Recently I came across an amazing cloud vulnerabilities detection tool to secure my account before its exploit by bad guys. CodeShieldis the best platform to detect the risk of over-privileged IAM permissions, its impact and possible security loopholes. This tool helps in early identification of most relevant attack vectors whenever you perform scan.
Its a easy to use and self setup. One can easily discover critical privilege escalations and early risk assessments which gives you the view of your cloud from attackers perspective.
How to scan?
As I mentioned it is just 2 step process
- Connect your AWS account
- Perform a scan
and you can see the resources with all the given privileges in tabular and graphical form.
For opening an account you need to visit https://dashboard.codeshield.io/ and register.
Once you successfully create an account you can find "Connect Account" Option on top right corner to connect your AWS account.
You will be redirected to the AWS console to prepare your account for scan. Follow the instruction for running the cloud Formation template and grant access to your account.
The template has been implemented carefully following least privilege. Connecting the account does only provide read access to meta-data within the account. I.e., CodeShield cannot access sensitive data inside data stores like databases or S3 buckets.
Now you can switch back to CodeShield and perform your scan by scan. There are two scans bundles available:
- Scanning the whole account
- Scan a region bundle
It takes few minutes to scan and you will find the scan results in left navigation menu like this
I personally found all the 3 tabs useful as I didnโt know about some of our exposures before we started using it.
Privilege Escalations: Here you can find all IAM privileges displayed in a matrix that correlates the scenarios to the attack goals.
Cloud Model: A graphical representation of the scanned account, itโs resources, and their connectivity, including their hierarchical representation.
Resource Inventory: A list of all resources with all their properties and details within the account.
You can learn more about results here: https://docs.codeshield.io/results/
Benefits:
Its very hard to track your cloud resources especially when you are working in a big company and it get harder when you have multiple cloud account. Codeshield lets you to easily see the resources in a visual infrastructure diagram with all relationships and privileges.
Second and most important aspect of this scan is, you can dig down the privilege and see its impact. This is a detailed impact report of any privilege you have given. You can see how an intruder can get your account access and exploit resources.
Third, it recommend fixes according to the privileges when you drill down the privilege escalation.
If you are interested to get in touch with the amazing team behind all this security endeavor, please email to johannes.noll@codeshield.io. He is very kind and generous in making your AWS accounts secure and risk free with CodeShield.
Top comments (0)