Visibility & Enforcement

Visibility

cartography
  • Python tool that consolidates infrastructure assets and the relationships between them into a graph view backed by a Neo4j database (AWS/GCP)
CloudMapper
  • Analyze AWS environments by creating network diagrams
  • Required IAM permissions: the ReadOnlyAccess and SecurityAudit managed policies
  • Configuration:
    • copy config.json.demo to config.json
    • edit it to include your account ID and name (e.g. "prod"), along with names for any external CIDRs
  • Usage:
    • // Collect data & show network diagram
      $ python cloudmapper.py collect --account my_account
      $ python cloudmapper.py prepare --account my_account
      $ python cloudmapper.py webserver
    • // Find public APIs/hosts/port ranges
      $ python cloudmapper.py api_endpoints
      $ python cloudmapper.py public
    • // Audit (check for potential misconfigurations)
      $ python cloudmapper.py audit
      $ python cloudmapper.py find_admins
    • // Web of trust: identifies the AWS accounts trusted by a set of AWS accounts
      $ python cloudmapper.py wot --account all
    • // Show resource usage
      $ python cloudmapper.py report

Enforcement

Cloud Custodian
  • Rules engine for cloud security, cost optimization, and governance; policies are written in a YAML DSL that queries, filters, and takes actions on resources
  • Cloud Custodian can be used to manage AWS, Azure, and GCP environments by enforcing real-time compliance with security policies (such as encryption and access requirements) and tag policies, and by managing cost through garbage collection of unused resources and off-hours resource management
Cloud Inquisitor
  • Monitors AWS objects for ownership attribution, notifies account owners of unowned objects, and subsequently removes unowned AWS objects if ownership is not resolved
  • Detects domain hijacking
  • Verifies that security services such as CloudTrail and VPC Flow Logs are enabled
  • Manages IAM policies across multiple accounts
Dow Jones Hammer
  • Multi-account cloud security tool for AWS
  • Identifies misconfigurations and insecure data exposures within the most popular AWS resources, across all regions and accounts
  • It has near real-time reporting capabilities (e.g. JIRA, Slack)
  • Can perform auto-remediation of some misconfigurations
AWS Auto Remediate
  • Instantly remediates common security issues through the use of AWS Config
Cloudkeeper
  • Standalone CLI tool that periodically collects a list of resources in cloud accounts (AWS, GCP, Azure), provides metrics about them, and can clean them up