feat: Add AWS Cloud scanning (#2493)
* feat: Added AWS Cloud scanning

Co-authored-by: Owen Rumney <[email protected]>
@@ -0,0 +1,55 @@ | ||
# Amazon Web Services | ||
|
||
!!! warning "EXPERIMENTAL" | ||
This feature might change without preserving backwards compatibility. | ||
|
||
The Trivy AWS CLI allows you to scan your AWS account for misconfigurations. You can either run the CLI locally or integrate it into your CI/CD pipeline. | ||
|
||
Whilst you can already scan the infrastructure-as-code that defines your AWS resources with `trivy config`, you can now scan your live AWS account(s) directly too. | ||
|
||
The included checks cover all of the aspects of the [AWS CIS 1.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html) automated benchmarks. | ||
|
||
Trivy uses the same [authentication methods](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) as the AWS CLI to configure and authenticate your access to the AWS platform. | ||
|
||
You will need permissions configured to read all AWS resources - we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached. | ||
|
||
Once you've scanned your account, you can run additional commands to filter the results without having to run the entire scan again - results are cached locally per AWS account/region. | ||
|
||
## CLI Commands | ||
|
||
Scan a full AWS account (all supported services): | ||
|
||
```shell | ||
trivy aws --region us-east-1 | ||
``` | ||
|
||
You can allow Trivy to determine the AWS region etc. by using the standard AWS configuration files and environment variables. The `--region` flag overrides these. | ||
|
||
![AWS Summary Report](../../../imgs/trivy-aws.png) | ||
|
||
The summary view is the default when scanning multiple services. | ||
|
||
Scan a specific service: | ||
|
||
```shell | ||
trivy aws --service s3 | ||
``` | ||
|
||
Scan multiple services: | ||
|
||
```shell | ||
# --service s3,ec2 works too | ||
trivy aws --service s3 --service ec2 | ||
``` | ||
|
||
Show results for a specific AWS resource: | ||
|
||
```shell | ||
trivy aws --service s3 --arn arn:aws:s3:::example-bucket | ||
``` | ||
|
||
All ARNs with detected issues will be displayed when showing results for their associated service. | ||
|
||
## Cached Results | ||
|
||
By default, Trivy will cache results for each service for 24 hours. This means you can filter and view results for a service without having to wait for the scan to run again. If you want to force the cache to be refreshed with the latest data, you can use `--update-cache`. Or if you'd like to use cached data for a different timeframe, you can specify `--max-cache-age` (e.g. `--max-cache-age 2h`.) |
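Review bot: The permissions guidance in this hunk ("we recommend using a group/role with the `ReadOnlyAccess` and `SecurityAudit` policies attached") over-provisions for a configuration scan, and the same page tells users to run it from CI/CD pipelines where those credentials will live. `ReadOnlyAccess` grants read access to data, not just to resource configuration (for example `s3:Get*` covers object contents and `dynamodb:GetItem`/`Scan` cover table rows), whereas `SecurityAudit` is built for exactly this kind of Describe/List/Get-configuration auditing. Suggest recommending `SecurityAudit` as the baseline and listing any additional actions the checks need, with `ReadOnlyAccess` mentioned only as a broader fallback. Two smaller documentation points: "Scan a full AWS account (all supported services)" is illustrated with `trivy aws --region us-east-1`, which covers a single region, so say whether scans are per-region and how to cover all regions; and the "Cached Results" section should state where the cache is written on disk, since it holds an inventory of account resources and findings that CI jobs should treat as sensitive and clean up.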