cartography
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Top Related Projects
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Six Degrees of Domain Admin
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Quick Overview
Cartography is an open-source tool developed by Lyft that consolidates infrastructure assets and the relationships between them in an intuitive graph view. It helps security teams and engineers visualize and analyze their infrastructure, making it easier to understand complex systems and identify potential security risks.
Pros
- Provides a comprehensive view of infrastructure assets and their relationships
- Supports multiple cloud providers and services (AWS, GCP, Azure, etc.)
- Easily extensible with custom data ingestion modules
- Helps identify security risks and compliance issues
Cons
- Requires significant setup and configuration for optimal use
- Can be resource-intensive for large infrastructures
- Learning curve for understanding and querying the graph database
- Limited built-in visualization tools (relies on external tools for advanced visualizations)
Code Examples
# Example 1: Connecting to Neo4j database
from neo4j import GraphDatabase
driver = GraphDatabase.driver("bolt://localhost:7687", auth=("neo4j", "password"))
session = driver.session()
# Example 2: Querying AWS EC2 instances
query = """
MATCH (i:EC2Instance)
RETURN i.instanceid, i.publicdnsname, i.privateipaddress
LIMIT 10
"""
result = session.run(query)
for record in result:
print(record)
# Example 3: Finding unencrypted S3 buckets
query = """
MATCH (b:S3Bucket)
WHERE b.encrypted = false
RETURN b.name, b.region
"""
result = session.run(query)
for record in result:
print(f"Unencrypted bucket: {record['b.name']} in {record['b.region']}")
Getting Started
-
Install Cartography:
pip install cartography -
Set up a Neo4j database and configure connection details.
-
Run Cartography with your cloud provider credentials:
cartography --neo4j-uri bolt://localhost:7687 --neo4j-username neo4j --neo4j-password password --aws-sync-all-profiles -
Query the graph database using Neo4j's Cypher query language or integrate with visualization tools like Gephi or Linkurious.
Competitor Comparisons
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Pros of Cartography
- Comprehensive cloud infrastructure visualization and analysis tool
- Supports multiple cloud providers and services
- Active development and regular updates
Cons of Cartography
- Steeper learning curve for new users
- Requires significant setup and configuration
- May have higher resource requirements for large-scale deployments
Code Comparison
Unfortunately, I cannot provide a meaningful code comparison in this case. The repository "cartography-cncf/cartography" does not exist or is not publicly accessible. The only repository that exists is "cartography-cncf/cartography", which is the main Cartography project.
Cartography is an open-source tool for creating a graph database of your cloud infrastructure and analyzing it. It's designed to help security teams and engineers understand their infrastructure better and identify potential security risks.
Here's a sample code snippet from Cartography:
def load_aws_account_data(
neo4j_session: neo4j.Session,
account_id: str,
update_tag: int,
common_job_parameters: Dict,
) -> None:
logger.info("Loading AWS Account %s", account_id)
query = """
MERGE (aa:AWSAccount{id: $AccountId})
ON CREATE SET aa.firstseen = timestamp()
SET aa.lastupdated = $update_tag
"""
neo4j_session.run(
query,
AccountId=account_id,
update_tag=update_tag,
)
This code snippet demonstrates how Cartography interacts with a Neo4j database to store and update AWS account information.
Six Degrees of Domain Admin
Pros of BloodHound-Legacy
- Specialized for Active Directory environments, providing deep insights into AD security
- User-friendly GUI for visualizing attack paths and relationships
- Extensive documentation and community support
Cons of BloodHound-Legacy
- Limited to Windows/Active Directory environments
- Requires more manual setup and data collection compared to Cartography
- Less extensible for custom data sources or cloud environments
Code Comparison
BloodHound-Legacy (PowerShell):
$SearchBase = "DC=contoso,DC=com"
$Computers = Get-ADComputer -Filter * -SearchBase $SearchBase
foreach ($Computer in $Computers) {
# Collect and process data
}
Cartography (Python):
def sync_ec2_instances(neo4j_session, region, account_id):
instances = get_ec2_instances(region)
load_ec2_instances(neo4j_session, instances, region, account_id)
# Additional processing and relationship mapping
BloodHound-Legacy focuses on Active Directory data collection and analysis, while Cartography offers a more flexible approach for various cloud and on-premises assets. BloodHound-Legacy excels in AD environments, providing detailed attack path analysis, while Cartography offers broader infrastructure visibility and easier integration with diverse data sources.
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Pros of CloudMapper
- Focused specifically on AWS environments, providing detailed visualizations of AWS infrastructure
- Includes a web-based user interface for easier exploration of generated maps
- Offers additional security analysis features, such as identifying public-facing assets
Cons of CloudMapper
- Limited to AWS, while Cartography supports multiple cloud providers and other data sources
- Less extensible compared to Cartography's graph-based approach
- Requires more manual configuration and data collection
Code Comparison
CloudMapper (Python):
def parse_arguments():
parser = argparse.ArgumentParser(description="CloudMapper - AWS visualization tool")
parser.add_argument("--config", help="Config file name", default="config.json")
parser.add_argument("--account-name", help="Account name for the graph")
return parser.parse_args()
Cartography (Python):
def parse_args():
parser = argparse.ArgumentParser(description='Cartography CLI')
parser.add_argument('--neo4j-uri', type=str, default='bolt://localhost:7687',
help='Neo4j URI to connect to')
parser.add_argument('--neo4j-user', type=str, default='neo4j', help='Neo4j user to connect with')
return parser.parse_args()
Both projects use argparse for command-line argument parsing, but Cartography's approach is more focused on Neo4j connection details, reflecting its graph-based architecture.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Pros of Cloud Custodian
- Multi-cloud support (AWS, Azure, GCP)
- Extensive policy-as-code capabilities
- Large community and active development
Cons of Cloud Custodian
- Steeper learning curve
- Focused primarily on policy enforcement and remediation
- Less emphasis on visualization and relationship mapping
Code Comparison
Cloud Custodian (YAML policy):
policies:
- name: ec2-tag-compliance
resource: ec2
filters:
- "tag:Environment": absent
actions:
- type: tag
key: Environment
value: Production
Cartography (Python query):
MATCH (n:EC2Instance)
WHERE NOT EXISTS(n.environment)
SET n.environment = 'Production'
RETURN n
Both tools offer ways to manage cloud resources, but Cloud Custodian focuses on policy enforcement through YAML configurations, while Cartography uses graph database queries for analysis and visualization.
Convert 
designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Why Cartography?
Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.
Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.
Cartography is not the only security graph tool out there, but it differentiates itself by being fully-featured yet generic and extensible enough to help make anyone better understand their risk exposure, regardless of what platforms they use. Rather than being focused on one core scenario or attack vector like the other linked tools, Cartography focuses on flexibility and exploration.
You can learn more about the story behind Cartography in our presentation at BSidesSF 2019.
Supported platforms
- Amazon Web Services - API Gateway, Config, EC2, ECS, ECR, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager, Security Hub, SQS, SSM, STS, Tags
- Google Cloud Platform - Cloud Resource Manager, Compute, DNS, Storage, Google Kubernetes Engine
- Google GSuite - users, groups
- Oracle Cloud Infrastructure - IAM
- Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs
- GitHub - repos, branches, users, teams
- DigitalOcean
- Microsoft Azure - CosmosDB, SQL, Storage, Virtual Machine
- Kubernetes - Cluster, Namespace, Service, Pod, Container
- PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
- Crowdstrike Falcon - Hosts, Spotlight vulnerabilities, CVEs
- NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database
- Lastpass - users
- BigFix - Computers
- Duo - Users, Groups, Endpoints
- Kandji - Devices
- SnipeIT - Users, Assets
Philosophy
Here are some points that can help you decide if adopting Cartography is a good fit for your problem.
What Cartography is
- A simple Python script that pulls data from multiple providers and writes it to a Neo4j graph database in batches.
- A powerful analysis tool that captures the current snapshot of the environment, building a uniquely useful inventory where you can ask complex questions such as:
- Which identities have access to which datastores?
- What are the cross-tenant permission relationships in the environment?
- What are the network paths in and out of the environment?
- What are the backup policies for my datastores?
- Battle-tested in production by many companies.
- Straightforward to extend with your own custom plugins.
- Provides a useful data-plane that you can build automation and CSPM (Cloud Security Posture Management) applications on top of.
What Cartography is not
- A near-real time capability.
- Cartography is not designed for very fast updates. Cartography writes to the database in a batches (not streamed).
- Cartography is also limited by how most upstream sources only provide APIs to retrieve assets in a batched manner.
- By itself, Cartography does not capture data changes over time.
- Although we do include a drift detection feature.
- It's also possible to implement other processes in your Cartography installation to make this happen.
Install and configure
Trying out Cartography on a test machine
Start here to set up a test graph and get data into it.
Setting up Cartography in production
When you are ready to try it in production, read here for recommendations on getting cartography spun up in your environment.
Usage
Querying the database directly
Now that data is in the graph, you can quickly start with our querying tutorial. Our data schema is a helpful reference when you get stuck.
Building applications around Cartography
Directly querying Neo4j is already very useful as a sort of "swiss army knife" for security data problems, but you can also build applications and data pipelines around Cartography. View this doc on applications.
Community
- Hang out with us on Slack: Join the CNCF Slack workspace here, and then join the
#cartographychannel. - Talk to us and see what we're working on at our monthly community meeting.
License
This project is licensed under the Apache 2.0 License.
Contributing
Thank you for considering contributing to Cartography!
Code of conduct
All contributors and participants of this project must follow the CNCF code of conduct.
Bug reports and feature requests and discussions
Submit a GitHub issue to report a bug or request a new feature. If we decide that the issue needs more discussion - usually because the scope is too large or we need to make careful decision - we will convert the issue to a GitHub Discussion.
Developing Cartography
Get started with our developer documentation. Please feel free to submit your own PRs to update documentation if you've found a better way to explain something.
Who uses Cartography?
- Lyft
- Thought Machine
- MessageBird
- Cloudanix
- Corelight
- {Your company here} :-)
If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!
Cartography is a Cloud Native Computing Foundation sandbox project.
Top Related Projects
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Six Degrees of Domain Admin
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot