nathanwallace | 3 years ago
Readers may also enjoy Steampipe [1]. It's an open source "ops as code" CLI to query 83+ services with SQL (AWS, GitHub, Terraform, etc.) that comes with hundreds of ready-to-use benchmarks (CIS, NIST, Cost) and dashboards built in HCL. The AWS Compliance mod [2] and Trivy plugin [3] are specific examples. (Disclaimer - I'm a lead on the project.)
1 - https://steampipe.io
2 - https://hub.steampipe.io/mods/turbot/aws_compliance
3 - https://hub.steampipe.io/plugins/turbot/trivy

bearjaws | 3 years ago
This is genuinely badass, this would have solved so many headaches in my career with AWS.
Searching / filtering for resources in the AWS SDK has always been kludgy and limited, sometimes requiring querying and then filtering locally to find specific records.
Also love the pro-SQL approach.

yevpats | 3 years ago
Shout out to Steampipe below as a similar project, though that takes a more real-time approach rather than ELT, which has its use cases as well.

bearjaws | 3 years ago
You do pay for it (~$30 a month for my job) but you quite literally check a box and have no setup.

wronglebowski | 3 years ago
I'm a big fan of Security Hub, it's a great tool for smaller shops to have better native visibility in their environment.
My main issue with it is the standards, PCI, AWS Foundations. These all have "Versions" which aren't controllable. For example AWS Foundations has been at 1.0.0 for over two years, despite receiving several updates and changes over time.

politelemon | 3 years ago
This doesn't make sense to me but probably because I've not understood Trivy. Inspecting file-type things (docker, file, terraform) was what Trivy had been doing so far. This however is now a network inspection and doesn't feel like it fits?

raesene9 | 3 years ago
So in theory this can fit pretty well, if you look at it as a tool that can scan things at various stages of the development pipeline. As the rulesets are the same this means you can get consistent results when scanning your Terraform and then in production against the running resources.
If it works then it can solve a big problem in security scanning, which is different tools applying different rules, which causes frustration as it reduces the risk of "it passed in dev, why is it failing in prod".
(full disclosure, I used to work for Aqua who make Trivy)

pritambarhate | 3 years ago
./trivy aws --region us-east-1
panic: runtime error: invalid memory address or nil pointer dereference
Posted a GitHub issue as well.

itaysk | 3 years ago

FujiApple | 3 years ago

InfoSecErik | 3 years ago

user3939382 | 3 years ago

u1tron | 3 years ago

bfung | 3 years ago
Whereas container scanning in ECR, who knows when someone will actually fix the issue.