Hi all,
I'm an indie dev and standing up some cloud infrastructure for side projects.
I'm wondering what tools/services exist for performing security audits for indie-grade projects.
I have a personal budget of 'some hundreds of dollars' versus an enterprise budget of 'some thousands of dollars'.
Also, I'm not handling, e.g., PCI data, so I don't expect that I require a particularly extensive security audit.
(And, yes, I'm aware 'security' is an ongoing process + multi-layered system. What I'm trying to identify here is a good sanity check before exposing a seemingly hardened host to the open internet.)
Thoughts?
Which cloud provider?
https://github.com/prowler-cloud/prowler is easy to get going with, and gives decent results. It's much stronger at AWS than GCP or Azure.
Steampipe can be a little harder to wrap your head around, but scales really well and has broader support: https://hub.steampipe.io/mods?objectives=security