duo-labs / cloudmapper Goto Github PK


CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

License: BSD 3-Clause "New" or "Revised" License

Python 17.25% Shell 0.32% CSS 1.86% HTML 1.43% JavaScript 79.08% Makefile 0.01% Dockerfile 0.06%
aws cytoscape diagram security

cloudmapper's Introduction

CloudMapper

Note: the network visualization functionality (the prepare command) is no longer maintained.

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser (functionality no longer maintained). It now contains much more functionality, including auditing for security issues.

Commands

  • audit: Check for potential misconfigurations.
  • collect: Collect metadata about an account. More details here.
  • find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges. More details here.
  • find_unused: Look for unused resources in the account. Finds unused Security Groups, Elastic IPs, network interfaces, volumes and elastic load balancers.
  • prepare/webserver: See Network Visualizations
  • public: Find public hosts and port ranges. More details here.
  • sg_ips: Get geoip info on CIDRs trusted in Security Groups. More details here.
  • stats: Show counts of resources for accounts. More details here.
  • weboftrust: Show Web Of Trust. More details here.
  • report: Generate HTML report. Includes summary of the accounts and audit findings. More details here.
  • iam_report: Generate HTML report for the IAM information of an account. More details here.

If you want to add your own private commands, you can create a private_commands directory and add them there.
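As an added illustration of the kind of check the audit-style commands perform (this is example code written for this page, not CloudMapper's own implementation of public): the block below walks security-group and instance JSON in the shape that `aws ec2 describe-security-groups` and `aws ec2 describe-instances` return, which is the shape collect stores on disk, and reports every instance that both has a public IP and is attached to a group admitting a public CIDR, together with the exposed port ranges. The group IDs, instance IDs and addresses are constructed sample data, and the list of ranges treated as "not public" is an assumption of the example.

```python
"""Added example for this page: what a public-style check does with the
EC2 JSON that collect writes.  Not CloudMapper's own implementation."""
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# and `aws ec2 describe-instances` (the per-region files collect stores).
SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0b2", "GroupName": "admin-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c3", "GroupName": "internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]}]},
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-web", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-0a1"}, {"GroupId": "sg-0c3"}]},
    {"InstanceId": "i-bastion", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-0b2"}]},
    {"InstanceId": "i-db", "SecurityGroups": [{"GroupId": "sg-0c3"}]},
]}]}

# Assumption of this example: a CIDR is "public" unless it lies inside one of these.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_public_cidr(cidr):
    """True unless the CIDR lies entirely inside a private/loopback/link-local range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def public_port_ranges(sg):
    """(protocol, from_port, to_port, source) for every inbound rule that trusts a
    public CIDR.  Rules sourced from another security group or a prefix list are
    not reachable from the Internet by themselves and are skipped."""
    ranges = []
    for perm in sg.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not is_public_cidr(cidr):
                continue
            if perm["IpProtocol"] == "-1":   # "all traffic" rules carry no port fields
                ranges.append(("all", 0, 65535, cidr))
            else:
                ranges.append((perm["IpProtocol"], perm["FromPort"], perm["ToPort"], cidr))
    return ranges


def find_public_hosts(security_groups, instances):
    """Instances that have a public IP *and* a group admitting a public CIDR,
    with the exposed port ranges.  An open group on an instance without a public
    address is not reported: the rule alone is not reachable from outside."""
    open_by_sg = {sg["GroupId"]: public_port_ranges(sg)
                  for sg in security_groups["SecurityGroups"]}
    exposed = {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            ip = inst.get("PublicIpAddress")
            if not ip:
                continue
            ranges = []
            for sg in inst.get("SecurityGroups", []):
                ranges += open_by_sg.get(sg["GroupId"], [])
            if ranges:
                exposed[inst["InstanceId"]] = {"ip": ip, "ports": sorted(ranges)}
    return exposed


if __name__ == "__main__":
    for host, info in find_public_hosts(SECURITY_GROUPS, INSTANCES).items():
        print(host, info["ip"], info["ports"])
```

On the sample data this reports i-web on tcp/443 from 0.0.0.0/0 and i-bastion on every port from ::/0, while i-db (no public address) and the 10.0.0.0/8 SSH rule are left out. Real accounts also expose hosts through load balancers and through rules that reference prefix lists; the block deliberately stops at the security-group-plus-public-IP case, which is the one a first audit pass most needs to catch.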

Screenshots

(Screenshots, images not included in this copy: Ideal layout; Report; Findings summary; Findings; IAM report; Command-line audit; Command-line public command.)

Installation

Requirements:

On macOS:

# clone the repo
git clone https://github.com/duo-labs/cloudmapper.git
# Install pre-reqs for pyjq
brew install autoconf automake awscli freetype jq libtool python3
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install --prefer-binary -r requirements.txt

On Linux:

# clone the repo
git clone https://github.com/duo-labs/cloudmapper.git
# (AWS Linux, Centos, Fedora, RedHat etc.):
# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
# (Debian, Ubuntu etc.):
# You may additionally need "build-essential"
sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install -r requirements.txt

Run with demo data

A small set of demo data is provided. This will display the same environment as the demo site https://duo-labs.github.io/cloudmapper/

# Generate the data for the network map
python cloudmapper.py prepare --config config.json.demo --account demo
# Generate a report
python cloudmapper.py report --config config.json.demo --account demo
python cloudmapper.py webserver

This will run a local webserver at http://127.0.0.1:8000/. View the network map from that link, or view the report at http://127.0.0.1:8000/account-data/report.html

Setup

  1. Configure information about your account.
  2. Collect information about an AWS account.

1. Configure your account

Copy the config.json.demo to config.json and edit it to include your account ID and name (ex. "prod"), along with any external CIDR names. A CIDR is an IP range such as 1.2.3.4/32 which means only the IP 1.2.3.4.

2. Collect data about the account

This step uses the CLI to make describe and list calls and records the json in the folder specified by the account name under account-data.

AWS Privileges required

You must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect. I recommend using aws-vault. CloudMapper will collect IAM information, which means you MUST use MFA. Only the collect step requires AWS access.

You must have the following privileges (these grant various read access of metadata):

  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Collect the data

Collecting the data is done as follows:

python cloudmapper.py collect --account my_account

Analyze the data

From here, try running the different commands, such as:

python cloudmapper.py report --account my_account
python cloudmapper.py webserver

Then view the report in your browser at 127.0.0.1:8000/account-data/report.html

Further configuration

Generating a config file

Instead of modifying config.json directly, there is a command to configure the data there, in case that is needed:

python cloudmapper.py configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]
python cloudmapper.py configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME

This will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.
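The layout of config.json itself, as an added example (not the project's own code): accounts is a list of objects with id, name and default, and cidrs is a map keyed by CIDR whose value carries the display name, which is the shape config.json.demo and the configure command above produce. The validation is my addition, written because a mistyped account ID, an account ID that lost its leading zeros when someone edited the file as a number, or a CIDR with host bits set is otherwise only noticed after collect or prepare has run. The account IDs, names and CIDRs in the block are made up.

```python
"""Added example: build and validate a CloudMapper config.json.  The key layout
follows config.json.demo; the checks are this example's own, not the project's."""
import ipaddress
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")     # AWS account IDs are exactly 12 digits
ACCOUNT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # the name becomes a directory name


def make_account(account_id, name, default=False):
    """One entry for the "accounts" list.  The ID is kept as a string: stored as an
    integer it silently loses leading zeros (000012345678 becomes 12345678)."""
    account_id = str(account_id)
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"account id must be 12 digits, got {account_id!r}")
    if not ACCOUNT_NAME_RE.match(name):
        raise ValueError(f"account name {name!r} is used under account-data/; keep it simple")
    return {"id": account_id, "name": name, "default": bool(default)}


def make_cidrs(named_cidrs):
    """Build the "cidrs" map from {cidr: name}.  Keys are normalised, so a bare
    host becomes /32 (or /128); a CIDR with host bits set (1.2.3.4/24) is rejected
    rather than silently widened to a whole /24 of trusted addresses."""
    out = {}
    for cidr, name in named_cidrs.items():
        net = ipaddress.ip_network(cidr, strict=True)
        out[str(net)] = {"name": name}
    return out


def build_config(accounts, named_cidrs):
    """Assemble the config.json document; at most one account may be the default."""
    if sum(1 for a in accounts if a["default"]) > 1:
        raise ValueError("more than one default account")
    return {"accounts": accounts, "cidrs": make_cidrs(named_cidrs)}


if __name__ == "__main__":
    config = build_config(
        [make_account("000012345678", "prod", default=True),
         make_account("123456789012", "dev")],
        {"203.0.113.5": "Office NAT", "198.51.100.0/24": "CI runners"})
    print(json.dumps(config, indent=2))   # paste the output into config.json
```

Because the cidrs map is what the diagram uses to label external ranges, a name attached to an over-wide CIDR does more than mislabel a node: it marks every security-group rule trusting that range as "known", so the strict=True check is the one worth keeping.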

If you use AWS Organizations, you can also automatically add organization member accounts to config.json using:

python cloudmapper.py configure discover-organization-accounts

You need to be authenticated to the AWS CLI and have the permission organizations:ListAccounts prior to running this command.

Using audit config overrides

You may find that you don't care about some of audit items. You may want to ignore the check entirely, or just specific resources. Copy config/audit_config_override.yaml.example to config/audit_config_override.yaml and edit the file based on the comments in there.

Using a Docker container

The docker container that is created is meant to be used interactively.

docker build -t cloudmapper .

CloudMapper needs to make IAM calls and cannot use session credentials for collection, so you cannot use the aws-vault server if you want to collect data; you must pass role credentials in directly or configure AWS credentials manually inside the container. The following command exposes your raw, long-lived credentials inside the container:

(
    export $(aws-vault exec YOUR_PROFILE --no-session -- env | grep ^AWS | xargs) && \
    docker run -ti \
        -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
        -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
        -p 8000:8000 \
        cloudmapper /bin/bash
)

This will drop you into the container. The surrounding parentheses run the export in a subshell, so the keys are not left behind in your interactive shell's environment once the container exits. Run aws sts get-caller-identity to confirm the credentials were set up correctly. CloudMapper demo data is not copied into the Docker container, so you will need to collect live data from your account. Note that Docker defaults may limit the memory available to your container; for example, on macOS the default is 2GB, which may not be enough to generate the report for a medium-sized account.

python cloudmapper.py configure add-account --config-file config.json --name YOUR_ACCOUNT --id YOUR_ACCOUNT_NUMBER
python cloudmapper.py collect --account YOUR_ACCOUNT
python cloudmapper.py report --account YOUR_ACCOUNT
python cloudmapper.py prepare --account YOUR_ACCOUNT
python cloudmapper.py webserver --public

You should then be able to view the report by visiting http://127.0.0.1:8000/account-data/report.html. The --public flag makes the webserver listen on all interfaces instead of only 127.0.0.1; it is needed here so that Docker's port mapping can reach the server, but it also means anyone who can reach port 8000 on the host can read the report and the collected account data, so only publish that port on a network you trust.

Running CloudMapper regularly to audit your environment

A CDK app for deploying CloudMapper via Fargate so that it runs nightly, sends audit findings as alerts to a Slack channel, and generates a report that is saved to S3, is described here.

Alternatives

For network diagrams, you may want to try https://github.com/lyft/cartography or https://github.com/anaynayak/aws-security-viz

For auditing and other AWS security tools see https://github.com/toniblyx/my-arsenal-of-aws-security-tools

cloudmapper's People

Contributors

0xdabbad00, alanquillin, almogcohen, andrewkrug, asloan7, cbeltranbird, cdstrachan, clholm, danielpops, dependabot[bot], elliot, eugenechang, francilioaraujo, heikkivertasc, jdyke, jordan-wright, julesdt, kylelady, maestretti, nimrodkor, paweldefee, rderewianko, rjcassara-, roskyfrosky, schosterbarak, soffensive, syucream, w0rmr1d3r, williambherman, yannvanhalewyn


cloudmapper's Issues

Filter by tag

Provide an option to prepare data only for the tags, as it might get too complicated for an enterprise to run it on their whole infrastructure.

  • 0 nodes built in region eu-west-3
  • 0 nodes built in region eu-west-2
  • 6 nodes built in region eu-west-1
  • 0 nodes built in region ap-northeast-2
  • 0 nodes built in region ap-northeast-1
  • 0 nodes built in region sa-east-1
  • 0 nodes built in region ca-central-1
  • 0 nodes built in region ap-southeast-1
  • 0 nodes built in region ap-southeast-2
  • 0 nodes built in region eu-central-1
  • 999 nodes built in region us-east-1
  • 0 nodes built in region us-east-2
  • 0 nodes built in region us-west-1
  • 0 nodes built in region us-west-2
  • 507426 connections built
    WARNING: There are 1120 total nodes and 507426 total edges.
    This will be difficult to display and may be too complex to make sense of.
    Consider reducing the number of items in the diagram by viewing a single
    region, ignoring internal edges, or other filtering.

White Blank Screen during serve

After successful prepare step I ran:

python cloudmapper.py serve --public

When I go to the web page I can see the toolbar at the top and there is a blue progress bar that goes left to right, but it never makes it all the way to the right.

Here are the messages in the console during the page view (notice the code 404 message File not found) :

173.23.49.44 - - [20/Feb/2018 18:57:30] "GET / HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/nprogress.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/jquery.qtip.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/cytoscape.js-panzoom.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/cytoscape.js-navigator.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/font-awesome-4.7.0/css/font-awesome.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/akkordion.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/cloudmap.css HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/nprogress.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape.min.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/jquery.qtip.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/jquery.min.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-cose-bilkent.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-grid-guide.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /css/font-awesome-4.7.0/fonts/fontawesome-webfont.woff2?v=4.7.0 HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-qtip.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-panzoom.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-undo-redo.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-view-utilities.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-expand-collapse.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:30] "GET /js/cytoscape-navigator.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/cytoscape-autopan-on-drag.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/FileSaver.min.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/circular-json.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/mousetrap.min.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/akkordion.min.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/nodeInfo.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /js/cloudmap.js HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] code 404, message File not found
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /data.json HTTP/1.1" 404 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /favicon.ico HTTP/1.1" 200 -
173.23.49.44 - - [20/Feb/2018 18:57:31] "GET /style.json HTTP/1.1" 200 -

expose parameters inline

Instead of the config.json file, maybe it would be nice to declare these values inline.
It makes it easier when running in Docker.

On my mac, did not have jq

I didn't have "jq" on my mac, which broke collect_data.sh. Recommend adding that to your installation instructions.

Add ability to append security group description

This is a feature request more than anything.

It would be great if there was an option to append security group IP descriptions next to their IP address.

It would help when we visually look at a map and say hey what is this IP?

I suppose this would basically be automating the IP definitions in the config.json. (Assuming descriptions exist for those IPs in EC2)

Anyway, it wouldn't make sense to enable this by default, but an option such as --include-descriptions would be a nice addition.

Handle reserved characters in filenames

Dies very quickly:
cloudmapper$ ./collect_data.sh --account 2267e1

  • Startup checks
    jq - commandline JSON processor [version 1.3]
    Usage: jq [options] [file...]

Feature request: optional connection visibility

Using cloudmapper to help unpick a rat's nest of systems:

image

Would like the option of a connectionless view, with instances vaguely grouped near each other inside subnets by name or a tag, etc. e.g.

image

(Achieved connection removal locally by leaving source and target empty in nodes.py cytoscape_data.)

Code is very readable.

What is the guidance for visualizing large JSON files?

Some of our accounts have 1000s of EC2 instances; the combined JSON is 1000MB+.
The UI is not loading, or takes forever to display this information.
Any guidance on how to handle the large number of nodes/JSON in the UI?

Thank you for the support..

Add "incremental layout" command

I received an email:

You already have an option to “redraw with randomized layout” (this is layout from scratch). I suggest you add (next to it?) another button for “redraw with adjusted layout” or something similar and apply incremental layout (randomize: false). Since layout algorithms are not meant to give optimal results, often times a user will like to adjust the drawing partially manually. After which, an incremental layout “tidies up” the drawing.

Centos install issues

I had some install pains on a plain, freshly built CentOS 7 on AWS:

normal instructions:

clone the repo

git clone git@github.com:duo-labs/cloudmapper.git

(Centos, Fedora, RedHat etc.):

sudo yum install autoconf automake libtool python-dev jq
cd cloudmapper/

at this point I had to run:
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
pip install virtualenv

then I could continue
virtualenv venv
source venv/bin/activate
pip install -r requirements.txt

then it bombed out with a python error, so I had to run
yum install python-devel

In summary, I had to run the additional commands at any time before the command "virtualenv venv"
curl "https://bootstrap.pypa.io/get-pip.py" -o "get-pip.py"
pip install virtualenv
yum install python-devel

Duplicate/additional databases

When rendering RDS databases, I am seeing non-multiAZ DBs located in just 1 availability zone, being shown in all AZs.

Eg: here, this DB is only in one subnet, in 1 AZ, but shows up three times in 3 subnets.

image

boto determine account id

could this use

import boto3
print(boto3.client('sts').get_caller_identity()['Account'])

to determine the account id it is running ?

Set randomize to false when expanding/collapsing

When expanding and collapsing I can set randomize: false with the cose-bilkent as the layout so the user doesn't lose their mental map of where things were and so the whole layout is not redrawn.

Provide guidance on minimal IAM privileges

SecurityAuditor is sufficient for CloudMapper, but that still provides a lot of unused privileges. Provide guidance on the absolute minimum set of privileges needed.

Bug in prepare `takes exactly 3 arguments (2 given)`

I received a bug report on Slack https://awssecurityforum.slack.com/files/U7K04K073/F9BNUTJ03/-.txt

Traceback (most recent call last):
  File "cloudmapper.py", line 121, in <module>
    main()
  File "cloudmapper.py", line 111, in main
    run_prepare(arguments)
  File "cloudmapper.py", line 90, in run_prepare
    prepare(account, config, outputfilter)
  File ".../Scrap/cloudmapper/cloudmapper/prepare.py", line 339, in prepare
    cytoscape_json = build_data_structure(account, config, outputfilter)
  File ".../cloudmapper/cloudmapper/prepare.py", line 300, in build_data_structure
    for c, reasons in get_connections(cidrs, vpc, outputfilter).iteritems():
  File ".../cloudmapper/cloudmapper/prepare.py", line 199, in get_connections
    add_connection(connections, source, target, sg)
  File ".../cloudmapper/cloudmapper/prepare.py", line 129, in add_connection
    reasons = connections.get(Connection(source, target), [])
TypeError: __eq__() takes exactly 3 arguments (2 given)

Provide a way to collapse named CIDR ranges

If I have a /30 as a named range in my config.json, but a security group references just a /32 in that range, it would be nice to have an option to have the connection terminate at the /30 rather than having a separate node for the /32.

Display large environments

What would be the recommended config or steps to display a very large environment?

I am not able to display what we have currently, using the built-in web server mentioned or another web server like IIS. Willing to use something else, just not sure what was suggested.

Filter only resources in one or several CloudFormation stacks (--stack-names option)

This is an awesome project. Bravo.
We have AWS accounts with many projects and a huge number of resources in each of them. The current filters do not allow ignoring 99% of the resources, so we get a crowd of resources mixed from different projects. The web server gets overloaded and very slow. It takes a couple of minutes to generate the web page in the browser and the result is not informative.
Is it possible to add a filter like "--stack-names" that will filter resources from only one/two/three... CloudFormation stacks? Stacks usually have 5-25 resources and the visualisation will be much better.
In this case we can start many web servers on different ports and see each project on its own port.
Thank you for your fantastic work.

Scanning all the resources within the account

This is an awesome project. I liked the way the visualization is organized and the details provided. I am looking forward to an enhancement which scans all the resources within AWS, including but not limited to API Gateways, Lambda, SES, SNS, SQS and so on.

Prepare data error KeyError: 'cidrs'

Hi, I just caught this error when I tried to prepare data; I'm running on macOS Sierra and Python 2.7.10.

python cloudmapper.py prepare --account Dev
Building data for account Dev (0000123456)
- 0 nodes built in region ap-south-1
- 0 nodes built in region eu-west-3
- 0 nodes built in region eu-west-2
- 0 nodes built in region eu-west-1
- 0 nodes built in region ap-northeast-2
- 0 nodes built in region ap-northeast-1
- 0 nodes built in region sa-east-1
- 0 nodes built in region ca-central-1
- 0 nodes built in region ap-southeast-1
- 0 nodes built in region ap-southeast-2
- 0 nodes built in region eu-central-1
- 90 nodes built in region us-east-1
- 0 nodes built in region us-east-2
- 0 nodes built in region us-west-1
- 0 nodes built in region us-west-2
Traceback (most recent call last):
  File "cloudmapper.py", line 121, in <module>
    main()
  File "cloudmapper.py", line 111, in main
    run_prepare(arguments)
  File "cloudmapper.py", line 90, in run_prepare
    prepare(account, config, outputfilter)
  File "/private/tmp/cloudmapper/cloudmapper/prepare.py", line 339, in prepare
    cytoscape_json = build_data_structure(account, config, outputfilter)
  File "/private/tmp/cloudmapper/cloudmapper/prepare.py", line 292, in build_data_structure
    for cidr in get_external_cidrs(account, config):
  File "/private/tmp/cloudmapper/cloudmapper/prepare.py", line 120, in get_external_cidrs
    external_cidrs.append(Cidr(cidr, get_cidr_name(cidr, config)))
  File "/private/tmp/cloudmapper/cloudmapper/prepare.py", line 125, in get_cidr_name
    return config["cidrs"].get(cidr, {}).get("name", None)
KeyError: 'cidrs'

Error on vanilla install of Ubuntu 16.04.4 LTS

error: [Errno 2] No such file or directory


Failed building wheel for pyjq
Running setup.py clean for pyjq
Failed to build pyjq
Installing collected packages: six, pyjq, netaddr, jmespath, docutils, python-dateutil, botocore, futures, s3transfer, boto3
Running setup.py install for pyjq ... error

Fixed by installing build-essential (sudo apt-get install build-essential)

Create a Filter "--Public-Connection" (0.0.0.0/0 + PublicIP)

How can I get just public instances? The web server keeps showing instances with no public connection when "--no-internal-edges" is used.

Another great filter to create is "--instance-name" in the "ghaterer.py" script. Sometimes we need specific information about one instance and its neighbors.

Thanks

missing JQ in requirements

I know it's pretty obvious it should be already installed but on my brand new install, it was missing :-)

Add version

In order to better resolve issues, I should have a --version flag to provide the version.

Collect data from Python

Instead of running collect_data.sh, have the ability to collect this data via an argument like python cloudmapper.py gather

Ubuntu 16.04 ImportError: No module named six.moves.urllib (and other packages)

On Ubuntu 16.04 Server, ran:

python cloudmapper.py prepare --config config.production.json --account production

The following error was returned:

Traceback (most recent call last):
  File "cloudmapper.py", line 32, in <module>
    from cloudmapper.webserver import run_webserver
  File "/home/juan/cloudmapper/cloudmapper/webserver.py", line 27, in <module>
    import six.moves.urllib as urllib
ImportError: No module named six.moves.urllib

Resolved by installing pip:

sudo apt install python-pip

Then installing six package:

pip install --user six

Similar issues with other package import errors:

ImportError: No module named pyjq
ImportError: No module named netaddr

Resolved with pip as well:

pip install --user pyjq
pip install --user netaddr

Restrict map based on tag key:value pair

I tried running this on one of my VPCs but... well, apparently I have way too much stuff (it reported over 1 million connections). I tried to re-run using tag grouping, which got it down to about 40k connections (which was still too many for it to render).

It would be great if I could run the collector against a specific key:value pair filter to reduce the data and connectivity map to a specific subset of resources.

Feature request: additional visible information, and cropping

Appending CidrBlocks, and not cropping long names, makes the diagram easier to read without having to drill into the details.

VPCs: add the CidrBlock value in parentheses ()

image

becomes dot1 (10.0.0.0/0)

Subnets: don't crop subnet names, and append CidrBlock in parentheses

image

becomes dot1_private_eu-west-1 (10.0.0.10/20)

VPC & Subnets

Add option to show tag (key:value) list down left-hand edge of container.

e.g.

--------------someVPC----
| tier: edge
| access: public
---------------------------

Improve layout

Regions and other compound nodes sometimes overlap on top of other structures and there are various other ways in which these look "bad".

For example minimizing regions for some reason often ends up causing one of the worst layouts, where things get spread very far apart vertically.

Some ideas for improvements:

  • The bad layouts are largely due to the graphs being too complex, which is due to too many nodes and edges. To resolve this, we could allow more filtering, and make that easier to do. Also compress nodes in the initial layout.
  • We are using a compound layout to allow nodes (ex. EC2's) to have parent nodes (ex. EC2's are in subnets, which are in AZ's, etc.). We could allow for non-compound layouts, which would allow us to use algorithms other than cose-bilkent, which may look better.
  • Improve cose-bilkent to score and hill climb. cose-bilkent works by randomly laying out the diagram and then applying spring and gravity forces over iterations to bring things to a state that matches those forces. This could be improved by making multiple layout attempts and choosing the "best" where a scoring algorithm would need to be created to decide on the "best" layout. This would need to do things like counting the number of over-lapping edges and nodes, and find the area of the layout (ex. to avoid the layout being too spread out). Ideally, this scoring would be incorporated into the forces that are applied to bring them toward better states. Additionally, I think the "final" states are sometimes local maxima and could benefit from some hill climbing techniques to "shake" the state a little on each iteration.

Create Python package

The end result would be the ability to run:

pip install cloudmapper
cloudmapper configure
cloudmapper gather
cloudmapper prepare
cloudmapper serve

The most difficult issue I see with creating a setup.py file is how I handle the web directory. Right now, when you run prepare it is hardcoded to write web/data.json then the web server code is hard-coded to read this data.json file.

I also need to:

  • Convert the collect_data.sh script into something runnable from python.
  • Add a configure command so you don't have to edit the config.json file.
  • Allow for default settings, such as setting an account to be the default account.

For the webserver files, see https://stackoverflow.com/questions/6028000/how-to-read-a-static-file-from-inside-a-python-package/20885799#20885799

Support Python3

With only 2 years left for Python 2.7, and with many upstream modules dropping new-feature support for 2.7 soon, this should support Python 3.5+.

There is no contributor guide, but I will volunteer for this task if you can provide some style guidelines.

Set default account

Instead of constantly specifying --account prod be able to just define a default account.

Account named _______ not found.

This tool works perfectly up until the "prepare" phase, when I get the following error:

$ python cloudmapper.py prepare --account production
Traceback (most recent call last):
  File "cloudmapper.py", line 146, in <module>
    main()
  File "cloudmapper.py", line 134, in main
    run_prepare(arguments)
  File "cloudmapper.py", line 109, in run_prepare
    account = get_account(args.account_name, config)
  File "cloudmapper.py", line 41, in get_account
    raise Exception("Account named \"{}\" not found".format(account_name))
Exception: Account named "production" not found

I used the same account name in the previous step without issue.

VPC peering not handled correctly (unverified)

I have configured my config.json to contain all my CIDRs yet the diagram shows my data-vpc as being disconnected from the other 2 VPCs despite there being peering connections and route tables to ensure connectivity between all 3 VPCs.

Am I missing something here?

image
