Monitor the internet attack surface of various public cloud environments. Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.
Currently supports AWS, GCP, Azure, DigitalOcean and Oracle Cloud.
Contents
- Setting up
- Cloud accounts
- Analyzer services
- Deployment dependencies
- Deployment
- Using a local environment
- Using Docker
- Supported resources and services
- AWS
- GCP
- Azure
- DigitalOcean
- Oracle Cloud
- Components
- Screenshots
- Roadmap
- Contributors
- Contributing
- License
Setting up
The project is built using multiple serverless services which are to be deployed to AWS using the Serverless framework. For this, you’ll need to configure the credentials of the AWS account to which you want to deploy to.
Once you’ve done that, you can start setting up the cloud accounts you want to scan.
Cloud accounts
Templates for the credentials are available in the credentials
directory and have the suffix .example
. To create the actual environment/credential file, you can simply create a copy of the template and remove .example
from its name.
AWS
Upload the CloudFormation template CloudFrontierAWS.yml
to the account whose assets you want to collect. The output of this stack will be an IAM role’s ARN that Cloud Frontier will use to collect the assets. Copy the ARN and paste it in credentials/aws.env
.
GCP
To collect assets from your GCP account, you’ll need to create a service account key.
Once you’ve created the key, add it to credentials/gcp.json
, and also add the GCP project ID to credentials/gcp.env
.
Azure
Obtain or generate the following IDs and secrets from your Azure account and add them to credentials/azure.env
.
- Create application in Azure Active Directory
- Select Azure Active directory in the left sidebar
- Click on App registrations
- Click on Add
- Enter the application name, select application type (web app/api) and sign-on URL
- Click the create button
- Get Tenant ID
- Select Azure Active directory in the left sidebar
- Click properties
- Copy the directory ID
- Get Client ID
- Select Azure Active directory in the left sidebar
- Click Enterprise applications
- Click All applications
- Select the application which you have created
- Click Properties
- Copy the Application ID
- Get Client secret
- Select Azure Active directory in the left sidebar
- Click App registrations
- Select the application which you have created
- Click on All settings
- Click on Keys
- Type Key description and select the Duration
- Click save
- Copy and store the key value. You won’t be able to retrieve it after you leave this page
- Get Subscription ID
- Select Subscriptions in the left sidebar
- Select whichever subscription is needed
- Click on overview
- Copy the Subscription ID
DigitalOcean
To collect assets from your DigitalOcean account, you’ll have to create a personal access token and an access key for Spaces.
When you’re creating the access token you only need to select the read
scope since that’s all that we require.
Paste the personal access token and the Spaces access key and secret in the credentials/digitalocean.env
file.
Oracle Cloud
To access your Oracle Cloud resources and services you need to create a key and get the Orale Cloud Identifiers Required Keys and OCIDs. Paste this API key in credentials/analyzers.env
.
Analyzer services
Shodan
To be able to get port scan results for IP addresses from Shodan you’ll need to have an API key, which you can get for free by registering on Shodan. Once you generate the API key, paste it in credentials/analyzers.env
.
VirusTotal
In order to get the reputation of an IP address or domain, you must have a VirusTotal account, which can be created for free by registering to VirusTotal Community. Once you generate the API key, paste it in credentials/analyzers.env
.
Deployment dependencies
You can setup the deployment environment either locally or using Docker.
Using a local environment
For this you’ll need to have the following installed:
- Python 3.8
- Node.js 10.x or later
- Go 1.x (only if you want to modify and/or rebuild the binaries before deployment)
pipenv
npm
Once you have these installed, you can run:
npm install --save-dev
You are now ready for deployment!
Using Docker
You just need to build the Docker image from the project’s root directory:
docker build -t cloud-frontier .
You are now ready for deployment!
Deployment
As mentioned in the previous section, Cloud Frontier will be deployed to an AWS account that you have configured, and whose profile name you can pass to the deployment script using the --profile
option (the default value for which is default
).
Using a local environment
To deploy all the stacks, simply run the deployment script:
./deploy.sh
You can pass the same options to this script as you would to the serverless deploy
command, such as --profile
, --stage
, --region
etc. For example:
./deploy.sh --profile default --stage dev --region us-east-1
Using Docker
Run the following command to deploy the stacks using the Docker image you built:
docker run -v ~/.aws:/root/.aws cloud-frontier
You can pass the same options here as you would to the serverless deploy
command, such as --profile
, --stage
, --region
etc. For example:
docker run -v ~/.aws:/root/.aws cloud-frontier --profile default --stage dev --region us-east-1
Note: the ~/.aws
directory is mounted inside the container so that your AWS account profiles can be easily made available to the deployment script that’s running inside the container.
Supported resources and services
AWS
- API Gateway
- EC2
- Elastic Beanstalk
- Elastic Load Balancers
- Elasticsearch Service
- Elasticache
- RDS
- S3
GCP
- Domain Name Service
- Public IP Address
- Storage Buckets
- Forwarding Rules
Azure
- Content Delivery Network
- Public IP Addresses
- Blob
DigitalOcean
- Domains
- Floating IPs
- Spaces
- Load Balancers
Oracle Cloud
- DNS Zones
- Public IP Addresses
- Storage Buckets
Components
Screenshots
Landing page
Dashboard
Asset inventory
Dark mode
Roadmap
- Add authentication using Cognito
- Perform port scanning of IPs using nmap?
Contributing
We are happy to receive issues and review pull requests. Please make sure to write tests for the code you are introducing and make sure it doesn’t break already passing tests.
License
This project is licensed under the terms of the Apache license.
Leave a Reply