Clarity for AWS Accounts

In this topic:

    This topic explains the Clarity views for AWS cloud accounts. For AWS, there are two views: the Security Group view and the Effective Policy view.

    In addition, you can visualize AWS CFT files for cloud environments that are still in the design phase.

    View an environment with the Security Group view

    In this step, an environment will be visualized with the Security Group view. This view shows all the Security Groups.

    1. In Clarity, select a cloud environment in one of your accounts (as described in the previous section), and then select Security Groups from the list in the menu bar at the upper right.

      This will show the Security Group view of the environment.

      This view shows the following:

      • Each Security Group is shown as a block. The number in the upper right corner (if present) is the number of assets the Security Group affects, and the icon indicates the type of asset.

      • The view is divided into logical zones, indicating the level of exposure to the outside world, from the External Zone (red, at left), the most exposed, to the Internal Zone (green, at right), the least exposed. Security Group blocks are located in the view according to their level of exposure.

      • Sources are indicated as yellow blocks, with an IP address. These are typically in the External Zone (external sources) and in the Internal Zone (instances).

      • Lines between sources and Security Groups indicate that the address is controlled by the Security Group, that is, that a rule in the Security Group affects the address.

    2. Click on a Security Group. The Sources affected by the Security Group are highlighted, and the connecting lines are highlighted in orange. These are the permitted traffic flows.

      The pane on the right shows details for the Security Group. The top of the pane shows the zone in which the Security Group is grouped. In the example above, this is the DMZ. Below this are the details for the Security Group (each can be expanded). Below this are the cloud assets affected by the Security Group (instances, Lambdas, etc., according to the entity types for the specific cloud provider). These are color-coded according to their level of exposure. Expand them to show more detail, or click the link symbol to open the asset's details in the Protected Assets page of the Dome9 console.

      Below this are the Inbound and Outbound rules for the Security Group. Expand a rule to show its IP addresses. For Inbound rules, click a rule to highlight its Source block.

    3. Click on a Source block. The source block is highlighted in the view, and the Security Groups that affect this source are highlighted.


    View an environment in the Effective Policy view

    The Effective Policy view groups Security Groups that affect a common asset, and hides those that do not affect any assets.

    1. Select Effective Policy in the list in the menu bar at the upper right.

      This shows the VPC in the Effective Policy view.

      This view also shows the Security Groups and Sources, organized by zone. In this view, however, the Security Groups that affect the same asset are grouped together. Security Groups that affect a number of assets may appear several times in the view. Security Groups that do not affect any assets are hidden.

    2. The pane on the right shows details for the selected Security Group block, as in the Security Group view. If the block represents a number of grouped Security Groups, they are all shown. Below this is the common asset, and below this are the Inbound and Outbound rules (aggregated for all the grouped Security Groups).


    Other controls

    You can use the following controls (buttons in the menu bar) to modify the view:

    • Zoom the view.

    • Center the view.

    • Switch between a Compact display, in which traffic flows are grouped, and a Detailed display, in which traffic flows are shown individually.

    • Choose the screen orientation.

    • Hide Security Groups that do not affect any assets (AWS and Azure only, in the Security Group view).

    • (AWS only) Add VPC peering security group references to the diagram. Peered Security Groups are marked with a VPC label and are shown to one peering level: if the peered VPC's Security Group includes a rule that references yet another security group, only the first level is shown.

    • (Azure only) Add peered VNet security group references to the diagram.

    • (Azure only) Hide instances that are in offline mode.

    • (AWS only) Show VPC Flow Logs: fetches and shows VPC Flow Logs, if they were configured for this VPC. To view the logs, also click a security group element. See VPC Flow Logs.

      Note that VPC Flow Logs are not shown for peered Security Groups even if VPC Flow Logs are enabled for the peered VPC.

    • Print the displayed view.

    • Search for elements by name. As you enter text in the text box, the elements whose names match the text appear in the list below the text box, and the same elements are highlighted in the visualization map. Selecting an element in the search list selects it in the map.

    • (AWS and Azure only) Filter the displayed elements by tag key and value. The filter lets you focus on a specific set of elements, for example only elements that carry tags representing "production environment".

      There are several tag filter modes: (1) Strict: show only elements that match the tags; (2) First Level: show only elements that match the tags and the elements directly connected to them; (3) Highlight: highlight the elements that match the tags.

      To add a tag, enter the tag key and value, and click "submit filter".

    • Click the Legend button to show what each icon represents.


    View AWS Peered VPCs

    In AWS, VPCs can be connected, and share traffic. These VPCs are Peered (see AWS VPC Peering). The Clarity view shows Peered Security Groups as an external source, with links to the Security Group in your VPC that it can access.

    • In the Clarity view, select PEERED VPCS. The Peered Security Group will be marked.


    Visualize an AWS CloudFormation Template (CFT)

    You can visualize AWS CFT files, to assess the security configuration of a proposed cloud environment while still in design. In this way you can detect and resolve gaps in security upstream in the design process, before the environment is live.

    1. In the Clarity view, select Cloud Formation in the navigation pane.

    2. Select one of the listed CFT files, or browse for one on your computer. The CFT will be displayed in the Clarity view.

    3. If the CFT is parameterized, a pop-up window opens so that you can select values for the parameters. In this way, you can evaluate the CFT under different conditions. Fill in the parameters and then click Done.

    4. In the Clarity display, select the CFT object.

    5. The CFT will be shown in the Security Group view.

    Note: when working with a parameterized CFT, use the Dome9 CFT Simulator to convert the parameterized CFT to an actual CFT for visualization.
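The following Python script is an added example, not Dome9 or Clarity code. It reproduces, from a constructed and un-parameterized CloudFormation template embedded inline, the two things the views above present: the source-to-Security-Group lines of the Security Group view, and the Effective Policy view's per-asset aggregation of inbound rules, which hides groups that affect no asset. The resource names, addresses and function names (parse_template, security_groups, sources, effective_policy, classify_zone) are all assumptions for this example, and the exposure-zone classification (External for an unbounded 0.0.0.0/0 or ::/0 source, DMZ for a bounded public source, Internal for RFC 1918 or security-group sources only) is an assumed heuristic standing in for Clarity's own zoning rule, which the page does not specify.

```python
"""Added example (not Dome9/Clarity code): derive Security Group view sources
and an Effective Policy view summary from an AWS CloudFormation template.
Handles only an un-parameterized JSON template (no intrinsics beyond Ref)."""
import json
from ipaddress import ip_network

# Constructed sample template; resource names and addresses are made up.
SAMPLE_CFT = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin access from a fixed range", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}]}},
    "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "database, reachable only from the web tier", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "SourceSecurityGroupId": {"Ref": "WebSG"}}]}},
    "UnusedSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "attached to nothing", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"}]}},
    "WebInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "SecurityGroupIds": [{"Ref": "WebSG"}, {"Ref": "AdminSG"}]}},
    "DbInstance": {"Type": "AWS::EC2::Instance", "Properties": {
        "SecurityGroupIds": [{"Ref": "DbSG"}]}},
}})

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_template(text):
    return json.loads(text)


def ref_name(value):
    """Resolve a {"Ref": "Name"} object to its logical name; literals pass through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else str(value)


def security_groups(template):
    """Logical SG name -> list of (protocol, from_port, to_port, source) tuples."""
    out = {}
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        rules = []
        for r in res.get("Properties", {}).get("SecurityGroupIngress", []):
            if "CidrIp" in r:
                src = r["CidrIp"]
            elif "CidrIpv6" in r:
                src = r["CidrIpv6"]
            elif "SourceSecurityGroupId" in r:
                src = "sg:" + ref_name(r["SourceSecurityGroupId"])
            else:
                src = "unknown"
            rules.append((r.get("IpProtocol", "-1"), r.get("FromPort"), r.get("ToPort"), src))
        out[name] = rules
    return out


def instance_groups(template):
    """Instance logical name -> list of SG logical names attached to it."""
    out = {}
    for name, res in template["Resources"].items():
        if res["Type"] == "AWS::EC2::Instance":
            props = res.get("Properties", {})
            refs = props.get("SecurityGroupIds", []) + props.get("SecurityGroups", [])
            out[name] = [ref_name(v) for v in refs]
    return out


def sources(template):
    """Source block -> SGs with a rule for it (the lines in the Security Group view)."""
    out = {}
    for name, rules in security_groups(template).items():
        for _, _, _, src in rules:
            out.setdefault(src, []).append(name)
    return out


def classify_zone(rules):
    """Assumed heuristic: External > DMZ > Internal, by the widest inbound source."""
    zone = "Internal"
    for _, _, _, src in rules:
        if src.startswith("sg:"):
            continue  # SG-referenced sources stay inside the VPC
        net = ip_network(src, strict=False)
        if net.prefixlen == 0:
            return "External"  # 0.0.0.0/0 or ::/0: open to the whole internet
        if net.version == 4 and not any(net.subnet_of(p) for p in RFC1918):
            zone = "DMZ"  # bounded public source
    return zone


def effective_policy(template):
    """Per-asset aggregated inbound rules plus the SGs hidden for affecting no asset."""
    sgs = security_groups(template)
    attached = instance_groups(template)
    policy = {}
    for inst, names in attached.items():
        rules = [r for n in names for r in sgs.get(n, [])]
        policy[inst] = {"groups": names, "rules": rules, "zone": classify_zone(rules)}
    used = {n for names in attached.values() for n in names}
    hidden = sorted(set(sgs) - used)
    return policy, hidden


if __name__ == "__main__":
    tmpl = parse_template(SAMPLE_CFT)
    print("Sources -> Security Groups (lines in the Security Group view):")
    for src, groups in sources(tmpl).items():
        print(f"  {src:18} -> {', '.join(groups)}")
    policy, hidden = effective_policy(tmpl)
    print("\nEffective Policy per asset:")
    for inst, info in policy.items():
        print(f"  {inst} [{info['zone']}] groups={info['groups']}")
        for proto, lo, hi, src in info["rules"]:
            print(f"    allow {proto} {lo}-{hi} from {src}")
    print("\nHidden (affect no asset):", hidden)
```

Run it as a script to see both summaries. The UnusedSG resource illustrates the difference between the two views: in the Security Group view it draws a line from the 0.0.0.0/0 source, while the Effective Policy view hides it because no asset carries it, so the open RDP rule is not an actual exposure until something is attached to that group.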