Important: Cloudrail is not GA yet. Please start with development or small environments. It only supports Terraform with the AWS provider at the moment.
Cloudrail is a context-aware cloud security tool. It audits your live cloud environment together with your IaC templates, builds a security context for the resources being deployed, and uses that context to decide which findings are real risks. The goal is to run Cloudrail inside a CI/CD pipeline so that violations of your security policy are caught before they reach production.
Cloudrail's main advantages over existing tools are:
- It understands the relationships between resources (for example, a given security group can be problematic or not, depending on what it is attached to)
- It takes the live cloud environment into account, and how that environment affects the resources defined in the IaC code
- It supports tfvars, runtime variables and modules, because it reviews the full Terraform plan instead of individual .tf files
Examples of the context-aware checks this enables:
- Find out whether a public instance and a private instance share the same IAM role
- Identify whether a Default Security Group is in use AND open
- Take the account-level Public Access Block into account when evaluating S3 buckets
- Work out whether a VPC endpoint should be used, and whether it is used correctly
- Do not alert that a resource is public when it isn't
Cloudrail currently supports Terraform files used with the AWS cloud provider. To run the CLI you need:
- A container execution environment (such as Docker Desktop)
- Terraform >= 0.12
Cloudrail is a cloud-hosted service (SaaS). The Cloudrail CLI container takes your Terraform plan, reduces it to the minimal subset needed for analysis (what we call the "Terraform context"), and uploads only that reduced context to the service. The service merges it (in memory) with a current snapshot of your cloud account and runs the context-aware rules on the merged model.
The intent is that the full plan, and the highly sensitive content it may contain, never leaves your network; only the reduced context does. Treat that context as data leaving your control all the same: keep secrets out of plans where you can (for example, by supplying them at apply time) rather than relying on the filter alone.
The CLI portion of Cloudrail is delivered as a container: https://hub.docker.com/r/indeni/cloudrail-cli
You can start by pulling the container:
docker pull indeni/cloudrail-cli
Then, you can run the container:
docker run --rm -it -v "$PWD":/data -v cloudrail:/indeni indeni/cloudrail-cli --version
IMPORTANT: Currently you must always run the "latest" container version, because the contract between the container and the Cloudrail Service expands almost daily. This means you must pull ":latest" before every run. Since an unpinned tag can change between runs, it is worth logging the image digest that "docker pull" reports so each scan can be traced back to the exact image that produced it. To make pulling automatic, you can add the function below to your shell's rc file (~/.bashrc, ~/.zshrc, etc.):
cloudrail () {
printf 'Checking for an updated cloudrail image (may take a few minutes if a new one is downloaded)...'
# always refresh :latest before running (see the note above)
docker pull indeni/cloudrail-cli > /dev/null
# clear the progress line
printf '\r \n'
# quote $PWD and "$@" so paths and arguments containing spaces survive intact
docker run --rm -it -v "$PWD":/data -v cloudrail:/indeni indeni/cloudrail-cli "$@"
}
This will also allow you to simply run cloudrail instead of the full docker command. Note that all of the examples below are written as cloudrail. If you haven't added the above function to your shell's rc file, you will need to use docker run --rm -it -v "$PWD":/data -v cloudrail:/indeni indeni/cloudrail-cli instead.
The next step is to register with the Cloudrail service.
~ # cloudrail register
Please enter the email address you would like to register with: [email protected]
The password you would like to use:
Repeat for confirmation:
Successfully register
Registration completed successfully. You can now begin to use the Cloudrail CLI tool.
You will need to provide a valid email address and a password. The password must include at least one upper case letter, one lower case letter, a number and a special character, and be at least 6 characters long. These are the service's minimum requirements; a longer passphrase generated by a password manager is a better choice.
The registration stores a configuration file on the cloudrail docker volume, which is reused by future executions. The file contains your API key, Customer ID and Username, so treat that volume as a credential store. Alternatively, you may remove this file and supply the API key explicitly in every future Cloudrail CLI execution (via the --api-key argument); in CI this is usually the better option, with the key injected from the pipeline's secret store rather than baked into an image or volume.
If you have already registered and want to regenerate the configuration file on the cloudrail docker volume, use the login function:
~ # cloudrail login
Your username [[email protected]]: [email protected]
Password:
Successfully login
You are now logged in and can begin to use the Cloudrail CLI tool.
Please follow the instructions here in order to create the AWS IAM Role that Cloudrail uses to snapshot your account.
You can also list the cloud accounts that have been added to the Cloudrail service:
~ # cloudrail list-cloud-accounts
If you want to remove a cloud account from the Cloudrail service:
~ # cloudrail remove-cloud-account
Inside the "test" folder you will find several examples you can use to try Cloudrail. Some of these examples set up vulnerable resources that Cloudrail detects as such. A few of them are deliberately not vulnerable, and are there to show Cloudrail's context awareness (no finding is raised because the surrounding context makes the resource safe).
Now it's time to try Cloudrail with your own scenarios. Simply follow the same process: "terraform init", "terraform plan -out=plan.out" and "cloudrail run". Run these from the directory that the container mounts as /data, so that plan.out is visible to the CLI.
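The following is an added example of wrapping that init / plan / run procedure for a CI job; it is not part of the Cloudrail project. It assumes the API key arrives from the pipeline's secret store in the CLOUDRAIL_API_KEY environment variable, that "--api-key" is accepted after the "run" sub-command, and that the "cloudrail" named volume is still mounted as in the commands above. The TTY flags (-it) are dropped because CI runners have no terminal.

```shell
#!/bin/sh
# Added example, not part of the Cloudrail project: a CI wrapper around the
# documented "terraform init / terraform plan -out=plan.out / cloudrail run" flow.
# Assumptions (not from the page): the API key is delivered by the CI secret
# store as $CLOUDRAIL_API_KEY, and "--api-key" is accepted after "run".
set -eu

IMAGE="indeni/cloudrail-cli"
PLAN_FILE="plan.out"

# Fail closed if the plan the service will analyse is missing or empty, so we
# never start a scan that silently reviews nothing.
check_plan_file() {
  if [ ! -s "$1" ]; then
    echo "plan file '$1' is missing or empty; run terraform plan -out=$PLAN_FILE first" >&2
    return 1
  fi
}

# Render the docker command line for logging. No -it flags because CI has no
# terminal; the mounted directory is what the container sees as /data.
build_docker_cmd() {
  workdir="$1"; shift
  printf 'docker run --rm -v %s:/data -v cloudrail:/indeni %s:latest' "$workdir" "$IMAGE"
  for arg in "$@"; do printf ' %s' "$arg"; done
  printf '\n'
}

ci_scan() {
  dir="${1:-.}"
  absdir=$(cd "$dir" && pwd)
  : "${CLOUDRAIL_API_KEY:?export CLOUDRAIL_API_KEY from your CI secret store}"

  # Always pull :latest (the page requires it), then record exactly which
  # image digest this run used so the result can be audited later.
  docker pull "$IMAGE:latest" >/dev/null
  echo "cloudrail image: $(docker image inspect --format '{{index .RepoDigests 0}}' "$IMAGE:latest")"

  # The full plan stays on disk in $absdir; only the container reads it.
  (cd "$absdir" && terraform init -input=false >/dev/null && terraform plan -input=false -out="$PLAN_FILE")
  check_plan_file "$absdir/$PLAN_FILE"

  # Log the command with the key redacted, then run it with the real key.
  # A non-zero exit from the container fails the job because of "set -e".
  build_docker_cmd "$absdir" run --api-key '***'
  docker run --rm -v "$absdir:/data" -v cloudrail:/indeni "$IMAGE:latest" \
    run --api-key "$CLOUDRAIL_API_KEY"
}

# Usage: sh ci_scan.sh scan ./infra   (with no arguments only the functions are defined)
case "${1:-}" in
  scan) ci_scan "${2:-.}" ;;
esac
```

Invoke it as "sh ci_scan.sh scan ./infra" from the job that has CLOUDRAIL_API_KEY in its environment. The key is passed only on the docker command line, never written to the workspace, and the logged command shows it redacted.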
If you encounter any error, please let us know in the Indeni Slack channel #cloudrail-user-support. An invite can be received by filling out the form here: https://indeni.com/cloudrail-user-support/