GithubHelp home page GithubHelp logo

paulpc / cloudmapper Goto Github PK

View Code? Open in Web Editor NEW

This project forked from duo-labs/cloudmapper

0.0 1.0 0.0 4.57 MB

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

License: BSD 3-Clause "New" or "Revised" License

Makefile 0.01% Python 11.61% Shell 0.38% CSS 14.89% HTML 0.41% JavaScript 72.69%

cloudmapper's Introduction

CloudMapper

Build Status

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser. It now contains much more functionality.

Demo: https://duo-labs.github.io/cloudmapper/

Intro post: https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool

Post to show usage in spotting misconfigurations: https://duo.com/blog/spotting-misconfigurations-with-cloudmapper

Demo screenshot

Installation

Requirements:

On macOS:

# clone the repo
git clone [email protected]:duo-labs/cloudmapper.git
# Install pre-reqs for pyjq
brew install autoconf automake libtool jq awscli python3
cd cloudmapper/
pipenv install --skip-lock
pipenv shell

On Linux:

# clone the repo
git clone [email protected]:duo-labs/cloudmapper.git
# (AWS Linux, Centos, Fedora, RedHat etc.):
# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter jq awscli
# (Debian, Ubuntu etc.):
# You may additionally need "build-essential"
sudo apt-get install autoconf automake libtool python3-dev python3-tk jq awscli
cd cloudmapper/
pipenv install --skip-lock
pipenv shell

Run with demo data

A small set of demo data is provided. This will display the same environment as the demo site https://duo-labs.github.io/cloudmapper/

python cloudmapper.py prepare --config config.json.demo --account demo
python cloudmapper.py webserver

This will run a local webserver at http://127.0.0.1:8000/

Setup

  1. Configure information about your account.
  2. Collect information about an AWS account.

1. Configure your account

Option 1: Edit config file manually

Copy the config.json.demo to config.json and edit it to include your account ID and name (ex. "prod"), along with any external CIDR names. A CIDR is an IP range such as 1.2.3.4/32 which means only the IP 1.2.3.4.

Option 2: Generate config file

CloudMapper has commands to configure your account:

python cloudmapper.py configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]
python cloudmapper.py configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME

This will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.

2. Collect data about the account

This step uses the CLI to make describe and list calls and records the json in the folder specified by the account name under account-data.

AWS Privileges required

You must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect. I recommend using aws-vault. CloudMapper will collect IAM information, which means you MUST use MFA. Only the collect step requires AWS access.

You must have the following privileges (these grant various read access of metadata):

  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

And also:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "apigateway:GET",
                "ec2:DescribeLaunchTemplates",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "events:DescribeRule",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListIPSets",
                "guardduty:ListInvitations",
                "guardduty:ListMembers",
                "guardduty:ListThreatIntelSets",
                "iam:GetSSHPublicKey",
                "inspector:DescribeAssessmentRuns",
                "inspector:DescribeAssessmentTargets",
                "inspector:DescribeAssessmentTemplates",
                "inspector:DescribeCrossAccountAccessRole",
                "inspector:DescribeFindings",
                "inspector:DescribeResourceGroups",
                "inspector:DescribeRulesPackages",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "lambda:GetFunctionConfiguration",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "opsworks:DescribeStacks",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeHandshake",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "shield:DescribeAttack",
                "shield:DescribeProtection",
                "shield:DescribeSubscription",
                "sso:DescribePermissionsPolicies",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListDirectoryAssociations",
                "sso:ListPermissionSets",
                "sso:ListProfileAssociations",
                "sso:ListProfiles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Collect the data

Collecting the data is done as follows:

python cloudmapper.py collect --account my_account

Commands

  • api_endpoints: List the URLs that can be called via API Gateway.
  • audit: Check for potential misconfigurations.
  • collect: Collect metadata about an account. More details here.
  • find_admins: Look at IAM policies to identify admin users and roles and spot potential IAM issues. More details here.
  • prepare/webserver: See Network Visualizations
  • public: Find public hosts and port ranges. More details here.
  • sg_ips: Get geoip info on CIDRs trusted in Security Groups. More details here.
  • stats: Show counts of resources for accounts. More details here.
  • wot: Show Web Of Trust. More details here.

Licenses

cloudmapper's People

Contributors

0xdabbad00 avatar alanquillin avatar almogcohen avatar asloan7 avatar dimitris-t avatar eraac avatar fernandomiguel avatar heikkivertasc avatar joeykrim avatar julesdt avatar kevingimbel avatar kylelady avatar laurrentt avatar myoung34 avatar paralax avatar paweldefee avatar rderewianko avatar sethmccombs avatar strml avatar takuma-watanabe avatar tsaxon13 avatar williambherman avatar xerebz avatar yannvanhalewyn avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.