US 11,677,791 B1
Automatic remediation of threatened resources in managed cloud networks
Tyler Dunkel, Chicago, IL (US); Tyson Kunovsky, Seattle, WA (US); Christopher Koning, Placerville, CA (US); and Evelyn LaTour, Seattle, WA (US)
Assigned to Autocloud, Inc., Chicago, IL (US)
Filed by Autocloud, Inc., Chicago, IL (US)
Filed on Aug. 19, 2022, as Appl. No. 17/820,903.
Int. Cl. H04L 29/00 (2006.01); H04L 9/40 (2022.01)
CPC H04L 63/205 (2013.01) [H04L 63/102 (2013.01); H04L 63/105 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method executed using a threat assessment server that is communicatively coupled via one or more networks to one or more different cloud computing service providers, the method comprising:
receiving first input data specifying a first cloud service account that is associated with two or more cloud computing instances or two or more cloud storage instances, the two or more cloud computing instances or two or more cloud storage instances being hosted at a first cloud computing service provider, the first cloud service account being from among one or more different cloud service accounts that are associated with the one or more different cloud computing service providers each hosting respective cloud computing instances or cloud storage instances;
receiving second input data specifying an entry point identifier of a particular cloud resource from among the two or more cloud computing instances or two or more cloud storage instances;
using a plurality of first network calls from the threat assessment server to the first cloud computing service provider, accessing an Identity and Access Management (IAM) role that is associated with the particular cloud resource and accessing one or more policies that are attached to the IAM role, the one or more policies specifying one or more other resources and one or more actions that are allowable with the one or more other resources;
based on the one or more other resources and the one or more actions, digitally creating and storing a first entry in a first list of affected resources that is stored in main memory of the threat assessment server;
recursively executing a plurality of second network calls to access one or more other IAM roles and one or more other policies of the one or more other resources, and updating the first list of affected resources to create one or more second entries based on one or more service control policies that are associated with the first cloud service account;
inspecting one or more networking rules defined in the first cloud service account to determine if network traffic is possible between a first resource and a second resource specified in the first list of affected resources, and based on the inspection, digitally creating and storing a second list of source resources, destination resources, protocols and ports on which network traffic is possible;
joining the first list of affected resources and the second list and de-duplicating entries to create and store a joined list;
based on the joined list, executing one or more updates to the networking rules to change access to one or more vulnerable resources in the joined list, and deploying the updates using one or more calls from the threat assessment server to cloud service tools of the cloud service provider.
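The steps of claim 1 form one traversal: entry point, attached IAM role, attached policies, recursion into the resources those policies reach, a service-control-policy filter, a reachability check against the account's networking rules, a join with de-duplication, and a rule update. The following Python is an added worked model of that traversal; it is not code from the patent or from Autocloud, Inc. Every resource, role, policy, SCP, action and network rule in it is constructed sample data (in a real deployment these would come from the provider's IAM and networking APIs, which the claim refers to as the first and second network calls). Two modelling choices are assumptions rather than anything the claim states: the SCP is treated as an allow-list of action globs, and the remediation policy is to revoke every inbound rule that carries traffic between two affected resources.

```python
"""Offline model of the threat-assessment walk in claim 1. All data below is
constructed; nothing here talks to a cloud provider."""
import fnmatch

# Constructed inventory: resource -> IAM role attached to it (None if no role).
RESOURCE_ROLE = {"i-web": "role-web", "i-app": "role-app",
                 "bucket-data": None, "db-main": None}

# Constructed policies: role -> allow statements (action globs, target resources).
ROLE_POLICIES = {
    "role-web": [
        {"Action": ["ssm:SendCommand"], "Resource": ["i-app"]},
        {"Action": ["s3:GetObject"], "Resource": ["bucket-data"]},
        {"Action": ["s3:Get*"], "Resource": ["bucket-data"]},      # overlaps the line above
    ],
    "role-app": [
        {"Action": ["rds:*"], "Resource": ["db-main"]},
        {"Action": ["ssm:SendCommand"], "Resource": ["i-web"]},    # cycle back to the entry point
    ],
}

# Constructed slice of the provider's action catalog, used to expand globs.
ACTION_CATALOG = ["ssm:SendCommand", "s3:GetObject", "s3:PutObject",
                  "rds:DescribeDBInstances", "rds:DeleteDBInstance"]

# Constructed account-level SCP, modelled (assumption) as an allow-list of globs.
SCP_ALLOW = ["ssm:*", "s3:GetObject", "rds:Describe*"]

# Constructed networking rules: resource -> inbound (source, protocol, port).
NETWORK_RULES = {"i-web": [("0.0.0.0/0", "tcp", 443)],
                 "i-app": [("i-web", "tcp", 8080)],
                 "db-main": [("i-app", "tcp", 5432)]}


def effective_actions(globs):
    """Expand policy globs against the catalog and keep only the actions the
    SCP also permits: both the role policy and the SCP must allow an action."""
    return [a for a in ACTION_CATALOG
            if any(fnmatch.fnmatchcase(a, g) for g in globs)
            and any(fnmatch.fnmatchcase(a, s) for s in SCP_ALLOW)]


def affected_resources(entry_point):
    """First list: (source, action, target) triples reachable from the entry
    point through IAM roles. Depth-first with a visited set so cycles end."""
    entries, visited = [], set()

    def walk(resource):
        visited.add(resource)
        for stmt in ROLE_POLICIES.get(RESOURCE_ROLE.get(resource), []):
            actions = effective_actions(stmt["Action"])
            for target in stmt["Resource"]:
                entries.extend((resource, act, target) for act in actions)
                if actions and target not in visited:
                    walk(target)          # the "second network calls" step
    walk(entry_point)
    return entries


def network_paths(entries):
    """Second list: (src, dst, protocol, port) wherever an inbound rule on an
    affected resource names another affected resource as its source."""
    resources = sorted({r for src, _, dst in entries for r in (src, dst)})
    return [(source, dst, proto, port)
            for dst in resources
            for source, proto, port in NETWORK_RULES.get(dst, [])
            if source in resources and source != dst]


def join_lists(entries, paths):
    """Joined list: tagged IAM and network records, de-duplicated in order."""
    joined, seen = [], set()
    for rec in [("iam",) + e for e in entries] + [("net",) + p for p in paths]:
        if rec not in seen:
            seen.add(rec)
            joined.append(rec)
    return joined


def plan_remediation(joined):
    """Rule updates: revoke each inbound rule on a network path between two
    affected resources (assumed policy; the claim only requires a change)."""
    return [{"op": "revoke_ingress", "resource": dst, "source": src,
             "protocol": proto, "port": port}
            for kind, *rest in joined if kind == "net"
            for src, dst, proto, port in [rest]]


def deploy(plan, rules):
    """Apply the plan to a copy of the rules; stands in for provider API calls."""
    new_rules = {k: list(v) for k, v in rules.items()}
    for c in plan:
        new_rules[c["resource"]] = [r for r in new_rules[c["resource"]]
                                    if r != (c["source"], c["protocol"], c["port"])]
    return new_rules


def assess(entry_point):
    entries = affected_resources(entry_point)
    paths = network_paths(entries)
    joined = join_lists(entries, paths)
    return entries, paths, joined, plan_remediation(joined)


if __name__ == "__main__":
    entries, paths, joined, plan = assess("i-web")
    for rec in joined:
        print(rec)
    print(deploy(plan, NETWORK_RULES))
```

Run against the constructed data with `i-web` as the entry point, the walk reaches `i-app`, `bucket-data` and `db-main`, records five IAM entries (one duplicated through the overlapping `s3:Get*` statement, which the join removes), drops `rds:DeleteDBInstance` because the SCP does not allow it, stops at the `i-app` to `i-web` cycle, finds two network paths, and plans two ingress revocations. Whatever remediation policy is chosen in practice, the cycle guard and the SCP intersection are the two checks a practitioner should not omit: without the first the recursion in the claim never terminates on mutually trusting roles, and without the second the affected list overstates what a compromised role can actually do.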