Get Started

Deploy ZeusCloud locally and scan your AWS account(s)! If you run into any issues, check out our Troubleshooting guide.

Prepare AWS Credentials

Your ZeusCloud deployment will need AWS credentials to scan your account(s). Either set up an IAM role for ZeusCloud or set up an IAM user with an access key. The former uses short-term credentials, which is more secure! However, it can take a bit more time to setup.

Prerequisite: An existing named profile in ~/.aws/config. ZeusCloud will request credentials for the IAM role via this named profile.

If you have no such named profile, either

Create an IAM user with no permissions, create an access key for it, and create a named profile in ~/.aws/config and ~/.aws/credentials.
Try Option 2 below instead.

The steps to set up the IAM role are

Create a new IAM role in the account.
Attach the SecurityAudit policy to it.
Create a trust relationship policy allowing the user/role associated with the above named profile to assume this role. Here’s a template:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": <INSERT_USER_ARN_ASSOCIATED_WITH_NAMED_PROFILE>
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create a named profile in ~/.aws/config for this new IAM role. Here’s a template:

[profile zeuscloud]
region=us-west-2
role_arn=<INSERT_NEWLY_CREATED_ROLE_ARN>
source_profile=<INSERT_NAMED_PROFILE_THAT_ASSUMES_ROLE>

You must set a region in this named profile for ZeusCloud to successfully scan!

Deploy ZeusCloud Locally

1. Clone the repo.

Bash

git clone --recurse-submodules https://github.com/Zeus-Labs/ZeusCloud.git

2. Run ZeusCloud.

Bash

cd ZeusCloud
make quick-deploy

If you are not deploying locally (on an AWS VM, for instance), you will need to change the WEBSITE_DOMAIN and REACT_APP_API_DOMAIN environment variables in the .env file before deploying. Examples are http://<your-vm-ip>:80 or https://<your-deployed-domain>:443.

If you are deploying with Option 1, ZeusCloud expects your AWS configurations in ~/.aws. If your configurations are in a different location, update the AWS_DIRECTORY variable in the .env file. For Windows, change to %USERPROFILE%\.aws.

3. Visit UI

Visit http://localhost:80.

Connect ZeusCloud to AWS

Once ZeusCloud is deployed, you must connect it to the AWS account(s) you would like to scan. Navigate to Settings > Add new account. Fill in the Account Name with whatever string-identifier you would like. Fill in remaining fields based on whether you are deploying with Option 1 or 2.

Wait for Scan

Once you connect your account(s), ZeusCloud will scan them and run various security rules.

This process may take 10-15 minutes.

Monitor progress through the UI: the Settings page should show a percentage completed.
Monitor the terminal as well: you should see logs from the cartography container.

You should see backend container logs like above if the scan has successfully completed.

Explore ZeusCloud Findings

At the end of the scan, navigate to the Alerts tab to see findings for misconfiguration and attack path security rules.

Check out the Rules tab for a catalog of the security rules that were run. Check your compliance posture for various frameworks in the Compliance tab.

Introduction

Rules Catalog

Contribute

Community and Support

Prepare AWS Credentials

Deploy ZeusCloud Locally

1. Clone the repo.

2. Run ZeusCloud.

3. Visit UI

Connect ZeusCloud to AWS

Wait for Scan

Explore ZeusCloud Findings

Introduction

Rules Catalog

Contribute

Community and Support

Prepare AWS Credentials

Deploy ZeusCloud Locally

​1. Clone the repo.

​2. Run ZeusCloud.

​3. Visit UI

Connect ZeusCloud to AWS

Wait for Scan

Explore ZeusCloud Findings

1. Clone the repo.

2. Run ZeusCloud.

3. Visit UI