Instant multi-cloud visibility: Utilizing OpsCompass CLI to enumerate resources 

The ability to enumerate cloud resources is fundamental to securing your environment and managing the risks surrounding your data and applications. Knowing which resources exist is the first step in identifying where you may have potential risk. Risk in this context should be thought of as broader in scope than just security vulnerabilities and include a range of financial risks. Unknown or forgotten resources can incur unexpected costs, and over-deployed software poses licensing risks, so being able to effectively enumerate your data and infrastructure resources is crucial.

OpsCompass is a platform that helps organizations gain deeper visibility and risk analysis across multi-cloud infrastructure and enterprise databases. One of the things customers use our platform for is to seamlessly enumerate resources of different types, across their different clouds, and based on various criteria.  

This saves them the time of writing code to interface with each cloud separately, and then constructing coherent inventories of resources that include context like relationships and change history. This type of capability is available in the OpsCompass web app as well as the API and CLI. I’m going to show a few examples of resource enumeration using the OpsCompass CLI.

Installing the CLI 

Setting up the CLI is incredibly simple as it’s a Node app you can install via NPM. Check out the KB article for more details about getting started with OpsCompass CLI.

npm i @opscompass/opscompass-cli

For login, there are two different flows: one is an authorization code flow with PKCE for clients with interactive browsers

opscompass login

and the other is a device authorization flow for clients without interactive browsers

opscompass login --use-device-code

Understanding the OpsCompass CLI ‘resources’ module 

The OpsCompass CLI has several different modules that leverage different OpsCompass APIs, such as login, resources, and accounts, just to name a few. The resources module is where I’ll focus here as it provides access to the resources data. Below is an example of how you form an ‘opscompass resources’ command:

opscompass resources get --company [your_company_id] --resource-id [cloud_resource_id] 

Within the resources module I can leverage several available actions such as get, get-compliance, list, scan, and others.  

Below you can see a screenshot of the output from running ‘opscompass resources help’ to provide more information about the available actions. 

Enumerate resources based on criteria

Using the list action, you can filter lists of resources in your environment based on specific parameters. Here are a few examples, but there are more you should try for yourself.

List all resources in an entire AWS account 

opscompass resources list --company opscompassdemo --account 406219038857 

List resources in all AWS accounts including multiple Organizations 

opscompass resources list --company [your_company_id] --cloud-providers aws 

List all resources across AWS, GCP, Azure, and Microsoft 365 

opscompass resources list --company [your_company_id] --cloud-providers aws azure gcp microsoft365 

List resources with unacknowledged changes 

opscompass resources list --company [your_company_id] --unacknowledged-changes true 

List resources that were created over arbitrary periods of time 

opscompass resources list --company [your_company_id] --resource-creation-date-beginning "2023-09-01 00:00:00.000" --resource-creation-date-end "2023-09-11 00:00:00.000"
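
An added example (not from the original post or from OpsCompass): a POSIX shell wrapper that computes a rolling creation-date window and passes each timestamp to the command above as a single quoted argument, suitable for a scheduled "what was created recently" check. It assumes GNU date; the function names and the OPSCOMPASS override variable are hypothetical.

```shell
#!/bin/sh
# Added example, not OpsCompass code. Assumes GNU date (-d with relative dates).

# creation_window DAYS [END_DATE]
# Prints "BEGIN|END" in the timestamp format shown on the page, for a window
# of DAYS days ending at 00:00 on END_DATE (default: today, computed in UTC).
creation_window() {
    cw_days=$1
    cw_end=${2:-$(date -u +%F)}
    case $cw_days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;;
    esac
    # Normalise END_DATE to YYYY-MM-DD; reject anything date cannot parse.
    cw_end=$(date -u -d "$cw_end" +%F 2>/dev/null) || {
        echo "unparseable end date" >&2; return 2; }
    cw_begin=$(date -u -d "$cw_end $cw_days days ago" +%F) || return 2
    printf '%s 00:00:00.000|%s 00:00:00.000\n' "$cw_begin" "$cw_end"
}

# list_created COMPANY DAYS [END_DATE]
# Runs the page's "resources list" command for that window.
# OPSCOMPASS (hypothetical) lets you point at a different binary or a stub.
list_created() {
    lc_win=$(creation_window "$2" "${3:-}") || return
    # The quotes keep each "date time" value together as ONE argument;
    # unquoted, the shell would split it at the space.
    ${OPSCOMPASS:-opscompass} resources list --company "$1" \
        --resource-creation-date-beginning "${lc_win%%|*}" \
        --resource-creation-date-end "${lc_win##*|}"
}

# Example: resources created in the 7 days before today
#   list_created [your_company_id] 7
```
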

List all GCP resources with compliance problems 

opscompass resources list --company [your_company_id] --cloud-providers gcp --open-compliance-issues true

Enumerate current configuration and compliance information about a resource 

The get-latest-configuration action enumerates the configuration for a specified resource. OpsCompass assembles in-depth configuration information about each resource. So, for example, enumerating the configuration of an AWS IAM user with OpsCompass returns information about the IAM user resource, its group, attached policies and keys, and its MFA device all in a single resource call.  

Show a resource’s current configuration state 

opscompass resources get-latest-configuration --company [your_company_id] --resource-id [cloud_resource_id]

The get-compliance action retrieves information about how a specified resource is performing against security and other compliance controls. This information includes the status, the severity, and then details about each control that applies to the resource. 

Get a compliance status for a resource 

opscompass resources get-compliance --company [your_company_id] --resource-id [cloud_resource_id]

Always maintaining the ability to understand the resources you have as well as their state (configuration, compliance, and otherwise) is a critical function for security, compliance, and asset management. OpsCompass CLI makes it easy to automate this sort of visibility and make it part of your operational process. Whether you’re in cloud security and need quick ways to enumerate an environment and assess it for potential vulnerability, or you’re managing enterprise applications and you need to understand a wide variety of risks from configuration and architecture to security and costs, tools like this save people time and reduce your organization’s overall cloud and data risk.