
Integrate Orca into your AWS CSPM with Cloudquery

Kevin Rheinheimer

Here at CloudQuery, we’re all about increasing confidence in your Cloud Security Posture Management (CSPM). Whether you are interested in creating a comprehensive AWS asset inventory or are only interested in targeting specific AWS services, CloudQuery can give you quick, actionable insights on AWS resources in your own database. Let’s explore how to use CloudQuery’s Orca plugin to integrate security data with your exported AWS cloud resource data.

Why incorporate Orca into your AWS CSPM?

Orca is an agentless Cloud-Native Application Protection Platform (CNAPP) that collects data directly from your cloud configuration and the workload’s runtime block storage out-of-band. Orca allows your organization and DevOps teams to seamlessly find, prioritize, and remediate cloud misconfigurations, vulnerabilities, and compliance issues. Connecting Orca to your AWS cloud data can allow you to build a custom approach to monitoring your cloud security posture.

How to set up Orca and CloudQuery

Let’s cover a few basic setup steps to connect your AWS resources to Orca security data.
  1. Include aws_ec2_instances and aws_lambda_functions tables in your AWS sync configuration

Integrating Orca control results into your AWS EC2 instances data

Once you have synced your AWS and Orca sources to your PostgreSQL database, you can combine the two data sources. In this example, you will look at which running AWS EC2 instances, from the aws_ec2_instances table, are alerting and which controls have failure results. You will have two schemas for this example, aws and orca. You can use the query below to find all synced EC2 instances that have a control failure according to Orca:
select distinct
 aws.account_id as aws_account_id,
 aws.region as region,
 aws.arn as aws_resource_id,
 aws.instance_id as instance_id,
 aws.instance_type as instance_type,
 aws.launch_time as launch_time,
 oa.state_last_seen as alert_state_last_seen,
 oa.description as alert_description,
 oa.details as alert_details,
 oa.recommendation as alert_remediation_recommendation
from
 aws.aws_ec2_instances aws
left join
 orca.orca_alerts oa on aws.instance_id = oa.asset_vendor_id
inner join
 orca.orca_compliance_framework_tests cft on oa.rule_id = cft.rule_id
where
 aws.state ->> 'Name' = 'running'
and
 cft.result = 'FAIL';
In this query, you select some AWS EC2 instance descriptive fields while utilizing the instance_id field to join to the orca_alerts table using the asset_vendor_id provided by Orca. You also can utilize the result field in the orca_compliance_framework_tests table to select for only those instances that have a failure result.

Finding vulnerabilities in your AWS Lambda Functions using Orca and CloudQuery

You can also use Orca and CloudQuery to determine which of your AWS resources may be susceptible to vulnerabilities. In this example, you will use the aws_lambda_functions and orca_cves tables. You can use the below query to determine which of your lambda functions may be vulnerable:
select
 aws.account_id as aws_account_id,
 aws.region as region,
 aws.arn as aws_resource_id,
 cve.first_seen as vuln_first_seen,
 cve.affected_packages,
 cve.fix_available,
 cve.severity,
 cve.source_link
from
 aws.aws_lambda_functions aws
left join
 orca.orca_cves cve on cve.asset_vendor_id = aws.arn;
In this query, as before, you use the asset_vendor_id field to join to your Lambda function ARN. This lets you select descriptive fields about your Lambda functions alongside actionable fields from your Orca scan: which packages were found vulnerable, the severity of the vulnerability, whether a fix is available, and the link back to NIST for more information about the vulnerability.
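The two queries above each answer one question for one resource type. As an added example (not from the original post), the query below folds both joins into a single prioritized findings list, so the EC2 control failures and the Lambda CVEs can be triaged together. It assumes the same aws and orca schemas and the same column names the post's queries use; the CTE names, the finding counts and the assumption that fix_available is a boolean are constructed here.

```sql
-- Consolidated findings across EC2 control failures and Lambda CVEs.
-- Assumes the aws and orca schemas synced by CloudQuery as in the post;
-- fix_available is assumed to be boolean (an assumption, not confirmed by the post).
with ec2_control_failures as (
  select
    aws.account_id,
    aws.region,
    aws.arn                     as resource_id,
    'ec2_instance'              as resource_type,
    count(distinct oa.rule_id)  as finding_count,   -- distinct failing controls per instance
    null::bigint                as fixable_count,   -- not applicable to control results
    max(oa.state_last_seen)     as last_seen
  from aws.aws_ec2_instances aws
  join orca.orca_alerts oa
    on oa.asset_vendor_id = aws.instance_id
  join orca.orca_compliance_framework_tests cft
    on cft.rule_id = oa.rule_id
  where aws.state ->> 'Name' = 'running'            -- stopped instances are excluded
    and cft.result = 'FAIL'
  group by aws.account_id, aws.region, aws.arn
),
lambda_cves as (
  select
    aws.account_id,
    aws.region,
    aws.arn                     as resource_id,
    'lambda_function'           as resource_type,
    count(*)                    as finding_count,   -- open CVEs on this function
    count(*) filter (where cve.fix_available) as fixable_count,
    max(cve.first_seen)         as last_seen
  from aws.aws_lambda_functions aws
  join orca.orca_cves cve                           -- inner join: only functions with a CVE
    on cve.asset_vendor_id = aws.arn
  group by aws.account_id, aws.region, aws.arn
)
select account_id, region, resource_type, resource_id,
       finding_count, fixable_count, last_seen
from ec2_control_failures
union all
select account_id, region, resource_type, resource_id,
       finding_count, fixable_count, last_seen
from lambda_cves
order by finding_count desc, last_seen desc;
```

Resources with the most findings (and, for Lambda, the most fixable ones) sort to the top, which is usually where remediation effort pays off first.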
Be secure in your CSPM using CloudQuery and Orca today. Try CloudQuery with no credit card required and gain immediate insights into vulnerabilities and misconfigurations in your AWS environment. If you have any questions or want to connect with our engineering team, contact us or join our Community.

Written by Kevin Rheinheimer

Kevin is a senior data engineer at CloudQuery, specializing in cloud data infrastructure and application development.

© 2024 CloudQuery, Inc. All rights reserved.