Overview of CodeShield’s Policy Evaluation Engine.
CodeShield’s solution is based on a cloud model developed by CodeShield. Using the cloud provider’s API, CodeShield analyzes your entire AWS environment and infers a graphical representation of the connectivity within the cloud environment. The graph model is the output of an IAM permissions analysis that resolves roles, policies, and actions to infer which cloud resources can communicate with each other. This also includes the networks, subnet configurations and VPCs to which each resource belongs.
Based on the cloud model, the user can understand:
- Initial Cloud Access: from which resources an attacker could enter the cloud environment.
- Lateral Movement: how an attacker could move within the cloud infrastructure.
- Connectivity: which resources can communicate with each other and how your infrastructure is intertwined.
For a scan, the cloud model is accessible using the left navigation bar by navigating to
Technically, CodeShield’s cloud model is a graph data structure. The nodes represent cloud resources (such as Lambdas, S3 buckets, SNS queues, EC2 instances, and many more) and the edges represent different forms of relationships. The meaning of a relationship depends on the types of the nodes it connects.
For instance, an edge between a database and a compute resource encodes potential data flow and access. An edge between a user and a group encodes a belongs-to relationship. Another example is the PolicyReference, which models access between two resources as defined by an IAM policy. Last but not least, TrustRelationships model trust as defined by the principal of a resource-based policy. E.g., if a role’s trust policy allows a user to assume that role, a TrustRelationship exists between the user and the role.
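As an added illustration (not CodeShield’s code), the following builds a tiny graph in the shape described above from constructed, simplified policy data: BelongsTo edges from group membership, TrustRelationship edges from role trust policies, and PolicyReference edges from identity policies. A breadth-first traversal over the chosen edge types then gives the lateral-movement view of what a principal can reach. The resource names and policy layout are assumptions for the example, not real AWS ARNs or CodeShield’s internal format.

```python
from collections import defaultdict, deque

# Constructed sample data (not a real account): one role that trusts alice,
# identity policies granting access to two buckets, and one group.
TRUST_POLICIES = {
    "role/DataReader": {"Principal": {"AWS": ["user/alice"]}, "Action": "sts:AssumeRole"},
}
IDENTITY_POLICIES = {
    "role/DataReader": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "bucket/customer-data"}],
    "user/bob": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "bucket/public-assets"}],
}
GROUP_MEMBERS = {"group/analysts": ["user/alice", "user/bob"]}


def build_graph():
    """Return an adjacency map {source: [(target, edge_type)]} using the page's edge kinds."""
    graph = defaultdict(list)
    for group, members in GROUP_MEMBERS.items():          # user -> group: belongs-to
        for member in members:
            graph[member].append((group, "BelongsTo"))
    for role, trust in TRUST_POLICIES.items():            # principal -> role: trust policy
        for principal in trust["Principal"]["AWS"]:
            graph[principal].append((role, "TrustRelationship"))
    for identity, statements in IDENTITY_POLICIES.items():  # identity -> resource: IAM allow
        for stmt in statements:
            if stmt["Effect"] == "Allow":
                graph[identity].append((stmt["Resource"], f"PolicyReference:{stmt['Action']}"))
    return graph


def reachable(graph, start, follow=("TrustRelationship", "PolicyReference")):
    """Lateral-movement view: every node reachable from `start` over the selected edge
    types, mapped to the (predecessor, edge_type) pair it was first reached through."""
    seen, queue, paths = {start}, deque([start]), {}
    while queue:
        node = queue.popleft()
        for target, edge_type in graph.get(node, []):
            if edge_type.split(":")[0] in follow and target not in seen:
                seen.add(target)
                paths[target] = (node, edge_type)
                queue.append(target)
    return paths


if __name__ == "__main__":
    for node, (via, edge) in reachable(build_graph(), "user/alice").items():
        print(f"user/alice -> {node}  (via {via}, {edge})")
```

Following TrustRelationship edges is what lets the traversal see that alice reaches the customer-data bucket only by way of the role, which is the path a defender would want to review.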
Overview of all nodes (i.e., cloud resources) of CodeShield’s cloud model.
Overview of all edge types that are generated.