
Cloud Security Posture Scanning

TL;DR:

A user interface that brings together multiple pipelines to deliver full-stack visibility across cloud environments, exposing and correlating security risks at both the platform and operating system layers.


Overview

So far, Agentless Vulnerability Scanning, Discovery and Compliance Scanning, and Application Vending Pipeline have been explored individually.

This section introduces the final piece that brings them together into a cohesive CSPM application: the frontend and the orchestration glue.

The project

(Image: cspm-pipeline)

Backend

1. Website hosting

The platform user interface is written in NextJS and is hosted as a static website on S3. The build and deploy process is covered in Account Vending Pipeline.

CloudFront fronts the S3 origin, using a custom domain managed through Route53 and an SSL certificate issued by Amazon Certificate Manager.

2. Authentication

Cognito provides user management for the platform. The Cognito Identity JavaScript SDK is used for user registration and authentication through the signUp and authenticateUser flows, removing the need to manage a separate database and user model.

3. Actions

API Gateway acts as the bridge between the frontend and backend. It validates Cognito-issued tokens before authorizing requests to backend services.

For each module (compliance, discovery, vulnerability), three core requests are available:

The Add and Remove requests invoke an integration Lambda responsible for creating or deleting an account’s schedule and S3 namespace.

A Query request is also available and covered below.

4. Data fetching

Two components are used to query the Neo4j database:

Neo4j GraphQL Library enables GraphQL access to Neo4j by generating an executable schema from statically supplied type definitions. These definitions are stored in S3.

Apollo Server runs on a VPC Lambda as the GraphQL API. It receives GQL queries and executes the resolvers generated by the library mentioned above. These resolvers transform GQL into Cypher, Neo4j’s native querying language, and execute it against the database.

Frontend

1. Dashboard

(Image: cspm-overview)

2. Discovery

(Image: cspm-discovery)

3. Vulnerabilities

(Image: cspm-vulnerabilities)

4. Compliance

5. Query Builder

(Image: cspm-query)