	return s3.RunS3Test(s)
+	var checks []types.Check
+	checks = append(checks, s3.RunS3Test(s)...)
+	checks = append(checks, volumes.RunVolumesTest(s)...)
+	logger.Info("AWS checks completed ✅")
+
+	return checks
 }

internal/aws/volumes/volumes.go

@@ -0,0 +1,54 @@
+package volumes
+
+import (
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/stangirard/yatas/internal/logger"
+	"github.com/stangirard/yatas/internal/types"
+)
+
+func GetVolumes(s *session.Session) []*ec2.Volume {
+	svc := ec2.New(s)
+	input := &ec2.DescribeVolumesInput{}
+	result, err := svc.DescribeVolumes(input)
+	if err != nil {
+		panic(err)
+	}
+	return result.Volumes
+}
+
+func checkIfEncryptionEnabled(s *session.Session, volumes []*ec2.Volume, c *[]types.Check) {
+	var check types.Check
+	check.Name = "EC2 Volumes Encryption"
+	check.Description = "Check if EC2 encryption is enabled"
+	check.Status = "OK"
+	svc := ec2.New(s)
+	for _, volume := range volumes {
+		params := &ec2.DescribeVolumesInput{
+			VolumeIds: []*string{volume.VolumeId},
+		}
+		resp, err := svc.DescribeVolumes(params)
+		if err != nil {
+			panic(err)
+		}
+		if *resp.Volumes[0].Encrypted == false {
+			check.Status = "FAIL"
+			status := "FAIL"
+			Message := "EC2 encryption is not enabled on " + *volume.VolumeId
+			check.Results = append(check.Results, types.Result{Status: status, Message: Message})
+		} else {
+			status := "OK"
+			Message := "EC2 encryption is enabled on " + *volume.VolumeId
+			check.Results = append(check.Results, types.Result{Status: status, Message: Message})
+		}
+	}
+	*c = append(*c, check)
+}
+
+func RunVolumesTest(s *session.Session) []types.Check {
+	var checks []types.Check
+	logger.Debug("Starting EC2 volumes tests")
+	volumes := GetVolumes(s)
+	checkIfEncryptionEnabled(s, volumes, &checks)
+	return checks
+}

internal/plugins/plugins.go

@@ -24,7 +24,7 @@ func Execute(c *config.Config) ([]types.Check, error) {
 func runPlugins(c *config.Config, plugins []string) ([]types.Check, error) {
 	var checksAll []types.Check
 	for _, plugin := range plugins {
-		logger.Info(fmt.Sprint("Running plugin: ", plugin))
+		logger.Debug(fmt.Sprint("Running plugin: ", plugin))
 		switch plugin {
 		case "aws":
 			checks, err := aws.Run(c)
@@ -46,7 +46,7 @@ func findPlugins(c *config.Config) []string {
 			plugins = append(plugins, plugin.Name)
 		}
 	}
-	logger.Info(fmt.Sprint("Plugins Found in config: ", plugins))
+	logger.Debug(fmt.Sprint("Plugins Found in config: ", plugins))
 
 	return plugins
 }

internal/report/report.go

@@ -1,6 +1,7 @@
 package report
 
 import (
+	"flag"
 	"fmt"
 
 	"github.com/stangirard/yatas/internal/types"
@@ -12,13 +13,18 @@ var status = map[string]string{
 	"FAIL": "❌",
 }
 
+var details = flag.Bool("details", false, "print detailed results")
+
 func PrettyPrintChecks(checks []types.Check) {
+	flag.Parse()
 	for _, check := range checks {
-		fmt.Println("✓ Check: ", check.Name)
-		fmt.Println("\tDescritpion: ", check.Description)
-		fmt.Println("\tStatus: ", status[check.Status])
-		for _, result := range check.Results {
-			fmt.Println("\t\t🧪Result: ", status[result.Status], result.Message)
+		fmt.Println("✓ Check: ", check.Name, " - ", status[check.Status])
+		if *details {
+			fmt.Println("\tDescritpion: ", check.Description)
+			fmt.Println("\tResults:")
+			for _, result := range check.Results {
+				fmt.Println("\t\t", status[result.Status], result.Message)
+			}
 		}
 
 	}