DenizParlak / Hayat

Hayat is a script for reporting on and analyzing Google Cloud Platform resources.

Hayat

Google Cloud Platform Auditing & Hardening Script

What does "Hayat" mean?

Well, I had a hard time finding a unique name, honestly. "Hayat" is a Turkish word which means "Life" in English and also my niece's name. Ready to meet her?

😍 😍 😍


Hayat is an auditing & hardening script for Google Cloud Platform services such as:

  • Identity & Access Management
  • Logging and monitoring
  • Networking
  • Virtual Machines
  • Storage
  • Cloud SQL Instances
  • Kubernetes Clusters

for now.

Identity & Access Management

  • Ensure that corporate login credentials are used instead of Gmail accounts.
  • Ensure that there are only GCP-managed service account keys for each service account.
  • Ensure that ServiceAccount has no Admin privileges.
  • Ensure that IAM users are not assigned Service Account User role at project level.
  • Ensure user-managed/external keys for service accounts are rotated every 90 days or less.
  • Ensure that Separation of duties is enforced while assigning service account related roles to users.

Logging and Monitoring

  • Ensure that sinks are configured for all Log entries.
  • Ensure that object versioning is enabled on log-buckets.

Networking

  • Ensure the default network does not exist in a project.
  • Ensure legacy networks do not exist for a project.
  • Ensure that DNSSEC is enabled for Cloud DNS.
  • Ensure that RSASHA1 is not used for key-signing key in Cloud DNS DNSSEC.
  • Ensure that RSASHA1 is not used for zone-signing key in Cloud DNS DNSSEC.
  • Ensure that RDP access is restricted from the Internet.
  • Ensure that SSH access is restricted from the Internet.
  • Ensure Private Google Access is enabled for all subnetworks in the VPC Network.
  • Ensure VPC Flow Logs are enabled for every subnet in the VPC Network.

Virtual Machines

  • Ensure that instances are not configured to use the default service account with full access to all Cloud APIs.
  • Ensure "Block Project-wide SSH keys" is enabled for VM instances.
  • Ensure OS Login is enabled for a Project.
  • Ensure 'Enable connecting to serial ports' is not enabled for VM Instance.
  • Ensure that IP forwarding is not enabled on Instances.
  • Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys (CSEK).

Storage

  • Ensure that Cloud Storage bucket is not anonymously or publicly accessible.
  • Ensure that logging is enabled for Cloud Storage buckets.

Cloud SQL Database Services

  • Ensure that Cloud SQL database instance requires all incoming connections to use SSL.
  • Ensure that Cloud SQL database Instances are not open to the world.
  • Ensure that MySQL database instances do not allow anyone to connect with administrative privileges.
  • Ensure that MySQL database instances do not allow root login from any host.

Kubernetes Engine

  • Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters.
  • Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters.
  • Ensure Kubernetes Clusters are configured with Labels.
  • Ensure Kubernetes web UI / Dashboard is disabled.
  • Ensure Automatic node repair is enabled for Kubernetes Clusters.
  • Ensure Automatic node upgrades are enabled on Kubernetes Engine Cluster nodes.
  • Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image.
  • Ensure Basic Authentication is disabled on Kubernetes Engine Clusters.
  • Ensure Network policy is enabled on Kubernetes Engine Clusters.
  • Ensure Kubernetes Cluster is created with Client Certificate enabled.
  • Ensure Kubernetes Cluster is created with Alias IP ranges enabled.
  • Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters.
  • Ensure Kubernetes Cluster is created with Private cluster enabled.
  • Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets.
  • Ensure the default Service account is not used for Project access in Kubernetes Clusters.
  • Ensure Kubernetes Clusters are created with limited service account access scopes for Project access.

Requirements

Hayat is written as a bash script on top of gcloud and is compatible with Linux and OS X.

Usage

git clone https://github.com/DenizParlak/Hayat.git && cd Hayat && chmod +x hayat.sh && ./hayat.sh

You can also run only specific check groups, e.g. if you want to scan just Kubernetes clusters:

./hayat.sh --only-k8s
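As an added example that is not part of the Hayat project, here is how the two Networking checks above ("SSH access is restricted from the Internet" and "RDP access is restricted from the Internet") can be expressed as a Hayat-style POSIX sh function over gcloud firewall-rule rows. The gcloud --format projection named in the comment is an assumption to verify before use, and the sample rows are constructed for this example.

```shell
# Added example, not Hayat's own code: a Hayat-style POSIX sh check for the
# "SSH/RDP restricted from the Internet" items. Rows are assumed to come from
#   gcloud compute firewall-rules list --format="value(name,direction,sourceRanges.list(),allowed[].map().firewall_rule().list())"
# (projection is an assumption): NAME DIRECTION SOURCES(comma list) ALLOWED(comma list).

# Return 0 when an allowed spec (all, tcp, tcp:22, tcp:20-1024, ...) covers TCP port $2.
spec_covers_tcp_port() {
  spec=$1; port=$2
  case "$spec" in
    all|tcp) return 0 ;;
    tcp:*)   ;;
    *)       return 1 ;;   # udp, icmp, esp, ... cannot expose an SSH/RDP port
  esac
  range=${spec#tcp:}
  case "$range" in
    *-*) lo=${range%-*}; hi=${range#*-} ;;
    *)   lo=$range;      hi=$range ;;
  esac
  [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# Read rule rows on stdin; print one finding per INGRESS rule that lets 0.0.0.0/0
# reach TCP 22 (ssh) or 3389 (rdp). Egress rules and non-Internet sources are skipped.
find_exposed_admin_ports() {
  while read -r name direction sources allowed; do
    [ "$direction" = "INGRESS" ] || continue
    case ",$sources," in *,0.0.0.0/0,*) ;; *) continue ;; esac
    hit=""
    for spec in $(printf '%s' "$allowed" | tr ',' ' '); do
      spec_covers_tcp_port "$spec" 22   && case "$hit" in *ssh*) ;; *) hit="$hit ssh" ;; esac
      spec_covers_tcp_port "$spec" 3389 && case "$hit" in *rdp*) ;; *) hit="$hit rdp" ;; esac
    done
    if [ -n "$hit" ]; then printf '%s: %s open to the Internet\n' "$name" "${hit# }"; fi
  done
  return 0
}
# Constructed sample rows (not real project data) in the shape described above.
sample_rules() {
  cat <<'EOF'
default-allow-ssh INGRESS 0.0.0.0/0 tcp:22
bastion-ssh INGRESS 203.0.113.0/24 tcp:22
allow-internal INGRESS 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp
wide-open INGRESS 0.0.0.0/0 all
mixed-src INGRESS 10.0.0.0/8,0.0.0.0/0 tcp:20-25,udp:3389
egress-any EGRESS 0.0.0.0/0 all
EOF
}

sample_rules | find_exposed_admin_ports
```

To run it against a real project, replace sample_rules with the gcloud listing and treat every printed line as a finding to remediate (narrow the source range or drop the rule).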

