Show HN: Fix – An open source cloud asset inventory for cloud security engineers https://ift.tt/6wOeX9T

Hi, we're Lukas, Lars and Matthias, and we're building "Fix" ( https://fix.security ). Fix is an open source cloud asset inventory for developers to track their infrastructure's security posture, aka "cloud security posture management" (CSPM).

How Fix works: Fix takes a snapshot of your inventory on an hourly basis by calling the cloud APIs, runs policy and compliance checks such as the CIS benchmark against that inventory, and provides the findings in a dashboard, via .csv export or API so that developers can use the raw data and build workflows. We're also working on data sync to S3 and RDBMS like Postgres, MySQL and Snowflake.

One of Fix's unique features is our graph-based inventory, highlighting the connections between resources. Unlike traditional cloud security tools that just list assets, Fix also displays their interconnections. We maintain a large graph, where nodes are indexed JSON documents representing your cloud resources, and different edges signify various dependencies. This allows flexible searches and policy creation using our search syntax. For example:

Find large EC2 instances:

    search is(aws_ec2_instance) and instance_cores > 8

Find unused EBS volumes with last reading IOPS more than 30d ago:

    search is(aws_ec2_volume) and volume_status = available and last_access > 30d

Find IAM policies that are attached to users instead of groups or roles:

    search is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)} user_policies!=[] or attached_policy!=null

Find SNS topics that are not encrypted at rest using KMS CMKs:

    search is(aws_sns_topic) with(empty, --> is(aws_kms_key))

We also have a CLI tool ( https://ift.tt/7IyAM8B ) where you can use the raw JSON or YAML formatted results from the searches as an input into your pipelines. We also support full text search.
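To make the graph idea concrete, here is a small added example (not Fix's own code, and not its real data model or query engine): a toy inventory where nodes are JSON-like dicts, edges record dependencies, and each of the post's search examples is expressed as a graph query over a constructed snapshot. The resource ids, attribute names such as `last_access_days`, and the sample nodes and edges are all made up for illustration.

```python
"""Toy graph-based cloud asset inventory (added example, not Fix's code).

Nodes are JSON-like dicts keyed by a made-up resource id; edges record
dependencies such as "sns topic --> kms key" or "iam user --> iam policy".
Checks are graph queries that mirror the post's search examples: a check
that needs an edge (or its absence) cannot be answered by a flat asset list.
"""
from collections import defaultdict

# Constructed sample snapshot: what one hourly collection might return.
NODES = {
    "topic-a": {"kind": "aws_sns_topic", "name": "alerts"},
    "topic-b": {"kind": "aws_sns_topic", "name": "audit"},
    "key-1": {"kind": "aws_kms_key", "name": "cmk-prod"},
    "user-1": {"kind": "aws_iam_user", "name": "lukas", "user_policies": []},
    "user-2": {"kind": "aws_iam_user", "name": "ci-bot", "user_policies": ["inline-admin"]},
    "policy-1": {"kind": "aws_iam_policy", "name": "ReadOnlyAccess"},
    "group-1": {"kind": "aws_iam_group", "name": "devs"},
    "vol-1": {"kind": "aws_ec2_volume", "volume_status": "available", "last_access_days": 45},
    "vol-2": {"kind": "aws_ec2_volume", "volume_status": "in-use", "last_access_days": 1},
}

# Constructed dependency edges (source id, target id).
EDGES = [
    ("topic-a", "key-1"),    # topic-a is encrypted at rest with a CMK
    ("user-1", "policy-1"),  # managed policy attached directly to a user
    ("group-1", "policy-1"), # same policy attached to a group (fine)
]


class Inventory:
    def __init__(self, nodes, edges):
        self.nodes = nodes
        self.out = defaultdict(list)  # adjacency list: id -> [successor ids]
        for src, dst in edges:
            self.out[src].append(dst)

    def is_kind(self, kind):
        """Equivalent of is(kind): all resource ids of that kind."""
        return [rid for rid, n in self.nodes.items() if n["kind"] == kind]

    def successors(self, rid, kind=None):
        """Outgoing edges from rid, optionally filtered by target kind."""
        return [d for d in self.out[rid] if kind is None or self.nodes[d]["kind"] == kind]

    def sns_topics_without_cmk(self):
        # is(aws_sns_topic) with(empty, --> is(aws_kms_key))
        return sorted(t for t in self.is_kind("aws_sns_topic")
                      if not self.successors(t, "aws_kms_key"))

    def users_with_direct_policies(self):
        # is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)}
        #     user_policies!=[] or attached_policy!=null
        return sorted(u for u in self.is_kind("aws_iam_user")
                      if self.nodes[u]["user_policies"]
                      or self.successors(u, "aws_iam_policy"))

    def stale_available_volumes(self, days=30):
        # is(aws_ec2_volume) and volume_status = available and last_access > 30d
        return sorted(v for v in self.is_kind("aws_ec2_volume")
                      if self.nodes[v]["volume_status"] == "available"
                      and self.nodes[v]["last_access_days"] > days)

    def full_text(self, needle):
        """Case-insensitive substring match over every attribute value."""
        needle = needle.lower()
        return sorted(rid for rid, n in self.nodes.items()
                      if any(needle in str(v).lower() for v in n.values()))


def run_checks(inv):
    """Run every policy check and return findings as a JSON-ready dict."""
    return {
        "sns_without_cmk": inv.sns_topics_without_cmk(),
        "iam_users_direct_policies": inv.users_with_direct_policies(),
        "stale_volumes": inv.stale_available_volumes(),
    }


INVENTORY = Inventory(NODES, EDGES)

if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(INVENTORY), indent=2))
```

The SNS check is the one that shows why edges matter: `topic-b` has no outgoing edge to any `aws_kms_key` node, so it is flagged, while `topic-a` is not; a flat list of topics alone cannot express that relationship.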
For example, some developers like to tag their resources with their name: search "lukas" will produce a list of all resources that contain the string "lukas". Full text search comes in handy when you want to find a particular string (e.g. an IP address) across all your cloud accounts to figure out which account and region a resource is located in.

There are existing security tools that use a graph, e.g. Wiz or Cisco with Lightspin (now Panoptica). Those enterprise tools have a few characteristics that we think make them less attractive for developers:

- They require talking to a sales rep
- They run you through a procurement process
- They try to lock you into their platform

Fix, on the other hand, is:

- self-service sign-up with a free tier
- available through the AWS Marketplace (coming soon)
- open source

We price Fix based on the number of cloud accounts you collect data from, with a fair-usage limit of 200,000 (two hundred thousand) resources per account. Our lowest paid tier starts at $90 / month with three cloud accounts included.

Fix Security is built with our open source project "Fix Inventory": https://ift.tt/OUKTolY

The open source project has richer functionality than our SaaS app. It's multi-cloud and supports AWS, GCP, Azure, DigitalOcean, VMware and Kubernetes. Over time, our plan is to support all these platforms in our SaaS app as well. Fix Inventory can update resources, including tags, and clean resources up based on age, usage, or policy non-compliance. Currently, this "mutating" function is not in the SaaS version. Fix Inventory is read-write, Fix Security is read-only.

Fix Inventory was born in D2iQ (now Nutanix). It was Lukas' solution to managing and securing a growing cloud infrastructure.

I would love your feedback on our solution. We're here to help write your first queries. Just ping us on Discord ( https://ift.tt/EYA2Dtl ) and let us know you're coming from HN.

Also, I would love to hear what security tooling you use today and what you like / dislike about it.

Cheers
https://fix.security

March 27, 2024 at 11:54PM
