Complete Cloud Visibility: Multi-Cloud Resource Management with Opscompass CLI

Opscompass CLI feature connecting to your workflow

Updated in 2024 for accuracy and relevance

The ability to enumerate cloud resources is fundamental to securing your environment and managing the risks surrounding your data and applications. Knowing which resources exist is the first step in identifying where you may have potential risk. Risk in this context should be thought of as broader in scope than just security vulnerabilities and include a range of financial risks. Unknown or forgotten resources can incur unexpected costs, and over-deployed software poses licensing risks, so being able to effectively enumerate your data and infrastructure resources is crucial.

Opscompass is a platform that helps organizations gain deeper cloud visibility and risk analysis across multi-cloud infrastructure and enterprise databases. One of the things customers use our platform for is to seamlessly enumerate resources of different types, across their different clouds, and based on various criteria.  

This saves them the time of writing code to interface with each cloud separately, and then constructing coherent inventories of resources that include context like relationships and change history. This type of capability is available in the Opscompass web app as well as the API and CLI. I’m going to show a few examples of resource enumeration using the Opscompass CLI.

 

Installing the Opscompass CLI 

Setting up the CLI is incredibly simple as it’s a Node app you can install via NPM. Check out the KB article for more details about getting started with Opscompass CLI.

npm i @opscompass/opscompass-cli

 

Authentication Methods for Enhanced Cloud Visibility

The CLI supports two authentication flows, ensuring secure access to your cloud resources:

 

Authorization Code with PKCE

Suitable for clients with interactive browsers.

opscompass login

 

Device Authorization Flow

Ideal for clients without interactive browsers.

opscompass login --use-device-code 

 

Understanding the ‘Resources’ Module

The Opscompass CLI has several different modules that leverage different Opscompass APIs, such as login, resources, and accounts, just to name a few. The resources module is where I’ll focus here as it provides access to the resources data. Below is an example of how you form an ‘opscompass resources’ command:

opscompass resources get --company [your_company_id] --resource-id [cloud_resource_id] 

Within the resources module I can leverage several available actions such as get, get-compliance, list, scan, and others.  

Running ‘opscompass resources help’ provides more information about the available actions.

 

Enumerating Resources Based on Specific Criteria

Using the list action, you can filter lists of resources in your environment based on specific parameters. Here are a few examples, but there are more you should try for yourself.

opscompass resources list --company opscompassdemo --account 406219038857 

 

List all resources in an entire AWS account  

opscompass resources list --company [your_company_id] --cloud-providers aws 

 

List Resources Across Multiple Cloud Providers

opscompass resources list --company [your_company_id] --cloud-providers aws azure gcp microsoft365 

 

Filter by Unacknowledged Changes or Creation Date

opscompass resources list --company [your_company_id] --unacknowledged-changes true 

List resources that were created over arbitrary periods of time 

opscompass resources list --company [your_company_id] --resource-creation-date-beginning "2023-09-01 00:00:00.000" --resource-creation-date-end "2023-09-11 00:00:00.000"

List all GCP resources with compliance problems 

opscompass resources list --company [your_company_id] --cloud-providers gcp --open-compliance-issues true
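The list filters above, wrapped into a POSIX shell review script; this is an added example, not Opscompass code. The function names and the OPSCOMPASS_BIN override are hypothetical, only flags shown in this article are used, and the CLI output is stored unparsed because its format is not described here.

```shell
#!/bin/sh
# Added example: repeatable review built from the `resources list` filters above.
# OPSCOMPASS_BIN and all function names are hypothetical (not part of the CLI).
OPSCOMPASS_BIN="${OPSCOMPASS_BIN:-opscompass}"

# Accept only YYYY-MM-DD so nothing unexpected reaches the command line.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# List resources created between two dates. Each timestamp is passed as ONE
# quoted argument; unquoted, the shell would split it at the space.
oc_list_created() {
    company=$1 begin=$2 end=$3
    valid_date "$begin" && valid_date "$end" || {
        echo "dates must be YYYY-MM-DD" >&2
        return 2
    }
    "$OPSCOMPASS_BIN" resources list --company "$company" \
        --resource-creation-date-beginning "$begin 00:00:00.000" \
        --resource-creation-date-end "$end 00:00:00.000"
}

# Save unacknowledged changes (company-wide) and open compliance issues (per
# provider) under OUTDIR. The body runs in a subshell, so the umask and the
# variables do not leak. Exit status is non-zero if any query failed.
oc_review() (
    company=$1 outdir=$2
    shift 2
    umask 077                      # results may describe sensitive configuration
    mkdir -p "$outdir" || exit 1
    rc=0
    "$OPSCOMPASS_BIN" resources list --company "$company" \
        --unacknowledged-changes true > "$outdir/unacknowledged.txt" || rc=1
    for provider in "$@"; do
        case "$provider" in
            ''|*[!a-z0-9]*) echo "bad provider: $provider" >&2; rc=1; continue ;;
        esac
        "$OPSCOMPASS_BIN" resources list --company "$company" \
            --cloud-providers "$provider" --open-compliance-issues true \
            > "$outdir/$provider.compliance.txt" || rc=1
    done
    exit "$rc"
)
# Usage: oc_review [your_company_id] ./review-out aws azure gcp
```

Comparing each run's files with the previous run's (for example with diff) shows what changed between reviews.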

 

Retrieving Resource Configuration and Compliance Information

The get-latest-configuration action enumerates the configuration for a specified resource. Opscompass assembles in-depth configuration information about each resource. So, for example, enumerating the configuration of an AWS IAM user with Opscompass returns information about the IAM user resource, its group, attached policies and keys, and its MFA device all in a single resource call.  

 

Get the Latest Configuration of a Resource

opscompass resources get-latest-configuration --company [your_company_id] --resource-id [cloud_resource_id]

The get-compliance action retrieves information about how a specified resource is performing against security and other compliance controls. This information includes the status, the severity, and then details about each control that applies to the resource. 

 

Get a compliance status for a resource 

opscompass resources get-compliance --company [your_company_id] --resource-id [cloud_resource_id]

Always maintaining the ability to understand the resources you have as well as their state (configuration, compliance, and otherwise) is a critical function for security, compliance, and asset management. Opscompass CLI makes it easy to automate this sort of visibility and make it part of your operational process. Whether you’re in cloud security and need quick ways to enumerate an environment and assess it for potential vulnerability, or you’re managing enterprise applications and need to understand a wide variety of risks from configuration and architecture to security and costs, tools like this save people time and reduce your organization’s overall cloud and data risk.
