The Monitor

Visually identify and prioritize security risks using Cloudcraft

5 minute read

Published

Share

Visually identify and prioritize security risks using Cloudcraft
Colten Woo

Colten Woo

Jace Harker

Jace Harker

As cloud infrastructure becomes more dynamic and distributed, DevOps and security teams need to quickly detect risks and understand their context: where those risks live, how critical they are, and how to respond effectively. By surfacing misconfigurations, vulnerabilities, sensitive data risks, and identity threats directly on a real-time diagram of your infrastructure, Cloudcraft helps teams identify, prioritize, and remediate security issues at scale. This visual context allows teams to reduce risk across cloud environments, using a shared and trusted view of your architecture.

In this post, we’ll show you how you can use Cloudcraft to:

Identify misconfigured cloud resources

Misconfigurations in cloud resources can leave your organization vulnerable to attacks and lead to costly data breaches. To surface these misconfigurations, Datadog Cloud Security runs continuous configuration checks on your cloud resources using more than 1,000 out-of-the-box detection rules mapped to compliance standards and industry benchmarks. Using Cloudcraft, you can view all misconfigurations across your infrastructure on a diagram and dig deeper into each finding to investigate the issue.

View of misconfigurations on Cloudcraft infrastructure diagram
View of misconfigurations on Cloudcraft infrastructure diagram

Cloudcraft color-codes misconfigurations by their severity score and shows you relationships between resources, helping you prioritize which issues to focus on. In the example above, Cloudcraft has surfaced a critical misconfiguration: a publicly accessible EC2 instance has highly privileged IAM roles. After clicking into this finding, you can see other misconfigurations affecting the impacted resource before investigating further. For each misconfiguration, Datadog provides a detailed description of what happened, suggested remediation steps, and quick actions so you can open a Jira ticket, run a workflow, or otherwise act to remediate the issue.

Uncover the most impactful vulnerabilities in your environment

With ephemeral resources running on different packages and versions, tracking existing and new vulnerabilities can be challenging. To identify and remediate these issues, Cloud Security continuously scans your containers, hosts, and serverless functions for known vulnerabilities, from your pipelines to your production environment. The ability to see these findings in Cloudcraft enables you to quickly assess the number of vulnerabilities in your environment and their severity, so you can begin triaging them.

Vulnerability findings in Cloudcraft with detailed sidepanel of critical vulnerability
Vulnerability findings in Cloudcraft with detailed sidepanel of critical vulnerability

In the screenshot above, Cloudcraft has surfaced a vulnerability that carries a critical severity score, has an available exploit, and impacts a resource running in production. These three factors indicate that this is a high-priority vulnerability that should be addressed immediately. Once you click into the finding, you can see details about the vulnerable component, a description of the issue, and recommended remediation steps, along with actions you can take to begin triage.

Visualize identity risks and secure your infrastructure from IAM-based attacks

Mismanagement of identity and access management (IAM) systems is one of the leading causes of security breaches and insider threats. To mitigate entitlement and identity risks, Datadog Cloud Security Identity Risks scans your cloud environment for known IAM issues such as lingering administrative privileges, privilege escalations, permission gaps, and cross-account access. Cloudcraft enables you to visualize these findings in your infrastructure diagrams, so you can see which resources are impacted and which others are connected or downstream, helping you better assess identity risks, access paths, and blast radius.

Overprivileged resource finding in Cloudcraft
Overprivileged resource finding in Cloudcraft

In the screenshot above, Cloudcraft shows us that an AWS EC2 instance has administrative privileges, which could cause security issues or data leaks. The detailed side panel for this finding displays a summary of what happened, what entities the resource can access, who can access the resource, and other key information. For quick remediation, you can run a workflow in Workflow Automation, view suggested downsized policies before making the change in your cloud console, or create a Jira issue.

Spot and secure sensitive data stored in cloud resources

Securing sensitive data is critical for avoiding costly data breaches and meeting compliance standards. To catalog where this data is stored, Sensitive Data Scanner (SDS) scans text files (such as CSVs and JSONs) and tables in Amazon S3 buckets, using its rule library to determine if sensitive data is stored there. If SDS finds matches in any of your resources, Cloudcraft will mark them with an orange dot and label them with the number of matches found, so you can quickly focus on the most problematic resources that need your attention.

To continue your investigation, you can click a resource to open a side panel that shows you the number of matches, the types of sensitive data found, and the location of the first match.

Sensitive data findings in Cloudcraft
Sensitive data findings in Cloudcraft

Assess and strengthen your security posture using Cloudcraft

Cloudcraft brings together multiple security issues, so you can fully analyze possible risks and attack paths. By bringing security insights into architecture diagrams, Cloudcraft transforms how DevOps and security teams understand and manage cloud risk. To learn more about how to get started using the Security Overlay in Cloudcraft, see our documentation. And if you’re not yet a Datadog customer, sign up for a to get started.

Related Articles

Datadog Security extends compliance and threat protection capabilities for Google Cloud

Datadog Security extends compliance and threat protection capabilities for Google Cloud

Visualize cloud security relationships with Datadog Security Graph

Visualize cloud security relationships with Datadog Security Graph

Detect Amazon Bedrock misconfigurations with Datadog Cloud Security

Detect Amazon Bedrock misconfigurations with Datadog Cloud Security

Building on open source IaC scanning tools with Datadog

Building on open source IaC scanning tools with Datadog

Start monitoring your metrics in minutes