{"id":13445070,"url":"https://github.com/duo-labs/cloudmapper","last_synced_at":"2025-05-14T03:09:49.692Z","repository":{"id":37933574,"uuid":"118159195","full_name":"duo-labs/cloudmapper","owner":"duo-labs","description":" CloudMapper helps you analyze your Amazon Web Services (AWS) environments.","archived":false,"fork":false,"pushed_at":"2024-07-15T08:42:49.000Z","size":10950,"stargazers_count":6113,"open_issues_count":211,"forks_count":827,"subscribers_count":130,"default_branch":"main","last_synced_at":"2025-04-09T02:13:13.906Z","etag":null,"topics":["aws","cytoscape","diagram","security"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/duo-labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":"audit_config.yaml","citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-01-19T17:55:17.000Z","updated_at":"2025-04-09T01:53:18.000Z","dependencies_parsed_at":"2024-12-24T03:06:19.535Z","dependency_job_id":"d101b4ba-3c81-453b-88c1-898331b98db0","html_url":"https://github.com/duo-labs/cloudmapper","commit_stats":{"total_commits":639,"total_committers":99,"mean_commits":6.454545454545454,"dds":"0.37871674491392804","last_synced_commit":"ec8fbf201b8b43e66720cd3ee9079a801e49c61c"},"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duo-labs%2Fcloudmapper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duo-labs%2Fcloudmapper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duo-labs%2Fcloudmapper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/duo-labs%2Fcloudmapper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/duo-labs","download_url":"https://codeload.github.com/duo-labs/cloudmapper/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254059510,"owners_count":22007769,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cytoscape","diagram","security"],"created_at":"2024-07-31T04:00:53.286Z","updated_at":"2025-05-14T03:09:49.637Z","avatar_url":"https://github.com/duo-labs.png","language":"JavaScript","readme":"CloudMapper\n========\n\n**Note** the Network Visualization functionality (command `prepare`) is no longer maintained.\n\nCloudMapper helps you analyze your Amazon Web Services (AWS) environments. \nThe original purpose was to generate network diagrams and display them in your browser (functionality no longer maintained). \nIt now contains much more functionality, including auditing for security issues.\n\n- [Network mapping demo](https://duo-labs.github.io/cloudmapper/)\n- [Report demo](https://duo-labs.github.io/cloudmapper/account-data/report.html)\n- [Intro post](https://duo.com/blog/introducing-cloudmapper-an-aws-visualization-tool)\n- [Post to show spotting misconfigurations in networks](https://duo.com/blog/spotting-misconfigurations-with-cloudmapper)\n- [Post on performing continuous auditing](https://duo.com/blog/continuous-auditing-with-cloudmapper)\n\n# Commands\n\n- `audit`: Check for potential misconfigurations.\n- `collect`: Collect metadata about an account. More details [here](https://summitroute.com/blog/2018/06/05/cloudmapper_collect/).\n- `find_admins`: Look at IAM policies to identify admin users and roles, or principals with specific privileges. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_find_admins/).\n- `find_unused`: Look for unused resources in the account.  Finds unused Security Groups, Elastic IPs, network interfaces, volumes and elastic load balancers.\n- `prepare`/`webserver`: See [Network Visualizations](docs/network_visualizations.md)\n- `public`: Find public hosts and port ranges. More details [here](https://summitroute.com/blog/2018/06/13/cloudmapper_public/).\n- `sg_ips`: Get geoip info on CIDRs trusted in Security Groups. More details [here](https://summitroute.com/blog/2018/06/12/cloudmapper_sg_ips/).\n- `stats`: Show counts of resources for accounts. More details [here](https://summitroute.com/blog/2018/06/06/cloudmapper_stats/).\n- `weboftrust`: Show Web Of Trust. More details [here](https://summitroute.com/blog/2018/06/13/cloudmapper_wot/).\n- `report`: Generate HTML report. Includes summary of the accounts and audit findings. More details [here](https://summitroute.com/blog/2019/03/04/cloudmapper_report_generation/).\n- `iam_report`: Generate HTML report for the IAM information of an account. More details [here](https://summitroute.com/blog/2019/03/11/cloudmapper_iam_report_command/).\n\n\nIf you want to add your own private commands, you can create a `private_commands` directory and add them there.\n\n# Screenshots\n\n\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/ideal_layout.png\" width=100% alt=\"Ideal layout\"\u003e\n\u003ctable border=0\u003e\n\u003ctr\u003e\u003ctd\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/report_resources.png\" alt=\"Report screenshot\"\u003e\n\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/report_findings_summary.png\" alt=\"Findings summary\"\u003e\n\u003ctr\u003e\u003ctd\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/report_findings.png\" alt=\"Findings\"\u003e\n\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/iam_report-inactive_and_detail.png\" alt=\"IAM report\"\u003e\n\u003ctr\u003e\u003ctd\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/command_line_audit.png\" alt=\"Command-line audit\"\u003e\n\u003ctd\u003e\u003cimg src=\"https://raw.githubusercontent.com/duo-labs/cloudmapper/main/docs/images/command_line_public.png\" alt=\"Command-line public command\"\u003e\n\u003c/table\u003e\n\n\n## Installation\n\nRequirements:\n- python 3 (3.7.0rc1 is known to work), `pip`, and `virtualenv`\n- You will also need `jq` (https://stedolan.github.io/jq/) and the library `pyjq` (https://github.com/doloopwhile/pyjq), which require some additional tools installed that will be shown.\n\nOn macOS:\n\n```\n# clone the repo\ngit clone https://github.com/duo-labs/cloudmapper.git\n# Install pre-reqs for pyjq\nbrew install autoconf automake awscli freetype jq libtool python3\ncd cloudmapper/\npython3 -m venv ./venv \u0026\u0026 source venv/bin/activate\npip install --prefer-binary -r requirements.txt\n```\n\nOn Linux:\n```\n# clone the repo\ngit clone https://github.com/duo-labs/cloudmapper.git\n# (AWS Linux, Centos, Fedora, RedHat etc.):\n# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli\n# (Debian, Ubuntu etc.):\n# You may additionally need \"build-essential\"\nsudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli\ncd cloudmapper/\npython3 -m venv ./venv \u0026\u0026 source venv/bin/activate\npip install -r requirements.txt\n```\n\n\n## Run with demo data\n\nA small set of demo data is provided.  This will display the same environment as the demo site https://duo-labs.github.io/cloudmapper/ \n\n```\n# Generate the data for the network map\npython cloudmapper.py prepare --config config.json.demo --account demo\n# Generate a report\npython cloudmapper.py report --config config.json.demo --account demo\npython cloudmapper.py webserver\n```\n\nThis will run a local webserver at http://127.0.0.1:8000/\nView the network map from that link, or view the report at http://127.0.0.1:8000/account-data/report.html\n\n\n# Setup\n\n1. Configure information about your account.\n2. Collect information about an AWS account.\n\n## 1. Configure your account\n\nCopy the `config.json.demo` to `config.json` and edit it to include your account ID and name (ex. \"prod\"), along with any external CIDR names. A CIDR is an IP range such as `1.2.3.4/32` which means only the IP `1.2.3.4`.\n\n## 2. Collect data about the account\n\nThis step uses the CLI to make `describe` and `list` calls and records the json in the folder specified by the account name under `account-data`.\n\n### AWS Privileges required\nYou must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect.  I recommend using [aws-vault](https://github.com/99designs/aws-vault).  CloudMapper will collect IAM information, which means you MUST use MFA.  Only the `collect` step requires AWS access.\n\nYou must have the following privileges (these grant various read access of metadata):\n\n- `arn:aws:iam::aws:policy/SecurityAudit`\n- `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess`\n\n\n### Collect the data\n\nCollecting the data is done as follows:\n\n```\npython cloudmapper.py collect --account my_account\n```\n\n## Analyze the data\nFrom here, try running the different commands, such as:\n\n```\npython cloudmapper.py report --account my_account\npython cloudmapper.py webserver\n```\n\nThen view the report in your browser at 127.0.0.1:8000/account-data/report.html\n\n\n\n## Further configuration\n\n### Generating a config file\nInstead of modifying `config.json` directly, there is a command to configure the data there, in case that is needed:\n\n```\npython cloudmapper.py configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]\npython cloudmapper.py configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME\n```\n\nThis will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.\n\nIf you use [AWS Organizations](https://aws.amazon.com/organizations/), you can also automatically add organization member accounts to `config.json` using:\n\n```\npython cloudmapper.py configure discover-organization-accounts\n```\n\nYou need to be authenticated to the AWS CLI and have the permission `organization:ListAccounts` prior to running this command.\n\n\n### Using audit config overrides\nYou may find that you don't care about some of audit items. You may want to ignore the check entirely, or just specific resources.  Copy `config/audit_config_override.yaml.example` to `config/audit_config_override.yaml` and edit the file based on the comments in there.\n\n\n# Using a Docker container\nThe docker container that is created is meant to be used interactively. \n\n```\ndocker build -t cloudmapper .\n```\n\nCloudmapper needs to make IAM calls and cannot use session credentials for collection, so you cannot use the aws-vault server if you want to collect data, and must pass role credentials in directly or configure aws credentials manually inside the container. *The following code exposes your raw credentials inside the container.* \n\n```\n(                                                              \n    export $(aws-vault exec YOUR_PROFILE --no-session -- env | grep ^AWS | xargs) \u0026\u0026 \\ \n    docker run -ti \\\n        -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \\\n        -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \\\n        -p 8000:8000 \\\n        cloudmapper /bin/bash\n)\n```\n\nThis will drop you into the container. Run `aws sts get-caller-identity` to confirm this was setup correctly. Cloudmapper demo data is not copied into the docker container so you will need to collect live data from your system. Note docker defaults may limit the memory available to your container. For example on Mac OS the default is 2GB which may not be enough to generate the report on a medium sized account.\n\n```\npython cloudmapper.py configure add-account --config-file config.json --name YOUR_ACCOUNT --id YOUR_ACCOUNT_NUMBER\npython cloudmapper.py collect --account YOUR_ACCOUNT\npython cloudmapper.py report --account YOUR_ACCOUNT\npython cloudmapper.py prepare --account YOUR_ACCOUNT\npython cloudmapper.py webserver --public\n```\n\nYou should then be able to view the report by visiting http://127.0.0.1:8000/account-data/report.html\n\n# Running CloudMapper regularly to audit your environment\nA CDK app for deploying CloudMapper via Fargate so that it runs nightly, sends audit findings as alerts to a Slack channel, and generating a report that is saved on S3, is described [here](auditor/README.md).\n\n\n# Alternatives\nFor network diagrams, you may want to try https://github.com/lyft/cartography or https://github.com/anaynayak/aws-security-viz\n\nFor auditing and other AWS security tools see https://github.com/toniblyx/my-arsenal-of-aws-security-tools\n\nLicenses\n--------\n- cytoscape.js: MIT\n  https://github.com/cytoscape/cytoscape.js/blob/master/LICENSE\n- cytoscape.js-qtip: MIT\n  https://github.com/cytoscape/cytoscape.js-qtip/blob/master/LICENSE\n- cytoscape.js-grid-guide: MIT\n  https://github.com/iVis-at-Bilkent/cytoscape.js-grid-guide\n- cytoscape.js-panzoom: MIT\n  https://github.com/cytoscape/cytoscape.js-panzoom/blob/master/LICENSE\n- jquery: JS Foundation\n  https://github.com/jquery/jquery/blob/master/LICENSE.txt\n- jquery.qtip: MIT\n  https://github.com/qTip2/qTip2/blob/master/LICENSE\n- cytoscape-navigator: MIT\n  https://github.com/cytoscape/cytoscape.js-navigator/blob/c249bd1551c8948613573b470b30a471def401c5/bower.json#L24\n- cytoscape.js-autopan-on-drag: MIT\n  https://github.com/iVis-at-Bilkent/cytoscape.js-autopan-on-drag\n- font-awesome: MIT\n  http://fontawesome.io/\n- FileSave.js: MIT\n  https://github.com/eligrey/FileSaver.js/blob/master/LICENSE.md\n- circular-json: MIT\n  https://github.com/WebReflection/circular-json/blob/master/LICENSE.txt\n- rstacruz/nprogress: MIT\n  https://github.com/rstacruz/nprogress/blob/master/License.md\n- mousetrap: Apache\n  https://github.com/ccampbell/mousetrap/blob/master/LICENSE\n- akkordion MIT\n  https://github.com/TrySound/akkordion/blob/master/LICENSE\n","funding_links":[],"categories":["Verifiers","Tools of Trade","JavaScript","AWS","Projects","Infrastructure","Security Audit and Mapping Tools","Other Awesome Lists","Cloud Resources Inventory","Cloud asset inventory","\u003ca id=\"c71ad1932bbf9c908af83917fe1fd5da\"\u003e\u003c/a\u003eAWS","0x02 工具 :hammer_and_wrench:","aws","Cloud","Mobile","Attack Path Analysis"],"sub_categories":["Automated Security Assessment","Visual Resource Graphing","Threat modelling","\u003ca id=\"0476f6b97e87176da0a0d7328f8747e7\"\u003e\u003c/a\u003eblog","1 云服务工具","AWS"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduo-labs%2Fcloudmapper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fduo-labs%2Fcloudmapper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fduo-labs%2Fcloudmapper/lists"}