Today I’m excited to announce the open-source software project that the AutoCloud team has been working hard on for the last few months:
CloudGraph is a search engine for your public cloud infrastructure, powered by Dgraph and GraphQL. Within seconds, query assets, configurations, and more across accounts and providers. CloudGraph also enables you to solve a host of security, compliance, governance, and FinOps challenges in the time it takes to write a single GraphQL query.
We currently support select services on AWS, with more added each day. Support for Azure and Google Cloud is coming soon. We’re also looking forward to contributions from the community and have endeavored to make contributing new providers and services as simple as possible.
So what does it look like? Let’s see some examples.
Here’s how you’d get a list of publicly accessible S3 buckets in an account:
{% c-block language="JSON" %}
query {
  queryawsS3(filter: { access: { eq: "Public" } }) {
    id
    arn
    access
  }
}
{% c-block-end %}
To get the daily cost of all your M Series EC2 instances in us-east-1:
{% c-block language="JSON" %}
query {
  queryawsEc2(
    filter: { region: { eq: "us-east-1" }, instanceType: { regexp: "/^m5a*/" } }
  ) {
    id
    arn
    dailyCost
  }
}
{% c-block-end %}
Traverse nested resources to find the unencrypted EBS boot disks in production:
{% c-block language="JSON" %}
query {
  queryawsTag(
    filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
  ) {
    key
    value
    vpc {
      id
      arn
      alb {
        id
        arn
        ec2Instance {
          id
          arn
          ebs(filter: { isBootDisk: true, encrypted: false }) {
            id
            arn
          }
        }
      }
    }
  }
}
{% c-block-end %}
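The nested query above returns a tree, and a filter on a nested field only narrows that field's list, so instances with no matching volume can still appear with an empty `ebs` list. The following added example (not CloudGraph's own code) flattens such a response into one finding per unencrypted boot volume; the response shape and every id and ARN in the sample are assumptions constructed for illustration.

```javascript
// Assumption: each relationship arrives as a list, a single object, or null.
const asList = (v) => (v == null ? [] : Array.isArray(v) ? v : [v]);

function unencryptedBootDisks(response) {
  if (response.errors && response.errors.length) {
    // Never treat a failed query as "no findings".
    throw new Error("GraphQL errors: " + response.errors.map((e) => e.message).join("; "));
  }
  const findings = new Map(); // keyed by volume ARN: one volume can be reached via several ALBs
  for (const tag of asList(response.data && response.data.queryawsTag)) {
    for (const vpc of asList(tag.vpc)) {
      for (const alb of asList(vpc.alb)) {
        for (const instance of asList(alb.ec2Instance)) {
          // An instance whose ebs list is empty has no matching volume and yields nothing.
          for (const volume of asList(instance.ebs)) {
            const f = findings.get(volume.arn) ||
              { volumeArn: volume.arn, instanceArn: instance.arn, vpcId: vpc.id, viaAlbs: [] };
            if (!f.viaAlbs.includes(alb.id)) f.viaAlbs.push(alb.id);
            findings.set(volume.arn, f);
          }
        }
      }
    }
  }
  return [...findings.values()];
}

// Constructed sample response: i-01 sits behind two ALBs, i-02 has no matching volume.
const ARN = "arn:aws:ec2:us-east-1:111111111111:";
const i01 = { id: "i-01", arn: ARN + "instance/i-01",
  ebs: [{ id: "vol-01", arn: ARN + "volume/vol-01" }] };
const i02 = { id: "i-02", arn: ARN + "instance/i-02", ebs: [] };
const sampleResponse = {
  data: {
    queryawsTag: [
      { key: "Environment", value: "Production",
        vpc: [{ id: "vpc-0aaa", arn: ARN + "vpc/vpc-0aaa",
          alb: [
            { id: "alb-1", arn: "constructed-alb-1-arn", ec2Instance: [i01, i02] },
            { id: "alb-2", arn: "constructed-alb-2-arn", ec2Instance: [i01] },
          ] }] },
      { key: "Environment", value: "Production", vpc: null }, // tag on a non-VPC resource
    ],
  },
};

console.log(JSON.stringify(unencryptedBootDisks(sampleResponse), null, 2));
```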
Why CloudGraph?
Whether you're a cloud architect with 15 years of experience or someone who is just getting started on their cloud journey, there is no denying that staying on top of security, compliance, governance, FinOps, and operations, is challenging, time-consuming work.
Even answering basic questions like, "What all is running in the us-east-1 region?", "Are my RDS clusters properly secured and compliant?", or "How much am I paying for my AWS account?" requires time, expertise, and expensive 3rd party software.
Not Anymore...
Ask any question about your AWS environments, and get back answers instantly in a single place with a standardized API. If you can dream it you can query it with CloudGraph! Head over to our GitHub page to start exploring your AWS environments.
What’s next?
The CloudGraph team is just getting started. In addition to adding support for additional cloud providers like Azure/GCP/K8s, we are working hard to bring you free compliance policy packs (CIS, HIPAA, SOC2), enhanced billing data, IAM data, operations data, and more. Follow us on LinkedIn and Twitter for updates!
A big shout out to our team, all of our beta testers, customers, investors, and other people who helped us make CloudGraph a reality 🙏. We could not have done it without you ❤️.
CloudGraph FAQs
Q: Why did you build CloudGraph?
A: Being a cloud professional is hard work. Every day you are likely doing a lot of repetitive tasks to access data for multiple clouds, environments, and sources in order to perform your job. To compound this annoyance, cloud providers have very different paradigms for operating basic services like networking, compute, and storage. We built CloudGraph to make it easy for anyone who works with the cloud to quickly search their environments, using a single standardized API in order to uncover previously difficult-to-understand insights 10x faster than is currently possible.
Q: How does CloudGraph work?
A: Under the hood, CloudGraph reaches out to a cloud provider (e.g. AWS), sucks up all of the configuration data, processes it, and stores a copy of this data for you using Dgraph. Then, a local endpoint is exposed that allows you to write GraphQL queries against your stored data. You can do anything you normally would with the AWS SDK/CLI, but you can also run more powerful queries with additional metadata that CloudGraph layers in (compliance, security, cost, etc.). CloudGraph ships with pre-packaged GraphQL query tools including [GraphQL Playground](https://github.com/graphql/graphql-playground) and Altair but you can also feel free to use your own. It also includes a schema visualization tool called [Voyager](https://github.com/APIs-guru/graphql-voyager) so you can understand relationships between entities.
Q: Who is CloudGraph for?
A: CloudGraph was created for cloud architects, developers, engineers, and other software professionals who need easy, quick, and intuitive access to security, compliance, governance, or FinOps data about their clouds.
Q: What permissions does CloudGraph require?
A: To keep things simple, we recommend that you supply CloudGraph with an IAM User or Role that has the AWS-managed “ReadOnlyAccess” policy. If you don’t feel comfortable giving that level of access, feel free to create your own policy scoped to the actions and services you would like CloudGraph to be able to reach. For more information on authentication with AWS please view our AWS Provider Repository.
Q: Is my data secure with CloudGraph, does CloudGraph ever share my information in any way with anyone?
A: No. CloudGraph only stores your data locally and WILL NEVER share your data with any 3rd party including CloudGraph or AutoCloud.
Q: Can CloudGraph change or mutate my cloud environments in any way?
A: No. CloudGraph is read-only and as such, it can NEVER MUTATE your existing environment. It creates a local copy of your data to query against.
Q: How much does CloudGraph cost?
A: CloudGraph is 100% open source and free to use.
Q: Why use GraphQL to query your cloud environments?
A: GraphQL is a modern, powerful, easy, and efficient way to query your cloud configuration and asset data compared to other languages. Using GraphQL you can declaratively fetch just the data you need, and effortlessly understand the relationships between entities like VPCs, subnets, and EC2 instances. No SQL joins. GraphQL also enables type safety, auto-completion, and great scalability.
Q: What AWS services does CloudGraph support?
A: To view the current list of supported AWS services please view our AWS Provider Repository. New services are added on a weekly basis.
Q: What about other cloud providers?
A: Azure support is coming in October 2021, followed quickly by Google Cloud Platform and K8s. After that, we plan on letting the community decide what providers they would like built next.
Q: I need a service or provider that you don’t currently support, what are my options?
A: We have tried to make it as easy as possible to add both community-driven providers and to enhance existing CloudGraph supported providers with services we might currently be missing. If you’re interested in contributing or extending CloudGraph in this way please view our contribution guidelines.