AWS Security Group Mapper: Visual Analysis Tool for Cloud Security
Impact Summary
Built a comprehensive security visualization tool that transforms complex AWS security group relationships into interactive, explorable graphs. Enables security teams and cloud architects to quickly understand and audit network security configurations across VPCs and regions.
Role
Creator & Maintainer
Timeline
2025-Present
Scale
- Multi-region support
- Cross-VPC analysis
- Production-ready caching
Problem
Understanding AWS security group relationships in production environments is notoriously difficult. Security groups reference other security groups, CIDR blocks overlap, and rules span multiple VPCs and regions. When I needed to audit security configurations or explain network topology to colleagues, I found myself manually tracing connections through the AWS console—a tedious and error-prone process.
Existing tools either provided static lists that were hard to interpret or required expensive enterprise licenses. I wanted something that could take the complex web of security group rules and transform it into an intuitive, interactive visualization that anyone on the team could explore.
The challenge was particularly acute when dealing with cross-VPC relationships and multi-region deployments, where understanding traffic flow required mentally stitching together information from multiple sources.
Approach
I built AWS Security Group Mapper as a Python tool that models security groups as a graph structure and renders them through multiple visualization engines. The architecture separates data collection, graph modeling, and visualization concerns to enable flexibility and maintainability.
Key Design Elements
- Graph-based modeling with NetworkX: Security groups become nodes, and their rules become edges in a directed graph. This representation naturally captures the relationship semantics and enables standard graph algorithms for analysis.
- Dual visualization engines: I implemented both Plotly for interactive exploration (zoom, pan, hover details, draggable nodes) and Matplotlib for static exports suitable for documentation. The choice is configuration-driven, so users select based on their use case.
- AWS API caching layer: To avoid hammering the AWS API during iterative analysis, I built a configurable caching system that stores API responses locally. This dramatically speeds up subsequent runs and reduces API costs.
- Visual distinction for relationship types: Solid lines represent intra-VPC connections while dashed lines indicate cross-VPC relationships. VPC boundaries appear as color-coded dotted rectangles, making it immediately clear which security groups belong together.
- Friendly CIDR naming: Common CIDR blocks like 0.0.0.0/0 display as “Internet” and private ranges show their class designation. This small detail significantly improves readability for security reviews.
The tool supports analyzing specific security groups by ID or generating complete maps across selected regions and profiles. Debug mode exposes the underlying data flow for troubleshooting complex environments.
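As an added example (not the project's own code), a stdlib-only sketch of the graph model and CIDR aliasing described above: each security group is a node, each inbound rule becomes a directed edge tagged intra-VPC or cross-VPC (the solid/dashed distinction), and CIDR sources get the friendly label. The input is a constructed sample in the shape of a trimmed DescribeSecurityGroups response; the project uses NetworkX, while this sketch uses plain tuples so it runs without dependencies.

```python
import ipaddress

# Constructed sample in the shape of a trimmed EC2 DescribeSecurityGroups response.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "VpcId": "vpc-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "VpcId": "vpc-a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "VpcId": "vpc-b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

# RFC 1918 blocks and the classful name shown for them (assumed naming).
PRIVATE_CLASSES = {"10.0.0.0/8": "Class A private",
                   "172.16.0.0/12": "Class B private",
                   "192.168.0.0/16": "Class C private"}

def cidr_label(cidr):
    """'Internet' for 0.0.0.0/0 or ::/0, class name for RFC 1918 ranges, else the CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "Internet"
    if net.version == 4:
        for block, name in PRIVATE_CLASSES.items():
            if net.subnet_of(ipaddress.ip_network(block)):
                return f"{name} ({cidr})"
    return cidr

def build_edges(sgs):
    """Directed edges (src, dst, rule, kind): src may send to dst under rule."""
    vpc_of = {sg["GroupId"]: sg["VpcId"] for sg in sgs}
    edges = []
    for sg in sgs:
        for perm in sg["IpPermissions"]:
            rule = f'{perm["IpProtocol"]}/{perm.get("FromPort", "all")}-{perm.get("ToPort", "all")}'
            for pair in perm.get("UserIdGroupPairs", []):
                # Solid line when both SGs share a VPC, dashed otherwise; a referenced
                # SG outside the collected set (peered account) counts as cross-VPC.
                kind = "intra-vpc" if vpc_of.get(pair["GroupId"]) == sg["VpcId"] else "cross-vpc"
                edges.append((pair["GroupId"], sg["GroupId"], rule, kind))
            for rng in perm.get("IpRanges", []):
                edges.append((cidr_label(rng["CidrIp"]), sg["GroupId"], rule, "cidr"))
    return edges
```

Filtering the returned edges on kind == "cross-vpc" gives the rules an auditor would review first, since those are the ones that span a segmentation boundary.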
Outcomes
- Clear security topology visualization: Transforms abstract security rules into explorable graphs where relationships are immediately visible, reducing the cognitive load of security audits.
- Multi-region analysis capability: A single command can map security groups across multiple AWS regions, providing a unified view of distributed security configurations.
- Documentation-ready exports: The static visualization option produces high-resolution images suitable for architecture documents, compliance reports, and stakeholder presentations.
Key Contributions
- Designed the graph data model that represents security groups and their rule relationships as a directed graph amenable to standard network analysis.
- Implemented interactive Plotly visualization with hover tooltips showing detailed security rules, draggable nodes for layout adjustment, and zoom/pan for large graphs.
- Built the AWS API caching system with configurable TTL to balance freshness against API efficiency during iterative analysis sessions.
- Created cross-VPC detection logic that identifies and visually distinguishes relationships spanning VPC boundaries—critical for understanding blast radius and network segmentation.
- Developed the configuration system using YAML for customizable visualization settings, cache behavior, and CIDR block aliases without code changes.
Key Takeaways
- Provides clear visual representation of complex security group topologies
- Enables multi-region security analysis from a single tool
- Reduces time to understand security group relationships through interactive exploration