Securing Clouds with Open Source
There are many commercial solutions tackling different cloud-related problems, but there are also high quality open source alternatives with similar use cases and feature sets. As always, there are tradeoffs to consider (support, polish, customization, flexibility, operability, ownership), but open source may be the right solution for you.
There are a wide range of open source tools that bring different approaches and abstractions to cloud management.
Focusing on the more broadly used options:
|Terraform allows cross-provider cloud infrastructure to be defined as code (see infrastructure-as-code), and is essentially the broadly-accepted solution of choice at this point. One alternative is CloudFormation, which takes quite a different approach and is AWS-specific. See awesome-terraform for a collection of relevant resources.|
|Packer can be used for the creation of machine images. It allows the automation/scripting of image creation, which can then be published and deployed into cloud environments. See Introduction to Packer to get started.|
|The AWS SDK for Python, boto3, makes it easy to integrate your Python application, library, or script with AWS services including Amazon S3, Amazon EC2, Amazon DynamoDB, and more. See Abridge's AWS APIs and Python for one perspective on getting started.|
There are many different security-oriented tools available, providing different levels of value.
Some of the more useful options to consider include:
|Originally intended to generate network diagrams, CloudMapper was extended to collect AWS environment data, perform security audit, and more. It has a wide range of visualization and report formats that summarize a cloud deployment.|
|Parliament is a linter for AWS IAM policies that can be used to identify known problematic patterns. It can also be used as a library in other projects, one of which is CloudMapper.|
|Cloud Custodian, a CNCF Sandbox project, is a rules engine for managing public cloud (AWS, Azure, and GCP) accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure that's both secure and cost optimized.|
|Cloud Inquisitor can be used to improve the security posture of your AWS footprint by monitoring AWS resources for tags, detecting domain hijacking, verifying secruity services, and managing IAM policies. It's currently undergoing a refresh / realignment.|
|Policy Sentry helps generate, audit, and analyze AWS IAM policies for least-privilege. See Policy Sentry documentation and the introductory blog post for more.|
|Cloudsplaining https://github.com/salesforce/cloudsplaining||Cloudsplaining is an AWS IAM security assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. For more information, see the GitHub repo, the documentation, and an example report.|
|Prowler https://github.com/toniblyx/prowler||Prowler is a CLI tool for AWS security best practices assessment, auditing, hardening and forensics readiness. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.|
|CloudTracker https://github.com/duo-labs/cloudtracker||CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. See Introducing CloudMapper for details.|
|Cartography https://github.com/lyft/cartography||Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database. It supports a number of providers including AWS, GCP, Gsuite, Okta, and GitHub.|
|Scout Suite https://github.com/nccgroup/ScoutSuite||Scout Suite is an open source multi-cloud (AWS, Azure, GCP, and others) security auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas.|
|s3audit https://github.com/scalefactory/s3audit||s3audit is a CLI tool to audit S3 buckets within an account and report on common configuration issues, including checking for public access. See Securing S3 buckets with s3audit for more information.|
|Reach https://github.com/luhring/reach||Reach is a tool for analyzing the network traffic allowed to flow in AWS. It queries configuration data from AWS APIs and reports on reachability between cloud resources.|
|awspx https://github.com/fsecurelabs/awspx||awspx is a graph-based tool for visualizing access and resource relationships within AWS. It resolves policy information to determine what actions affect which resources, while taking into account how these actions may be combined to produce attack paths.|
|AWSets https://github.com/trek10inc/awsets||AWSets is a utility for crawling an AWS account and exporting data on its resources. See the introductory blog post for more information.|
|Diagrams https://github.com/mingrammer/diagrams||Diagrams lets you draw cloud architecture in Python code. Cloudiscovery extracts AWS infrastructure data and uses Diagrams to generate associated diagrams.|
|tfsec https://github.com/liamg/tfsec||tfsec performs static analysis of Terraform configurations to identify potential security issues. It can be integrated into CI and used to prevent insecure configurations from being deployed.|
Open source is great but not a panacea, and there are other options.
Interested in learning more about Abridge?
Check out the web site, or get started now!