AWS Security Group Visualization Tools

I recently had a customer ask for a method of visualizing their collection of AWS Security Groups. I did some research and identified a few different tools – there are two particular tools I wanted to introduce.

Dome9 Clarity Visualization Tool:

I’ve attached a screenshot of the result of the use of the Dome9 Clarity visualization tool. For basic ingress mapping the tool is easy to understand. A screenshot is below:

Dome9 Clarity - Security Group Ingress

The tool can get a bit muddled with multiple security groups and I was also a bit frustrated by the fact that the tool seemed to operate on a schedule rather than reflecting real-time Security Group changes. The “yellow”/“green” lights highlighting potential security flaws are a frustration – allowing port 80 in from the entire world to a load-balancer facing the public Internet isn’t a warning – this is desired behavior. A yellow light would be port 22 into an RDS instance, which simply won’t work, or a Security Group shared by an EC2 instance and an RDS instance – which shouldn’t have the same set of inbound rules, ever.
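The two conditions named above (port 22 ingress on a group attached to RDS, and one group shared by EC2 and RDS) can be checked directly from rule data. The following is an added example, not part of the original post and not Dome9's logic; the group IDs, the sample rules and the `ATTACHMENTS` map are constructed, and the map is a hypothetical simplification of the attachment data you would collect from the EC2, RDS and ELB APIs.

```python
# Constructed sample data, loosely shaped like EC2 DescribeSecurityGroups output.
SECURITY_GROUPS = [
    {"GroupId": "sg-web-lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-shared", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
# Hypothetical attachment map: which resource kinds use each group.
ATTACHMENTS = {"sg-web-lb": {"elb"}, "sg-db": {"rds"}, "sg-shared": {"ec2", "rds"}}


def covers_port(perm, port):
    """True if an ingress permission includes the given TCP port."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def review(groups, attachments):
    """Return sorted (group_id, finding) pairs for the two conditions."""
    findings = []
    for sg in groups:
        kinds = attachments.get(sg["GroupId"], set())
        if {"ec2", "rds"} <= kinds:
            findings.append((sg["GroupId"], "shared by EC2 and RDS"))
        if "rds" in kinds and any(covers_port(p, 22) for p in sg["IpPermissions"]):
            findings.append((sg["GroupId"], "port 22 ingress on RDS group"))
    return sorted(findings)


if __name__ == "__main__":
    for group_id, finding in review(SECURITY_GROUPS, ATTACHMENTS):
        print(f"{group_id}: {finding}")
```

The public port 80 rule on the load balancer group produces no finding, while the wide port range on `sg-shared` is caught by the port 22 check because ranges are compared rather than exact port numbers.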

Anay Nayak’s “aws-security-viz” Tool:

For those folks who wish to provide a visualization of Security Groups without subscribing to a service, who prefer open-source tooling or wish to customize output – Anay Nayak’s aws-security-viz tool (on GitHub) will fit the bill. I’m impressed by the tool for two reasons: it supports both inbound and outbound visualization, and it provides dot format or svg format output – meaning you can get your hands on the files themselves. I did find the tool a bit of a challenge to run under OS X – I ran it in Vagrant. A screenshot of the aws-security-viz tool’s output is below:

aws-security-viz - dot Format Output


Hopefully the screenshot and description of each tool have provided enough of a description that you’ll be able to identify which tool will best meet your needs.