Last time I remembered about a tool that allows you to create a big map of current resources present in your AWS account, and based on it make a report of potential vulnerabilities, threats, unused resources and much more. I can thank a colleague at work for finding it - such explorers are a real treasure!
The duolabs/cloudmapper repository is responsible for scanning and mapping resources on the current user account. It is a great tool to see our mistakes when releasing the environment or purging the client account of unused, often manually created resources. Using the program is best done with building and using a docker image.
git clone https://github.com/duo-labs/cloudmapper.git
docker build -t cloudmapper .
AWS_PROFILE=default
docker run -it \
-e AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile ${AWS_PROFILE}) \
-e AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile ${AWS_PROFILE}) \
-p 8000:8000 \
cloudmapper /bin/bashThen run this command inside docker shell aws sts get-caller-identity to get data about your running account.
{
"UserId": "JNSNATUSNPWEBAA8HNAPE",
"Account": "830572105813",
"Arn": "arn:aws:iam::830572105813:user/project-env"
}After confirming right data, pass your UserId into YOUR_ACCOUNT_NUMBER field in first command below
(check also additional report commands for unused resources or IAM data)
python cloudmapper.py configure add-account --config-file config.json --name YOUR_ACCOUNT --id YOUR_ACCOUNT_NUMBER
python cloudmapper.py collect --account YOUR_ACCOUNT
python cloudmapper.py report --account YOUR_ACCOUNT
python cloudmapper.py prepare --account YOUR_ACCOUNT
python cloudmapper.py webserver --publicAfter successful data fetch, you can find your results on those links:
You can find examples of fetched AWS accounts under those links: