
TL;DR

  • Cloudrail built dragoneye, the first Python tool for multi-cloud data collection.
  • dragoneye is now available as open source.
  • dragoneye can be embedded in other Python applications or used as a standalone CLI tool.
  • AWS is supported, Azure is underway, and GCP is on the roadmap.
  • You can access the GitHub repo here.

Background

Cloudrail is on a mission to build the largest graph database for IaC security. As the first tool to introduce context-aware rules for IaC security, we use the graph database to advance cloud security beyond simple key-value pair analysis.

For example, when you want to do network exposure analysis, you can't simply analyze the security groups. You also need to consider security group attachments to workloads, workload-subnet associations, subnet-ACL associations, and several other resource relationships to determine how a security violation actually affects your live environment.
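The context-aware check described above, as an added example that is not dragoneye's or Cloudrail's code: a minimal exposure walk over a constructed snapshot, showing how a security-group-only check flags every workload attached to sg-web, while following attachments, subnet and NACL narrows it to the one instance that is actually reachable. The snapshot shape and all identifiers are assumptions.

```python
from ipaddress import ip_network
INTERNET = ip_network("0.0.0.0/0")
SNAPSHOT = {  # constructed sample; the shape is ours, not dragoneye's output
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "sg-db": [{"port": 5432, "cidr": "10.0.0.0/8"}],
    },
    "instances": {
        "i-web": {"sgs": ["sg-web"], "subnet": "subnet-public"},
        "i-db": {"sgs": ["sg-web", "sg-db"], "subnet": "subnet-private"},
        "i-walled": {"sgs": ["sg-web"], "subnet": "subnet-walled"},
    },
    "subnets": {  # public_ip: the subnet hands out public addresses
        "subnet-public": {"nacl": "acl-open", "public_ip": True},
        "subnet-private": {"nacl": "acl-open", "public_ip": False},
        "subnet-walled": {"nacl": "acl-block-443", "public_ip": True},
    },
    "nacls": {  # ordered rules, first match wins; port None matches any port
        "acl-open": [{"port": None, "cidr": "0.0.0.0/0", "action": "allow"}],
        "acl-block-443": [{"port": 443, "cidr": "0.0.0.0/0", "action": "deny"},
                          {"port": None, "cidr": "0.0.0.0/0", "action": "allow"}],
    },
}

def _from_internet(rule, port):
    return rule["port"] in (None, port) and ip_network(rule["cidr"]) == INTERNET

def sg_open_to_internet(snapshot, sg_id, port):
    """Key-value view: does the group by itself allow the port from anywhere?"""
    return any(_from_internet(r, port) for r in snapshot["security_groups"][sg_id])

def nacl_allows_from_internet(snapshot, nacl_id, port):
    for rule in snapshot["nacls"][nacl_id]:  # ordered: first matching rule decides
        if _from_internet(rule, port):
            return rule["action"] == "allow"
    return False  # no matching rule: implicit deny

def naive_open_sgs(snapshot, port):
    return sorted(s for s in snapshot["security_groups"] if sg_open_to_internet(snapshot, s, port))

def instance_exposed(snapshot, iid, port):
    """Context-aware view: SG attachment, subnet public IP and subnet NACL must all allow."""
    inst = snapshot["instances"][iid]
    subnet = snapshot["subnets"][inst["subnet"]]
    return (subnet["public_ip"]
            and any(sg_open_to_internet(snapshot, s, port) for s in inst["sgs"])
            and nacl_allows_from_internet(snapshot, subnet["nacl"], port))

def exposed_instances(snapshot, port):
    return sorted(i for i in snapshot["instances"] if instance_exposed(snapshot, i, port))
```

naive_open_sgs reports sg-web, which would implicate all three instances; exposed_instances reports only i-web, because i-db has no public address and i-walled sits behind a NACL that denies 443.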

In our architecture, dragoneye is used as part of our Dynamic Analysis. It enriches our context with a snapshot of the user's live infrastructure; that snapshot is merged in-memory with the IaC context, and we then run graph queries against the merged context to find IaC security issues.

dragoneye’s objective

There are well-known open source tools like Prowler and Cloudmapper that help users audit their AWS environment. They are primarily designed for analyzing security concerns and are valuable for regularly auditing a deployed infrastructure.

dragoneye provides a general-purpose infrastructure scanning platform that supports environments beyond AWS and will include Azure and GCP. Applications of this tool encompass use cases beyond security auditing (e.g. building multi-cloud visualizations). The tool abstracts away cloud infrastructure data collection, API quota handling, and the general scaling challenges that come with scraping cloud infrastructure metadata.


You can call dragoneye's data collection from your own Python application, or you can use the dragoneye CLI:

dragoneye aws [options]
dragoneye azure [options]

At the moment, we have support for AWS, partial support for Azure and soon we will be adding support for GCP. Contributions are always welcome!

Conclusion

Instructions for running dragoneye can be found in our GitHub repo.

The Cloudrail team is committed to fostering the growth and development of dragoneye and wants to share its functionality with others who might find diverse applications for it. We're excited to make this contribution today, and we look forward to helping the large community that wants cloud management to be easier.

We just launched a dragoneye Slack workspace, and you can join the community here. See you on Slack!