One of the unique advantages of CloudHealth Secure State is that it maintains an inventory of your cloud assets, together with all their settings, tags and relationships. This is not only the foundation for being able to evaluate any security rules and detect misconfigurations, but by itself it is a valuable source of centralized and up-to-date information about your cloud assets. By using the CloudHealth Secure State inventory views and a simple click-through query builder, you can extract valuable information to get a holistic and deep understanding of your dynamic cloud environment.
Let’s take a look at some of the most common questions that can be answered by leveraging our unique Interconnected Cloud Security Model.
Get a list of services in use
Whether you took over the accounts from another team without proper documentation and knowledge transfer or you are trying to analyze how to migrate to IaC (Infrastructure as code) or you are simply new to the team – you most likely need to know the following:
- Which public cloud services are in use?
- How many assets are there in each service?
- Which cloud accounts are using each service?
The good news is CloudHealth Secure State has all this information and it is easily accessible by running a simple query in Explore, which is a real-time search and investigation engine that enables you to find resources and understand relationships between cloud assets:
provider = aws count(service)
This query will find all assets that you have in AWS and will count the results by service, giving you a full list of services you are using together with the number of assets in each service.
You can also click on a service to expand the list of accounts using it. In our example we can see that the 1805 assets from EC2 are distributed across 2 cloud accounts.
Find EC2 Instances Running a Specific Package Version
When collecting the information about your cloud inventory, we also read the data from Amazon Systems Manager. This makes it possible to run various types of queries based on the packages running in the EC2 Instances.
For example, let’s try to find out if we have any instances running docker version 19 in our inventory. We should first search for the docker application with the relevant version, by using the following query in Explore Search:
AWS.SSM.Application HAS Name = docker AND Version = 19.*
This query will give us all SSM Application entities named docker and having a version starting with 19. As there might be several different versions of docker 19, I have used the wildcard symbol to get all 19.x.x versions. The query returns two results for my account:
This confirms that I have two old versions of docker in my environment, but so far this is not enough to see which are the EC2 Instances running them. To see this, we need to enrich our query to show the relationships of the SSM Application to other asset types. When we append the traversal operator ->, we can see that the only possible relationship is with
AWS.SSM.ManagedInstanceInventory.
Clicking it will add it to the query and then we can see that it is related to
AWS.EC2.Instance.
Here is the final query we need and the outcome it returns:
AWS.SSM.Application HAS Name = docker AND Version = 19.* -> AWS.SSM.ManagedInstanceInventory -> AWS.EC2.Instance
Note that the query results are displayed as graph of related objects rather than a list. This is how the results of relationship queries are presented, so that you can better understand how the resulting assets are related together. Each asset is shown with a different icon, so that we can easily distinguish between them. In our case, the EC2 instances are orange and presented only with their IDs but clicking on them will give us additional details we may need such as.
Find Unattached (Unused) EBS Volumes
In the previous example, we leveraged the relationship query to find chains of related resources in the same context. In many cases, however, we would look for unrelated assets because lack of that relationship is an indication of an undesirable state. A typical example is the case with unattached EBS Volumes, which in most cases are just sitting there and generating costs. Luckily, Explore Search offers a query for that:
AWS.EC2.Volume !-> AWS.EC2.Instance
What this query does is to look into all Volumes and check which of them are not related to an EC2 Instance. The resulting set of objects are the unattached ones you can consider for deletion.
You can use a similar inverse relationship search query to check for other types of orphaned objects such as, users without an access key, security groups without any rules, Internet gateways not attached to a VPC.
Next Steps
The Explore functionality in CloudHealth Secure State not only gives you deep visibility into your cloud infrastructure but also supports security investigations which become easier especially through visualization of misconfigured resource and the cloud objects connected to it. As we can see in the examples above, different search types within the Explore functionality support various operational activities related to infrastructure inspection and maintenance. If you want to get a first-hand experience of this feature sign-up for your free account now.
