ape

package module
v0.0.0-...-869fb85 Latest
Published: Jul 4, 2023 License: GPL-3.0 Imports: 58 Imported by: 0

README

ape: AWS account scanner

about

ape is a tool for scanning AWS accounts to discover issues such as security vulnerabilities. It's fast, and it's written in Go, so there are no dependencies to install.

compatibility

Only tested on Linux and MacOS.

quickstart

docker

The following will run the AWS CIS Foundations preset against a single account.

$ docker run --rm -t quay.io/jonhadfield/ape \
             --run-preset=cis-foundations \
             --access-key-id=ACCESS-KEY-ID \
             --secret-access-key=SECRET-ACCESS-KEY

Replace 'ACCESS-KEY-ID' and 'SECRET-ACCESS-KEY' with your credentials. To create a user with the minimum permissions required to run this preset, see here.

install and run

Download the latest release here: https://github.com/jonhadfield/ape/releases and install:

$ install <ape binary> /usr/local/bin/ape

To run the built-in AWS CIS Foundations preset, set your AWS credentials and then run:

$ ape --run-preset=cis-foundations

concept

the basics

ape runs playbook files containing a list of tasks called plays. Each play defines one or more policies to run, and it's the policies that tell ape how to find issues through the use of filters. All of these are defined using a simple markup language called YAML.

playbook

A playbook file, in its simplest form, is a list of plays. By default, each play is executed in turn against the account matching the credentials ape is called with. Other configuration items, including the email and Slack reporting integrations, are also defined here.

play

A play lists the policies to run and also lets you define which targets (AWS accounts) and regions to run them against.

policy

A policy defines the AWS resource type and one or more filters to run against items of that type.

filter

A filter consists of one or more resource criteria (instance attributes), each paired with the value to match on.
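The playbook, play, policy and filter hierarchy described above, as an added illustration that is not ape's own code: the type and field names, the YAML-free struct literals and the security-group sample data are all assumptions, and the evaluation rule (every filter criterion must equal the item's attribute, within the play's regions) is a plain reading of the text rather than ape's implementation.

```go
package main

import "fmt"

// Hypothetical model of the playbook -> play -> policy -> filter hierarchy;
// type and field names are assumptions for illustration, not ape's schema.
type Filter struct{ Criterion, Value string }          // attribute and value to match on
type Policy struct{ Resource string; Filters []Filter } // resource type plus filters
type Play struct{ Regions map[string]bool; Policies []Policy }
type Playbook []Play // in its simplest form, a list of plays
type Item struct { // constructed stand-in for a discovered AWS resource
	ID, Type, Region string
	Attrs            map[string]string
}

// matches is true only when every filter criterion equals the item's attribute.
func matches(it Item, filters []Filter) bool {
	for _, f := range filters {
		if it.Attrs[f.Criterion] != f.Value {
			return false
		}
	}
	return true
}

// Run applies each play's policies to in-scope items of the policy's type and returns flagged IDs.
func Run(pb Playbook, items []Item) (flagged []string) {
	for _, play := range pb {
		for _, pol := range play.Policies {
			for _, it := range items {
				if it.Type == pol.Resource && play.Regions[it.Region] && matches(it, pol.Filters) {
					flagged = append(flagged, it.ID)
				}
			}
		}
	}
	return flagged
}

// SampleRun flags security groups that allow SSH from anywhere (constructed data).
func SampleRun() []string {
	pb := Playbook{{Regions: map[string]bool{"eu-west-1": true}, Policies: []Policy{{Resource: "SecurityGroup",
		Filters: []Filter{{"ingress_cidr", "0.0.0.0/0"}, {"port", "22"}}}}}}
	sg := func(id, region, cidr string) Item {
		return Item{id, "SecurityGroup", region, map[string]string{"ingress_cidr": cidr, "port": "22"}}
	}
	return Run(pb, []Item{sg("sg-open", "eu-west-1", "0.0.0.0/0"),
		sg("sg-internal", "eu-west-1", "10.0.0.0/8"), sg("sg-out-of-scope", "us-east-1", "0.0.0.0/0")})
}

func main() { fmt.Println(SampleRun()) } // prints [sg-open]
```

The internal-only group and the group in a region outside the play's scope are left alone, which is the same narrowing a real play does before any policy is evaluated.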

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ListSupported

func ListSupported()

func LoadConfigs

func LoadConfigs(l []interface{}, input LoadConfigsInput) (configs r.Configs, err error)

func ParsePlaybookFileContent

func ParsePlaybookFileContent(content []byte) (playbook r.Playbook, err error)

func ParsePoliciesFileContent

func ParsePoliciesFileContent(content []byte) (policies r.Policies, err error)

Types

type CreatePlanInput

type CreatePlanInput struct {
	Playbook   r.Playbook
	Accounts   []r.Account
	Policies   r.Policies
	Args       r.CommandLineArgs
	AssueRole  string
	OutputFile string
}

type CreatePlanOutput

type CreatePlanOutput struct {
	Plan  *plan
	Email r.Email
	Slack r.Slack
}

func CreatePlan

func CreatePlan(loggers []interface{}, input *CreatePlanInput) (output CreatePlanOutput, err error)

type EnforcePlanInput

type EnforcePlanInput struct {
	RoleArn         string
	ExternalID      string
	RoleSessionName string
	Args            r.CommandLineArgs
	Email           r.Email
	Slack           r.Slack
}

type LoadConfigsInput

type LoadConfigsInput struct {
	PlaybookFilePath string
	PoliciesFilePath string
	AccountsFilePath string
	Args             r.CommandLineArgs
}

type PlanItem

type PlanItem struct {
	ID     string
	Target planItemTarget
	Policy r.Policy

	Play *r.Play
	// contains filtered or unexported fields
}

Directories

Path     Synopsis
cmd/ape
