CSPM for AWS, Azure, and Google Cloud with GraphQL

How to easily handle multi-cloud compliance and security posture management (CSPM) with CloudGraph, AutoCloud's open source API


NOTE: This article is the second in a series of articles about CloudGraph, the GraphQL API for AWS, Azure, Google Cloud, and K8s. Click here to read the first article in the series.

The current CSPM landscape

Security on AWS is hard. How many of us can honestly say that we’ve never had an S3 bucket accidentally become public on our watch or remembered to encrypt every EBS volume we’ve ever used? I’m sure we’ve also never pushed code straight to master before… 

By-the-book AWS developers will be quick to point out that you should be using AWS Security Hub and AWS Config to centralize and enforce cloud security posture management (CSPM). While there is no arguing that these services are incredibly useful, they do assume a high level of domain expertise and require a manual setup process. Plus, they can get pretty expensive.

If your organization is multi-cloud, as over 90% of enterprises today are, it means that in addition to AWS tools, you likely have multiple cloud-native security tools to set up and maintain like Azure Security Center and Google Security Command Center.

These tools require multiple APIs to programmatically access data. Different cloud providers often have different paradigms for structuring data, and you as the developer are usually stuck figuring out how to synthesize and interpret this information.

Wouldn’t it be great if instead of having to go to different places for all of your CSPM data, you could use a single API that standardized queries across providers? In this short article, we’ll explore how to use CloudGraph to query CSPM data for CIS, PCI, and NIST compliance benchmarks across AWS, Azure, and Google Cloud.

How does CloudGraph help?

CloudGraph connects to any AWS, Azure, or Google Cloud environment and pulls out all the resource data it finds. It then takes this data, processes it, applies security and compliance checks, and stores it locally on your machine for you to query using GraphQL. To learn more about how CloudGraph works, click here.

It’s important to also mention that CloudGraph is 100% type-safe. This means that if you use one of the built-in query tools that CloudGraph ships with, like Altair or GraphQL Playground, all of your queries will autocomplete as you type, and you’ll have access to automatically generated documentation. Not only will you be able to quickly see all the possible queries you can write, but you’ll also know whether your query is valid before you even trigger an HTTP request!

CSPM Queries with CloudGraph

NOTE: We’re skipping CloudGraph setup and installation here, but instructions for that can be found on GitHub.

Let's take a look at a few compliance queries you can run in just a few lines of code using CloudGraph.

  1. Get back a list of all CIS findings for AWS (1.2, 1.3, 1.4), Azure (1.3.1), and Google Cloud (1.2) for all accounts, subscriptions, and projects in your org at once:

{% c-block language="GraphQL" %}
query getAllCISData {
  queryawsCISFindings {
    id
    result
    rule {
      id
      severity
      title
      description
      audit
      rationale
      remediation
      references
    }
  }
  queryazureCISFindings {
    id
    result
    rule {
      id
      severity
      title
      description
      audit
      rationale
      remediation
      references
    }
  }
  querygcpCISFindings {
    id
    result
    rule {
      id
      severity
      title
      description
      audit
      rationale
      remediation
      references
    }
  }
}
{% c-block-end %}

  2. Get back compliance data for a specific resource type (e.g. IAM users) across all your AWS accounts:

{% c-block language="GraphQL" %}
query {
  queryawsIamUser {
    CISFindings {
      id
      result
      rule {
        id
        severity
        title
        description
        audit
        rationale
        remediation
        references
      }
    }
  }
}
{% c-block-end %}

  3. Or, you can scope this to a particular AWS account:

{% c-block language="GraphQL" %}
query {
  queryawsIamUser(filter: {accountId: {eq: "12345"}}) {
    CISFindings {
      id
      result
      rule {
        id
        severity
        title
        description
        audit
        rationale
        remediation
        references
      }
    }
  }
}
{% c-block-end %}

  4. Or even to a specific IAM user:

{% c-block language="GraphQL" %}
query {
  queryawsIamUser(filter: {arn: {eq: "12345"}}) {
    CISFindings {
      id
      result
      rule {
        id
        severity
        title
        description
        audit
        rationale
        remediation
        references
      }
    }
  }
}
{% c-block-end %}

  5. You can also approach this from the findings side with `queryawsCISFindings`, as in the first example, and pull in the matching IAM user from each finding:

{% c-block language="GraphQL" %}
query {
  queryawsCISFindings {
    id
    result
    rule {
      id
      severity
      title
      description
      audit
      rationale
      remediation
      references
    }
    iamUser(filter: {arn: {eq: "12345"}}) {
      id
      arn
      name
      tags {
        key
        value
      }
    }
  }
}
{% c-block-end %}

Want to query other compliance standards? You can view the list of currently available installable compliance plugins including NIST (queryawsNISTFindings) and PCI (queryawsPCIFindings) here. Over the next few months we will be adding SOC, ISO, and more.

Querying Assets for CSPM data with CloudGraph

Beyond pre-made security and compliance checks such as CIS, we can also write plain GraphQL queries to get back interesting security-related data. I’ll focus on AWS for these examples but the same can be done with Google Cloud and Azure. 

  1. Find all the unencrypted EBS volumes:

{% c-block language="GraphQL" %}
query {
  queryawsEbs(filter: { encrypted: false }) {
    id
    arn
    availabilityZone
    encrypted
  }
}
{% c-block-end %}

  2. Find all the public S3 buckets:

{% c-block language="GraphQL" %}
query {
  queryawsS3(filter: { access: { eq: "Public" } }) {
    id
    arn
    access
  }
}
{% c-block-end %}

  3. Find all the KMS keys in "us-east-1":

{% c-block language="GraphQL" %}
query {
  queryawsKms(filter: { arn: { regexp: "/.*us-east-1.*/" } }) {
    id
    arn
    description
    keyRotationEnabled
    tags {
      key
      value
    }
  }
}
{% c-block-end %}

  4. Find the public (internet-facing) ALBs:

{% c-block language="GraphQL" %}
query {
  queryawsAlb(filter: { scheme: { eq: "internet-facing" } }) {
    id
    arn
    dnsName
    createdAt
    tags {
      key
      value
    }
  }
}
{% c-block-end %}

  5. Query various security data for EC2 instances, Lambdas, and VPCs that have a tag of "Environment: Production":

{% c-block language="GraphQL" %}
query {
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    key
    value
    ec2Instance(filter: { accountId: { eq: "production account id" } }) {
      id
      arn
      ebs(filter: { encrypted: false, isBootDisk: true }) {
        id
      }
    }
    lambda(filter: { runtime: { eq: "old-node-version" } }) {
      id
      arn
    }
    vpc(filter: { defaultVpc: true }) {
      id
      arn
    }
  }
}
{% c-block-end %}
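Since the queries above are just GraphQL documents sent over HTTP, they are easy to automate. The following Python script is an added example (not part of CloudGraph or this article's original code): it posts the multi-cloud CIS query from the first section to the local CloudGraph endpoint, counts failing findings per provider and severity, and exits non-zero when a high-severity check fails so a CI job can gate on it. The endpoint URL `http://localhost:8997/graphql`, the `PASS`/`FAIL` result values, and the sample response are assumptions; the same `run_query` helper works for the asset queries in this section.

```python
import json
import sys
import urllib.request
from collections import Counter

# Assumed default local endpoint exposed by `cg launch`; adjust if yours differs.
CLOUDGRAPH_URL = "http://localhost:8997/graphql"

# The article's multi-cloud CIS query, aliased per provider so the response can be walked generically.
CIS_QUERY = """
query getAllCISData {
  aws: queryawsCISFindings { id result rule { id severity title } }
  azure: queryazureCISFindings { id result rule { id severity title } }
  gcp: querygcpCISFindings { id result rule { id severity title } }
}
"""

def run_query(query, url=CLOUDGRAPH_URL):
    """POST a GraphQL document (this one or any asset query above) and return the parsed JSON body."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize(response):
    """Return (Counter of FAIL findings keyed by (provider, severity), list of FAIL rows)."""
    counts, failures = Counter(), []
    for provider, findings in (response.get("data") or {}).items():
        for f in findings or []:
            # Assumption: CloudGraph reports each check's outcome as "PASS" or "FAIL".
            if str(f.get("result", "")).upper() != "FAIL":
                continue
            rule = f.get("rule") or {}
            sev = rule.get("severity", "unknown")
            counts[(provider, sev)] += 1
            failures.append((provider, rule.get("id"), sev, rule.get("title")))
    return counts, failures

# Constructed sample response in CloudGraph's response shape, for an offline dry run.
SAMPLE = {"data": {
    "aws": [{"id": "f1", "result": "FAIL", "rule": {"id": "1.4", "severity": "high", "title": "Root access keys"}},
            {"id": "f2", "result": "PASS", "rule": {"id": "1.3", "severity": "medium", "title": "Unused creds"}}],
    "azure": [{"id": "f3", "result": "FAIL", "rule": {"id": "1.3", "severity": "medium", "title": "Guest users"}}],
    "gcp": []}}

if __name__ == "__main__":
    counts, failures = summarize(run_query(CIS_QUERY) if "--live" in sys.argv else SAMPLE)
    for (provider, sev), n in sorted(counts.items()):
        print(f"{provider:6} {sev:8} {n}")
    sys.exit(1 if any(sev == "high" for _, _, sev, _ in failures) else 0)  # gate CI on HIGH
```

Run it without arguments to see the summary over the constructed sample, or with `--live` against a running CloudGraph instance.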

And there you have it! As you’ve seen, CloudGraph developers can easily query anything about their single or multi-cloud footprint in just a few minutes. Install CloudGraph today and try these queries for yourself. It’s totally free! 

Plenty more query examples can be found in our documentation.

If you have any questions or comments I’d love to hear from you. Just email me at tyson [at] autocloud.dev

Tyson Kunovsky

CEO @ AutoCloud

Jun 21, 2022