
Releases: duo-labs/cloudmapper

2.10.0

04 Nov 19:36
04bd2bf

The main improvement is to update the packages and hopefully fix some of the package issues on install. As a result of updating botocore, CloudMapper now recognizes that ap-northeast-3 is a valid region to collect from.

Since the last release, some of the biggest changes are:

Lots of smaller bug fixes and improvements by a number of folks.

2.9.1

19 Jun 22:54
399bb87

Major features:

Bug fixes and other:

  • #723 Fixes a bug where node data was not being included in the network visualization
  • Fixes a bug introduced this morning where pip wouldn't work.
  • #721 Vendors added: Lucidchart, Emnify, Tenable, Stitch

2.9.0

19 Jun 16:55
b3908b1

Major changes:

  • #696 Switch from using pipenv to pip with requirements.txt by me
  • #704 Add missing dependencies from that switch by @jaywon
  • #669 Bug fix for identifying resources that are open on all ports. I wasn't finding those previously. That is a bad bug. Fixed by me.
  • #698 Region filter added by @tgrushka so if you have an SCP restricting you to certain regions (or if you just don't want to waste time collecting from all regions), it'll only collect from the ones you specify.

Other changes

2.8.2

15 Dec 15:35
7e0baa5

Upgrades the CDK to avoid AWS warnings about using an old Lambda runtime, which was being used by the CDK helper functions.

Upgrades Parliament.

2.8.1

27 Nov 04:08
5d3653d

Adds the access_check command, a proof-of-concept feature that I don't have time to work much more on right now. The concept is that, given a resource (such as an S3 bucket), it identifies all of the IAM users and roles that have access to that resource. The resource ARN can contain wildcards. It takes both the IAM policies and the permissions boundaries of the principals into consideration. It does not consider resource policies or SCPs. You can further scope this to a specific IAM privilege. It also takes the principal tags into consideration when evaluating IAM conditions.

This ends up not doing exactly the type of thing you might want, because if you specify an S3 bucket, it identifies only those privileges that act on S3 buckets, not on S3 objects. Further, if you specify an EC2 instance, it doesn't consider the Security Groups, VPCs, etc. that are also very relevant to the question of who can impact that instance.

The handling of IAM conditions is also fairly incomplete, especially because it doesn't consider resource tags or any resource-specific condition variables.
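To make the evaluation order concrete, here is an added example of the resource-centric check described above. It is not CloudMapper's access_check code; it is a small evaluator written for this page that applies the same rules the notes list: identity policies with explicit Deny winning over Allow, a permissions boundary that must also allow the call, and StringEquals conditions on aws:PrincipalTag. Resource policies and SCPs are ignored, as the notes say. Every principal, tag, policy document and ARN in it is constructed, and the way a wildcarded query ARN is matched against policy resources (either side may match the other as a glob) is an assumption of the example, not IAM's exact semantics.

```python
"""Added example, not CloudMapper's own access_check code: a minimal
resource-centric IAM evaluation in the spirit of the access_check command.

Given a resource ARN (wildcards allowed) and a privilege, it lists the IAM
principals whose identity policies grant that call, honouring:
  * explicit Deny over Allow,
  * permissions boundaries (effective = identity Allow AND boundary Allow),
  * aws:PrincipalTag/<key> conditions under StringEquals.
Resource policies and SCPs are ignored, as the release notes say access_check
does. All principals, tags and policy documents below are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Statement, Action, Resource and condition values be a single
    string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may contain * and ?."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource_arn):
    """Assumption: because the *query* ARN may itself carry wildcards, treat
    the two as overlapping if either side matches the other as a glob."""
    return fnmatchcase(resource_arn, pattern) or fnmatchcase(pattern, resource_arn)


def _statement_applies(stmt, action, resource_arn, principal_tags):
    """True when Action, Resource and Condition all match the requested call.
    Only StringEquals on aws:PrincipalTag/<key> is understood; any other
    condition is assumed not to match (a conservative choice for Allow)."""
    if not any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_resource_matches(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            if not key.lower().startswith("aws:principaltag/"):
                return False
            tag = key.split("/", 1)[1]
            if principal_tags.get(tag) not in _as_list(wanted):
                return False
    return True


def _decision(policy_docs, action, resource_arn, principal_tags):
    """'deny', 'allow' or 'implicit_deny' across a set of policy documents;
    an explicit Deny anywhere wins, as in IAM."""
    decision = "implicit_deny"
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if _statement_applies(stmt, action, resource_arn, principal_tags):
                if stmt.get("Effect") == "Deny":
                    return "deny"
                decision = "allow"
    return decision


def principals_with_access(principals, resource_arn, privilege):
    """Names of the principals that may call `privilege` on `resource_arn`.

    Each principal is a dict: name, policies (list of identity policy docs),
    optional boundary (one policy doc) and optional tags (dict)."""
    allowed = []
    for p in principals:
        tags = p.get("tags", {})
        if _decision(p["policies"], privilege, resource_arn, tags) != "allow":
            continue
        boundary = p.get("boundary")
        if boundary and _decision([boundary], privilege, resource_arn, tags) != "allow":
            continue  # identity policy allows, but the boundary does not
        allowed.append(p["name"])
    return allowed


# Constructed sample data (not real account contents).
ADMIN = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
S3_READ = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetBucket*", "s3:ListBucket"],
                          "Resource": "arn:aws:s3:::corp-*"}]}
TEAM_TAGGED = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                              "Resource": "arn:aws:s3:::corp-data",
                              "Condition": {"StringEquals": {"aws:PrincipalTag/team": "data"}}}]}
DENY_S3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
EC2_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

SAMPLE_PRINCIPALS = [
    {"name": "user/alice", "policies": [ADMIN]},
    {"name": "user/bob", "policies": [S3_READ]},
    {"name": "role/boxed-admin", "policies": [ADMIN], "boundary": EC2_ONLY_BOUNDARY},
    {"name": "role/data-team", "policies": [TEAM_TAGGED], "tags": {"team": "data"}},
    {"name": "role/web-team", "policies": [TEAM_TAGGED], "tags": {"team": "web"}},
    {"name": "user/carol", "policies": [ADMIN, DENY_S3]},
]

if __name__ == "__main__":
    print(principals_with_access(SAMPLE_PRINCIPALS, "arn:aws:s3:::corp-*", "s3:ListBucket"))
```

Running it lists alice (admin), bob (wildcard resource matches) and role/data-team (tag condition satisfied), while role/boxed-admin is dropped by its EC2-only boundary, role/web-team by the tag condition and carol by the explicit Deny. Note what the example shares with the limitation described above: it answers "who can call s3:ListBucket on this bucket", not "who can read its objects", because the object ARN (arn:aws:s3:::corp-data/*) is a different resource.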

2.8.0

18 Nov 21:17
c84742e

Adds parliament (https://github.com/duo-labs/parliament) for linting.

Also minor updates for the following:

  • Thanks to @nimrodkor for adding Cloudyn to the vendors shown in the weboftrust
  • Thanks to @DanielRDias for corrections to the README
  • Updated the CDK to a more recent version for the nightly auditor (I had hoped this would fix the CDK helper functions that use a soon to be EOL'd run-time, but the CDK hasn't fixed that yet. Hopefully they'll fix it soon and I'll update this project then).

2.7.2

07 Oct 18:23
ec78ffe

Minor version bump to fix an issue that showed essentially the same finding twice: when an EC2 role had admin privileges, it was also being listed as an S3 exfiller. Also whitelisted Macie to avoid it being listed as an S3 exfiller.

2.7.1

04 Oct 22:41
bf3c3bc

When an admin is identified that can be assumed by a service, such as EC2, this is now its own finding (High severity).
Similarly, if a principal can list the S3 buckets in the account and exfil data from them, and this is an EC2 role, this is now its own finding (High severity). This could create high severity alerts more often than I think it should.
It is checking for s3:ListAllMyBuckets and s3:GetObject. Please let me know if it does flag things you have legit reasons for and what the situation is where this is ok.
There is also now an ability to filter findings by severity, so if you only wanted to send High severity alerts to Slack, but still have your nightly auditor generate a report with any Medium, Low, or Info level alerts, you can do that now.
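The following is an added example, not CloudMapper's own audit code, that puts the 2.7.1 and 2.7.2 changes together: the EC2-assumable admin finding, the EC2 S3-exfiller finding based on s3:ListAllMyBuckets plus s3:GetObject, the 2.7.2 rule that an admin is not reported a second time as an exfiller, a whitelist for the Macie role, and a minimum-severity filter of the kind you would apply before sending alerts to Slack. The role data, the finding identifiers, the three-action admin probe, the "*Macie*" name pattern and the Medium severity given to non-EC2 exfil-capable roles are all assumptions made for this example.

```python
"""Added example, not CloudMapper's own audit code: the two High-severity
EC2 findings introduced in 2.7.1, the 2.7.2 de-duplication (an EC2-assumable
admin is not also reported as an S3 exfiller) and Macie whitelist, and a
minimum-severity filter of the kind used to decide what goes to Slack.

Role data, finding identifiers, the admin probe and the whitelist pattern are
all constructed for this example.
"""
from fnmatch import fnmatchcase

SEVERITY_ORDER = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
EC2_SERVICE = "ec2.amazonaws.com"
# Assumption: a role is treated as admin if its policies allow all of these
# (a real auditor uses a much broader definition).
ADMIN_PROBE = ("iam:PassRole", "iam:AttachRolePolicy", "iam:CreateAccessKey")
# Assumption: roles whose name matches one of these globs are never reported
# as S3 exfillers (the Macie service role needs S3 read access by design).
EXFIL_WHITELIST = ("*Macie*",)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(role, action):
    """True if an Allow statement in any attached policy matches `action`
    (on any resource) and no Deny statement matches it."""
    allowed = False
    for doc in role["policies"]:
        for stmt in _as_list(doc.get("Statement", [])):
            if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", []))):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = True
    return allowed


def trusted_services(role):
    """Service principals that the trust policy lets call sts:AssumeRole."""
    services = set()
    for stmt in _as_list(role["trust_policy"].get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services


def is_admin(role):
    return all(_allows(role, a) for a in ADMIN_PROBE)


def can_exfil_s3(role):
    """The 2.7.1 check: enumerate every bucket in the account and read objects."""
    return _allows(role, "s3:ListAllMyBuckets") and _allows(role, "s3:GetObject")


def audit_roles(roles):
    findings = []
    for role in roles:
        ec2_assumable = EC2_SERVICE in trusted_services(role)
        if ec2_assumable and is_admin(role):
            findings.append({"id": "EC2_ASSUMABLE_ADMIN", "severity": "High", "role": role["name"]})
            continue  # 2.7.2: admin already implies exfil; do not report it twice
        if any(fnmatchcase(role["name"], pat) for pat in EXFIL_WHITELIST):
            continue  # 2.7.2: Macie whitelist
        if can_exfil_s3(role):
            # Assumption: exfil-capable roles not assumable by EC2 get a Medium finding.
            findings.append({
                "id": "EC2_S3_EXFILLER" if ec2_assumable else "S3_EXFILLER",
                "severity": "High" if ec2_assumable else "Medium",
                "role": role["name"],
            })
    return findings


def filter_findings(findings, minimum):
    """Keep findings at or above `minimum` severity (e.g. 'High' for Slack)."""
    floor = SEVERITY_ORDER[minimum]
    return [f for f in findings if SEVERITY_ORDER[f["severity"]] >= floor]


def _trust(service=None, account=None):
    principal = {"Service": service} if service else {"AWS": account}
    return {"Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


# Constructed sample roles (not from a real account).
SAMPLE_ROLES = [
    {"name": "ec2-admin", "trust_policy": _trust(service=EC2_SERVICE),
     "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"name": "ec2-backup", "trust_policy": _trust(service=EC2_SERVICE),
     "policies": [{"Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"}]}]},
    {"name": "ec2-web", "trust_policy": _trust(service=EC2_SERVICE),
     "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::assets/*"}]}]},
    {"name": "AWSMacieServiceRole", "trust_policy": _trust(service="macie.amazonaws.com"),
     "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]},
    {"name": "analyst", "trust_policy": _trust(account="arn:aws:iam::123456789012:root"),
     "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]},
]

if __name__ == "__main__":
    for finding in filter_findings(audit_roles(SAMPLE_ROLES), "High"):
        print(finding)
```

With the sample roles, audit_roles produces one High finding for ec2-admin (admin only, no duplicate exfiller entry), one High for ec2-backup, nothing for ec2-web (it can read one bucket but cannot enumerate buckets), nothing for the Macie role, and a Medium for the analyst role; filtering at "High" leaves the two EC2 findings, which is the split the 2.7.1 notes describe between what goes to Slack and what stays in the nightly report.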

2.7.0

30 Sep 22:39
10be349

Ability to run as a nightly auditor added in #562.
Blog post: https://duo.com/blog/continuous-auditing-with-cloudmapper
Description of how to use at https://github.com/duo-labs/cloudmapper/blob/master/auditor/README.md

2.6.6

26 Sep 19:47
15e7246

New features

  • Ability to have custom auditors and use code to mute/filter audit findings (#559)
  • @DanielRDias added the ability to find unused ELBs to find_unused (#558)
  • More descriptive audit findings to get the name of the EC2 instance and associated tags for the EC2_OLD and EC2_SOURCE_DEST_CHECK_OFF findings (#555)
  • Audit report now includes a table of contents at the top with the headers linked (#554)
  • Vendor list now includes Rapid7 (thanks to @nimrodkor in #551) and ThreatStack (thanks to @koenrh in #548)

Bug fixes

  • @divergentdave fixed exceptions from sg_ips command (#530)
  • No longer creates finding of unexpected action when sts:AssumeRoleWithWebIdentity is seen (#553)
  • Identifies the default region to hopefully work better with GovCloud or AWS China (#515)