Table of Contents

CloudMapper


https://github.com/duo-labs/cloudmapper
https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool

Overview

Prerequisites
Install
Run
Extras

Prerequisites

IAM Policy

Use IAM to create an IAM policy for CloudMapper with the following permissions.

cloudmapper.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "acm:DescribeCertificate",
                "apigateway:GET",
                "ec2:DescribeLaunchTemplates",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeSecurityConfiguration",
                "events:DescribeRule",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "guardduty:ListDetectors",
                "guardduty:ListFindings",
                "guardduty:ListIPSets",
                "guardduty:ListInvitations",
                "guardduty:ListMembers",
                "guardduty:ListThreatIntelSets",
                "iam:GetSSHPublicKey",
                "inspector:DescribeAssessmentRuns",
                "inspector:DescribeAssessmentTargets",
                "inspector:DescribeAssessmentTemplates",
                "inspector:DescribeCrossAccountAccessRole",
                "inspector:DescribeFindings",
                "inspector:DescribeResourceGroups",
                "inspector:DescribeRulesPackages",
                "iot:DescribeAuthorizer",
                "iot:DescribeCACertificate",
                "iot:DescribeCertificate",
                "iot:DescribeDefaultAuthorizer",
                "iot:GetPolicy",
                "iot:GetPolicyVersion",
                "lambda:GetFunctionConfiguration",
                "lightsail:GetInstances",
                "lightsail:GetLoadBalancers",
                "opsworks:DescribeStacks",
                "organizations:DescribeAccount",
                "organizations:DescribeCreateAccountStatus",
                "organizations:DescribeHandshake",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListAWSServiceAccessForOrganization",
                "shield:DescribeAttack",
                "shield:DescribeProtection",
                "shield:DescribeSubscription",
                "sso:DescribePermissionsPolicies",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListDirectoryAssociations",
                "sso:ListPermissionSets",
                "sso:ListProfileAssociations",
                "sso:ListProfiles"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
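A least-privilege check for the policy above, added here as an example and not part of CloudMapper or the original page. It verifies that every action an Allow statement grants is a read-only API call, so a reviewer can confirm the collector role cannot change anything in the account. The read-only verb allowlist, the explicit apigateway:GET exception and the sample policy (a subset of the page's actions plus two constructed mistakes) are assumptions of this example.

```python
"""Least-privilege audit of a CloudMapper IAM policy document.

Added example; not part of CloudMapper or the original page. It checks that a
policy like cloudmapper.json only grants read-only API calls. The verb
allowlist and the exception set are assumptions made for this check.
"""
import json

# AWS read-only API verbs. Every action in the page's policy starts with one of
# these, except apigateway:GET, which is listed explicitly as an exception.
READ_ONLY_VERBS = ("Describe", "Get", "List")
READ_ONLY_EXCEPTIONS = {"apigateway:GET"}


def is_read_only(action: str) -> bool:
    """True if `service:Verb...` names a read-only call under our rules."""
    if action in READ_ONLY_EXCEPTIONS:
        return True
    if "*" in action:
        return False  # a wildcard may cover write calls; review it by hand
    service, sep, verb = action.partition(":")
    if not sep or not service or not verb:
        return False  # malformed action string
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy: dict) -> list:
    """Return (check, detail) findings for every Allow statement.

    non-read-only: an action that could change state
    not-action:    NotAction in an Allow grants everything not listed
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(("not-action", f"Statement[{idx}]"))
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if not is_read_only(action):
                findings.append(("non-read-only", action))
    return findings


def audit_policy_file(path: str) -> list:
    """Load a policy document such as cloudmapper.json and audit it."""
    with open(path) as fh:
        return audit_policy(json.load(fh))


# Constructed sample: a subset of the page's policy plus two mistakes a
# reviewer should catch (a wildcard and a write action).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "apigateway:GET",
        "ec2:DescribeLaunchTemplates",
        "guardduty:ListDetectors",
        "iam:GetSSHPublicKey",
        "ec2:*",
        "s3:PutObject"
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    for check, detail in audit_policy(SAMPLE_POLICY):
        print(f"{check}: {detail}")
```

Run it against the saved file with `audit_policy_file("cloudmapper.json")`; an empty list means every granted action is read-only. `"Resource": "*"` is expected here, since most Describe and List calls do not support resource-level permissions, which is exactly why the action list deserves this scrutiny.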

IAM Role

Use IAM to create an IAM role for the AWS service EC2 and attach the CloudMapper policy created above.

Security Group

Create a Security Group that allows the following ports for the following functions.

Protocol   Port   Function
TCP        22     SSH remote administration
TCP        8000   Web server
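Building those two rules so that they are restricted to an administrator range rather than the whole internet, as an added example that is not part of CloudMapper or the original page. The helper encodes the table above as boto3-style IpPermissions entries, flags any rule that would expose SSH or the CloudMapper web server to 0.0.0.0/0 or ::/0, and only then authorizes them. The admin CIDR, the security group id and the region are placeholders; the 10.1.0.0/16 value is borrowed from the configure step on this page.

```python
"""Build and sanity-check the CloudMapper instance's security group rules.

Added example, not part of CloudMapper or the original page. Only
`apply_rules` talks to AWS; the group id, region and admin CIDR are
placeholders you supply.
"""
import ipaddress

# Ports from the Security Group table. Constructed mapping for this example.
CLOUDMAPPER_PORTS = {
    22: "SSH remote administration",
    8000: "CloudMapper web server",
}


def build_ingress_rules(admin_cidr: str, ports=CLOUDMAPPER_PORTS) -> list:
    """Return IpPermissions entries that allow `ports` only from `admin_cidr`."""
    net = ipaddress.ip_network(admin_cidr, strict=True)  # raises on host bits / typos
    if net.version != 4:
        raise ValueError("this helper only builds IPv4 rules")
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": str(net), "Description": desc}],
        }
        for port, desc in sorted(ports.items())
    ]


def world_open_ports(rules: list, ports=CLOUDMAPPER_PORTS) -> list:
    """Return the ports from `ports` that some rule exposes to 0.0.0.0/0 or ::/0."""
    exposed = set()
    for rule in rules:
        if rule.get("IpProtocol") not in ("tcp", "-1"):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if lo == -1:  # "all traffic" rules carry -1 or omit the port fields
            lo, hi = 0, 65535
        exposed.update(p for p in ports if lo <= p <= hi)
    return sorted(exposed)


def apply_rules(group_id: str, rules: list, region: str) -> dict:
    """Authorize `rules` on an existing group; refuses world-open admin ports.

    Needs AWS credentials and boto3 (imported lazily so the checks above run
    without it). Call with a real group id such as sg-PLACEHOLDER.
    """
    if world_open_ports(rules):
        raise ValueError("refusing to open CloudMapper ports to the world")
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


if __name__ == "__main__":
    rules = build_ingress_rules("10.1.0.0/16")  # placeholder admin range
    print(rules)
    print("world-open ports:", world_open_ports(rules))
    # apply_rules("sg-PLACEHOLDER", rules, "us-east-1")  # uncomment with real ids
```

`world_open_ports` can also be run over the `IpPermissions` list returned by `describe_security_groups` for an existing group, which is a quick way to confirm nobody has since widened port 22 or 8000 to the internet.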
Instantiate Instance

Launch an instance and assign the IAM role that you created earlier. I tested with t3.micro instances running Amazon Linux 2 and Ubuntu 18.04 LTS.


Install

$ sudo yum -y install git # Amazon Linux 2
$ sudo apt-get update && sudo apt-get -y install git # Ubuntu 18.04 LTS
$ git clone https://github.com/duo-labs/cloudmapper.git
$ sudo yum install autoconf automake libtool python3-devel python3-tkinter jq awscli # Amazon Linux 2
$ sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli python3-pip # Ubuntu 18.04 LTS
$ pip3.7 install pipenv --user # Amazon Linux 2; without sudo, so pipenv lands in ~/.local/bin of the login user
$ pip3 install pipenv # Ubuntu 18.04 LTS
$ cd cloudmapper
$ pipenv install --skip-lock
$ pipenv shell
$ python3.7 cloudmapper.py configure add-account --config-file youracct-config.json --name youracct --id 123456789012 --default true
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.1.0.0/16 --name youracct
$ python3.7 cloudmapper.py configure add-cidr --config-file youracct-config.json --cidr 10.2.0.0/16 --name yourprod

Run

$ cd cloudmapper
$ pipenv shell
$ python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
$ python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
$ python3.7 cloudmapper.py webserver --public

Extras

Apache

$ sudo yum -y install httpd
$ sudo systemctl enable httpd
$ sudo systemctl start httpd
$ cd ~/cloudmapper
$ sudo cp -r web /var/www/html/youracct

Crontab

cloudmapper.sh
#!/bin/bash
# Put the user-installed pipenv (pip --user) on PATH; cron's default PATH does not include it.
PATH=$HOME/.local/bin:$PATH
cd ~/cloudmapper || exit 1 # Never run the rm -rf below from the wrong directory
rm -rf account-data/youracct # Data doesn't seem to update and you have to clear old data
pipenv run python3.7 cloudmapper.py collect --config youracct-config.json --account youracct
pipenv run python3.7 cloudmapper.py prepare --config youracct-config.json --account youracct
sudo rm -rf /var/www/html/youracct/ # Data doesn't seem to update and you have to clear old data
sudo cp -r web /var/www/html/youracct # You will have to have sudo without passwords or chown the directory