Keeping track of a complex AWS environment is no trivial task. At the same time, it is an important one, and not only for security reasons: especially in growing systems, a problematic dependency can easily be overlooked or a port left open to unauthorized access.
Graphical visualizations of the entire environment can be very helpful here. Creating such a diagram by hand already takes considerable effort, and the work does not end with the first version: the diagram has to be updated, and after every update the responsible people have to inspect the changed diagram for new weak points. With such a manual procedure, differences between the diagram and the real system can have two causes: either the system was not configured exactly as specified in the diagram, or errors were made when the diagram was drawn up afterwards.
We often choose CloudMapper, an open-source tool, to start analyzing complex AWS environments. How can it help you get an overview of what is happening in an account and how it is structured?
Tool support can be very helpful here: CloudMapper is an open-source tool for analyzing and visualizing AWS environments.
It was released in 2018 by Duo Security, which has since become part of Cisco.
CloudMapper Network Map
With CloudMapper, interactive network diagrams of AWS accounts can be created which visualize, among other things, the following aspects:
- Which resources communicate with each other?
- Which resources can be reached from outside?
- How are resources distributed across the different regions?
The generated diagrams can be edited interactively, which helps with the problems that typically arise when visualizing large networks. An interactive demo can be tried at https://duo-labs.github.io/cloudmapper/.
Audit Report and Commands
CloudMapper also offers features to create an audit report. A demo report is available at https://duo-labs.github.io/cloudmapper/account-data/report.html.
If you want to create your own reports, you can do so using the commands included in the CloudMapper package. They let you run various security-related queries from the command line.
The first example shows the audit command, which lists the findings as text output.
The public command returns a list of all IP addresses, including ports, through which the AWS environment can be reached from the public internet.
Using the collect command, you can gather a large amount of metadata about the account, for example to back up your setup or to keep track of changes:
python cloudmapper.py collect --account
A complete list of all CloudMapper commands can be found at https://github.com/duo-labs/cloudmapper#commands.
How does A&B use it?
CloudMapper is certainly no replacement for a professional CSPM (Cloud Security Posture Management) solution. We therefore clearly recommend that clients go with leading commercial products such as Aqua Security. We wrote an article about our partnership here.
Nonetheless, there is room for a tool like CloudMapper. It helps to quickly gain insight into existing deployments, and we regularly use it for audit purposes. Sometimes we trigger nightly CloudMapper runs to become aware of changes. If desired, we send the audit findings directly into a Slack channel to ease security communication.
Nonetheless, having the reports is only half of the game, maybe less. You need to establish a culture of security consciousness. Processes need to be built, implemented, and continuously maintained and verified in order to find and tackle those findings: sustainably and automated!
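The nightly run described above, together with the change tracking mentioned for the collect command, as an added example (our own illustration, not code from the CloudMapper project): it runs collect and audit, keeps last night's findings on disk, and posts only the delta to Slack. It assumes cloudmapper.py is run from its checkout directory, that audit prints one finding per line (lines are compared verbatim, so the exact format does not matter), that the audit flag is spelled --accounts as in the upstream README (check audit --help), and that a hypothetical SLACK_WEBHOOK_URL environment variable holds an incoming-webhook URL.

```python
# Added example (not CloudMapper's own code): nightly audit with change detection.
# Assumes cloudmapper.py is run from its checkout, `audit` prints one finding per
# line (compared verbatim), and SLACK_WEBHOOK_URL (hypothetical) holds a webhook URL.
import json
import os
import subprocess
import sys
import urllib.request
from pathlib import Path

def run_cloudmapper(*args):
    """Run one CloudMapper sub-command and return its stdout as text."""
    cmd = [sys.executable, "cloudmapper.py", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_findings(audit_output):
    """Each non-empty line of the audit text output counts as one finding."""
    return {line.strip() for line in audit_output.splitlines() if line.strip()}

def diff_findings(previous, current):
    """Return (new findings, resolved findings) between two nightly runs."""
    return current - previous, previous - current

def build_slack_payload(account, new, resolved):
    """Incoming-webhook payload listing only what changed, not the whole report."""
    lines = [f"CloudMapper audit for account {account}:"]
    lines += [f"NEW: {f}" for f in sorted(new)]
    lines += [f"RESOLVED: {f}" for f in sorted(resolved)]
    if len(lines) == 1:
        lines.append("no changes since the last run")
    return {"text": "\n".join(lines)}

def post_to_slack(webhook_url, payload):
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req, timeout=10).read()

def nightly(account, state_dir=Path("audit-state")):
    """collect -> audit -> diff against stored findings -> notify only on change."""
    state_dir.mkdir(exist_ok=True)
    state_file = state_dir / f"{account}.json"
    previous = set(json.loads(state_file.read_text())) if state_file.exists() else set()
    run_cloudmapper("collect", "--account", account)
    current = parse_findings(run_cloudmapper("audit", "--accounts", account))
    new, resolved = diff_findings(previous, current)
    state_file.write_text(json.dumps(sorted(current)))  # tomorrow's baseline
    payload = build_slack_payload(account, new, resolved)
    if (new or resolved) and os.environ.get("SLACK_WEBHOOK_URL"):
        post_to_slack(os.environ["SLACK_WEBHOOK_URL"], payload)
    return payload
```

Schedule nightly("your-account") from cron or a CI job; the first run only records the baseline, every later run reports what appeared or disappeared.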
If you want to discuss or book a managed service, just get in contact with us!
Image Sources: https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images