Nerdy Drunk

Drunk on technology


CloudMapper

Overview

Prerequisites
  • Create IAM Policy
  • Create IAM Role
  • Create Security Group
  • Instantiate instance with IAM role and Security Group
Install
  • Clone git repo
  • Install software requirements
  • Install pipenv
  • Install python requirements with pipenv
  • Create configuration file
Run
  • Enter virtualenv subshell with pipenv
  • Collect data
  • Prepare network visualization
  • Launch web server to view data
Extras
  • Host visualization data with apache
  • Create script that could be used in crontab

Prerequisites

IAM Policy

Use IAM to create an IAM policy for CloudMapper with the following permissions.

cloudmapper.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "apigateway:GET",
                "ec2:DescribeLaunchTemplates",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "events:DescribeRule",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListIPSets",
                "guardduty:ListInvitations",
                "guardduty:ListMembers",
                "guardduty:ListThreatIntelSets",
                "iam:GetSSHPublicKey",
                "inspector:DescribeAssessmentRuns",
                "inspector:DescribeAssessmentTargets",
                "inspector:DescribeAssessmentTemplates",
                "inspector:DescribeCrossAccountAccessRole",
                "inspector:DescribeFindings",
                "inspector:DescribeResourceGroups",
                "inspector:DescribeRulesPackages",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "lambda:GetFunctionConfiguration",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "opsworks:DescribeStacks",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeHandshake",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "shield:DescribeAttack",
                "shield:DescribeProtection",
                "shield:DescribeSubscription",
                "sso:DescribePermissionsPolicies",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListDirectoryAssociations",
                "sso:ListPermissionSets",
                "sso:ListProfileAssociations",
                "sso:ListProfiles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
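
The policy above is meant to be read-only, which is what makes it safe to attach to a collector instance. The following script is an added example (not part of this page or of the CloudMapper project) that lints a policy document for that property: every Allow action must use a read-only verb (Describe, List, Get) and no wildcard, and NotAction grants are flagged outright. The policy is embedded as a constructed copy of cloudmapper.json so the check runs offline; `lint_policy_file` applies the same check to a file on disk.

```python
import json
import re

# Constructed copy of the cloudmapper.json policy above, kept inline so the
# check runs offline; the actions are identical, just packed several per line.
CLOUDMAPPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "acm:DescribeCertificate", "apigateway:GET", "ec2:DescribeLaunchTemplates",
            "eks:DescribeCluster", "eks:ListClusters",
            "elasticfilesystem:DescribeMountTargetSecurityGroups",
            "elasticfilesystem:DescribeMountTargets",
            "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeSecurityConfiguration",
            "events:DescribeRule", "fms:ListComplianceStatus", "fms:ListPolicies",
            "guardduty:ListDetectors", "guardduty:ListFindings", "guardduty:ListIPSets",
            "guardduty:ListInvitations", "guardduty:ListMembers", "guardduty:ListThreatIntelSets",
            "iam:GetSSHPublicKey",
            "inspector:DescribeAssessmentRuns", "inspector:DescribeAssessmentTargets",
            "inspector:DescribeAssessmentTemplates", "inspector:DescribeCrossAccountAccessRole",
            "inspector:DescribeFindings", "inspector:DescribeResourceGroups",
            "inspector:DescribeRulesPackages",
            "iot:DescribeAuthorizer", "iot:DescribeCACertificate", "iot:DescribeCertificate",
            "iot:DescribeDefaultAuthorizer", "iot:GetPolicy", "iot:GetPolicyVersion",
            "lambda:GetFunctionConfiguration",
            "lightsail:GetInstances", "lightsail:GetLoadBalancers",
            "opsworks:DescribeStacks",
            "organizations:DescribeAccount", "organizations:DescribeCreateAccountStatus",
            "organizations:DescribeHandshake", "organizations:DescribeOrganization",
            "organizations:DescribeOrganizationalUnit", "organizations:DescribePolicy",
            "organizations:ListAWSServiceAccessForOrganization",
            "shield:DescribeAttack", "shield:DescribeProtection", "shield:DescribeSubscription",
            "sso:DescribePermissionsPolicies", "sso:ListApplicationInstanceCertificates",
            "sso:ListApplicationInstances", "sso:ListApplicationTemplates",
            "sso:ListApplications", "sso:ListDirectoryAssociations",
            "sso:ListPermissionSets", "sso:ListProfileAssociations", "sso:ListProfiles",
        ],
    }],
}

# Verbs that only read state. Anything else, including wildcards and
# NotAction statements, is treated as a potential write and flagged.
READ_ONLY_VERB = re.compile(r"^(Describe|List|Get|GET)[A-Za-z]*$")


def classify_actions(policy):
    """Split the Allow actions of an IAM policy into (read_only, flagged) lists."""
    read_only, flagged = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # grants everything except the listed actions
            flagged.append("NotAction:" + json.dumps(stmt["NotAction"]))
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string here
            actions = [actions]
        for action in actions:
            service, _, verb = action.partition(":")
            if service and "*" not in action and READ_ONLY_VERB.match(verb):
                read_only.append(action)
            else:
                flagged.append(action)
    return read_only, flagged


def is_read_only(policy):
    """True when every Allow action uses a read-only verb and no wildcards."""
    return not classify_actions(policy)[1]


def services_covered(policy):
    """Sorted list of service prefixes the read-only actions touch."""
    return sorted({a.split(":", 1)[0] for a in classify_actions(policy)[0]})


def lint_policy_file(path):
    """Lint a policy document on disk (e.g. cloudmapper.json) and return a report."""
    with open(path, encoding="utf-8") as fh:
        policy = json.load(fh)
    read_only, flagged = classify_actions(policy)
    return {"read_only": len(read_only), "flagged": flagged,
            "services": services_covered(policy)}


if __name__ == "__main__":
    print("cloudmapper.json read-only:", is_read_only(CLOUDMAPPER_POLICY),
          "| actions:", len(classify_actions(CLOUDMAPPER_POLICY)[0]),
          "| services:", ", ".join(services_covered(CLOUDMAPPER_POLICY)))
```

The verb check is a heuristic for mutability, not for sensitivity: an action such as iam:GetSSHPublicKey passes as read-only yet still returns data worth protecting, which is why the role also goes only on the collector instance and nowhere else.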
IAM Role

Use IAM to create an IAM role with EC2 as the trusted AWS service. Attach the following permissions:

  • CloudMapper policy that you created
  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
Security Group

Create a Security Group that allows the following ports for the following functions. Limit the source of both rules to your administrative IP range rather than 0.0.0.0/0: the CloudMapper web server on port 8000 serves the collected account data without any authentication.

Protocol  Port  Function
TCP       22    SSH remote administration
TCP       8000  Web server
Instantiate Instance

Launch an instance and assign the IAM role that you created earlier. I tested with t3.micro instances running Amazon Linux 2 and Ubuntu 18.04 LTS.


Install

  • SSH to the instance that you launched.
  • Install git if using Amazon Linux 2
$ sudo yum -y install git
  • Clone the git repo.
$ git clone https://github.com/duo-labs/cloudmapper.git
  • Update the apt package index if using Ubuntu
$ sudo apt-get update
  • Install package dependencies
$ sudo yum install autoconf automake libtool python3-devel python3-tkinter jq awscli # Amazon Linux 2
$ sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli python3-pip # Ubuntu 18.04 LTS
  • Install pipenv (a --user install lands in ~/.local/bin, so make sure that directory is on your PATH)
$ sudo pip3.7 install pipenv --user # Amazon Linux 2
$ pip3 install pipenv # Ubuntu 18.04 LTS
  • Install CloudMapper python requirements via pipenv, from inside the cloned repo (pipenv reads the Pipfile there)
$ cd cloudmapper
$ pipenv install --skip-lock
  • Enter virtualenv subshell
$ pipenv shell
  • Create config file (replace 123456789012 with your AWS account ID; the CIDR entries give known networks a label in the visualization)
$ python3.7 cloudmapper.py configure add-account --config-file youracct-config.json --name youracct --id 123456789012 --default true
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.1.0.0/16 --name youracct
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.2.0.0/16 --name yourprod
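
A malformed config file (a mistyped account ID, a CIDR with host bits set, two overlapping named networks) only surfaces later as a confusing collect or prepare failure. The following script is an added example, not part of this page or of the CloudMapper project, that pre-flights youracct-config.json before the Run steps. The sample config is constructed from the commands above, and its layout (an "accounts" list plus a "cidrs" map) is my reading of the project's config.json.demo, so treat that layout as an assumption.

```python
import ipaddress
import json

# Constructed sample in the layout that `configure add-account` / `add-cidr`
# appear to write (assumption: an "accounts" list plus a "cidrs" map). The
# values mirror the commands on this page.
SAMPLE_CONFIG = """{
  "accounts": [{"id": "123456789012", "name": "youracct", "default": true}],
  "cidrs": {
    "10.1.0.0/16": {"name": "youracct"},
    "10.2.0.0/16": {"name": "yourprod"}
  }
}"""


def validate_config(text):
    """Return a list of problems found in a CloudMapper config document (empty when OK)."""
    problems = []
    cfg = json.loads(text)

    accounts = cfg.get("accounts") or []
    if not accounts:
        problems.append("no accounts defined")
    seen_names = set()
    for acct in accounts:
        acct_id = str(acct.get("id", ""))
        if not (acct_id.isdigit() and len(acct_id) == 12):
            problems.append(f"account id {acct_id!r} is not a 12-digit AWS account ID")
        name = acct.get("name")
        if not name:
            problems.append(f"account {acct_id} has no name")
        elif name in seen_names:
            problems.append(f"account name {name!r} is used twice")
        seen_names.add(name)
    if sum(1 for a in accounts if a.get("default") is True) > 1:
        problems.append("more than one account is marked default")

    networks = []
    for cidr, meta in (cfg.get("cidrs") or {}).items():
        try:
            # strict=True rejects host bits set, e.g. 10.1.1.0/16
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"cidr {cidr!r} is not a valid network")
            continue
        if not (meta or {}).get("name"):
            problems.append(f"cidr {cidr} has no name")
        for other, other_net in networks:
            if net.overlaps(other_net):
                problems.append(f"cidr {cidr} overlaps {other}")
        networks.append((cidr, net))
    return problems


def check_config_file(path):
    """Validate a config file on disk, e.g. check_config_file('youracct-config.json')."""
    with open(path, encoding="utf-8") as fh:
        return validate_config(fh.read())


if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG) or "config OK")
```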

Run

  • If you exited, re-enter virtualenv subshell
$ cd cloudmapper
$ pipenv shell
  • Collect data on your account
$ python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
  • Prepare your collected data for network view
$ python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
  • Start web server to view prepared network data (--public listens on all interfaces instead of localhost only, so the Security Group rule for port 8000 is what limits who can reach it)
$ python3.7 cloudmapper.py webserver --public

Extras

Apache
  • Install apache, configure to start on boot, and start. This is for Amazon Linux 2. Apache serves the copied data on TCP 80 rather than 8000, so your Security Group must also allow that port (again, from your administrative range only).
$ sudo yum -y install httpd
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
  • Copy web data to apache hosting. This is for Amazon Linux 2.
$ cd ~/cloudmapper
$ sudo cp -r web /var/www/html/youracct
  • Now you can view your visualization data at any time, and refresh it by running collect, prepare, and the copy again.
Crontab
  • Script that could be used in crontab to automate. This has not been tested yet.
cloudmapper.sh
#!/bin/bash
# Stop at the first failing command so a failed collect or prepare does not
# wipe the copy that Apache is serving.
set -e
# pipenv was installed with --user, so its directory (not the binary itself) goes on PATH
PATH=~/.local/bin:$PATH
cd ~/cloudmapper
rm -rf account-data/youracct # Data doesn't seem to update and you have to clear old data
pipenv run python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
pipenv run python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
sudo rm -rf /var/www/html/youracct/ # Data doesn't seem to update and you have to clear old data
sudo cp -r web /var/www/html/youracct # You will have to have sudo without passwords or chown the directory
linux/cloudmapper.txt · Last modified: 2022/07/21 10:41 by 127.0.0.1