How to visualize your aws security
Security is paramount in any IT infrastructure, and is even more critical where the public cloud is concerned.
As the transition from private servers and data centres to cloud solutions gains momentum, the complexity of cloud infrastructure continues to intensify. Typically hosting multiple applications, distributed over different availability zones most cloud configurations present a number of security challenges.
A good security team is a key requirement to any DevOps or engineering organisation and they generally have their work cut out, especially if you have multiple teams working on disparate projects that are continually pushing changes live and altering the configurations of your production environments.
Trolling through configurations and console settings to establish all your security groups, then determining what resources belong to the group is a major undertaking.
Then you have to establish how traffic flows through your network. What ports are open, what are the ingress & egress points and IP addresses.
It doesn’t take much to open up a vulnerability by mistake, like opening up a port for team members to access or test something temporarily, then forgetting to close it again. The vulnerability will sit there, un-noticed, waiting to be exploited.
When we built Hava for use in our cloud consulting practice, not only were we looking for an easier way to document new client infrastructure with the AWS diagram generator, we were also looking for a much easier way to visualize network traffic from a security perspective without having to spend days or sometimes weeks lost in console settings manually building a picture of what was going on.
The security view in hava.io lays out the security groups in an easy to understand visualized diagram with the open ports overlaid so you can see where traffic enters and routes to once in the network.
As with all Hava diagrams, the security view is fully interactive.
Selecting a security group on the diagram will display the attributes for that group in the Attributes pane to the right of the diagram.
There you can see the Security Group name, Ingress & Egress ports and all the Connected resources.
All the resources in any security group are documented including:
- Lambda Functions
- Autoscaling Groups
- Elastic Load Balancers
- EC2 Instances
- Network Interfaces
- RDS Instances
- Launch Configurations
- etc etc
You can select any resource on the attribute list and view more details about that resource. So everything is in one spot for your security team to do their work assessing whether the config meets your security policies or not.
Complex environments are also visualized without a problem, so you can take a take a helicopter view of the whole network, then zoom in to individual security groups to see the port details and connections if something doesn’t look right.
The ingress and egress TCP ports are detailed on the diagram as well as in the Attribute pane, so you have all the critical traffic data to secure your network.
If you want to see your AWS cloud security visualized, you can grab a Hava Pro or Business Free Trial any time you like, connect your AWS account and see for yourself how powerful the security view is in Hava. You will be surprised how much time your security team will save getting to grips with your infrastructure security.
Of course, once you’re connected you can also take advantage of the beautifully crafted infrastructure diagrams that logically lay out your VPC’s by availability zones and subnets, which allow you to easily spot unused or misconfigured resources needlessly costing you money every month.
You will also have Hava polling your config continuously, automatically updating your diagrams and making fully interactive archive copies of your old configurations for future comparison, just in case you need to track down a problematic config change or establish why your cloud spend jumped unexpectedly.
You can grab a free trial here any time you like: https://www.hava.io
Originally published at https://www.hava.io.
