Visibility & Enforcement

Visibility¶

Tool	Description
AWS Resource Explorer	Search through the AWS resources in your account across Regions using metadata such as names, tags, and ID
cartography	Python tool that consolidates infrastructure assets and the relationships between them in a graph view powered by a Neo4j database (AWS/GCP) Additional Blog Posts: Marco Lancini Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography Marco Lancini Tracking Moving Clouds: How to continuously track cloud assets with Cartography Marco Lancini Automating Cartography Deployments on Kubernetes: automated process to get Neo4J and Cartography up and running in a Kubernetes cluster, using HashiCorp Vault as a secrets management engine and Elasticsearch as a SIEM Cartography: using graphs to improve and scale security decision-making
CloudMapper	Analyze AWS environments by creating network diagrams Permissions: `ViewOnlyAccess`, `SecurityAudit` Configuration: copy the `config.json.demo` to `config.json` edit it to include your account ID and name (ex. "prod"), along with any external CIDR names Usage: `// Collect data & show network diagram` `$ python cloudmapper.py collect --account my_account` `$ python cloudmapper.py prepare --account my_account` `$ python cloudmapper.py webserver` `// Find public APIs/hosts/port ranges` `$ python cloudmapper.py api_endpoints` `$ python cloudmapper.py public` `// Audit (check for potential misconfigurations)` `$ python cloudmapper.py audit` `$ python cloudmapper.py find_admins` `// Web Of Trust: identifies the AWS accounts trusted by a set of AWS accounts` `$ python cloudmapper.py wot --account all` `// Show resource usage` `$ python cloudmapper.py report`
starbase	Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by a Neo4j database You can also refer to the companion blog post

Enforcement¶

Tool	Description
Cloud Custodian	Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management
Cloud Inquisitor	Monitor AWS objects for ownership attribution, notifying account owners of unowned objects, and subsequently removing unowned AWS objects if ownership is not resolved Detect domain hijacking Verify security services such as Cloudtrail and VPC Flowlogs Managing IAM policies across multiple accounts
Dow Jones Hammer	Multi-account cloud security tool for AWS Identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts It has near real-time reporting capabilities (e.g. JIRA, Slack) Can perform auto-remediation of some misconfigurations
AWS Auto Remediate	Instantly remediate common security issues through the use of AWS Config
Cloudkeeper	Standalone CLI tool that periodically collects a list of resources in cloud accounts (AWS, GCP, Azure), provides metrics about them, and can clean them up
metabadger	A tool to help prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2)