
Integrate Orca into your AWS CSPM with Cloudquery

Kevin Rheinheimer

Here at CloudQuery, we’re all about increasing confidence in your Cloud Security Posture Management (CSPM). Whether you are interested in creating a comprehensive AWS asset inventory or are only interested in targeting specific AWS services, CloudQuery can give you quick, actionable insights on AWS resources in your own database. Let’s explore how to use CloudQuery’s Orca plugin to integrate security data with your exported AWS cloud resource data.

Why incorporate Orca into your AWS CSPM?

Orca is an agentless Cloud-Native Application Protection Platform (CNAPP) that collects data out-of-band, directly from your cloud configuration and from snapshots of the workload's runtime block storage. It lets your organization and DevOps teams find, prioritize, and remediate cloud misconfigurations, vulnerabilities, and compliance issues. Joining Orca's findings to your synced AWS resource data lets you build a custom view of your cloud security posture, in your own database, with your own queries.

How to set up Orca and CloudQuery

Let’s cover a few basic setup steps to connect your AWS resources to Orca security data.
  1. Include the aws_ec2_instances and aws_lambda_functions tables in your AWS sync configuration

Integrating Orca control results into your AWS EC2 instances data

Once you have synced your AWS and Orca sources into the same PostgreSQL database, you can combine the two. In this example you will find which running EC2 instances (from the aws_ec2_instances table) have Orca alerts whose compliance control is failing. The example uses two schemas, aws and orca. The following query lists every synced EC2 instance that Orca reports with at least one failing control:
```sql
-- distinct: an instance is reported once even if the same failing rule
-- appears in more than one compliance framework test.
select distinct
	i.account_id as aws_account_id,
	i.region as region,
	i.arn as aws_resource_id,
	i.instance_id as instance_id,
	i.instance_type as instance_type,
	i.launch_time as launch_time,
	oa.state_last_seen as alert_state_last_seen,
	oa.description as alert_description,
	oa.details as alert_details,
	oa.recommendation as alert_remediation_recommendation
from
	-- alias "i" rather than "aws" so the alias does not shadow the schema name
	aws.aws_ec2_instances i
-- For EC2, Orca's asset_vendor_id is the instance ID.
-- This was a left join originally, but the inner join on the compliance
-- tests below discards any instance with no alert anyway, so an inner join
-- states the intent directly.
inner join
	orca.orca_alerts oa on oa.asset_vendor_id = i.instance_id
inner join
	orca.orca_compliance_framework_tests cft on cft.rule_id = oa.rule_id
where
	-- state is a JSON object from the EC2 API, e.g. {"Code": 16, "Name": "running"}
	i.state ->> 'Name' = 'running'
and
	cft.result = 'FAIL';
```
In this query, you select descriptive fields from aws_ec2_instances and join on instance_id to the asset_vendor_id that Orca records for each alert. The second join, to orca_compliance_framework_tests on rule_id, together with the cft.result = 'FAIL' filter, keeps only instances that have at least one failing control. Note that this second join also turns the left join to orca_alerts into an effective inner join: an instance with no alert rows has a null rule_id, cannot match a compliance test, and so never appears in the output. The distinct guards against an instance being listed once per framework test when the same rule is referenced by several frameworks.
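Two follow-on queries, added here as an example and not taken from the original post or from the CloudQuery plugin documentation, build on the same join. They use only the columns referenced above and assume the same aws and orca schemas, plus that orca_alerts.description is text. The first ranks running instances by how many distinct Orca rules fail for them, which is usually the order in which you want to work findings. The second is the coverage check that a left join would give you: running instances with no Orca alert rows at all.

```sql
-- Added example, not the post's own query. Assumes the aws and orca schemas
-- synced by CloudQuery as described above and that orca_alerts.description is text.

-- 1. Prioritisation: distinct failing rules per running instance, worst first.
with failing_alerts as (
    select distinct
        oa.asset_vendor_id,
        oa.rule_id,
        oa.description
    from orca.orca_alerts oa
    join orca.orca_compliance_framework_tests cft
        on cft.rule_id = oa.rule_id
    where cft.result = 'FAIL'
)
select
    i.account_id,
    i.region,
    i.instance_id,
    i.instance_type,
    count(distinct fa.rule_id) as failing_rules,
    string_agg(distinct fa.description, '; ' order by fa.description) as failing_rule_descriptions
from aws.aws_ec2_instances i
join failing_alerts fa
    on fa.asset_vendor_id = i.instance_id
where i.state ->> 'Name' = 'running'
group by i.account_id, i.region, i.instance_id, i.instance_type
order by failing_rules desc, i.account_id, i.region;

-- 2. Coverage check: running instances for which Orca has raised no alert.
-- An empty alert set can mean "clean", but it can also mean the account or
-- region is not onboarded to Orca, so review these rather than assuming the former.
select
    i.account_id,
    i.region,
    i.instance_id,
    i.launch_time
from aws.aws_ec2_instances i
left join orca.orca_alerts oa
    on oa.asset_vendor_id = i.instance_id
where i.state ->> 'Name' = 'running'
  and oa.asset_vendor_id is null
order by i.account_id, i.region, i.launch_time;
```

The anti-join in the second query is the pattern to reach for whenever "no rows in the security tool" needs to be distinguished from "no findings": a resource missing from every Orca table is a sync or onboarding gap, not a clean bill of health.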

Finding vulnerabilities in your AWS Lambda Functions using Orca and CloudQuery

You can also use Orca and CloudQuery to see which of your AWS resources carry known vulnerabilities. This example joins the aws_lambda_functions and orca_cves tables to list the Lambda functions that have CVE findings:
```sql
select
	f.account_id as aws_account_id,
	f.region as region,
	f.arn as aws_resource_id,
	cve.first_seen as vuln_first_seen,
	cve.affected_packages,
	cve.fix_available,
	cve.severity,
	cve.source_link
from
	-- alias "f" rather than "aws" so the alias does not shadow the schema name
	aws.aws_lambda_functions f
-- For Lambda, Orca's asset_vendor_id is the function ARN.
-- An inner join returns only functions with at least one CVE finding; use a
-- left join instead if you want every function listed, with null CVE columns
-- for those Orca found nothing on.
inner join
	orca.orca_cves cve on cve.asset_vendor_id = f.arn;
```
In this query, as before, the join key is Orca's asset_vendor_id, which for a Lambda function is its ARN rather than an instance ID. The result pairs descriptive fields about each function with actionable fields from the Orca scan: which packages were found vulnerable, the severity of the vulnerability, whether a fix is available, and a link back to NIST for more information about the CVE.
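The query above is a flat list; what a practitioner usually wants next is a ranking and a ticket list. The following is an added example, not code from the original post or the CloudQuery plugin, and it makes assumptions about column types that you should check against your own orca_cves table: severity is text containing values such as critical or high (compared case-insensitively), fix_available is boolean, and first_seen is a timestamp. The 30-day threshold is an illustrative remediation SLA.

```sql
-- Added example, not the post's own query. Assumptions (verify against your
-- orca_cves table): severity is text like 'critical'/'high', fix_available is
-- boolean (cast with ::boolean if your sync stores it as text), first_seen is
-- a timestamp. The 30-day window is an illustrative SLA.

-- 1. Ranking: CVE counts per function, functions with critical/high first,
--    plus how many fixable findings have been open longer than the SLA.
select
    f.account_id,
    f.region,
    f.arn,
    count(*) filter (where lower(cve.severity) = 'critical') as critical,
    count(*) filter (where lower(cve.severity) = 'high')     as high,
    count(*) filter (where cve.fix_available
                       and cve.first_seen < now() - interval '30 days') as fixable_over_30d,
    min(cve.first_seen) as oldest_finding
from aws.aws_lambda_functions f
join orca.orca_cves cve
    on cve.asset_vendor_id = f.arn
group by f.account_id, f.region, f.arn
having count(*) filter (where lower(cve.severity) in ('critical', 'high')) > 0
order by critical desc, high desc, oldest_finding;

-- 2. Ticket list: individual critical/high findings that already have a fix
--    and have been open past the SLA, oldest first, with the package and
--    reference link needed to act on them.
select
    f.arn,
    cve.severity,
    cve.first_seen,
    cve.affected_packages,
    cve.source_link
from aws.aws_lambda_functions f
join orca.orca_cves cve
    on cve.asset_vendor_id = f.arn
where cve.fix_available
  and cve.first_seen < now() - interval '30 days'
  and lower(cve.severity) in ('critical', 'high')
order by cve.first_seen, f.arn;
```

Keep the severity comparison case-insensitive until you have confirmed the exact strings your tenant emits; a filter on 'HIGH' against rows that say 'high' silently returns nothing, which is the worst failure mode for a security report.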
Be secure in your CSPM using CloudQuery and Orca today. Try CloudQuery with no credit card required and gain immediate insights into vulnerabilities and misconfigurations in your AWS environment. If you have any questions or want to connect with our engineering team, contact us or join our Discord channel.