CloudMapper
- - Overview
  - Prerequisites
  - Install
  - Run
  - Extras

CloudMapper

https://github.com/duo-labs/cloudmapper
https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool

Linux, CloudMapper, AWS

Overview

Prerequisites

Create IAM Policy
Create IAM Role
Create Security Group
Instantiate instance with IAM role and Security Group

Install

Clone git repo
Install software requirements
Install pipenv
Install python requirements with pipenv
Create configuration file

Run

Enter virtualenv subshell with pipenv
collect data
prepare network visualization
Launch web server to view data

Extras

Host visualization data with apache
Create script that could be used in crontab

Prerequisites

IAM Policy

Use IAM to create an IAM policy for CloudMapper with the following permissions.

cloudmapper.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "apigateway:GET",
                "ec2:DescribeLaunchTemplates",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "events:DescribeRule",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListIPSets",
                "guardduty:ListInvitations",
                "guardduty:ListMembers",
                "guardduty:ListThreatIntelSets",
                "iam:GetSSHPublicKey",
                "inspector:DescribeAssessmentRuns",
                "inspector:DescribeAssessmentTargets",
                "inspector:DescribeAssessmentTemplates",
                "inspector:DescribeCrossAccountAccessRole",
                "inspector:DescribeFindings",
                "inspector:DescribeResourceGroups",
                "inspector:DescribeRulesPackages",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "lambda:GetFunctionConfiguration",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "opsworks:DescribeStacks",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeHandshake",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "shield:DescribeAttack",
                "shield:DescribeProtection",
                "shield:DescribeSubscription",
                "sso:DescribePermissionsPolicies",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListDirectoryAssociations",
                "sso:ListPermissionSets",
                "sso:ListProfileAssociations",
                "sso:ListProfiles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

IAM Role

Use IAM to create an IAM role for AWS service EC2. Attach the following permissions;

CloudMapper policy that you created
```
arn:aws:iam::aws:policy/SecurityAudit
```

arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Security Group

Create a Security Group that allows the following ports for the following functions.

Protocol	Port	Function
TCP	22	SSH remote administration
TCP	8000	Web server

Instantiate Instance

Launch an instance and assign the IAM role that you created earlier. I tested with t3.micro instances running Amazon Linux 2 and Ubuntu 18.04 LTS.

Install

SSH to instance that you launched.
Install git if using Amazon Linux 2

$ sudo yum -y install git

clone the git repo.

$ git clone https://github.com/duo-labs/cloudmapper.git

Update apt-get if using Ubuntu

$ sudo apt-get update

Install package dependencies

$ sudo yum install autoconf automake libtool python3-devel python3-tkinter jq awscli # Amazon Linux 2
$ sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli python3-pip # Ubuntu 18.04 LTS

Install pip env

$ sudo pip3.7 install pipenv --user # Amazon Linux 2
$ pip3 install pipenv # Ubuntu 18.04 LTS

Install CloudMapper python requirements via pipenv

$ pipenv install --skip-lock

Enter virtualenv subshell

$ pipenv shell

Create config file

$ python3.7 cloudmapper.py configure add-account --config-file youracct-config.json --name youracct --id 123456789012 --default true
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.1.0.0/16 --name youracct
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.2.0.0/16 --name yourprod

Run

If you exited, re-enter virtualenv subshell

$ cd cloudmapper
$ pipenv shell

Collect data on your account

$ python3.7 cloudmapper.py collect --config youracct-config.json --account youracct

Prepare your collected data for network view

$ python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct

Start web server to view prepared network data

$ python3.7 cloudmapper.py webserver --public

Extras

Apache

Install apache, configure to start on boot, and start. This is for Amazon Linux 2.

$ sudo yum -y install httpd
$ sudo systemctl enable httpd
$ sudo systemctl start httpd

Copy web data to apache hosting. This is for Amazon Linux 2.

$ cd ~/cloudmapper
$ sudo cp -r web /var/www/html/youracct

Now you can view your visualization data at any time and refresh it by running; collect, prepare, and copy again.

Crontab

Script that could be used in crontab to automate. This has not been tested yet.

cloudmapper.sh

#!/bin/bash
PATH=~/.local/bin/pipenv:$PATH
cd ~/cloudmapper
rm -rf account-data/youracct # Data doesn't seem to update and you have to clear old data
pipenv run python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
pipenv run python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
sudo rm -rf /var/www/html/youracct/ # Data doesn't seem to update and you have to clear old data
sudo cp -r web /var/www/html/youracct # You will have to have sudo without passwords or chown the directory

Table of Contents

CloudMapper

Overview

Prerequisites

Install

Run

Extras

Prerequisites

IAM Policy

IAM Role

Security Group

Instantiate Instance

Install

Run

Extras

Apache

Crontab