Cloud Security Posture Management with CloudGraph Api

Screenshots from CloudGraph exploration options; playground, altair, voyager

Nearly all successful attacks on cloud services are the result of misconfiguration, mismanagement, and mistakes. This has lead to the rise of Cloud Security Posture Management programs.

In this article we will investigate how CloudGraph can be used to enable effortless compliance checks, cloud inventories in a single multi cloud environment.

Why use it? — use cases
Getting Started

Why use it? — use cases

Challenge 1:- Maintaining a multi-cloud inventory

Maintaining an inventory of assets for visibility, security & compliance, and billing is a task many of us struggle with. Over the last decade, migration to the cloud and serverless has fundamentally changed how we think about computing, storage, and databasing.

Managing a mixed environment on AWS, Azure, and GCP can feel overwhelming quickly even to seasoned cloud architects. While each platform are developing their own native security and compliance tools these often fall short.

Solution: CSPM with GraphQL api

Cloud Security Posture Manager (CSPM) with CloudGraph api provides a simpler way to get our data out of AWS, Azure, GCP and others. It creates a single source of truth that reflected our need to easily query any data about any service in any account without having to spend hours trawling logs and formatting data.

Being open and scalable, CloudGraph api allows your teams to use their favourite add on to view, explore, and monitor cloud platforms.

For example, need to know which EC2 deployment, cost, and performance stats, run the following query:

query {
queryawsEc2 {
id
arn
# Billing data
dailyCost {
cost
currency
formattedCost
}
# Utilization
cloudWatchMetricData {
lastMonth {
networkInAverage
# Other attributes
}
lastWeek {
networkInAverage
# Other attributes
}
last24Hours {
networkInAverage
# Other attributes
}
last6Hours {
networkInAverage
# Other attributes
}
}
}
}

Which will present results like this:

Challenge 2:- Security compliance and governance

Knowing current infrastructure deployment map and configurations is installed at any time is critical for security. From leaky S3 buckets, to misconfigured user permissions the risks, and penalties, of misconfigurations are heavy.

Solution: CIS policy packs for CloudGraph api

The CloudGraph api provides CIS policy packs based on benchmarks used to guarantee compliance across the existing infrastructure of your cloud provider.

Providing pass or fail results for CIS benchmarks provides actionable improvements to the environment that can be quickly reported, alerted on, and tracked over time.

For example to monitor CIS benchmarks in an AWS environment, run the following query:

query {
queryawsCISFindings {
id
resourceId
result
rule {
id
severity
title
description
audit
rationale
remediation
references
}
}
}

Will result in a list of findings with actionable results to improve security:

In this example port 22 is open in an AWS Security Group triggering a high severity Failure

Getting Started

To get started follow our simple deployment click here

Quickstart deployment guide available under documentation here

Who are we?

cloud-refactor are dedicated to deploying industry leading open source software to help clients, read more here

We offer support via our public/private forum and documentation.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store