Stave is a robust cloud configuration analysis engine designed to detect insecure setups using local snapshots, eliminating the need for cloud credentials. With over 185 built-in controls spanning various domains and support for multiple compliance profiles, Stave provides a comprehensive assessment tool that secures cloud environments while maintaining data privacy.
Stave is a powerful cloud configuration analysis engine designed to identify insecure setups using local snapshots, eliminating the need for cloud credentials, network access, or runtime agents. It stands out in the realm of cloud security tools, bridging the gap between conventional CSPM (Cloud Security Posture Management) tools that require live API access and IaC (Infrastructure as Code) policy analysis tools that only inspect templates prior to deployment.
Key Features
- Comprehensive Control Coverage: Includes 185 built-in controls spanning 26 domains, such as S3, IAM, VPC, EC2, RDS, ELB, Kubernetes, CloudTrail, CloudWatch, KMS, and more.
- Regulatory Compliance Profiles: Supports 10 compliance profiles, including HIPAA, CIS AWS v3.0, SOC 2, PCI-DSS v4.0, NIST 800-53, FedRAMP, GDPR, FFIEC, ISO 27001, and NIST CSF 2.0, allowing users to align with industry standards.
- Unsafe Duration Tracking: Monitors how long assets remain misconfigured across snapshots to enhance security posture.
- Custom Control Definition: Users can define custom controls in YAML, using unsafe_predicate for any asset type, without requiring code changes.
- CI/CD Integration: Equipped with exit codes, SARIF output, and baseline tracking, Stave is designed to integrate seamlessly into CI/CD pipelines for automated security checks.
- Extensibility: Users can effortlessly add new detection capabilities without altering the engine, as new properties and controls are additive and backward-compatible.
Workflow
Stave operates on a straightforward workflow:
Extract → Validate → Apply → Act
- Extract: Capture asset configurations as obs.v0.1 JSON (extraction is handled by external programs).
- Validate: Ensure inputs are well-formed and complete.
- Apply: Evaluate the snapshots against defined safety controls and generate findings.
- Act: Review the findings, make necessary changes, and re-evaluate the configurations.
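As an added example, not Stave's own code or its obs.v0.1 schema, the Validate and Apply steps and the unsafe-duration tracking from the feature list can be sketched as follows; the snapshot field names (taken_at, assets, id, type, props), the asset type and the shape of the control are assumptions:

```python
# Added illustration, not Stave's code or its obs.v0.1 schema: a minimal
# "unsafe_predicate" control over ordered local snapshots with unsafe-duration
# tracking. Field names (id, type, props, taken_at) are assumptions.
from datetime import datetime

def _snap(ts, a_block, b_block):  # constructed sample snapshots
    return {"taken_at": ts, "assets": [
        {"id": "bucket-a", "type": "aws_s3_bucket", "props": {"public_access_block": a_block}},
        {"id": "bucket-b", "type": "aws_s3_bucket", "props": {"public_access_block": b_block}}]}
SNAPSHOTS = [_snap("2024-01-01T00:00:00Z", False, True),
             _snap("2024-01-03T00:00:00Z", False, False),
             _snap("2024-01-06T00:00:00Z", True, False)]
# One asset type per control; the predicate returns True when the asset is unsafe.
CONTROL = {"id": "s3-public-access-block-missing", "asset_type": "aws_s3_bucket",
           "unsafe_predicate": lambda p: not p.get("public_access_block", False)}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def validate(snapshot):
    """Validate step: refuse malformed input before evaluating anything."""
    if "taken_at" not in snapshot or not isinstance(snapshot.get("assets"), list):
        raise ValueError("snapshot missing taken_at or assets")
    for a in snapshot["assets"]:
        if not {"id", "type", "props"} <= set(a):
            raise ValueError(f"asset missing id/type/props: {a}")

def apply_control(control, snapshots):
    """Apply step: {asset_id: {"unsafe_days": float, "still_unsafe": bool}}.
    A span opens at the first unsafe snapshot and closes at the next safe one."""
    ordered = sorted(snapshots, key=lambda s: parse_ts(s["taken_at"]))
    opened, findings = {}, {}
    for snap in ordered:
        validate(snap)
        now = parse_ts(snap["taken_at"])
        for a in snap["assets"]:
            if a["type"] != control["asset_type"]:
                continue
            aid = a["id"]
            if control["unsafe_predicate"](a["props"]):
                opened.setdefault(aid, now)  # keep the earliest unsafe time
            elif aid in opened:  # transitioned to safe: close the span
                days = (now - opened.pop(aid)).total_seconds() / 86400
                prev = findings.get(aid, {"unsafe_days": 0.0})["unsafe_days"]
                findings[aid] = {"unsafe_days": prev + days, "still_unsafe": False}
    last = parse_ts(ordered[-1]["taken_at"])
    for aid, start in opened.items():  # still unsafe in the newest snapshot
        prev = findings.get(aid, {"unsafe_days": 0.0})["unsafe_days"]
        days = prev + (last - start).total_seconds() / 86400
        findings[aid] = {"unsafe_days": days, "still_unsafe": True}
    return findings
```

An asset that drops out of later snapshots keeps its span open until the newest snapshot, so a disappeared-but-never-fixed asset is still reported.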
Usage Example
For standard evaluation, use the following command:
stave apply --format json > evaluation.json
To evaluate against compliance profiles, run one command per profile:
stave apply --profile hipaa --input observations.json --include-all --format json
stave apply --profile cis-aws-v3.0 --input observations.json --include-all --format json
Built-in Controls Overview
Stave covers a wide range of controls across various domains, ensuring robust security checks:
- AWS S3: 55 controls including public access issues and encryption checks.
- AWS IAM: 21 controls focusing on credential management and account security.
- GCP Cloud Storage: 7 controls addressing public access and data completeness.
- DNS: Detects dangling references, which can lead to attacks, across different DNS providers.
For any organization interested in cloud security, Stave offers a reliable toolset to measure and maintain a strong security posture, empowering teams to identify and remediate misconfigurations efficiently.