The ability to enumerate cloud resources is fundamental to securing your environment and managing the risks surrounding your data and applications. Knowing which resources exist is the first step in identifying where you may have potential risk. Risk in this context should be thought of as broader in scope than just security vulnerabilities and include a range of financial risks. Unknown or forgotten resources can incur unexpected costs, over deployed software posed licensing risks, so being able to effectively enumerate your data and infrastructure resources is crucial.
OpsCompass is a platform that helps organizations gain deeper visibility and risk analysis across multi-cloud infrastructure and enterprise databases. One of the things customers use our platform for is to seamlessly enumerate resources of different types, across their different clouds, and based on various criteria.
This saves them the time of writing code to interface with each cloud separately, and then constructing coherent inventories of resources that include context like relationships and change history. This type of capability is available in the OpsCompass web app as well as the API and CLI. I’m going to show a few examples of resource enumeration using the OpsCompass CLI.
Installing the CLI
Setting up the CLI is incredibly simple as it’s a Node app you can install via NPM. Check out the KB article for more details about getting started with OpsCompass CLI.
npm i @opscompass/opscompass-cli
For login, there are two different flows: One is an authorization code with PKCE for clients with interactive browsers
and the other is a device authorization flow for clients without interactive browsers
opscompass login --use-device-code
Understanding the OpsCompass CLI ‘resources’ module
The OpsCompass CLI has several different modules that leverage different OpsCompass API’s, such as login, resources, and accounts, just to name a few. The resources module is where I’ll focus here as it provides access to the resources data. Below is an example of how you form an ‘opscompass resources’ command:
opscompass resources get --company [your_company_id] --resource-id [cloud_resource_id]
Within the resources module I can leverage several available actions such as get, get-compliance, list, scan, and others.
Below you can see a screenshot of the output from running ‘opscompass resources help’ to provide more information about the available actions.
Enumerate resources based off on criteria
Using the list action, you can filter lists of resources in your environment based off specific parameters. Here are a few examples but there are more you should try for yourself.
List all resources in an entire AWS account
opscompass resources list --company opscompassdemo --account 406219038857
List resources in all AWS accounts including multiple Organizations
opscompass resources list --company [your_company_id] --cloud-providers aws
List all resources across AWS, GCP, Azure, and Microsoft 365
[show me how I can list all my resources from the following cloud providers using opscompass cli: AWS, Azure, GCP, Microsoft365]
opscompass resources list --company [your_company_id] --cloud-providers aws azure gcp microsoft365
List resources with unacknowledged changes
opscompass resources list --company [your_company_id] --unacknowledged-changes true
List resources that were created over arbitrary periods of time
opscompass resources list --company [your_company_id] --resource-creation-date-beginning 2023-09-01 00:00:00.000 --resource-creation-date-end 2023-09-11 00:00:00.000
List all GCP resources with compliance problems
opscompass resources list –company [your_company_id] --cloud-providers gcp –open-compliance-issues true
Enumerate current configuration and compliance information about a resource
The get-latest-configuration action enumerates the configuration for a specified resource. OpsCompass assembles in-depth configuration information about each resource. So, for example, enumerating the configuration of an AWS IAM user with OpsCompass returns information about the IAM user resource, its group, attached policies and keys, and its MFA device all in a single resource call.
Show a resource’s current configuration state
opscompass resources get-latest-configuration –company [your_company_id] --resource-id [cloud_resource_id]
The get-compliance action retrieves information about how a specified resource is performing against security and other compliance controls. This information includes the status, the severity, and then details about each control that applies to the resource.
Get a compliance status for a resource
opscompass resources get-compliance –company [your_company_id] --resource-id [cloud_resource_id]
Always maintaining the ability to understand the resources you have as well as their state (configuration, compliance, and otherwise) is a critical function for security, compliance, and asset management. OpsCompass CLI makes it easy to automate this sort of visibility and make it part of your operational process. Whether you’re in cloud security and need quick ways to enumerate an environment and assess it for potential vulnerability, or you’re enterprise managing applications and you need to understand a wide variety of risks from configuration and architecture to security and costs, tools like this save people time and reduce your organizations overall cloud and data risk.