CloudMapper — Visualizing and auditing AWS infrastructures for free
When it comes to AWS planning, it’s best to have a clear understanding of the infrastructure we’ll need for our project. It is also crucial to check that the infrastructure we expect to have matches the infrastructure we are actually using at the moment.
In this case, an open-source tool called CloudMapper by Duo Security can help us understand, audit, and visualize our AWS infrastructure.
CloudMapper is quite a useful tool because it collects metadata from all the different services we use in every available AWS region and gives us a clear representation of the infrastructure we are actually running, and therefore paying for.
Each month we are billed for these services, so it makes rational and economic sense to audit our AWS environment and remove unwanted or unused services, which can reduce the monthly bill.
Besides the monthly bill, CloudMapper can also reduce the security risks in our AWS infrastructure. The audit report generated from the collected data contains a section on security findings, so it will warn us of possible account configuration errors and will also suggest how to proceed with them.
Of course, addressing high-risk issues such as publicly exposed S3 buckets containing confidential data is often a smart idea, but don’t be overwhelmed by a potentially large number of security findings.
After successfully auditing our infrastructure and finding our weaknesses, we can concentrate on structural improvements that will keep these issues from arising again in the future.
First things first: we need to set up Duo’s CloudMapper and then link it with our AWS environment.
A t2.micro instance, which is eligible for free usage under the AWS Free Tier, is sufficient to have CloudMapper up and running and doing its job. We’ll need to configure programmatic access on our instance with the AWS CLI. There is a decent number of tutorials that can help you set up CloudMapper; one of them is the infra.engineer tutorial, which is written very well and in detail.
After the initial setup and data collection through the “collect” command, we need to convert that data into a format usable by the web browser. This is done with the “prepare” command:
python cloudmapper.py prepare --config config.json --account OurAccount
Once the data is converted, we can run a web server to view the collected data in our browser. This is achieved with the following command:
python cloudmapper.py webserver --public
Collecting the metadata only requires the privileges to describe and list information about our account. If you followed the infra.engineer tutorial, you will have seen that this is achieved by creating an AWS IAM user with the following managed policies attached:
ViewOnlyAccess
SecurityAudit
Most of the logic lies in converting the collected metadata files into something that can be viewed in a web browser. This is where Security Groups are examined to identify the network structure, the parent/child relationships between nodes, and the grouping (compound) nodes such as subnets, AZs, VPCs, regions, and accounts.
To produce the diagram and allow interaction with the resources, the final step, visualizing the data in the browser, relies entirely on cytoscape.js.
Once we run the “webserver” command, we can open CloudMapper in our browser and click on nodes to get more information about them, move them around, delete them, and do other things through cytoscape.js. There is also the option to save a high-definition image of the diagram, zoom in and out, pan, or save the layout after we’ve moved nodes around.
Since this is used only for visualizing results, any change made in the web browser will not affect the real AWS environment.
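To make the “prepare” step described above concrete, here is an added illustration (not CloudMapper’s own code) of how collected describe-* style metadata can be turned into the node hierarchy (account, region, VPC, AZ, subnet, instance) and the security-group-derived edges that a cytoscape.js diagram consumes. Every id, name and CIDR in the sample metadata is a constructed value, and the element layout is an assumption chosen for readability, not CloudMapper’s actual output format.

```python
"""Added example: a minimal 'prepare'-style conversion of collected AWS metadata
into cytoscape.js elements. Not CloudMapper's code; all sample data is constructed."""
import json

# Constructed sample metadata: one account, one region, one VPC, two subnets,
# a web instance reachable from the internet and a database reachable only from it.
METADATA = {
    "account": "123456789012",
    "region": "us-east-1",
    "vpcs": [{"VpcId": "vpc-0a1", "CidrBlock": "10.0.0.0/16"}],
    "subnets": [
        {"SubnetId": "subnet-0aa", "VpcId": "vpc-0a1", "AvailabilityZone": "us-east-1a"},
        {"SubnetId": "subnet-0bb", "VpcId": "vpc-0a1", "AvailabilityZone": "us-east-1b"},
    ],
    "instances": [
        {"InstanceId": "i-web", "SubnetId": "subnet-0aa", "SecurityGroups": [{"GroupId": "sg-web"}]},
        {"InstanceId": "i-db", "SubnetId": "subnet-0bb", "SecurityGroups": [{"GroupId": "sg-db"}]},
    ],
    "security_groups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-db", "IpPermissions": [
            {"FromPort": 5432, "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    ],
}


def build_hierarchy(md):
    """Return compound nodes: each node carries an id, a type and its parent id."""
    nodes = []
    acct = md["account"]
    region = f"{acct}/{md['region']}"
    nodes.append({"data": {"id": acct, "type": "account"}})
    nodes.append({"data": {"id": region, "type": "region", "parent": acct}})
    for vpc in md["vpcs"]:
        nodes.append({"data": {"id": vpc["VpcId"], "type": "vpc", "parent": region}})
    seen_az = set()  # AZ nodes are created on demand under the VPC that uses them
    for sn in md["subnets"]:
        az_id = f"{sn['VpcId']}/{sn['AvailabilityZone']}"
        if az_id not in seen_az:
            seen_az.add(az_id)
            nodes.append({"data": {"id": az_id, "type": "az", "parent": sn["VpcId"]}})
        nodes.append({"data": {"id": sn["SubnetId"], "type": "subnet", "parent": az_id}})
    for inst in md["instances"]:
        nodes.append({"data": {"id": inst["InstanceId"], "type": "instance", "parent": inst["SubnetId"]}})
    return nodes


def build_edges(md):
    """Derive edges from security group ingress rules.

    A rule referencing another security group becomes an edge from every instance
    in the source group to every instance in the target group; a rule trusting a
    CIDR becomes an edge whose source is that CIDR."""
    members = {}
    for inst in md["instances"]:
        for sg in inst["SecurityGroups"]:
            members.setdefault(sg["GroupId"], []).append(inst["InstanceId"])
    edges = []
    for sg in md["security_groups"]:
        for perm in sg["IpPermissions"]:
            ports = f"{perm['FromPort']}-{perm['ToPort']}"
            for rng in perm["IpRanges"]:
                for dst in members.get(sg["GroupId"], []):
                    edges.append({"data": {"source": rng["CidrIp"], "target": dst, "ports": ports}})
            for pair in perm["UserIdGroupPairs"]:
                for src in members.get(pair["GroupId"], []):
                    for dst in members.get(sg["GroupId"], []):
                        edges.append({"data": {"source": src, "target": dst, "ports": ports}})
    return edges


def prepare(md):
    """Combine nodes and edges, adding a node for every external CIDR used as an edge source."""
    nodes = build_hierarchy(md)
    edges = build_edges(md)
    known = {n["data"]["id"] for n in nodes}
    for e in edges:
        src = e["data"]["source"]
        if src not in known:
            nodes.append({"data": {"id": src, "type": "cidr"}})
            known.add(src)
    return {"elements": nodes + edges}


if __name__ == "__main__":
    print(json.dumps(prepare(METADATA), indent=2))
```

The output is the shape cytoscape.js accepts as its elements list: nodes whose parent attribute nests them inside compound nodes, and edges keyed by source and target. The edge from 0.0.0.0/0 to the web instance is what makes an internet-exposed port visible at a glance in the diagram.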
· audit: Check for potential misconfigurations.
· collect: Collect metadata about an account.
· find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges.
· find_unused: Look for unused resources in the account. Finds unused Security Groups, Elastic IPs, network interfaces, volumes and elastic load balancers.
· prepare/webserver: See Network Visualizations.
· public: Find public hosts and port ranges.
· sg_ips: Get geoip info on CIDRs trusted in Security Groups.
· stats: Show counts of resources for accounts.
· weboftrust: Show Web Of Trust.
· report: Generate HTML report. Includes summary of the accounts and audit findings.
· iam_report: Generate HTML report for the IAM information of an account.
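As an added illustration of the kind of checks the find_unused and audit commands above perform (this is not CloudMapper’s own code), the following runs over constructed metadata shaped like describe-security-groups, describe-network-interfaces, describe-addresses and describe-volumes output, reports resources nothing references, and flags ingress rules that admit 0.0.0.0/0 on all ports or on a sensitive port. All ids and addresses are constructed sample values, and the list of sensitive ports is an assumption made for the example.

```python
"""Added example: unused-resource and public-ingress checks over constructed AWS
metadata. Not CloudMapper's code; all sample data below is constructed."""

# Constructed sample: three security groups (one referenced by no interface),
# two Elastic IPs (one unassociated) and two volumes (one unattached).
SAMPLE = {
    "security_groups": [
        {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "GroupName": "admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-old", "GroupName": "old-test", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "network_interfaces": [
        {"NetworkInterfaceId": "eni-1", "Groups": [{"GroupId": "sg-web"}, {"GroupId": "sg-admin"}]},
    ],
    "addresses": [
        {"PublicIp": "203.0.113.10", "AssociationId": "eipassoc-1"},
        {"PublicIp": "203.0.113.11"},
    ],
    "volumes": [
        {"VolumeId": "vol-1", "Attachments": [{"InstanceId": "i-1"}]},
        {"VolumeId": "vol-2", "Attachments": []},
    ],
}

# Assumed list of ports a defender normally does not want reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}


def find_unused(md):
    """Return security groups attached to no network interface, Elastic IPs with
    no association, and volumes with no attachment."""
    in_use = {g["GroupId"] for eni in md["network_interfaces"] for g in eni["Groups"]}
    return {
        "security_groups": sorted(sg["GroupId"] for sg in md["security_groups"] if sg["GroupId"] not in in_use),
        "elastic_ips": sorted(a["PublicIp"] for a in md["addresses"] if not a.get("AssociationId")),
        "volumes": sorted(v["VolumeId"] for v in md["volumes"] if not v["Attachments"]),
    }


def audit_public_ingress(md):
    """Return (group id, severity, message) findings for rules open to 0.0.0.0/0.

    IpProtocol "-1" means every protocol and port, so it is reported as a whole;
    otherwise each sensitive port inside the rule's port range is reported."""
    findings = []
    for sg in md["security_groups"]:
        for perm in sg["IpPermissions"]:
            if not any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "HIGH", "all ports open to 0.0.0.0/0"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            for port, name in sorted(SENSITIVE_PORTS.items()):
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], "HIGH", f"{name} ({port}) open to 0.0.0.0/0"))
    return findings


if __name__ == "__main__":
    for kind, ids in find_unused(SAMPLE).items():
        print(f"unused {kind}: {ids}")
    for group, severity, message in audit_public_ingress(SAMPLE):
        print(f"{severity} {group}: {message}")
```

Note that the unused group sg-old is also the one with the widest-open rule: the two checks reinforce each other, since deleting a group nothing references removes a finding without touching any running workload.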
Further CloudMapper documentation:
https://github.com/duo-labs/cloudmapper/blob/master/README.md#installation
Spotting misconfigurations using CloudMapper:
https://duo.com/blog/spotting-misconfigurations-with-cloudmapper
Continuous Auditing with Cloudmapper:
https://duo.com/blog/continuous-auditing-with-cloudmapper
Run CloudMapper’s collection and audit capabilities nightly, across multiple accounts, sending any audit findings to a Slack channel and keeping a copy of the collected metadata in an S3 bucket.
https://github.com/duo-labs/cloudmapper/blob/master/auditor/README.md