====== CloudMapper ======
\\
https://github.com/duo-labs/cloudmapper
\\
https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool
{{tag>Linux CloudMapper AWS}}
==== Overview ====
== Prerequisites ==
* Create IAM Policy
* Create IAM Role
* Create Security Group
* Instantiate instance with IAM role and Security Group
== Install ==
* Clone git repo
* Install software requirements
* Install pipenv
* Install python requirements with pipenv
* Create configuration file
== Run ==
* Enter virtualenv subshell with pipenv
* Collect data
* Prepare network visualization
* Launch web server to view data
== Extras ==
* Host visualization data with apache
* Create script that could be used in crontab
----
==== Prerequisites ====
== IAM Policy ==
Use IAM to create an IAM policy for CloudMapper with the following permissions.
<code json>
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "apigateway:GET",
                "ec2:DescribeLaunchTemplates",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "events:DescribeRule",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListIPSets",
                "guardduty:ListInvitations",
                "guardduty:ListMembers",
                "guardduty:ListThreatIntelSets",
                "iam:GetSSHPublicKey",
                "inspector:DescribeAssessmentRuns",
                "inspector:DescribeAssessmentTargets",
                "inspector:DescribeAssessmentTemplates",
                "inspector:DescribeCrossAccountAccessRole",
                "inspector:DescribeFindings",
                "inspector:DescribeResourceGroups",
                "inspector:DescribeRulesPackages",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "lambda:GetFunctionConfiguration",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "opsworks:DescribeStacks",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeHandshake",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "shield:DescribeAttack",
                "shield:DescribeProtection",
                "shield:DescribeSubscription",
                "sso:DescribePermissionsPolicies",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListDirectoryAssociations",
                "sso:ListPermissionSets",
                "sso:ListProfileAssociations",
                "sso:ListProfiles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
</code>
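A least-privilege check for the policy above, added here as an example (not CloudMapper's own code): it parses an IAM policy document and flags any Allow action that is not a Describe/Get/List call (apigateway:GET is accepted), any wildcard, and any NotAction, so you can confirm the collector role stays read-only before attaching it. The read-only verb list and the sample policy are assumptions constructed for the example.

```python
import json

# Verb prefixes AWS uses for read-only API calls; assumption: enough for the
# services in the page's policy, extend it for others. apigateway uses "GET".
READ_ONLY_VERBS = ("Describe", "Get", "List")

# Constructed sample: a few actions from the page's policy, plus one write
# action and one wildcard added on purpose so the checker has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": [
            "acm:DescribeCertificate",
            "apigateway:GET",
            "iam:GetSSHPublicKey",
            "sso:ListProfiles",
            "ec2:AuthorizeSecurityGroupIngress",  # write action (constructed)
            "s3:*",                               # wildcard (constructed)
        ],
        "Resource": "*",
        "Effect": "Allow",
    }],
})


def _as_list(value):
    """IAM allows a single string/object or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def is_read_only(action):
    """True if 'service:Verb...' is a read-only call with no wildcard."""
    service, _, verb = action.partition(":")
    if not service or not verb or "*" in action:
        return False
    return verb.startswith(READ_ONLY_VERBS) or verb == "GET"


def audit_policy(policy_json):
    """Return findings for every Allow statement; an empty list means read-only."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: NotAction grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only(action):
                findings.append(f"statement {idx}: not read-only: {action}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)) or "policy is read-only")
```

Run it against the full policy file before attaching it to the role; a clean run prints "policy is read-only".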
== IAM Role ==
Use IAM to create an IAM role for the AWS service EC2. Attach the following policies:
* CloudMapper policy that you created
* arn:aws:iam::aws:policy/SecurityAudit
* arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
== Security Group ==
Create a Security Group that allows the following ports for the following functions. Restrict the source of both rules to the addresses you administer from; the CloudMapper web server has no authentication of its own.
^Protocol^Port^Function^
| TCP | 22 | SSH remote administration |
| TCP | 8000 | Web server |
== Instantiate Instance ==
Launch an instance and assign the IAM role that you created earlier. I tested with t3.micro instances running Amazon Linux 2 and Ubuntu 18.04 LTS.
----
==== Install ====
* SSH to the instance that you launched.
* Install git if using Amazon Linux 2.
<code bash>
$ sudo yum -y install git
</code>
* Clone the git repo.
<code bash>
$ git clone https://github.com/duo-labs/cloudmapper.git
</code>
* Update the package index if using Ubuntu.
<code bash>
$ sudo apt-get update
</code>
* Install package dependencies.
<code bash>
$ sudo yum install autoconf automake libtool python3-devel python3-tkinter jq awscli # Amazon Linux 2
$ sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli python3-pip # Ubuntu 18.04 LTS
</code>
* Install pipenv for your user. ''--user'' needs no sudo and puts pipenv in ''~/.local/bin'', which the crontab script in Extras adds to PATH.
<code bash>
$ pip3.7 install --user pipenv # Amazon Linux 2
$ pip3 install --user pipenv # Ubuntu 18.04 LTS
</code>
* Install the CloudMapper python requirements via pipenv, from inside the cloned directory.
<code bash>
$ cd cloudmapper
$ pipenv install --skip-lock
</code>
* Enter the virtualenv subshell.
<code bash>
$ pipenv shell
</code>
* Create the config file (replace youracct, the account id and the CIDRs with your own values).
<code bash>
$ python3.7 cloudmapper.py configure add-account --config-file youracct-config.json --name youracct --id 123456789012 --default true
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.1.0.0/16 --name youracct
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.2.0.0/16 --name yourprod
</code>
----
==== Run ====
* If you exited, re-enter the virtualenv subshell.
<code bash>
$ cd cloudmapper
$ pipenv shell
</code>
* Collect data on your account.
<code bash>
$ python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
</code>
* Prepare your collected data for the network view.
<code bash>
$ python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
</code>
* Start the web server to view the prepared network data. ''--public'' binds to all interfaces instead of localhost only, so the view is reachable on port 8000 by anything the Security Group lets in.
<code bash>
$ python3.7 cloudmapper.py webserver --public
</code>
----
==== Extras ====
== Apache ==
* Install apache, configure it to start on boot, and start it. This is for Amazon Linux 2.
<code bash>
$ sudo yum -y install httpd
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
</code>
* Copy the web data to apache's document root. This is for Amazon Linux 2. Apache listens on port 80, which the Security Group above does not allow; open it to the same restricted source, or change the ''Listen'' port.
<code bash>
$ cd ~/cloudmapper
$ sudo cp -r web /var/www/html/youracct
</code>
* Now you can view your visualization data at any time, and refresh it by running collect, prepare, and the copy again.
== Crontab ==
* Script that could be used in crontab to automate. This has not been tested yet.
<code bash>
#!/bin/bash
set -e                    # stop at the first failure so a failed collect does not wipe the published data
PATH=~/.local/bin:$PATH   # the directory that holds pipenv, not the pipenv binary itself
cd ~/cloudmapper
rm -rf account-data/youracct # Data doesn't seem to update and you have to clear old data
pipenv run python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
pipenv run python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
sudo rm -rf /var/www/html/youracct/ # Data doesn't seem to update and you have to clear old data
sudo cp -r web /var/www/html/youracct # You will have to have sudo without passwords or chown the directory
</code>