Cloud Bench Checker

Connect to multiple clouds such as public cloud or cloud native via public APIs, and perform security baseline checks according to benchmark recommendations.

Feature

• ✅ Support for multiple clouds with parallel execution
• ✅ Support for switching from various authorization profiles
• ✅ Flexible baseline configuration in YAML format
• ✅ Flexible configuration to extract required data from cloud response with the support of JSONPath
• ✅ Flexible result validation with the support of JSON Schema

Caution

SECURITY DISCLAIMER: ALWAYS use the READONLY cloud authorizations (ak/sk/ClusterRole/etc...) to be configured in the project, and NEVER trust any rule provided by others, even if it is cloned or downloaded from this site.

Quick start

Download

1. Download the command tool for your OS from the release page.
2. Download a baseline configuration file of your interest from the template directory, e.g. "baseline.tmpl.conf".

Prepare cloud auth config

To conform to file of "baseline.tmpl.conf", authorization information should be stored in environment variables. An easy way to do this is by creating a file named "env.txt" similar to this:

TENCENTCLOUD_SECRET_ID=xxx
TENCENTCLOUD_SECRET_KEY=xxx
TENCENTCLOUD_REGION=xxx
ALIBABA_CLOUD_ACCESS_KEY_ID=xxx
ALIBABA_CLOUD_ACCESS_KEY_SECRET=xxx
ALIBABA_CLOUD_REGION=xxx
AZURE_CLIENT_ID=xxx
AZURE_TENANT_ID=xxx
AZURE_CLIENT_SECRET=xxx
AZURE_SUBSCRIPTION_ID=xxx

And then export the file as environment variables using one of the following commands:

under linux

export $(cat ./env.txt)

under Windows with Powershell

(Get-Content .\env.txt).ForEach({ $name, $value = $_ -Split "="; Set-Item -Path "env:$name" -Value $value })

Run

To perform baseline checks with tag test in the file of baseline.tmpl.conf:

./main -t test -c ./template/baseline.tmpl.conf

The result will be outputed to a file named "test.csv".

Quick start with Docker

Download

1. Download a baseline configuration file of your interest from the template directory, e.g. "baseline.tmpl.conf".

Prepare cloud auth config

To conform to file of "baseline.tmpl.conf", authorization information should be stored in environment variables. Create a file named "env.txt" to be used as the environment file for Docker similar to this:

TENCENTCLOUD_SECRET_ID=xxx
TENCENTCLOUD_SECRET_KEY=xxx
TENCENTCLOUD_REGION=xxx
ALIBABA_CLOUD_ACCESS_KEY_ID=xxx
ALIBABA_CLOUD_ACCESS_KEY_SECRET=xxx
ALIBABA_CLOUD_REGION=xxx
AZURE_CLIENT_ID=xxx
AZURE_TENANT_ID=xxx
AZURE_CLIENT_SECRET=xxx
AZURE_SUBSCRIPTION_ID=xxx

Run

1. (Optional) Create an "output" directory to bypass the permission limit if Docker needs be launched with sudo.
2. To perform baseline checks with tag test in the file of baseline.tmpl.conf:

docker run --rm --env-file ./env.txt -v ./baseline.tmpl.conf:/app/config.conf -v ./output:/app/output ghcr.io/s3studio/cloud-bench-checker:latest -t test

The result will be outputed to a file named "output/output.csv".

Further guide

Please see documentation.

Roadmap

• Framework
  • listor
  • checker
  • baseline
  • auth controller
  • constraint checker
• Connector
  • cloud connector
    • tencent cloud
      • tencent cos
    • aliyun cloud
      • aliyun oss
    • k8s
      • version constraint
    • aws
    • azure ( ⚠️ beta version)
    • maybe openstack?
    • support of multiple region
  • cross platform connector
    • api connector
• Versioning and compatibility for config file
• Interaction
  • command tool
  • api
  • webui
• Tool
  • baseline config manager: project
  • building support
  • dockerize support: package
• Doc
  • usage
    • auth file format
  • baseline config format
  • api