Cloud Security Center

Searching for Exposed Paths

Last updated: 2026-06-04 21:07:01

Feature Description

The Exposure Paths feature provides the capability to search for asset exposure paths based on asset information. If you have purchased a CWPP product, it also displays the corresponding host's process information, vulnerability information, and high-risk baseline information. Using this feature, you can enter a public network asset. CSC then displays the mapping paths of the services mounted on the backend of that asset, and you can even see the specific port processes. Alternatively, you can enter a private network asset to view the process of how it is exposed to the Internet through network devices such as a NAT Gateway, Elastic IP, CLB, or CDN.

Exposed Path Search

1. Log in to the CSC console, and click CSPM in the left navigation pane.
2. Go to Cloud Security Posture Management > Cloud Boundary Analysis > Exposure Paths, where asset exposure paths can be searched.

3. Enter one or more asset IDs, domain names, or IP addresses to start the search. Entering a port yields more precise paths. The page is divided into two sections: Tree Diagram and Data Details List.


Exposed Path Tree Diagram

1. Asset exposure paths are displayed in a tree diagram. The initial node is Internet. Nodes facing the Internet are Internet Nodes. All subsequent asset nodes are Backend Service Nodes. Host-type assets can be associated with Process Port Nodes. If a process has vulnerabilities or high-risk baseline issues, it is associated with a Risk Node. The following section describes the node statuses.
Node statuses by node type (color code and meaning):

Internet node
    Red (Fully open): All addresses on the Internet are allowed to access this port.
    Orange (Restricted access): Access control is configured for the cloud resource, allowing only addresses in the allowlist to access this port.
    Gray (Unable to access): The cloud resource is inaccessible because it is in an abnormal state or powered off.

Backend service node
    Blue (Normal): The asset is in a normal operating, active, or similar state.
    Gray (Abnormal): The asset is in an abnormal state, such as powered off or inactive.
2. In the exposure path, hover the mouse over a node to view its detailed information.


Data Details List

For each node type in the exposure path, CSC provides a more detailed data list based on the node information.
Internet Node List: Displays data information for nodes that are exposed to the Internet.

Backend Service Node List: Displays data information for backend services that are mapped after Internet nodes.



Host List: Displays the host list, security protection status, and data on vulnerabilities and high-risk baseline risks.

Host Process List: Displays host process information collected by CWPP, enabling you to understand application information and port listening status on the host.

Host Risk List: Categorized into host vulnerabilities and high-risk baseline risks. High-risk baseline risks include weak passwords, unauthorized access, and so on.


Exposed Path Example Interpretation

The path relationships in the figure below are as follows:
1. The EIP (eip-****, IP address:111.***.***.***) is bound to an ENI (eni-****).
2. The ENI (eni-****) is bound to a CVM (ins-***).
3. By associating CWPP assets, it is discovered that three processes on the CVM (ins-***) are listening on four ports: 22, 323, 80, and 546.
4. Because the security group policy for the ENI sets ports 1-65535 to be open to 0.0.0.0/0, the public IP address (123.***.***.***) is ultimately exposed to the Internet with ports 1-65535 open. In reality, the accessible ports are 22, 323, 80, and 546.


Application Scenario Examples

1. When an intrusion alarm is triggered for the CVM instance ins-bi****, you need to investigate potential intrusion paths. Enter the instance ID in Exposure Paths to display the scenarios in which this asset is exposed to the Internet.

2. Analysis indicates that all ports on the asset were opened via a security group, and a public IP address (111.***.***.***) was configured. Additionally, port 22 was opened through a CLB (139.***.***.***) and a NAT Gateway (119.***.***.***). The asset has a weak password for the Linux system, which is likely the main cause of the intrusion, so the investigation can proceed in that direction.
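The two sections above (the EIP > ENI > CVM path interpretation, and the intrusion-investigation scenario with an EIP, a CLB and a NAT Gateway all reaching the same CVM) describe the same underlying computation: walk from every Internet-facing node to the backend asset, classify each Internet node by its access rules and state, and intersect the rule port ranges with the ports CWPP actually sees listening. The following Python is an added example that models that computation on a constructed inventory; it is not Tencent Cloud code, and the node IDs, IP addresses, process names and edge table are all assumed placeholders. The `reachable_from` helper goes one step beyond the page by answering the investigator's question of which Internet node a given source address could have used to reach a port.

```python
"""Toy exposure-path analysis: Internet node -> backend chain -> host ports.
Added example with a constructed inventory; all IDs and addresses are
placeholders, not real Tencent Cloud identifiers."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Rule:
    """One allow rule: a security-group entry, or a CLB/NAT listener."""
    cidr: str
    port_from: int
    port_to: int

    def allows(self, src_ip: str, port: int) -> bool:
        in_range = self.port_from <= port <= self.port_to
        in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)
        return in_range and in_cidr


@dataclass
class InternetNode:
    """A node facing the Internet: EIP, CLB or NAT Gateway."""
    node_id: str
    kind: str
    public_ip: str
    state: str                      # "running" or "stopped"
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Process:
    """Process information as CWPP would collect it on the host."""
    name: str
    pid: int
    listen_ports: List[int]


# Constructed inventory (assumption) mirroring the page's examples:
# EIP -> ENI -> CVM with ports 1-65535 open to 0.0.0.0/0, plus a CLB and a
# NAT Gateway that each forward port 22 to the same CVM, and one stopped EIP.
INTERNET_NODES: Dict[str, InternetNode] = {
    "eip-demo": InternetNode("eip-demo", "EIP", "198.51.100.10", "running",
                             [Rule("0.0.0.0/0", 1, 65535)]),
    "clb-demo": InternetNode("clb-demo", "CLB", "198.51.100.20", "running",
                             [Rule("0.0.0.0/0", 22, 22)]),
    "nat-demo": InternetNode("nat-demo", "NAT", "198.51.100.30", "running",
                             [Rule("203.0.113.0/24", 22, 22)]),
    "eip-stopped": InternetNode("eip-stopped", "EIP", "198.51.100.40", "stopped",
                                [Rule("0.0.0.0/0", 1, 65535)]),
}

# Next hop from each node toward the backend service (constructed).
BACKEND_EDGES: Dict[str, str] = {
    "eip-demo": "eni-demo",
    "eni-demo": "ins-demo",
    "clb-demo": "ins-demo",
    "nat-demo": "ins-demo",
    "eip-stopped": "ins-other",
}

# Three processes listening on four ports, as in the page's example.
HOST_PROCESSES: Dict[str, List[Process]] = {
    "ins-demo": [
        Process("sshd", 1001, [22]),
        Process("chronyd", 1002, [323, 546]),
        Process("nginx", 1003, [80]),
    ],
}


def node_status(node: InternetNode) -> str:
    """Colour code from the node-status table: red / orange / gray."""
    if node.state != "running":
        return "gray"                                # unable to access
    if any(r.cidr == "0.0.0.0/0" for r in node.rules):
        return "red"                                 # fully open
    return "orange" if node.rules else "gray"        # restricted / nothing allowed


def exposure_paths(asset_id: str) -> List[List[str]]:
    """Every chain Internet node -> ... -> asset_id, one list per path."""
    paths = []
    for start in INTERNET_NODES:
        chain, cur = [start], start
        while cur in BACKEND_EDGES:
            cur = BACKEND_EDGES[cur]
            chain.append(cur)
        if chain[-1] == asset_id:
            paths.append(chain)
    return paths


def effective_ports(node: InternetNode, asset_id: str) -> List[int]:
    """Ports actually reachable via `node`: the rule port ranges intersected
    with the ports CWPP sees listening on the host (the page's step 4)."""
    if node_status(node) == "gray":
        return []
    listening = {p for proc in HOST_PROCESSES.get(asset_id, []) for p in proc.listen_ports}
    return sorted(p for p in listening
                  if any(r.port_from <= p <= r.port_to for r in node.rules))


def reachable_from(src_ip: str, asset_id: str, port: int) -> List[str]:
    """Internet-node IDs through which src_ip could reach asset_id:port."""
    hits = []
    for path in exposure_paths(asset_id):
        node = INTERNET_NODES[path[0]]
        if port in effective_ports(node, asset_id) and any(r.allows(src_ip, port) for r in node.rules):
            hits.append(node.node_id)
    return hits


if __name__ == "__main__":
    for path in exposure_paths("ins-demo"):
        node = INTERNET_NODES[path[0]]
        print(" -> ".join(["Internet"] + path), node_status(node), effective_ports(node, "ins-demo"))
```

Run it directly to print one line per path, each with the Internet node's colour code and the ports that are really reachable through it: the EIP path reports 22, 80, 323 and 546 despite its 1-65535 rule, and the CLB and NAT paths report only 22, matching the page's interpretation that the security-group range overstates exposure and the listening ports are what actually answer.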

