Scanning for AWS Security Issues with Trivy (lia.mg)
82 points by pcw888 on Aug 16, 2022 | hide | past | favorite | 15 comments



Readers may also enjoy Steampipe [1]. It's an open source "ops as code" CLI to query 83+ services with SQL (AWS, GitHub, Terraform, etc.) that comes with hundreds of ready-to-use benchmarks (CIS, NIST, Cost) and dashboards built in HCL. The AWS Compliance mod [2] and Trivy plugin [3] are specific examples. (Disclaimer - I'm a lead on the project.)

1 - https://steampipe.io
2 - https://hub.steampipe.io/mods/turbot/aws_compliance
3 - https://hub.steampipe.io/plugins/turbot/trivy


This is genuinely badass; this would have solved so many headaches in my career with AWS.

Searching / filtering for resources in the AWS SDK has always been kludgy and limited, sometimes requiring querying and then filtering locally to find specific records.

Also love the pro-SQL approach.


Shameless plug, you can also enjoy CloudQuery (https://github.com/cloudquery/cloudquery) where we take a more ELT approach so you can use plain SQL for policies (https://github.com/cloudquery/cloudquery/tree/main/plugins/s...) and then use any BI tools for visualization and monitoring (https://github.com/cloudquery/cloudquery/tree/main/plugins/s...).

Shout out to Steampipe below as a similar project, though that takes a more real-time approach rather than ELT, which has its use-cases as well.


Why not use AWS Security Hub? It already supports reading in all your accounts into a centralized report and running it against multiple standards.

You do pay for it (~$30 a month for my job) but you quite literally check a box and have no setup.


I'm a big fan of Security Hub, it's a great tool for smaller shops to have better native visibility in their environment.

My main issue with it is the standards, PCI, AWS Foundations. These all have "Versions" which aren't controllable. For example AWS Foundations has been at 1.0.0 for over two years, despite receiving several updates and changes over time.


This doesn't make sense to me, but probably because I've not understood Trivy. Inspecting file-type things (Docker, file, Terraform) was what Trivy had been doing so far. This however is now a network inspection and doesn't feel like it fits?


So in theory this can fit pretty well, if you look at it as a tool that can scan things at various stages of the development pipeline. As the rulesets are the same, this means you can get consistent results when scanning your Terraform and then in production against the running resources.

If it works then it can solve a big problem in security scanning, which is different tools applying different rules, which causes frustration as it reduces the risk of "it passed in dev, why is it failing in prod".

(full disclosure, I used to work for Aqua who make Trivy)


Just tried it:

./trivy aws --region us-east-1

panic: runtime error: invalid memory address or nil pointer dereference

Posted a GitHub issue as well.


Can you please try with v0.31.2?



Alternate tool in the same space: https://github.com/nccgroup/ScoutSuite


Also this https://www.fugue.co/ I learned about this tool by interviewing with them. Nice guys.


AWS has its own native tool to scan the images.


One use case for Trivy is in a CI/CD pipeline: fail container builds that have issues to begin with.

Whereas container scanning in ECR, who knows when someone will actually fix the issue.
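A severity gate of the kind this comment describes, as an added example that is not Trivy's own code or part of the thread: it reads a Trivy JSON report (the layout produced by `trivy image --format json`, assumed here) and returns a non-zero exit code when any finding meets a threshold, which is what `trivy image --exit-code 1 --severity HIGH,CRITICAL` does natively but is useful when the report is archived or post-processed. The sample report, package names and CVE ids are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report, for failing a CI build step.

Added example, not Trivy's own code. Assumes the `trivy image --format json`
report layout: a top-level "Results" list, each entry carrying a
"Vulnerabilities" list of objects with "VulnerabilityID", "PkgName" and
"Severity". The sample report below is constructed for illustration.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (placeholder ids, not real scan output).
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example.local/app:1.0 (alpine 3.16.0)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH"},
            ],
        },
        # Trivy emits null rather than [] for a target with no findings.
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ]
})


def findings_at_or_above(report_json, threshold):
    """Return (id, package, severity) tuples whose severity meets the threshold."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold.upper()]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(sev, 0) >= floor:
                hits.append((vuln["VulnerabilityID"], vuln.get("PkgName", "?"), sev))
    return hits


def gate(report_json, threshold="HIGH"):
    """Pipeline exit code: 1 if any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report_json, threshold) else 0


if __name__ == "__main__":
    # Pipe a real report in (`trivy image --format json app:1.0 | python gate.py`),
    # or run with no stdin to gate the constructed sample.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for vid, pkg, sev in findings_at_or_above(data, "HIGH"):
        print(f"{sev:8} {vid} in {pkg}")
    sys.exit(gate(data, "HIGH"))
```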


There’s a fix for this. Assign production “visas” to specific image builds. The visa has a clear start and end date and can be renewed if evidence is provided that no security issues above a defined threshold are present.

That said, I really like Trivy. It has native output template support, meaning you can plug it in where licensing gets tricky (looking at you, Palo Alto Networks).



