CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Alternatives To Cloudmapper
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Sops12,9446513 days ago13May 09, 2022383mpl-2.0Go
Simple and flexible tool for managing secrets
12 hours ago27apache-2.0Python
Prowler is an Open Source Security tool for AWS, Azure and GCP to perform Cloud Security best practices assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more.
My Arsenal Of Aws Security Tools8,148
22 days ago2apache-2.0Shell
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
Devops Resources6,995
6 days ago13Groovy
DevOps resources - Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP
Tfsec5,922132 days ago404September 21, 2022113mitGo
Security scanner for your Terraform code
12 days ago200bsd-3-clauseJavaScript
CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
2 days ago44April 06, 2022169gpl-2.0Python
Multi-Cloud Security Auditing Tool
Steampipe5,2843a day ago352September 20, 2022247agpl-3.0Go
Use SQL to instantly query your cloud services (AWS, Azure, GCP and more). Open source CLI. No DB required.
a month ago1mit
Ultimate DevSecOps library
2 years ago1June 15, 201585apache-2.0Python
Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Alternatives To Cloudmapper
Select To Compare

Alternative Project Comparisons


Note the Network Visualization functionality (command prepare) is no longer maintained.

CloudMapper helps you analyze your Amazon Web Services (AWS) environments. The original purpose was to generate network diagrams and display them in your browser (functionality no longer maintained). It now contains much more functionality, including auditing for security issues.


  • audit: Check for potential misconfigurations.
  • collect: Collect metadata about an account. More details here.
  • find_admins: Look at IAM policies to identify admin users and roles, or principals with specific privileges. More details here.
  • find_unused: Look for unused resources in the account. Finds unused Security Groups, Elastic IPs, network interfaces, volumes and elastic load balancers.
  • prepare/webserver: See Network Visualizations
  • public: Find public hosts and port ranges. More details here.
  • sg_ips: Get geoip info on CIDRs trusted in Security Groups. More details here.
  • stats: Show counts of resources for accounts. More details here.
  • weboftrust: Show Web Of Trust. More details here.
  • report: Generate HTML report. Includes summary of the accounts and audit findings. More details here.
  • iam_report: Generate HTML report for the IAM information of an account. More details here.

If you want to add your own private commands, you can create a private_commands directory and add them there.


Ideal layout
Report screenshot Findings summary
Findings IAM report
Command-line audit Command-line public command



On macOS:

# clone the repo
git clone
# Install pre-reqs for pyjq
brew install autoconf automake awscli freetype jq libtool python3
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install --prefer-binary -r requirements.txt

On Linux:

# clone the repo
git clone
# (AWS Linux, Centos, Fedora, RedHat etc.):
# sudo yum install autoconf automake libtool python3-devel.x86_64 python3-tkinter python-pip jq awscli
# (Debian, Ubuntu etc.):
# You may additionally need "build-essential"
sudo apt-get install autoconf automake libtool python3.7-dev python3-tk jq awscli
cd cloudmapper/
python3 -m venv ./venv && source venv/bin/activate
pip install -r requirements.txt

Run with demo data

A small set of demo data is provided. This will display the same environment as the demo site

# Generate the data for the network map
python prepare --config config.json.demo --account demo
# Generate a report
python report --config config.json.demo --account demo
python webserver

This will run a local webserver at View the network map from that link, or view the report at


  1. Configure information about your account.
  2. Collect information about an AWS account.

1. Configure your account

Copy the config.json.demo to config.json and edit it to include your account ID and name (ex. "prod"), along with any external CIDR names. A CIDR is an IP range such as which means only the IP

2. Collect data about the account

This step uses the CLI to make describe and list calls and records the json in the folder specified by the account name under account-data.

AWS Privileges required

You must have AWS credentials configured that can be used by the CLI with read permissions for the different metadata to collect. I recommend using aws-vault. CloudMapper will collect IAM information, which means you MUST use MFA. Only the collect step requires AWS access.

You must have the following privileges (these grant various read access of metadata):

  • arn:aws:iam::aws:policy/SecurityAudit
  • arn:aws:iam::aws:policy/job-function/ViewOnlyAccess

Collect the data

Collecting the data is done as follows:

python collect --account my_account

Analyze the data

From here, try running the different commands, such as:

python report --account my_account
python webserver

Then view the report in your browser at

Further configuration

Generating a config file

Instead of modifying config.json directly, there is a command to configure the data there, in case that is needed:

python configure {add-account|remove-account} --config-file CONFIG_FILE --name NAME --id ID [--default DEFAULT]
python configure {add-cidr|remove-cidr} --config-file CONFIG_FILE --cidr CIDR --name NAME

This will allow you to define the different AWS accounts you use in your environment and the known CIDR IPs.

If you use AWS Organizations, you can also automatically add organization member accounts to config.json using:

python configure discover-organization-accounts

You need to be authenticated to the AWS CLI and have the permission organization:ListAccounts prior to running this command.

Using audit config overrides

You may find that you don't care about some of audit items. You may want to ignore the check entirely, or just specific resources. Copy config/audit_config_override.yaml.example to config/audit_config_override.yaml and edit the file based on the comments in there.

Using a Docker container

The docker container that is created is meant to be used interactively.

docker build -t cloudmapper .

Cloudmapper needs to make IAM calls and cannot use session credentials for collection, so you cannot use the aws-vault server if you want to collect data, and must pass role credentials in directly or configure aws credentials manually inside the container. The following code exposes your raw credentials inside the container.

    export $(aws-vault exec YOUR_PROFILE --no-session -- env | grep ^AWS | xargs) && \ 
    docker run -ti \
        -p 8000:8000 \
        cloudmapper /bin/bash

This will drop you into the container. Run aws sts get-caller-identity to confirm this was setup correctly. Cloudmapper demo data is not copied into the docker container so you will need to collect live data from your system. Note docker defaults may limit the memory available to your container. For example on Mac OS the default is 2GB which may not be enough to generate the report on a medium sized account.

python configure add-account --config-file config.json --name YOUR_ACCOUNT --id YOUR_ACCOUNT_NUMBER
python collect --account YOUR_ACCOUNT
python report --account YOUR_ACCOUNT
python prepare --account YOUR_ACCOUNT
python webserver --public

You should then be able to view the report by visiting

Running CloudMapper regularly to audit your environment

A CDK app for deploying CloudMapper via Fargate so that it runs nightly, sends audit findings as alerts to a Slack channel, and generating a report that is saved on S3, is described here.


For network diagrams, you may want to try lyft/cartography or anaynayak/aws-security-viz

For auditing and other AWS security tools see toniblyx/my-arsenal-of-aws-security-tools


Popular Amazon Web Services Projects
Popular Security Projects
Popular Cloud Computing Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Amazon Web Services