Prag-o-matic

A blog.

AWS CIS Audit tool

The Center for Internet Security (CIS) released guidelines for AWS and I thought it’d be interesting to describe these in Gherkin. I could then back the statements with small Python scripts to run the checks through the use of the the Behave package.

As you can see in the example feature below, the Gherkin syntax is reasonably readable:

@kms
Feature: AWS Key Management Services

  @cis @level_2
  Scenario: CIS 2.8 Ensure rotation for customer created CMKs is enabled
    Then all KMS keys must be set to rotate annually

The statements then map to Python functions that do the actual work. Calling behave against the set of tests generates JUnit-based XML output so I then pass them through junit2html for easier reviews.

Overall it’s an interesting approach and gives you a user-friendly description of the tests and output that could be analysed by non-developers. Better yet, failed tests could raise an alarm.

A good chunk of the tests work but it’s definitely not finished. Check out the code.