Layered Context - User Guide

Layered Context Page

From your InsightCloudSec installation, locate "Security" in the main navigation and select "Layered Context" to open the page. The Layered Context provides access to the visualizations, search functionality, filters, as well as a table/list display of resources. Any resource listed here is associated with one or more Insights.

The Layered Context Page includes:

• Trend and analytics visualizations that provide a snapshot of risk
• Search functionality and filtering that allow you to narrow the list of resources to only the most critical or vulnerable
• A table/list display with a list of resources that are currently associated with one or more InsightCloudSec Insight or Threat Finding

Visualizations (Trend and Analytics)

The Trend and Analytics section of Layered Context provides three high-level visuals to summarize risk associated with your resources. This section of the page can be collapsed using the "Hide" arrow to the right of the heading.

• Visualizations can also be refined by using the "Add Filter" capability at the top of the main page.
• Note: We will be updating these visualizations with interactivity to allow you to act on the data displayed.

• Risky Resources: This section displays the number of high-risk resources that are included in your overall footprint. This count includes resources that are impacted by at least 1 Critical Finding for Insights or Vulnerabilities and are considered to have public exposure - the combination of these two elements have been selected to help you identify resources that should be prioritized for review.

• Insights Summary: This section displays a summary of the number of resources with findings for each of the severity categories available (for example: critical, high, medium). Hovering over the severity will display the total number of resources in each severity category.

• High Risk Resource Types : Displays a visual breakdown of the top 5 high risk resource types with a count and overall percentage (for example: resourceaccesslist includes 138 resources, representing 12.8% of your total resources)

Scoping the Data

Layered Context has searching and filtering functionality to narrow the scope of the resource list. These features can be used together to effectively and quickly navigate. The "Add Filter" button also allows you to select a filter that will be applied to the Trend and Analytics visualizations.

Filtering

Filtering ("Add Filter") allows for narrowing the scope of the resources list using properties like: cloud accounts, clusters, and resource groups. Click the “Add Filters” button to open the panel, and “Select a property” to get started. After choosing your desired filters, select “Apply” to update the page to display the results of your specified filters.

Resource Tags
Layered Context supports searching with a Resource Tag.

• Searching for a tag is case insensitive.
• New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings fore more information).*

Filtering Behavior

• Each selected Filter updates dynamically with options appropriate for the property selected.
• Click “+ Add Filter” to add an additional filter and further narrow the scope.

Search

Type into the search bar and the list of resources will automatically filter to match the criteria. Currently, search is limited to the resource name and type metadata attributes.

Download

To save a copy of the information found in the resource list, click "Download" next to the search bar and select either "CSV" or "JSON". The file will be prepared in the background until it is ready to be downloaded by your web browser.

Note: If the file preparation takes longer than 10 minutes, it will timeout, so it's best to narrow the scope prior to downloading.

Data List Display

Below the new Trend and Analytics data visualizations is the main table/list display of all of the resources analyzed within Layered Context.

The capabilities for this section of the page (above the data display) include: Search, Download (JSON/CSV), and Column Options.

Columns

The default columns that display for Resources are:

• Resource Name: The name of the resource
• Resource Type: The type of resource
• Cloud: The type of Cloud account the resource is associated with
• Account Name: The name of the Cloud account the resource is associated with
• Public Access
  • Public: Reflects resources with public accessibility based on the specified system checks. Click “Public” to navigate directly to the "Context Details → Public Access" tab.
  • Not Public: Reflects resources that are not publicly accessible based on system checks.
• Insights Summary: Displays highest criticality available (for example if the resource is only associated with an Insight (or Insights) with a misconfiguration identified with a Medium severity, that is what will display in the Insights Summary).
  • Critical, High, Medium, Low, Info: The count of the Insights associated with the resource respective to each individual severity. (e.g. Critical = 13, indicates 13 Critical Insights for that resource.)
  • Hover on the Insights badge for the counts of each Insight severity associated with the resource.
  • Click the Insights badge for expanded details on any Insight Findings associated with a specific resource.
• Vulnerabilities Summary: Displays the badge(s) and count (Critical, High, Medium, Low), for the highest severity vulnerabilities identified for the selected resource.
  • Critical, High, Medium, Low, Info: The count of the Vulnerabilities associated with the resource respective to each individual severity. (e.g. Critical = 13, indicates 13 Critical Vulnerabilities for that resource.)
  • Hover on the Vulnerabilities badge for the counts of each Vulnerability severity associated with the resource.
  • Select the Vulnerabilities badge for expanded details on any Vulnerabilities associated with a specific resource.
• Threat Findings Summary: Displays the badge for highest severity Threat Finding for the selected resource
  • High, Medium, Low: Badges are based on the count of Threat Finding occurrences associated with the resource respective to reach individual severity (e.g., Low = 399 indicates 399 Low severity Threat Finding occurrences for that resource.)
  • Select the Threat Findings badge for expanded details on any Thread Findings associated with a specific resource.
• Action (View Context Details/Download Source Data):
  In each row under the Action column are two icons (a file and a download icon)
  • Click the left icon to "View Context Details" or click the right icon "Download Source Data".
  • Refer to the Context Details section for more information on exploring individual resources.

Context (Resource) Details

From the actions menu, you can open the context details panel for an individual resource. This panel displays several tabs depending on the resource and status:

📘

Resource ID

The Resource ID provided at the top of the panel is a unique composite of the InsightCloudSec-specific resource type, resource name, and other attributes that vary depending on the type of resource.

Properties

This tab provides a list of metadata attributes or properties for the selected resource

Public Access

For resources marked as publicly accessible, this tab contains a count of checks and details for each check, including the date it was identified and the results (Public/Not Public).

• Sources include: Harvesting Evaluation, Insights (ICS), and Cloud Service Provider (CSP).
• Expanding an individual source displays details for that source. For example, a specific Insight that identifies Public Access. When expanded, this displays the Overview of the Insight and any recommended remediation (when available).

Insight Findings

Provides a detailed list of the Insights this resource is associated with.

• Clicking on the arrow next to the individual line expands to show details for the selected Insight.
• In the “Packs” column, hover over the count of packs to view a list of Insight Packs that contain the Insight.

• Click on the filtering option to the right of the sort option to expose/select additional filtering for the Insight severities.

Vulnerabilities

This tab will provide a detailed list of the Vulnerabilities associated with this resource. Note: This capability is still in development. See Container Vulnerability Management for more information on vulnerabilities.

Threat Findings

Provides a detailed list of the Threat Findings associated with this resource. Each line includes: Severity, Name, Provider ID, Occurrences (of each finding), First Seen (for each occurrence) and Last Seen (for last or most recent occurrence). Clicking on the arrow next to the individual line expands to show details for the selected Threat Finding.

Source Documents

See the full section below for more information.

Dependencies

Provides a table of resources that are associated or dependent upon the selected resource.

IAM Policy

For supported resources, provides the details around the associated IAM Policy for the selected resource.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789101:root",
          "arn:aws:iam::234567891011:root"
        ],
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}

Source Documents

For select AWS resource types, there is an additional detail pane, Source Documents, that surfaces raw data about the resource harvested directly from the Cloud Service Provider (CSP). This additional context about your resources can help to further investigate configuration issues or provide deeper analysis. Click into the document viewing area, then use ⌘F (MacOS) or CTRL+F (Windows) to search through the data. This data is also included with the source data download (see below).

• Note: Documents will only be stored if changes are detected for a resource or if new resources have been created, so some supported resources may not have any source documents.

Source Documents Supported Resources

Support for this feature is currently available for a subset of AWS resource types. More resources will be added over time along with coverage for other CSPs, including Azure and GCP. The Source Documents detail pane will inform you if the selected resource is not supported.

AWS

Amazon DocumentDB
Amazon Macie
Amazon MemoryDB for Redis
Amazon MQ
Amazon OpenSearch Serverless
Amazon Redshift (Snapshot)
Amazon Sagemaker (Notebook)
Amazon Timestream
Amazon Transcription
API Gateway (Domain, Key, Stage)
Athena (Workgroup)
AWS AppSync
AWS Auto Scaling (Group, Launch Configurations)
AWS Backup (Vault)
AWS Glue (Data Catalog, Security Configuration)
AWS Outposts
AWS Transfer Family (SFTP Server)
Batch (Compute Environment)
CloudFront
CloudHSM
CloudTrail
CloudWatch (Alarm, EventBridge event bus, Log Group, Rule)
Codebuild Project
Cognito (User Pool)
Container Image (ECR)
DataSync (Task)
Direct Connect
Directory Service
Dynamo DB (Accelerator (DAX))
DMS Replication Instance
EC2 Instance (Amazon EBS Snapshot, Amazon EBS Volume, Launch Template, SSH Key Pair)
EFS
Elastic Container Service/Fargate (Cluster, Container Task, Task Definition)
Elastic Container Registry (Container Image)
Elastic IP
Elastic Kubernetes Service (Cluster, Container Instance, Node Group)
Elastic MapReduce
Elastic Network Interface (ENI)
Elastic Transcoder (Pipeline)
FSx
IAM (IAM/ACM SSL Certificate)
Key Management Service
Kinesis (Data Firehose)
Kinesis Video Stream
Lambda
Managed Apache Airflow (Environment)
MSK (Instance)
NACL/Security Group
NACL/Security Group Rules
Neptune
RDS (Aurora, Aurora global database, Event Subscription, Snapshot)
Route 53 (DNS Zone, Resolver Configuration)
Recycle Bin
Region
S3 (Access Point)
S3 Glacier
Secrets Manager (Secret)
Serverless Application Repository
Shield
Simple Notification Service (Subscription)
Step Function State Machine
Storage Gateway (NFS/SMB File Share)
Systems Manager (Parameter Store (Parameter), Document)
WorkSpaces (Instances)
VPC (Endpoint/PrivateLink, Elastic Network Interface (ENI), Flow Log, Internet Gateway, Peer, Managed Prefix List, NAT Gateway, Route, Route Table, Site-to-Site VPN, Subnet, Traffic Mirror Target, Transit Gateway, Virtual Private Gateway)
VPC Subnet

Download Source Data

From the actions menu and the context details panel, you have the ability to download source data for a given resource. Currently, source data can only be downloaded for one resource at a time. The source data is available as a JSON file and contains a summary of the information found within Layered Context.

{
  "legacy_details": {
    "common": {
      "resource_id": "resourceaccesslist:70:us-west-1:resource-acl-example-name:",
      "resource_name": "resource-acl-example-name",
      "resource_type": "resourceaccesslist",
      "cloud": "ALICLOUD",
      "account": "Ali Cloud",
      "account_id": "1234567890123456",
      "account_status": "PAUSED",
      "organization_service_id": 70,
      "region": "us-west-1",
      "creation_timestamp": "None",
      "discovered_timestamp": "2021-11-02 12:15:41",
      "modified_timestamp": "2021-11-02 12:15:41",
      "namespace_id": "None",
      "properties": {
        "property_list": []
      },
      "noncompliance": []
    },
    "access_list_id": "resource-acl-example-id",
    "access_list_type": "security_group",
    "parent_resource_id": "privatenetwork:70:us-west-1:vpc-abc123def456ghi789:",
    "parent_resource_name": "smallvpc",
    "description": "System created security group.",
    "default_acl": "false",
    "associations": [],
    "association_count": 0
  },
  "details": {},
  "sources": {},
  "findings": {
    "insights": {
      "counts_by_severity": {
        "critical": 2,
        "high": 1,
        "medium": 2,
        "low": 2,
        "info": 0
      }
    }
  },
  "dependencies": {}
}

Layered Context API

There are two endpoints to enable interacting with Layered Context programmatically.

• Detail Resource: This endpoint details a resource, including parent account information and dependencies. Read more about in the InsightCloudSec API reference.
• Export Source Data: This endpoint will export a given resource's source data.