cartography
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Top Related Projects
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Multi-Cloud Security Auditing Tool
Cloud Security Posture Management (CSPM)
Quick Overview
Cartography is an open-source tool developed by Lyft for security engineers, DevOps teams, and cloud administrators. It consolidates infrastructure assets and the relationships between them in an intuitive graph view, leveraging popular cloud providers' APIs to gather and analyze data about an organization's assets and their relationships.
Pros
- Provides a comprehensive view of cloud infrastructure across multiple providers (AWS, GCP, Azure)
- Helps identify security risks and misconfigurations in cloud environments
- Supports custom data ingestion and analysis through a flexible plugin system
- Offers powerful querying capabilities using Cypher query language
Cons
- Requires significant setup and configuration for optimal use
- Learning curve for users unfamiliar with graph databases and Cypher query language
- Limited out-of-the-box dashboards and visualizations
- Resource-intensive for large-scale environments
Getting Started
To get started with Cartography:
- Install Cartography:
pip install cartography
- Set up your cloud provider credentials (e.g., AWS):
export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
- Run Cartography:
cartography --neo4j-uri bolt://localhost:7687 --neo4j-user neo4j --neo4j-password password
- Query the graph using Neo4j Browser or Cypher shell:
MATCH (n:AWSAccount) RETURN n LIMIT 10
For more detailed instructions and advanced usage, refer to the official documentation on the GitHub repository.
Competitor Comparisons
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Pros of CloudMapper
- Focused specifically on AWS, providing deep insights into AWS environments
- Generates interactive web-based network diagrams for easy visualization
- Includes security auditing features for identifying potential vulnerabilities
Cons of CloudMapper
- Limited to AWS, while Cartography supports multiple cloud providers and systems
- Less extensible compared to Cartography's graph-based approach
- Requires more manual configuration and setup for data collection
Code Comparison
CloudMapper (Python):
account = Account(None, args.account, args.config, args.config_file)
for region_json in get_regions(account):
region = Region(account, region_json)
# ... (processing for each region)
Cartography (Python):
def start_neo4j_import(neo4j_import_directory, neo4j_database):
cmd = [
NEO4J_ADMIN_CMD, "import",
"--database", neo4j_database,
"--nodes", f"{neo4j_import_directory}/nodes.csv",
"--relationships", f"{neo4j_import_directory}/relationships.csv",
]
# ... (execution of import command)
Both projects use Python, but CloudMapper focuses on AWS-specific data collection and processing, while Cartography demonstrates a more generic approach to importing data into a graph database for analysis across multiple platforms.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Pros of Cloud Custodian
- More comprehensive cloud management capabilities, covering a wider range of cloud services and providers
- Extensive policy-based automation for security, compliance, and cost optimization
- Large and active community with frequent updates and contributions
Cons of Cloud Custodian
- Steeper learning curve due to its extensive feature set and domain-specific language
- May be overkill for organizations primarily focused on asset visualization and relationship mapping
Code Comparison
Cartography (Python):
session = driver.session()
query = """
MERGE (a:AWSAccount{id: $AWS_ID})
ON CREATE SET a.firstseen = timestamp()
SET a.lastupdated = $UPDATE_TAG
"""
session.run(query, AWS_ID=account_id, UPDATE_TAG=update_tag)
Cloud Custodian (YAML):
policies:
- name: ec2-tag-compliance
resource: ec2
filters:
- "tag:Environment": absent
actions:
- type: tag
key: Environment
value: Unknown
Key Differences
- Cartography focuses on visualizing cloud infrastructure relationships, while Cloud Custodian emphasizes policy-based management and automation
- Cartography uses a graph database for storing and querying relationships, whereas Cloud Custodian relies on YAML-based policies for defining rules and actions
- Cloud Custodian offers more extensive cloud management features, while Cartography excels in providing a clear visual representation of cloud assets and their connections
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Pros of Security Monkey
- More mature project with longer development history
- Broader cloud provider support (AWS, GCP, OpenStack)
- Includes a web UI for easier visualization and management
Cons of Security Monkey
- No longer actively maintained (last commit in 2020)
- More complex setup and configuration process
- Limited extensibility compared to Cartography's graph-based approach
Code Comparison
Security Monkey (Python):
def audit_rds(self):
for region in self.regions:
self.rds_instances = self.get_rds_instances(region)
for instance in self.rds_instances:
self.check_rds_encryption(instance)
Cartography (Python):
def sync_rds_instances(
neo4j_session: neo4j.Session, boto3_session: boto3.Session, region: str,
current_aws_account_id: str, update_tag: int, common_job_parameters: Dict,
) -> None:
instances = get_rds_instances(boto3_session, region)
load_rds_instances(neo4j_session, instances, region, current_aws_account_id, update_tag)
Both projects aim to enhance cloud security, but Cartography offers a more modern, graph-based approach for analyzing relationships between cloud assets. Security Monkey provides a more traditional security monitoring solution with a web interface, but its development has stalled. Cartography's active development and extensible architecture make it a more future-proof choice for organizations looking to implement comprehensive cloud asset management and security analysis.
Multi-Cloud Security Auditing Tool
Pros of ScoutSuite
- Multi-cloud support: Covers AWS, Azure, GCP, and more
- Extensive rule set: Comes with a large number of pre-defined security rules
- User-friendly HTML report: Generates an interactive, easy-to-navigate report
Cons of ScoutSuite
- Limited graph-based analysis: Focuses on individual resource findings rather than relationships
- Less extensible: Not designed for custom data ingestion or complex queries
Code Comparison
ScoutSuite (Python):
from ScoutSuite.core.cli_parser import *
from ScoutSuite.core.console import set_logger_configuration, print_info
from ScoutSuite.core.exceptions import RuleExceptions
from ScoutSuite.core.processingengine import ProcessingEngine
from ScoutSuite.core.ruleset import Ruleset
Cartography (Python):
from cartography.intel.aws import eks
from cartography.intel.aws import iam
from cartography.intel.aws import rds
from cartography.intel.aws import route53
from cartography.intel.aws import s3
Both projects use Python, but ScoutSuite focuses on rule-based scanning, while Cartography emphasizes graph-based analysis and relationships between cloud resources. ScoutSuite's code imports core components for rule processing and report generation, whereas Cartography's imports reflect its modular approach to data ingestion from various AWS services.
Cloud Security Posture Management (CSPM)
Pros of CloudSploit
- Broader cloud coverage, including AWS, Azure, GCP, and Oracle Cloud
- Provides a web-based interface for easier visualization and management
- Offers both open-source and commercial versions with additional features
Cons of CloudSploit
- Less focus on graph-based analysis and relationships between assets
- May require more setup and configuration for complex environments
- Limited customization options compared to Cartography's extensible architecture
Code Comparison
Cartography (Python):
from cartography.intel.aws import ec2
from cartography.util import run_analysis_job
def sync_ec2_instances(neo4j_session, boto3_session, region, aws_account_id):
ec2.sync_ec2_instances(neo4j_session, boto3_session, region, aws_account_id)
run_analysis_job('aws_ec2_asset_exposure.json', neo4j_session, {})
CloudSploit (JavaScript):
const AWS = require('aws-sdk');
const async = require('async');
const helpers = require('../helpers/aws');
module.exports = {
title: 'EC2 Instance Asset Exposure',
category: 'EC2',
run: function(cache, settings, callback) {
// Plugin logic here
}
};
Both projects aim to improve cloud security, but Cartography focuses on graph-based analysis and relationships between assets, while CloudSploit provides a broader range of cloud coverage and a web-based interface. Cartography offers more extensibility, while CloudSploit may be easier to set up and use for basic security checks across multiple cloud providers.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
Why Cartography?
Cartography aims to enable a broad set of exploration and automation scenarios. It is particularly good at exposing otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks.
Service owners can generate asset reports, Red Teamers can discover attack paths, and Blue Teamers can identify areas for security improvement. All can benefit from using the graph for manual exploration through a web frontend interface, or in an automated fashion by calling the APIs.
Cartography is not the only security graph tool out there, but it differentiates itself by being fully-featured yet generic and extensible enough to help make anyone better understand their risk exposure, regardless of what platforms they use. Rather than being focused on one core scenario or attack vector like the other linked tools, Cartography focuses on flexibility and exploration.
You can learn more about the story behind Cartography in our presentation at BSidesSF 2019.
Install and configure
Start here.
Supported platforms
- Amazon Web Services - API Gateway, Config, EC2, ECS, ECR, Elasticsearch, Elastic Kubernetes Service (EKS), DynamoDB, IAM, Inspector, KMS, Lambda, RDS, Redshift, Route53, S3, Secrets Manager, Security Hub, SQS, SSM, STS, Tags
- Google Cloud Platform - Cloud Resource Manager, Compute, DNS, Storage, Google Kubernetes Engine
- Google GSuite - users, groups
- Duo CRXcavator - Chrome extensions, GSuite users
- Oracle Cloud Infrastructure - IAM
- Okta - users, groups, organizations, roles, applications, factors, trusted origins, reply URIs
- Github - repos, branches, users, teams
- DigitalOcean
- Microsoft Azure - CosmosDB, SQL, Storage, Virtual Machine
- Kubernetes - Cluster, Namespace, Service, Pod, Container
- PagerDuty - Users, teams, services, schedules, escalation policies, integrations, vendors
- Crowdstrike Falcon - Hosts, Spotlight vulnerabilites, CVEs
- NIST CVE - Common Vulnerabilities and Exposures (CVE) data from NIST database
- Lastpass - users
- BigFix - Computers
- Duo - Users, Groups, Endpoints
- Kandji - Devices
- SnipeIT - Users, Assets
Usage
Start with our tutorial. Our data schema is a helpful reference when you get stuck.
Community
- Join us on
#cartography
on the Lyft OSS Slack. - Talk to us and see what we're working on at our monthly community meeting.
- Our current project roadmap is here.
Contributing
Thank you for considering contributing to Cartography!
Code of conduct
Legal stuff: This project is governed by Lyft's code of conduct. All contributors and participants agree to abide by its terms.
Bug reports and feature requests and discussions
Submit a GitHub issue to report a bug or request a new feature. If we decide that the issue needs more discussion - usually because the scope is too large or we need to make careful decision - we will convert the issue to a GitHub Discussion.
Developing Cartography
Get started with our developer documentation. Please feel free to submit your own PRs to update documentation if you've found a better way to explain something.
Sign the Contributor License Agreement (CLA)
We require a CLA for code contributions, so before we can accept a pull request we need to have a signed CLA. Please visit our CLA service and follow the instructions to sign the CLA.
Who uses Cartography?
- Lyft
- Thought Machine
- MessageBird
- Cloudanix
- ZeusCloud
- Corelight
- {Your company here} :-)
If your organization uses Cartography, please file a PR and update this list. Say hi on Slack too!
Top Related Projects
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Rules engine for cloud security, cost optimization, and governance, DSL in yaml for policies to query, filter, and take actions on resources
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Multi-Cloud Security Auditing Tool
Cloud Security Posture Management (CSPM)
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot