How many times have you woken up in a cold sweat at night wondering whether that slightly too “enthusiastic” intern (a bit of a numpty, frankly) had left an S3 bucket publicly accessible with dumps of your customer database in it?

Huh?

So if you're living this kind of recurring nightmare of running infra under pressure, I may have found the remedy for your night terrors!

It's called Fix Inventory, and it's an open source tool that scans your cloud infrastructure and tells you exactly where the bodies are buried. Best of all, it's 100% free and works on all your favorite clouds, whereas solutions like Wiz or Prisma Cloud will happily charge you six figures a year. Yeah, yeah…

Let's be honest, modern cloud infrastructure is a total mess. Between the CI/CD pipelines deploying 50 times a day for nothing, the devs who have access they shouldn't have, and the resources multiplying like Gremlins fed after midnight, how do you keep a clear view of its security? Impossible!

The problem with traditional cloud security tools is that they analyze each resource as an isolated entity. They hand you a nice list of “non-conformities” without really understanding the context. For example, a public S3 bucket isn't necessarily a problem… unless it contains your customers' data or is reachable from a compromised service.

And what classic tools sorely lack is precisely this understanding of the relationships between resources.

A bit like Neo in The Matrix who can see the code behind reality (I'm also rewatching Matrix 4 after Bruce's recommendation and it's, phew…), Fix Inventory lets you see the invisible connections between your cloud resources, those access paths that the Agent Smiths of the proprietary solutions will charge you a fortune to identify.

In short, this tool promises to do what the proprietary solutions do for five- or six-figure sums. Its approach is to scan your cloud infrastructure (AWS, GCP, Azure, DigitalOcean, Hetzner, Kubernetes, GitHub) without agents (via their APIs) and normalize all this disparate data into a unified model.


Concretely, Fix Inventory works in three phases:

1. Data collection: it queries your cloud providers' APIs to retrieve the metadata of your resources.

2. Normalization: it transforms this heterogeneous data into a unified graph schema, where each resource (instance, volume, bucket, user…) has common properties such as id, name, kind and tags.

3. Risk analysis: it scans the collected data against predefined or custom compliance frameworks to identify problems.

The dev behind Fix Inventory has built a model with more than 40 “base kinds” describing common resources like ‘Database’ or ‘ip_address’, which makes it possible to implement a single set of policies (for example, “no unencrypted storage volumes”) that works across all clouds. That way, no need to learn and maintain provider-specific rules for each vendor.

And on the performance side it's pretty good, since collection runs in parallel while respecting each provider's API quotas. So there's no risk of getting yourself blacklisted because the tool sent too many requests.

In short, to give you an idea of the potential savings, as I said in the intro, a solution like Wiz generally starts around €100,000 per year for a medium-sized infrastructure. Fix Inventory will cost you… the price of hosting if you deploy it yourself. That leaves room for a few beers.


And where Fix Inventory really stands out from the other tools is with its dependency and access graph. It doesn't just collect information about isolated resources; it also captures the relationships between them.

This approach lets it answer crucial questions like:

  • “What is the blast radius of this public resource?”
  • “Is there a path between this resource and a privileged role?”
  • “Which users have indirect access to this sensitive database?”

To explore these relationships, Fix Inventory also offers a query language that is as powerful as it is intuitive. For example, to find all the S3 buckets a specific user has write access to, you can simply type:

search --with-edges is(aws_iam_user) and name=matthias -iam[0:]{permissions[*].level==write}-> is(aws_iam_user, aws_s3_bucket) | format --dot

This query identifies not only the buckets that are directly accessible, but also those reachable indirectly via roles or policies. The result can be exported in DOT format to visualize these relationships graphically. Perfect for showing your boss why access controls need tightening.
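To make the path-finding idea concrete, here is a small added example (my own sketch, not Fix Inventory's code) that builds a constructed access graph, walks it the way that query does, and emits DOT. Node ids, names, edges and permission levels are all made up for the demo.

```python
"""Added example, not Fix Inventory's own code: a toy access graph plus a traversal
that mirrors `-iam[0:]{permissions[*].level==write}->` (follow iam edges to any depth,
keeping only edges carrying a write-level permission), rendered as DOT at the end.
Every node, edge, name and permission level below is a constructed sample."""
from collections import deque

NODES = {  # id -> (kind, name)
    "u1": ("aws_iam_user", "matthias"),
    "u2": ("aws_iam_user", "alice"),
    "r1": ("aws_iam_role", "deploy-role"),
    "b1": ("aws_s3_bucket", "customer-dumps"),
    "b2": ("aws_s3_bucket", "public-assets"),
    "b3": ("aws_s3_bucket", "audit-logs"),
}
EDGES = [  # iam edges: (src, dst, permissions); sts:AssumeRole counts as write-level
    ("u1", "b2", [{"action": "s3:GetObject", "level": "read"}]),
    ("u1", "r1", [{"action": "sts:AssumeRole", "level": "write"}]),
    ("r1", "b1", [{"action": "s3:PutObject", "level": "write"}]),   # reached only via the role
    ("r1", "b3", [{"action": "s3:GetObject", "level": "read"}]),
    ("u2", "b3", [{"action": "s3:PutObject", "level": "write"}]),
]

def user_id(name):
    return next(i for i, (kind, n) in NODES.items() if kind == "aws_iam_user" and n == name)

def reachable(start, level="write"):
    """BFS over iam edges whose permissions[*].level contains `level`; returns (edges used, nodes reached)."""
    seen, queue, used = {start}, deque([start]), []
    while queue:
        node = queue.popleft()
        for src, dst, perms in EDGES:
            if src == node and any(p["level"] == level for p in perms):
                used.append((src, dst))
                if dst not in seen:
                    seen.add(dst)
                    queue.append(dst)
    return used, seen

def writable_buckets(user_name):
    """Bucket names the user can write to, directly or through assumed roles."""
    _, reached = reachable(user_id(user_name))
    return sorted(NODES[n][1] for n in reached if NODES[n][0] == "aws_s3_bucket")

def to_dot(user_name):
    """Render the traversed write paths as a Graphviz digraph (the `format --dot` step)."""
    start = user_id(user_name)
    used, _ = reachable(start)
    lines = ["digraph access {"]
    for n in sorted({x for edge in used for x in edge} | {start}):
        lines.append(f'  "{n}" [label="{NODES[n][0]}\\n{NODES[n][1]}"];')
    lines += [f'  "{s}" -> "{d}" [label="iam:write"];' for s, d in used]
    return "\n".join(lines + ["}"])
```

Note that matthias never holds a write permission on customer-dumps himself; the path only exists because he can assume deploy-role, which is exactly the kind of indirect access a per-resource checklist misses.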

Another strong point: Fix Inventory takes snapshots of your infrastructure, which lets you track configuration changes over time. You can see when and by whom a resource was changed, and go back in time to analyze how your security posture has evolved.

So… this tool covers a wide range of use cases:

  • Cloud Security Posture Management (CSPM): to monitor and enforce security policies.
  • AI Security Posture Management (AI-SPM): to automatically discover the AI services in use and their data sources.
  • Cloud Infrastructure Entitlement Management (CIEM): to discover human and non-human identities with risky access.
  • Cloud asset inventory: for complete visibility over your multi-cloud environments.

Here are a few useful queries to get started:

Find all unencrypted volumes: search is(volume) and volume_encrypted=false

Identify instances with public IPs: search is(instance) and public_ip_address!=null

Identify public buckets: search is(bucket) and public_access=true
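As an added illustration (my own sketch, not Fix Inventory's code) of the unified model described earlier and of these starter queries, here is a Python snippet that normalizes constructed AWS and GCP instance records into a shared "instance" base kind and then evaluates the public_ip_address!=null query across both clouds at once. The payloads are made-up samples shaped after the EC2 DescribeInstances and Compute Engine instances.list responses.

```python
"""Added example (not Fix Inventory's own code): normalize provider-specific instance
metadata into a unified `instance` base kind with common properties (id, name, kind,
tags), then evaluate starter queries of the form `search is(<kind>) and <prop><op><value>`.
All payloads are constructed samples shaped after each provider's API responses."""
import re
from dataclasses import dataclass

@dataclass
class Resource:
    id: str
    name: str
    kind: str        # provider-specific kind, e.g. aws_ec2_instance
    base_kind: str   # unified kind shared across clouds, e.g. instance
    tags: dict
    props: dict      # normalized properties the cross-cloud queries filter on

AWS_INSTANCES = [  # constructed, shaped like EC2 DescribeInstances entries
    {"InstanceId": "i-0a1", "PublicIpAddress": "203.0.113.10",
     "Tags": [{"Key": "Name", "Value": "web-1"}]},
    {"InstanceId": "i-0b2", "Tags": [{"Key": "Name", "Value": "db-1"}]},  # no public IP
]
GCP_INSTANCES = [  # constructed, shaped like Compute Engine instances.list entries
    {"id": "7751", "name": "gcp-web", "labels": {"env": "prod"},
     "networkInterfaces": [{"accessConfigs": [{"natIP": "198.51.100.7"}]}]},
    {"id": "7752", "name": "gcp-worker", "labels": {}, "networkInterfaces": [{}]},
]

def normalize_aws(i):
    tags = {t["Key"]: t["Value"] for t in i.get("Tags", [])}
    return Resource(i["InstanceId"], tags.get("Name", i["InstanceId"]), "aws_ec2_instance",
                    "instance", tags, {"public_ip_address": i.get("PublicIpAddress")})

def normalize_gcp(i):
    # On GCP the external IP lives under networkInterfaces[].accessConfigs[].natIP
    ips = [ac.get("natIP") for ni in i["networkInterfaces"] for ac in ni.get("accessConfigs", [])]
    return Resource(i["id"], i["name"], "gcp_instance", "instance",
                    dict(i.get("labels", {})), {"public_ip_address": next(iter(ips), None)})

def collect():
    return [normalize_aws(i) for i in AWS_INSTANCES] + [normalize_gcp(i) for i in GCP_INSTANCES]

QUERY = re.compile(r"^search is\((\w+)\) and (\w+)(!=|=)(\S+)$")

def search(query, resources=None):
    """Evaluate one single-condition query; returns sorted '<kind>:<name>' strings."""
    kind, prop, op, raw = QUERY.match(query).groups()
    value = {"null": None, "true": True, "false": False}.get(raw, raw)
    pool = collect() if resources is None else resources
    hits = [r for r in pool if r.base_kind == kind
            and ((r.props.get(prop) == value) if op == "=" else (r.props.get(prop) != value))]
    return sorted(f"{r.kind}:{r.name}" for r in hits)
```

The same query string finds the exposed instance on both providers because the filter runs against the normalized public_ip_address property, not against PublicIpAddress or natIP.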

The tool also offers preconfigured compliance frameworks such as the CIS Benchmarks, ISO 27001 or NIS 2. You can run a CIS report on AWS like this:

fix report benchmark run cis_aws

You can also define your own policies by turning any query into a compliance rule, and set up alerts for when these rules are violated. For example, if you want to be alerted every time a new public bucket is created, you can turn the query search is(bucket) and public_access=true into a policy and configure a notification to Slack or by email.

On the deployment side, you have several options: install it on your laptop, deploy it in your own cloud, or use Fix Security, their SaaS version (which adds a few features such as ready-to-use visualizations).

If you want to test quickly, here is how to start:

1. Installation via Docker:

docker run -it ghcr.io/someengineering/fixinventory

2. Configuration for AWS:

3. Data collection:

4. And there you go, you can start hunting for vulnerabilities!

The fact that this tool is open source and extensible makes it all the more interesting for tech teams who want to keep control of their security without breaking the bank.

In short, go check it out without delay! And a big thank you to Letsar for sharing!
