Need a quick way to visualize your current aws/amazon ec2 security group configuration? aws-security-viz does just that based on the EC2 security group ingress configuration.
- Output to any of the formats that Graphviz supports.
- EC2 classic and VPC security groups
$ gem install aws_security_viz
$ aws_security_viz --help
- graphviz with triangulation
brew install graphviz --with-gts
To generate the graph directly using AWS keys
$ aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg --color=true
To generate the graph using an existing security_groups.json (created using aws-cli)
$ aws_security_viz -o data/security_groups.json -f viz.svg --color
To generate a web view
$ aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer navigator
- Generates two files: aws.json and navigator.html.
- The json file name needs to be passed in as a html fragment identifier.
- The generated graph can be viewed in a webserver e.g. http://localhost:3000/navigator.html#aws.json by using
ruby -run -e httpd -- -p 3000
If you don't want to install the dependencies and ruby libs you can execute aws-security-viz inside a docker container. To do so, follow these steps:
- Clone this repository, open it in a console.
- Build the docker container:
docker build -t sec-viz . - Run the container:
docker run -i --rm -t -p 3000:3000 -v $(pwd)/aws-viz:/aws-security-viz --name sec-viz sec-viz(Description:-iinteractive shell,--rmremove the container after usage,-tattach this terminal to it,-p 3000:3000we expose port 3000 for the HTTP server,-v $(pwd)/aws-viz:aws-security-vizmount tmp directory for generated artifacts,-name sec-vizthe container will have the same name as the image we will start) - Now you can use the tool as described in usage. Make sure that you use the commands with
bundler execas prefix. For example:aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json. - To start the web view, execute
ruby -run -e httpd -- -p 3000in the container. You can open it with your local browser athttp://0.0.0.0:3000/. There you can view the generated images and the graph. UseCtrl+Cto close the HTTP server. - Terminate the docker container by typing
exitin the console.
$ aws_security_viz --help
Options:
-a, --access-key=<s> AWS access key
-s, --secret-key=<s> AWS secret key
-e, --session-token=<s> AWS session token
-r, --region=<s> AWS region to query (default: us-east-1)
-v, --vpc-id=<s> AWS VPC id to show
-o, --source-file=<s> JSON source file containing security groups
-f, --filename=<s> Output file name (default: aws-security-viz.png)
-c, --config=<s> Config file (opts.yml) (default: opts.yml)
-l, --color Colored node edges
-u, --source-filter=<s> Source filter
-t, --target-filter=<s> Target filter
-h, --help Show this message
You can generate a configuration file using the following command:
$ aws_security_viz setup [-c opts.yml]
The opts.yml file lets you define the following options:
- Grouping of CIDR ips
- Define exclusion patterns
- Change graphviz format (neato, dot, sfdp etc)
To generate the graph with debug statements, execute the following command
$ DEBUG=true aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg
If it doesn't indicate the problem, please share the generated json file with me @ whynospam-awsviz@yahoo.co.in
You can send me an obfuscated version using the following command:
$ DEBUG=true OBFUSCATE=true aws_security_viz -a your_aws_key -s your_aws_secret_key -f viz.svg
Execute the following command to generate the json. You will need aws-cli to execute the command
aws ec2 describe-security-groups
Via navigator renderer aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer navigator
Via json renderer aws_security_viz -a your_aws_key -s your_aws_secret_key -f aws.json --renderer json
