Need a quick way to visualize your current aws/amazon ec2 security group configuration? aws-security-viz does just that based on the EC2 security group ingress configuration.
$ gem install aws_security_viz
$ aws_security_viz --help
brew install graphviz
To generate the graph directly using AWS keys
$ aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg --color=true
To generate the graph using an existing security_groups.json (created using aws-cli)
$ aws_security_viz -o data/security_groups.json -f viz.svg --color
To generate a web view
$ aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer navigator
ruby -run -e httpd -- -p 3000
If you don't want to install the dependencies and ruby libs you can execute aws-security-viz inside a docker container. To do so, follow these steps:
docker build -t sec-viz .
3.a With aws-vault (Recommended):
aws-vault exec tldev -- docker run -i -e AWS_REGION -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_SECURITY_TOKEN --rm -t -p 3000:3000 -v (pwd)/aws-viz:/aws-security-viz --name sec-viz sec-viz /usr/local/bundle/bin/aws_security_viz --renderer navigator --serve 3000
.
You can open it with your local browser at http://localhost:3000/navigator.html#aws-security-viz.png
.
3.b With AWS credentials passed as parameters:
docker run -i --rm -t -p 3000:3000 -v (pwd)/aws-viz:/aws-security-viz --name sec-viz sec-viz /usr/local/bundle/bin/aws_security_viz -a REPLACE_AWS_ACCESS_KEY_ID -s REPLACE_SECRET --renderer navigator --serve 3000
.
You can open it with your local browser at http://localhost:3000/navigator.html#aws-security-viz.png
.
Parameters passed to the docker command:
-v $(pwd)/aws-viz:aws-security-viz
local directory where output will be generated.-i
interactive shell--rm
remove the container after usage-t
attach this terminal to it-p 3000:3000
we expose port 3000 for the HTTP server-name sec-viz
the container will have the same name as the image we will startYou can also use other parameters as specified in usage
$ aws_security_viz --help
Options:
-a, --access-key=<s> AWS access key
-s, --secret-key=<s> AWS secret key
-e, --session-token=<s> AWS session token
-r, --region=<s> AWS region to query (default: us-east-1)
-v, --vpc-id=<s> AWS VPC id to show
-o, --source-file=<s> JSON source file containing security groups
-f, --filename=<s> Output file name (default: aws-security-viz.png)
-c, --config=<s> Config file (opts.yml) (default: opts.yml)
-l, --color Colored node edges
-u, --source-filter=<s> Source filter
-t, --target-filter=<s> Target filter
--serve=<i> Serve a HTTP server at specified port
-h, --help Show this message
aws-security-viz only uses the ec2:DescribeSecurityGroups
api so a minimal IAM policy which grants only ec2:DescribeSecurityGroups
access should be enough.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeSecurityGroups",
"Resource": "*"
}
]
}
Alternatively you can use aws-vault and run it using short lived temporary credentials.
$ aws-vault exec <profile> -- aws_security_viz -f aws.json --renderer navigator
You can generate a configuration file using the following command:
$ aws_security_viz setup [-c opts.yml]
The opts.yml file lets you define the following options:
To generate the graph with debug statements, execute the following command
$ DEBUG=true aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg
If it doesn't indicate the problem, please share the generated json file with me @ whynospam-awsviz@yahoo.co.in
You can send me an obfuscated version using the following command:
$ DEBUG=true OBFUSCATE=true aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg
Execute the following command to generate the json. You will need aws-cli to execute the command
aws ec2 describe-security-groups
Via navigator renderer aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer navigator
Via json renderer aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer json
aws-security-viz.png
image for us-west-1
region $ aws_security_viz --region us-west-1 -f aws-security-viz.png
us-west-1
with target filter as sec-group-1
. This will display all routes through which we can arrive at sec-group-1
$ aws_security_viz --region us-west-1 --target-filter=sec-group-1
us-west-1
restricted to vpc-id vpc-12345
$ aws_security_viz --region us-west-1 --vpc-id=vpc-12345
us-west-1
restricted to vpc-id vpc-12345
$ aws_security_viz --region us-west-1 --vpc-id=vpc-12345
$ aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer navigator --serve 3000
The browser link to the view is printed on the CLI
AWS Security Workshops Workshop Themes Here you'll find a collection of security workshops and other hands-on content that will guide you through prepared scenarios that represent common use cases and
AWS EC2-VPC Security Group Terraform module Terraform module which creates EC2 security group within VPC on AWS. Features This module aims to implement ALL combinations of arguments supported by AWS a
我正在处理一个在现有环境中工作得很好的现有代码。该应用程序有一个登录表单,将用户带到登陆页面后,他们登录。 应用程序在单节点环境中运行良好,例如用户登录时的日志跟踪: 1:[http-bio-8080-exec-1 DEBUG defaultreDirectStrategy-sendredirect-重定向到'/myapp/secure/landing.html' 2:[http-bio-8080
security security_overview In release 0.9.0.0, the Kafka community added a number of features that, used either separately or together, increases security in a Kafka cluster. These features are consid
The security model of WebAssembly has two important goals: (1) protect users from buggy or malicious modules, and (2) provide developers with useful primitives and mitigations for developing safe appl
HTTP用于通过Internet进行通信,因此应用程序开发人员,信息提供者和用户应该了解HTTP/1.1中的安全限制。 此讨论不包括此处提到的问题的最终解决方案,但它确实提出了一些降低安全风险的建议。 个人信息泄漏 HTTP客户端通常知道大量的个人信息,例如用户的姓名,位置,邮件地址,密码,加密密钥等。因此,您应该非常小心地防止通过HTTP协议将此信息无意泄漏到其他来源。 所有机密信息都应以加密形