Continuous Auditing With CloudMapper
In early 2018, Duo open-sourced CloudMapper for visualizing AWS network environments. The tool collected a large amount of metadata from accounts to accomplish this, and made it easy to both collect additional metadata and work with the data that had been collected. Having that local copy of metadata turned out to be very useful, because multiple use cases could benefit from it without having to worry about each one being rate-limited or experiencing other problems in collection.
Within a few months, CloudMapper became more than a single-purpose tool and instead became a platform: a Swiss Army knife for all sorts of needs security teams have when auditing or understanding AWS environments. New commands were added to give counts of the resources in an account; list the publicly accessible EC2 instances and other network resources; generate a diagram of the trust relationships between accounts; identify the IAM users and roles with admin privileges in the account; and more.
One of the commands added to CloudMapper was the ability to perform a one-time audit for security concerns of multiple AWS accounts based on the data that had been collected. This included things like public S3 buckets, IAM roles with admin privileges that could be granted to EC2 instances, and more. There were existing tools like Prowler and ScoutSuite already available, but again, having this functionality built into CloudMapper meant it could leverage the local copy of the metadata that CloudMapper had already collected. This capability expanded over time, with over 50 types of checks currently performed, and the ability to generate an HTML report from this audit was eventually added.
See a demo report here.
The Need for Making CloudMapper a Continuous Monitoring Solution
Duo monitors its AWS environment in real time using CloudWatch Events and CloudTrail logs, but CloudMapper had some additional detection capabilities that we wanted to benefit from on a more regular basis than whenever someone took the time to run CloudMapper manually. We also wanted to ensure, as part of a defense-in-depth strategy, that if the real-time monitoring system experienced any issues, another solution would still be alerting us to problems. There were already other open-source solutions, and a multitude of vendors, focused on this problem, but after considering the options, we decided that making CloudMapper run regularly would best fulfill our interests.
One primary consideration was the barrier to entry for many of these tools. Although Duo has a strong team of developers to set up any tool and the security budget to run them, one of our goals is to democratize security, and we knew we could convert CloudMapper into a tool that is easy to install and extremely affordable to run, giving everyone the ability to regularly scan their environments and receive alerts.
We also needed a solution that was both being actively maintained with new detections (which CloudMapper has kept up with) and was using a different set of techniques than our real-time monitoring. There are reasons to avoid polling AWS environments like CloudMapper does (namely that in large environments it can be very slow), but for our use case, and for our need to have a separate defense-in-depth strategy, this was actually preferred.
How It Works
You create an S3 bucket and then edit and copy some configuration files into it. When the CDK app is deployed, it creates a Docker container that runs CloudMapper nightly via Fargate. CloudMapper collects data from all of the accounts you configured it for, then performs an audit over that data. Any issues found are sent to a Slack channel. A report is then generated and saved to the S3 bucket along with all of the metadata that was collected. Be careful to secure access to this S3 bucket: it contains not only the report of security issues with the accounts, but also the collected metadata and the config files.
A sample screenshot of the issues sent to a Slack channel is shown below.
By running nightly via Fargate for only as long as it takes to collect account data and audit it, the solution should cost less than $1 per month for most environments.
If any errors are encountered, whether in collection or elsewhere, a message is sent to an SNS topic, which can then email you.
All these features of the architecture are shown below.
With any security auditing solution for AWS, you'll quickly find there are detected issues that you don't care about. The finding may be informational only, you may have deliberately chosen a different strategy than the tool assumes, or there may be some other reason you need to make an exception, either for an entire finding category or for specific resources. This solution makes it possible to define these exceptions.
The ability to define exceptions is important because this solution has no memory of which issues it previously alerted on. When a problem is found, the same alert is generated every night until the issue is either fixed or an exception is configured.
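The exception logic described above, as an added example that is not CloudMapper's own code: the finding records and the exception config format are constructed for illustration (CloudMapper's real configuration keys are not assumed), and the simulation shows why a stateless nightly run re-alerts on unfixed, unexcepted findings.

```python
from fnmatch import fnmatch

# Constructed sample findings shaped like one night's audit output:
# category, account, and the resource the finding applies to.
NIGHT_1 = [
    {"finding": "S3_PUBLIC_POLICY", "account": "111111111111",
     "resource": "arn:aws:s3:::public-website-assets"},
    {"finding": "S3_PUBLIC_POLICY", "account": "111111111111",
     "resource": "arn:aws:s3:::customer-exports"},
    {"finding": "IAM_ROLE_ADMIN", "account": "222222222222",
     "resource": "arn:aws:iam::222222222222:role/OrganizationAccountAccessRole"},
    {"finding": "EC2_PUBLIC_IP", "account": "222222222222",
     "resource": "i-0123456789abcdef0"},
]

# Constructed exceptions config (not CloudMapper's own format): a category can
# be disabled entirely, or specific resources within it ignored by glob pattern.
EXCEPTIONS = {
    "EC2_PUBLIC_IP": {"enabled": False},
    "S3_PUBLIC_POLICY": {"ignore_resources": ["arn:aws:s3:::public-website-*"]},
}


def is_excepted(finding, exceptions):
    """True if the finding is covered by a category-wide or resource-level exception."""
    rule = exceptions.get(finding["finding"])
    if rule is None:
        return False
    if rule.get("enabled") is False:
        return True
    patterns = rule.get("ignore_resources", [])
    return any(fnmatch(finding["resource"], pat) for pat in patterns)


def alerts_for_night(findings, exceptions):
    """Findings that reach Slack: everything the audit found minus the exceptions."""
    return [f for f in findings if not is_excepted(f, exceptions)]


def simulate_nights(nightly_findings, exceptions):
    """Alert count per night. No state is kept between nights, so an unfixed
    and unexcepted issue produces the same alert every night."""
    return [len(alerts_for_night(f, exceptions)) for f in nightly_findings]


if __name__ == "__main__":
    # Night 2 is identical to night 1 (nothing fixed); on night 3 the admin role
    # finding has been remediated and so is absent from the collected data.
    nights = [NIGHT_1, NIGHT_1, [f for f in NIGHT_1 if f["finding"] != "IAM_ROLE_ADMIN"]]
    print(simulate_nights(nights, EXCEPTIONS))  # [2, 2, 1]
```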
CloudMapper continues to be actively developed, with contributions so far from 45 people who aren't Duo employees. It has become one of the most popular open-source AWS security projects. We believe CloudMapper as a continuous monitoring solution can serve as the initial security auditing solution for individuals and small companies, or act as a second layer of defense for more mature enterprises.
Try it out today at https://github.com/duo-labs/cloudmapper.