Cloud Security Posture Management with CloudGraph API
Nearly all successful attacks on cloud services are the result of misconfiguration, mismanagement, and mistakes. This has led to the rise of Cloud Security Posture Management (CSPM) programs.
In this article we will investigate how CloudGraph can be used to enable effortless compliance checks and cloud inventories across a single multi-cloud environment.
Why use it? — use cases
Challenge 1: Maintaining a multi-cloud inventory
Maintaining an inventory of assets for visibility, security and compliance, and billing is a task many of us struggle with. Over the last decade, migration to the cloud and serverless has fundamentally changed how we think about computing, storage, and databases.
Managing a mixed environment on AWS, Azure, and GCP can quickly feel overwhelming, even to seasoned cloud architects. While each platform is developing its own native security and compliance tools, these often fall short.
Solution: CSPM with a GraphQL API
Cloud Security Posture Management (CSPM) with the CloudGraph API provides a simpler way to get our data out of AWS, Azure, GCP and others. It creates a single source of truth that reflects our need to easily query any data about any service in any account, without spending hours trawling logs and formatting data.
Being open and scalable, the CloudGraph API allows your teams to use their favourite add-ons to view, explore, and monitor cloud platforms.
For example, to see EC2 deployment, cost, and performance stats, run the following query:
query {
  queryawsEc2 {
    id
    arn
    # Billing data
    dailyCost {
      cost
      currency
      formattedCost
    }
    # Utilization
    cloudWatchMetricData {
      lastMonth {
        networkInAverage
        # Other attributes
      }
      lastWeek {
        networkInAverage
        # Other attributes
      }
      last24Hours {
        networkInAverage
        # Other attributes
      }
      last6Hours {
        networkInAverage
        # Other attributes
      }
    }
  }
}
The query returns one record per EC2 instance with the requested cost and utilization fields.
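As an added example, not code from the original article or from the CloudGraph project, the following script sends the EC2 query above to a CloudGraph deployment and turns the response into something a reviewer can act on: total daily spend per currency and a list of instances that look idle. The endpoint URL, the assumption that networkInAverage is in bytes, the idle threshold, and the sample response are all assumptions or constructed data, not values taken from the page.

```python
import json
import urllib.request

# Assumed: a local CloudGraph deployment exposing its GraphQL endpoint here.
CLOUDGRAPH_URL = "http://localhost:8997/graphql"

# The article's query, trimmed to the fields this script uses.
EC2_QUERY = """
query {
  queryawsEc2 {
    id
    arn
    dailyCost { cost currency formattedCost }
    cloudWatchMetricData {
      last24Hours { networkInAverage }
    }
  }
}
"""


def run_query(query, url=CLOUDGRAPH_URL):
    """POST a GraphQL document to CloudGraph and return the decoded JSON body."""
    body = json.dumps({"query": query}).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_ec2(response, idle_threshold=1000.0):
    """Aggregate daily spend per currency and flag instances whose 24-hour
    average inbound traffic (networkInAverage) is below idle_threshold.
    Assumption: networkInAverage is in bytes, as CloudWatch reports NetworkIn."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    instances = (response.get("data") or {}).get("queryawsEc2") or []
    spend = {}
    idle = []
    for inst in instances:
        cost = inst.get("dailyCost") or {}  # billing data may be absent for an instance
        if cost.get("cost") is not None:
            currency = cost.get("currency") or "UNKNOWN"
            spend[currency] = round(spend.get(currency, 0.0) + float(cost["cost"]), 2)
        metrics = (inst.get("cloudWatchMetricData") or {}).get("last24Hours") or {}
        net_in = metrics.get("networkInAverage")
        if net_in is not None and net_in < idle_threshold:
            idle.append({
                "arn": inst.get("arn"),
                "networkInAverage": net_in,
                "dailyCost": cost.get("formattedCost"),
            })
    idle.sort(key=lambda i: i["networkInAverage"])  # quietest instances first
    return {"instance_count": len(instances), "daily_spend": spend, "idle_instances": idle}


# Constructed sample response in the shape the query above returns (not real data).
SAMPLE_RESPONSE = {
    "data": {
        "queryawsEc2": [
            {
                "id": "i-0example000000001",
                "arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0example000000001",
                "dailyCost": {"cost": 2.40, "currency": "USD", "formattedCost": "$2.40"},
                "cloudWatchMetricData": {"last24Hours": {"networkInAverage": 52000.0}},
            },
            {
                "id": "i-0example000000002",
                "arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0example000000002",
                "dailyCost": {"cost": 0.96, "currency": "USD", "formattedCost": "$0.96"},
                "cloudWatchMetricData": {"last24Hours": {"networkInAverage": 120.0}},
            },
            {
                "id": "i-0example000000003",
                "arn": "arn:aws:ec2:us-east-1:111111111111:instance/i-0example000000003",
                "dailyCost": None,  # no billing data yet for this instance
                "cloudWatchMetricData": {"last24Hours": {"networkInAverage": 0.0}},
            },
        ]
    }
}


if __name__ == "__main__":
    # Against a live deployment use: summarize_ec2(run_query(EC2_QUERY))
    print(json.dumps(summarize_ec2(SAMPLE_RESPONSE), indent=2))
```

The null-safe lookups matter in practice: CloudGraph returns null for dailyCost or cloudWatchMetricData when the billing or metrics integration has not been enabled, and a report script that crashes on the first such instance is useless for inventory work.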
Challenge 2: Security compliance and governance
Knowing what infrastructure is deployed, and how it is configured, at any given time is critical for security. From leaky S3 buckets to misconfigured user permissions, the risks, and penalties, of misconfiguration are heavy.
Solution: CIS policy packs for the CloudGraph API
The CloudGraph API provides CIS policy packs, based on the CIS benchmarks, used to verify compliance across your existing cloud provider infrastructure.
Pass or fail results for each CIS benchmark control give actionable improvements to the environment that can be quickly reported, alerted on, and tracked over time.
For example, to monitor CIS benchmarks in an AWS environment, run the following query:
query {
  queryawsCISFindings {
    id
    resourceId
    result
    rule {
      id
      severity
      title
      description
      audit
      rationale
      remediation
      references
    }
  }
}
This returns a list of findings, each carrying the rule's rationale and remediation steps, that can be acted on to improve security.
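As an added example, not code from the original article or from the CloudGraph project, the script below runs the CIS findings query above and turns the raw findings into a report of the kind described in this section: pass/fail totals, failed controls ordered by severity with their remediation text, and an exit code so the same script can gate a deployment pipeline. The endpoint URL, the severity vocabulary (high/medium/low), the treatment of result strings other than PASS and FAIL, and the sample findings (with made-up rule ids) are assumptions or constructed data, not values from the page.

```python
import json
import sys
import urllib.request

# Assumed: a local CloudGraph deployment exposing its GraphQL endpoint here.
CLOUDGRAPH_URL = "http://localhost:8997/graphql"

# The article's CIS findings query, trimmed to the fields this report uses.
CIS_QUERY = """
query {
  queryawsCISFindings {
    id
    resourceId
    result
    rule { id severity title remediation }
  }
}
"""

# Assumed severity vocabulary; unknown severities sort last.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def run_query(query, url=CLOUDGRAPH_URL):
    """POST a GraphQL document to CloudGraph and return the decoded JSON body."""
    body = json.dumps({"query": query}).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def compliance_report(response, fail_on=("high",)):
    """Tally PASS/FAIL results, list failed controls ordered by severity, and
    derive an exit code (1 when any failed control's severity is in fail_on).
    Result strings other than PASS/FAIL (assumed, e.g. a control that could not
    be evaluated) are counted as OTHER so they are visible but do not gate."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    findings = (response.get("data") or {}).get("queryawsCISFindings") or []
    totals = {"PASS": 0, "FAIL": 0, "OTHER": 0}
    failed = []
    for finding in findings:
        result = (finding.get("result") or "").upper()
        totals[result if result in ("PASS", "FAIL") else "OTHER"] += 1
        if result == "FAIL":
            rule = finding.get("rule") or {}
            failed.append({
                "rule": rule.get("id"),
                "severity": (rule.get("severity") or "unknown").lower(),
                "title": rule.get("title"),
                "resource": finding.get("resourceId"),
                "remediation": rule.get("remediation"),
            })
    failed.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 99), f["rule"] or ""))
    gate_tripped = any(f["severity"] in fail_on for f in failed)
    return {"totals": totals, "failed": failed, "exit_code": 1 if gate_tripped else 0}


# Constructed sample findings; rule ids are placeholders, not real CloudGraph rule ids.
SAMPLE_RESPONSE = {
    "data": {
        "queryawsCISFindings": [
            {"id": "f-1", "resourceId": "arn:aws:iam::111111111111:root", "result": "PASS",
             "rule": {"id": "example-cis-1.1", "severity": "high",
                      "title": "Avoid the use of the root account",
                      "remediation": "Use least-privilege IAM principals instead of root."}},
            {"id": "f-2", "resourceId": "arn:aws:s3:::example-trail-logs", "result": "FAIL",
             "rule": {"id": "example-cis-2.3", "severity": "low",
                      "title": "Ensure the CloudTrail log bucket is not publicly accessible",
                      "remediation": "Remove public grants and enable Block Public Access."}},
            {"id": "f-3", "resourceId": "arn:aws:iam::111111111111:root", "result": "FAIL",
             "rule": {"id": "example-cis-1.5", "severity": "high",
                      "title": "Ensure MFA is enabled for the root account",
                      "remediation": "Enable hardware MFA on the root account."}},
            {"id": "f-4", "resourceId": "arn:aws:cloudtrail:us-east-1:111111111111:trail/example",
             "result": "MISSING",
             "rule": {"id": "example-cis-2.1", "severity": "medium",
                      "title": "Ensure CloudTrail is enabled in all regions",
                      "remediation": "Create a multi-region trail."}},
        ]
    }
}


if __name__ == "__main__":
    # Against a live deployment use: compliance_report(run_query(CIS_QUERY))
    report = compliance_report(SAMPLE_RESPONSE)
    print(json.dumps(report, indent=2))
    sys.exit(report["exit_code"])
```

Keeping the gate (fail_on) separate from the tally means the full list of failures, including low-severity and unevaluated controls, still lands in the report for tracking over time, while only the severities the team has agreed on can block a pipeline.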
Getting Started
To get started, follow our simple deployment guide.
The quickstart deployment guide is available under the documentation.
Who are we?
cloud-refactor is dedicated to deploying industry-leading open source software to help clients.
We offer support via our public/private forum and documentation.