duo-labs/cloudmapper duo-labs/cloudmapper

  • Stars
    star
    5,990
  • Rank 6,734 (Top 0.2 %)
  • Language
    JavaScript
  • License
    BSD 3-Clause "New...
  • Created almost 7 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
duo-labs/cloudmapper
github

duo-labs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

CloudMapper

Note the Network Visualization functionality (command prepare) is no longer maintained.

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser (functionality no longer maintained). It now contains much more functionality, including auditing for security issues.

Commands

  • audit: Check for potential misconfigurations.
  • collect: Collect metadata about an account. More details here.
  • find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges. More details here.
  • find_unused: Look for unused resources in the account. Finds unused Security Groups, Elastic IPs, network interfaces, volumes and elastic load balancers.
  • prepare/webserver: See Network Visualizations
  • public: Find public hosts and port ranges. More details here.
  • sg_ips: Get geoip info on CIDRs trusted in Security Groups. More details here.
  • stats: Show counts of resources for accounts. More details here.
  • weboftrust: Show Web Of Trust. More details here.
  • report: Generate HTML report. Includes summary of the accounts and audit findings. More details here.
  • iam_report: Generate HTML report for the IAM information of an account. More details here.

If you want to add your own private commands, you can create a private_commands directory and add them there.

Screenshots

Ideal layout

Report screenshot Findings summary
Findings IAM report
Command-line audit Command-line public command

Installation

Requirements:

On macOS:

# clone the repo
git clone https://github.com/duo-labs/cloudmapper.git
# Install pre-reqs for pyjq
brew install autoconf automake awscli freetype jq libtool python3
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install --prefer-binary -r requirements.txt

On Linux:

# clone the repo
git clone https://github.com/duo-labs/cloudmapper.git
# (AWS Linux, Centos, Fedora, RedHat etc.):
# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
# (Debian, Ubuntu etc.):
# You may additionally need "build-essential"
sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install -r requirements.txt

Run with demo data

A small set of demo data is provided. This will display the same environment as the demo site https://duo-labs.github.io/cloudmapper/

# Generate the data for the network map
python cloudmapper.py prepare --config config.json.demo --account demo
# Generate a report
python cloudmapper.py report --config config.json.demo --account demo
python cloudmapper.py webserver

This will run a local webserver at http://127.0.0.1:8000/ View the network map from that link, or view the report at http://127.0.0.1:8000/account-data/report.html

Setup

  1. Configure information about your account.
  2. Collect information about an AWS account.

1. Configure your account

Copy the config.json.demo to config.json and edit it to include your account ID and name (ex. "prod"), along with any external CIDR names. A CIDR is an IP range such as 1.2.3.4/32 which means only the IP 1.2.3.4.

2. Collect data about the account

This step uses the CLI to make describe and list calls and records the json in the folder specified by the account name under account-data.

AWS Privileges required

You must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect. I recommend using aws-vault. CloudMapper will collect IAM information, which means you MUST use MFA. Only the collect step requires AWS access.

You must have the following privileges (these grant various read access of metadata):

  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Collect the data

Collecting the data is done as follows:

python cloudmapper.py collect --account my_account

Analyze the data

From here, try running the different commands, such as:

python cloudmapper.py report --account my_account
python cloudmapper.py webserver

Then view the report in your browser at 127.0.0.1:8000/account-data/report.html

Further configuration

Generating a config file

Instead of modifying config.json directly, there is a command to configure the data there, in case that is needed:

python cloudmapper.py configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]
python cloudmapper.py configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME

This will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.

If you use AWS Organizations, you can also automatically add organization member accounts to config.json using:

python cloudmapper.py configure discover-organization-accounts

You need to be authenticated to the AWS CLI and have the permission organization:ListAccounts prior to running this command.

Using audit config overrides

You may find that you don't care about some of audit items. You may want to ignore the check entirely, or just specific resources. Copy config/audit_config_override.yaml.example to config/audit_config_override.yaml and edit the file based on the comments in there.

Using a Docker container

The docker container that is created is meant to be used interactively.

docker build -t cloudmapper .

Cloudmapper needs to make IAM calls and cannot use session credentials for collection, so you cannot use the aws-vault server if you want to collect data, and must pass role credentials in directly or configure aws credentials manually inside the container. The following code exposes your raw credentials inside the container.

(                                                              
    export $(aws-vault exec YOUR_PROFILE --no-session -- env | grep ^AWS | xargs) && \ 
    docker run -ti \
        -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
        -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
        -p 8000:8000 \
        cloudmapper /bin/bash
)

This will drop you into the container. Run aws sts get-caller-identity to confirm this was setup correctly. Cloudmapper demo data is not copied into the docker container so you will need to collect live data from your system. Note docker defaults may limit the memory available to your container. For example on Mac OS the default is 2GB which may not be enough to generate the report on a medium sized account.

python cloudmapper.py configure add-account --config-file config.json --name YOUR_ACCOUNT --id YOUR_ACCOUNT_NUMBER
python cloudmapper.py collect --account YOUR_ACCOUNT
python cloudmapper.py report --account YOUR_ACCOUNT
python cloudmapper.py prepare --account YOUR_ACCOUNT
python cloudmapper.py webserver --public

You should then be able to view the report by visiting http://127.0.0.1:8000/account-data/report.html

Running CloudMapper regularly to audit your environment

A CDK app for deploying CloudMapper via Fargate so that it runs nightly, sends audit findings as alerts to a Slack channel, and generating a report that is saved on S3, is described here.

Alternatives

For network diagrams, you may want to try https://github.com/lyft/cartography or https://github.com/anaynayak/aws-security-viz

For auditing and other AWS security tools see https://github.com/toniblyx/my-arsenal-of-aws-security-tools

Licenses

More Repositories

1

parliament

AWS IAM linting library
Python
1,044
star
2

webauthn

WebAuthn (FIDO2) server library written in Go
Go
1,028
star
3

cloudtracker

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
Python
885
star
4

py_webauthn

Pythonic WebAuthn 🐍
Python
863
star
5

webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.
Python
654
star
6

EFIgy

A small client application that uses the Duo Labs EFIgy API to inform you about the state of your Mac EFI firmware
Python
512
star
7

dlint

Dlint is a tool for encouraging best coding practices and helping ensure we're writing secure Python code.
Python
331
star
8

markdown-to-confluence

Syncs Markdown files to Confluence
Python
307
star
9

isthislegit

Dashboard to collect, analyze, and respond to reported phishing emails.
Python
286
star
10

idapython

A collection of IDAPython modules made with 💚 by Duo Labs
Python
285
star
11

chrome-extension-boilerplate

Boilerplate code for a Chrome extension using TypeScript, React, and Webpack.
TypeScript
209
star
12

secret-bridge

Monitors Github for leaked secrets
Python
189
star
13

apple-t2-xpc

Tools to explore the XPC interface of Apple's T2 chip
Python
160
star
14

twitterbots

The code used in the "Don't @ Me: Hunting Twitter Bots at Scale" Black Hat presentation
Python
151
star
15

cloudtrail-partitioner

Python
150
star
16

phish-collect

Python script to hunt phishing kits
Python
137
star
17

phinn

A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network.
JavaScript
130
star
18

xray

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.
Java
121
star
19

android-webauthn-authenticator

A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.
Java
110
star
20

appsec-education

Presentations, training modules, and other education materials from Duo Security's Application Security team.
JavaScript
71
star
21

mysslstrip

CVE-2015-3152 PoC
Python
43
star
22

EFIgy-GUI

A Mac app that uses the Duo Labs EFIgy API to inform you about the state of your EFI firmware.
Objective-C
40
star
23

lookalike-domains

generate lookalike domains using a few simple techniques (homoglyphs, alt TLDs, prefix/suffix)
Python
31
star
24

apk2java

Automatically decompile APK's using Docker
Dockerfile
23
star
25

journal

The boilerplate for a new Journal site
21
star
26

srtgen

Automatic '.srt' subtitle generator
Python
21
star
27

markflow

Make your Markdown sparkle!
Python
20
star
28

neustar2mmdb

Tool to convert Neustar's GeoPoint data to Maxmind's GeoIP database format for ease of use.
Python
19
star
29

narrow

Low-effort reachability analysis for third-party code vulnerabilities.
Python
19
star
30

datasci-ctf

A capture-the-flag exercise based on data analysis challenges
Jupyter Notebook
16
star
31

duo-blog-going-passwordless-with-py-webauthn

Python
15
star
32

tutorials

Python
15
star
33

sharedsignals

Python tools for using OpenID's Shared Signals Framework (including CAEP)
15
star
34

chain-of-fools

A set of tools that allow researchers to experiment with certificate chain validation issues
Python
13
star
35

journal-cli

The command-line client for Journal
Jupyter Notebook
12
star
36

unmasking_data_leaks

The code from the talk "Unmasking Data Leaks: A Guide to Finding, Fixing, and Prevention" given at BSides SATX 2019.
Python
7
star
37

journal-theme

The Hugo theme that powers Journal
HTML
7
star
38

golang-workshop

Source files for a Golang Workshop
Go
5
star
39

vimes

A local DNS proxy based on CoreDNS.
Python
3
star
40

journal-docs

The documentation for Journal
2
star
41

dlint-plugin-example

An example plugin for dlint
Python
2
star
42

twitterbots-wallpapers

Wallpapers created from the crawlers in our "Don't @ Me" technical research paper
1
star
43

holidayhack-2019

Scripts and artifacts used to solve the 2019 SANS Holiday Hack Challenge
Python
1
star