
How a Simple Diagram Helps Enhance Your Cloud Security

June 22, 2023


I was glancing through some customer feedback today and came across this:

"For me, as an AWS senior cloud-advisor HAVA is theee tool. I was really surprised what can be done with it and in particular how security groups are visualized is stunning. It's so easy. With HAVA it is possible to find the link between ENIs and Instances right away. Do this in the AWS Console. It's a remarkable tool and I try to convince my customers to use it. In particular bigger companies lose sight. In case security compliance is on top of the list, there is no way to do it without visualizing what you got in front of you" - Peter B.

Peter gets it.

Hava is often thought of as an infrastructure diagramming tool, with automated cloud infrastructure diagrams for AWS, Azure and GCP as its core function.

To some extent it is, but the other views and capabilities built into Hava give cloud engineers and managed service providers far more than pretty VPC infrastructure pictures.

Peter's observation about security group visualisation is a case in point. What could take you days or weeks to work out in the cloud console is laid out in crystal clear diagram form on the interactive security view for AWS and Azure deployments.

All you need to do is connect a cloud account to Hava using a read-only or cross-account role, and within a few minutes (possibly even seconds) you will have a complete set of diagrams generated for every VPC running in the account you connected.

This includes a Security View which is the focus of this article.

How can I see my AWS Security Groups?

The beauty of the Hava Security view is that it clearly lays out what security groups are associated with the resources running in your AWS (or Azure) VPC.

As distinct from the infrastructure view that allows you to click on a resource to view security group details in the resource attribute metadata window, the security view reverses the process, allowing you to click on a security group to see all the resources it controls.

( Image: Security Groups for a Selected EC2 Instance; Hava Infrastructure View showing SG details for a selected resource instance in the attribute pane )

When you look at the security view for the above environment you see:

( Image: AWS Security Group Diagram )

The Security View displays all your security groups as horizontal bars on the diagram, so you can see at a glance all of the security groups configured for this particular VPC.

This saves countless hours searching through the AWS console investigating resources and working out the associated security group details.

As with all Hava diagrams, the security view is interactive, which means you can select a security group on the diagram and the pane to the right of the diagram will display the known settings for the selected group.

In the example above, selecting a group shows the group name, ingress and egress ports and protocols.

How do I see what resources a security group controls?

When you select a security group (SG) on the Hava security view diagram all the details related to the SG are displayed in the side panel.

You can scroll through all this metadata to the connected resources section to view all the resources this SG controls.

( Image: AWS Security Group Diagram )

Other information you can find in the attributes pane when a security group is selected include:

  • SG Name and ID
  • Description
  • Ingress and Egress IP addresses
  • TCP Ports / Protocols
  • Tags

Can I see resource details without leaving the security view?

Yes. Each of the resources listed in the attribute pane is selectable. Once clicked, the attribute pane changes to display information about the selected resource.

If we select the first EC2 instance in the list shown on the above security diagram, the attribute pane changes to:

( Image: Hava Security View Showing Resource Details )

So you can see all the details related to the selected resource. For this EC2 instance, that includes:

  • Instance Name and Id
  • AMI
  • Instance Type
  • Architecture
  • Key Name
  • Public IP
  • Hypervisor
  • Status (running or not)
  • AZ
  • DNS Details
  • Private IPs
  • Elastic IPs
  • Launch Subnet
  • Security Groups
  • Network Interfaces
  • Storage Volumes
  • Tags

How can I tell how traffic can enter and exit my VPC?

Knowing how people can enter and access resources in your VPC is a crucial consideration. Knowing how, once they are in, they could exit with a big bag of your data is equally important from a cybersecurity standpoint.

As you would expect, Hava has this covered.

On top of the diagrammed security groups, Hava maps out how traffic can traverse your VPC using arrows to show what ports are open and where the traffic is routed.

( Image: Security Group Arrows )

Here you can see the arrows showing the ports and protocols that are permitted to enter and exit each security group.


How does Hava help enhance cloud security?

It is probably obvious from the diagrams above that you can see at a glance exactly what is going on security-wise for a VPC. That means you can quickly get a grasp of what the security of a newly inherited project or client looks like.

You can also assess at a glance what ports are open, especially to the internet which might prove to be an issue from a security perspective.

You can inspect which security groups accept traffic and on which ports, and you can look at all the connected services to see exactly what your visitors can gain access to.

All without leaving the security view or opening your AWS console.

Hava's security view brings clarity to complex cloud security scenarios and uncovers potentially damaging vulnerabilities in seconds.
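The two questions the security view answers in the sections above (which ENIs and instances does a security group control, and which ingress and egress rules reach the open internet) can also be computed directly from the raw EC2 API data. The following is an added example written for this article, not Hava's code. It assumes the dict shape that boto3's EC2 `describe_security_groups` and `describe_network_interfaces` calls return; every group ID, ENI ID, instance ID, CIDR and rule below is constructed sample data, so the script runs offline.

```python
"""Map AWS security groups (SGs) to the network interfaces (ENIs) and
instances they control, then flag inbound rules open to the whole internet
and outbound rules that let anything out.  Works over the dict shape boto3
returns from EC2 describe_security_groups / describe_network_interfaces,
so the same functions can be fed live data; the data below is constructed."""
from collections import defaultdict

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: one public web SG, one internal DB SG (no live account used).
SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111", "GroupName": "web-public", "VpcId": "vpc-0123",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb222", "GroupName": "db-internal", "VpcId": "vpc-0123",
     "IpPermissions": [
         # Referenced-SG rule: only members of web-public may reach the DB port.
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa111"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]

NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-0aaa111"}],
     "Attachment": {"InstanceId": "i-0web"}, "PrivateIpAddress": "10.0.1.10",
     "Association": {"PublicIp": "203.0.113.10"}},
    {"NetworkInterfaceId": "eni-0bbb", "Groups": [{"GroupId": "sg-0bbb222"}],
     "Attachment": {"InstanceId": "i-0db"}, "PrivateIpAddress": "10.0.2.20"},
    # An app host carrying both SGs inherits the public SSH exposure too.
    {"NetworkInterfaceId": "eni-0ccc",
     "Groups": [{"GroupId": "sg-0aaa111"}, {"GroupId": "sg-0bbb222"}],
     "Attachment": {"InstanceId": "i-0app"}, "PrivateIpAddress": "10.0.1.30"},
    # Detached ENI (e.g. left over from a deleted instance): no Attachment key.
    {"NetworkInterfaceId": "eni-0ddd", "Groups": [{"GroupId": "sg-0aaa111"}],
     "PrivateIpAddress": "10.0.1.99"},
]


def resources_by_group(interfaces):
    """SG id -> list of (ENI id, instance id or None): the SG -> resources
    direction, rather than the console's resource -> SG direction."""
    out = defaultdict(list)
    for eni in interfaces:
        instance = eni.get("Attachment", {}).get("InstanceId")
        for g in eni.get("Groups", []):
            out[g["GroupId"]].append((eni["NetworkInterfaceId"], instance))
    return dict(out)


def rule_label(perm):
    """Human-readable 'proto/port' for a permission entry; '-1' means all traffic."""
    proto = perm["IpProtocol"]
    if proto == "-1":
        return "all/all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def _world_open(perm):
    """True if the rule's CIDR list includes the IPv4 or IPv6 'anywhere' range."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def world_open_ingress(groups):
    """(SG id, label) for every inbound rule reachable from anywhere on the internet."""
    return [(g["GroupId"], rule_label(p)) for g in groups
            for p in g.get("IpPermissions", []) if _world_open(p)]


def unrestricted_egress(groups):
    """SG ids whose outbound rules allow all protocols and ports to anywhere."""
    return [g["GroupId"] for g in groups
            if any(p["IpProtocol"] == "-1" and _world_open(p)
                   for p in g.get("IpPermissionsEgress", []))]


def exposed_instances(groups, interfaces):
    """Instance id -> sorted labels of world-open inbound rules it is exposed through."""
    attached = resources_by_group(interfaces)
    exposure = defaultdict(set)
    for sg_id, label in world_open_ingress(groups):
        for _eni, instance in attached.get(sg_id, []):
            if instance:  # detached ENIs carry the SG but expose no instance
                exposure[instance].add(label)
    return {i: sorted(v) for i, v in sorted(exposure.items())}


if __name__ == "__main__":
    for sg_id, members in resources_by_group(NETWORK_INTERFACES).items():
        print(sg_id, "->", members)
    print("world-open ingress:", world_open_ingress(SECURITY_GROUPS))
    print("unrestricted egress:", unrestricted_egress(SECURITY_GROUPS))
    print("exposed instances:", exposed_instances(SECURITY_GROUPS, NETWORK_INTERFACES))
```

Run against the constructed data, `exposed_instances` shows that `i-0app` is reachable on SSH from the internet even though its own role is internal, purely because it carries the `web-public` group alongside `db-internal`; that transitive exposure is exactly what is hard to spot resource by resource in the console and easy to see when the diagram starts from the security group. Feeding the functions live data is a matter of passing `client.describe_security_groups()["SecurityGroups"]` and `client.describe_network_interfaces()["NetworkInterfaces"]` from a read-only boto3 session.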

( Image: SOC 2 Type 2 logo )

How does Hava's Security View help with compliance?

There are a number of ways Hava can help with compliance audits.

This is a complex topic that warrants a post of its own. In a nutshell, when you can provide diagrams and documentation that demonstrate how your VPC is secured, how people can enter, where your data resides, what they can access and how they cannot exit the network with a big bag of data, you are much further down the path to passing a compliance audit.

Hava also retains superseded infrastructure and security views in version history, so you can easily answer questions like "What has changed since the last audit?"

The Hava security view truly is a powerful addition to any cloud team's toolbox.



Try it for yourself today and see exactly what your security looks like.



Written by Team Hava

The Hava content team
