Architecture diagrams are an essential component of a successful security program. Diagrams enable communication, provide a baseline for system validation, and are an indispensable tool for risk assessments.
Diagrams must be updated at minimum once a year and at every architectural change. Equally important, you should verify that your system matches your architecture design. Today, I will complete this task with CloudMapper. CloudMapper is an open source tool from the team at Duo Labs that maps and analyzes AWS configurations.
I built a simple application in AWS using Terraform for this demo. The app includes an application load balancer, an autoscaling group of web servers behind a load balancer, and worker servers behind the scenes. There is also a Jump host that provides access from the corporate VPN. Our architecture diagram specifies the layout.
Once I built the environment in AWS, I ran the CloudMapper network tool to analyze my build. Fear not, we have all of the CloudMapper specifics at the end of the article!
Loading the CloudMapper network map (Figure 2) and comparing it to Figure 1 made it clear that there were a few issues.
The issues we found:
The web servers were directly accessible from the internet. These were meant to only be available via the load balancers.
SSH is directly accessible via the VPN for all servers. SSH needs to be accessible via the Jump host only per our security policy.
To fix the web server access, I adjusted Terraform to include a separate Security Group for the load balancers and web servers.
To repair SSH access, I edited the Terraform config to ensure each security group only provides port 22 access from the jump host's security group. Once the config changes were coded, terraform apply was run to update the environment.
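As an added illustration (not the article's own Terraform), this is the corrected security-group layout the two fixes produce: HTTP reaches the web tier only through the load balancer's group, and SSH reaches it only from the jump host's group. The names aws_vpc.main and var.vpn_cidr are assumed, and egress rules are left out.

```hcl
# Added example, not the demo's original code. Assumed: aws_vpc.main, var.vpn_cidr.
# Egress rules are omitted; declare the ones your application needs.

resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id

  # The load balancer is the only tier that accepts HTTP from the internet.
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "jump" {
  name   = "jump-sg"
  vpc_id = aws_vpc.main.id

  # SSH to the jump host is allowed only from the corporate VPN range.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.vpn_cidr]
  }
}

resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  # Before the fix this rule used cidr_blocks = ["0.0.0.0/0"], which is what
  # made the web servers directly reachable from the internet (Figure 2).
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Before the fix SSH was open to the VPN CIDR; per policy only the jump
  # host's security group may reach port 22. Apply the same rule to workers.
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.jump.id]
  }
}
```

Re-running the CloudMapper collect and prepare steps after terraform apply is the check that the map now agrees with the diagram.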
It was time to re-run CloudMapper and generate a new network map, as seen in Figure 3.
A review of the updated network map shows that the architecture matches our initial diagram and instills confidence that our system is built to spec!
Do you want to get started with CloudMapper? It's easy. Follow our steps below.
1. I installed a fresh copy of Ubuntu 18.04 Desktop on a VM for this demo.
2. Install all of the latest security updates.
sudo apt update
sudo apt upgrade
3. Create a read-only AWS IAM account for use by CloudMapper. The IAM user will require two AWS policies.
4. Generate user access keys for the IAM user.
5. On the Ubuntu box, create the .aws folder.
6. Place the credentials in an AWS credentials file.
7. Install all the packages that we will need for this project.
sudo apt install git autoconf automake libtool python3.7-dev python3-tk jq awscli python3-pip
8. Grab the latest version of CloudMapper from git.
9. Install pipenv
pip3 install --user pipenv
10. For this demo, I was not using a login shell. As a result, I needed to add the local bin to the path in .bashrc. I did this by appending the config below to ~/.bashrc
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
11. We're now ready to install the CloudMapper Python requirements.
cd cloudmapper/; pipenv install --skip-lock
12. Let's load the pipenv shell.
pipenv shell
13. Copy the config file and edit as required. For our demo we added our VPN IP.
cp config.json.demo config.json
14. It is time to let CloudMapper loose to grab your data from AWS. Note that this will take a while. Once you kick off the command, you can go grab some coffee or take some time reviewing our services :)
python cloudmapper.py collect --account msj_demo
15. It's now time to build the map!
python cloudmapper.py prepare --account msj_demo
16. I also recommend generating the audit report.
python cloudmapper.py report --account msj_demo
17. Fire up the web server.
python cloudmapper.py webserver
18. View the map in your web browser by visiting http://127.0.0.1:8000.
19. View the audit report by visiting http://127.0.0.1:8000/account-data/report.
Thanks for following along! What tools do you love for auditing your AWS account?