Hi all,

I'm an indie dev and standing up some cloud infrastructure for side projects.

I'm wondering what tools/services exist for performing security audits for indie-grade projects.

I have a personal budget of 'some hundreds of dollars' versus an enterprise budget of 'some thousands of dollars'.

Also, I'm not handling, e.g., PCI data, so I don't expect that I require a particularly extensive security audit.

(And, yes, I'm aware 'security' is an ongoing process + multi-layered system. What I'm trying to identify here is a good sanity check before exposing a seemingly hardened host to the open internet.)

Thoughts?
Which cloud provider?

https://github.com/prowler-cloud/prowler is easy to get going with, and gives decent results. It's much stronger at AWS than GCP or Azure.

Steampipe can be a little harder to wrap your head around, but scales really well and has broader support: https://hub.steampipe.io/mods?objectives=security