Skip to main content

Cloud Model

CodeShield's solution is based on a sophisticated cloud model that has been developed by CodeShield. Using the cloud provider's API, CodeShield analyzes your entire AWS environment and infers a graphical representation of the connectivity within the cloud environment. The graph model is the output of an IAM permissions analysis that resolves roles, policies, and actions to infer which cloud resources can inter-communicate. This also includes networks, subnet configurations, and VPCs, to which each resource belongs.

Based on the cloud model, the user can understand

  1. Initial Cloud Access: From which resource can an attacker enter the cloud environment.
  2. Lateral Movement: How can the attacker move within the cloud infrastructure.
  3. Connectivity: Which resources can communicate with each other and how is your infrastructure connected.

For a scan, the cloud model is accessible using the left navigation bar by navigating to Cloud Model.

Technically, CodeShield's cloud model is a graph data structure. The nodes represent cloud resources (like Lambdas, S3 Buckets, Sns Queues, EC2 instances, and many more) and edges represent different forms of relationships. The relationship depends on the node types.

For instance, for edges between a database and compute resources, the edge encodes potential data-flow and access. In the case of edges between users and groups, the edge encodes a belongs-to relationship.

Another example is the AccessRef which model access between two resources as defined by an IAM policy. Last but not least, TrustRelationships model trust of policies as defined by the principal of resource-based policies. E.g., if a role's trust-policy allows a User to assume that role, a TrustRelationship exists between the user and the role.