Discovering Relationships in an AWS VPC using Ansible

A blog post describing our open source Ansible module for discovering relationships in an AWS Virtual Private Cloud. By Dave Hirko

Launching in the Cloud?

At B23 we build, implement, and configure distributed processing applications for Fortune 500 customers with sensitive data stored in the Cloud. This Fall, in the run-up to the Amazon Web Services (AWS) Re:Invent marketing conference, we observed many companies from many industries claiming that they could "Launch in the Cloud". To us, "Launching in the Cloud" is about as ambiguous as the term "Cloud" itself. Having spent many years working with AWS technologies, we were curious...

Yet Another Security Cloud Blog (YASCB)

We started to observe that most of these applications were critically flawed in addressing basic security principles once they were "Launched in the Cloud". It wasn't that AWS was insecure, but that these applications were not using the basic AWS services available to them to enable basic security features. For example, most of the application EC2 hosts were assigned public Internet Protocol (IP) addresses, which made them accessible to anyone on the Internet. Unlike traditional networks that exhibit some form of defense-in-depth, they did not take advantage of AWS' powerful software-defined networking (SDN) subnet and routing capabilities within a Virtual Private Cloud (VPC). In one egregious case, an application configured a Hadoop cluster where every node in the cluster was allocated a public Elastic IP address. For us, that's either negligent or lazy, or both.

Amazon's Simple Storage Service, or S3, was another major security challenge for most of these "Launched in the Cloud" applications. S3 has a very robust policy engine that allows for almost any conceivable way of securing its data contents, yet we still continued to find improperly configured S3 buckets. Most of these applications using S3 relied upon manual implementation of security policies, making them one button-click away from having their contents exposed to the world. Not to mention that no...
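The two misconfigurations described above, public IP addresses on EC2 hosts that belong in private subnets and S3 bucket policies open to everyone, are both visible in plain API output. The following is an added example, not the B23 Ansible module this post introduces: it runs the two checks over constructed data shaped like boto3's `ec2.describe_instances()` and `s3.get_bucket_policy()` results so it works offline; the instance ids, subnet ids, IPs, account id and bucket name are made up.

```python
"""Added example (not B23's Ansible module): flag the two misconfigurations the post
describes, EC2 instances reachable from the Internet via a public IP, and S3 bucket
policies that grant access to everyone. The input below is constructed to mimic the
shape of boto3's ec2.describe_instances() and s3.get_bucket_policy() results, so the
check runs offline; in practice the same functions would be fed live API output."""
import json

# Constructed sample: one Hadoop node with a public IP, one private-subnet host with
# no public address, and one untagged host with an auto-assigned public IP.
DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa", "SubnetId": "subnet-pub", "PrivateIpAddress": "10.0.1.10",
             "PublicIpAddress": "203.0.113.10", "Tags": [{"Key": "Name", "Value": "hadoop-dn-1"}]},
            {"InstanceId": "i-0bbb", "SubnetId": "subnet-priv", "PrivateIpAddress": "10.0.2.20",
             "Tags": [{"Key": "Name", "Value": "hadoop-dn-2"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc", "SubnetId": "subnet-pub", "PrivateIpAddress": "10.0.1.30",
             "PublicIpAddress": "203.0.113.30", "Tags": []},
        ]},
    ]
}

# Constructed bucket policies: one world-readable, one scoped to a single IAM role.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-data/*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-data/*"}],
})


def name_tag(instance):
    """Return the Name tag, or the instance id when no Name tag is set."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag["Value"]
    return instance["InstanceId"]


def publicly_addressed_instances(describe_instances):
    """Return (name, public IP, subnet) for every instance that carries a public or
    Elastic IP. A private-subnet host behind a NAT gateway has no PublicIpAddress key."""
    found = []
    for reservation in describe_instances["Reservations"]:
        for inst in reservation["Instances"]:
            public_ip = inst.get("PublicIpAddress")
            if public_ip:
                found.append((name_tag(inst), public_ip, inst["SubnetId"]))
    return found


def _principals(principal):
    """Normalise the Principal element ("*" or {"AWS": ...}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that grants access to everyone:
    Principal "*" or {"AWS": "*"} with no Condition narrowing who may use it."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a policy may carry a single statement object
        statements = [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt.get("Principal", {})):
            flagged.append(stmt.get("Sid", str(idx)))
    return flagged


if __name__ == "__main__":
    for name, ip, subnet in publicly_addressed_instances(DESCRIBE_INSTANCES):
        print(f"public IP {ip} on {name} ({subnet})")
    for label, pol in (("example-data", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, "world-accessible statements:", public_policy_statements(pol))
```

The policy check deliberately treats a statement with a `Condition` as not world-open, since conditions such as a source-VPC restriction change who the `*` principal really is; a real audit would inspect those conditions rather than skip them.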