CloudMapper Installation Guide

This guide walks you through the complete process of installing CloudMapper from the AWS Marketplace using CloudFormation templates for secure, automated deployment.

Prerequisites: You need an AWS account with appropriate permissions to create CloudFormation stacks, EC2 instances, and IAM roles.

Subscribe to CloudMapper on AWS Marketplace

Navigate to the AWS Marketplace and subscribe to CloudMapper to get access to the AMI and CloudFormation templates.

Go to AWS Marketplace in your AWS Console
Search for "CloudMapper by Buckshot Technologies"
Click on the product listing
Review pricing and terms
Click "Continue to Subscribe"
Accept the terms and conditions
Click "Continue to Configuration"

Configure Product Options

Select your deployment region and CloudFormation template version.

                                        Configuration Options:
                                        Fulfillment Option: CloudFormation Template
Software Version: Latest (1.1.0)
Region: Select your preferred AWS region

                                    

Click "Continue to Launch" after making your selections.

Launch CloudFormation Stack

Deploy CloudMapper using the provided CloudFormation template.

Launch Options:

Action: Launch CloudFormation
Template: cloudmapper-standard.yaml
Access: VPC with internet access

Security Features:

FIPS 140-2 Compliant
OIDC SSO Integration
HTTPS-Only Access
Air-gapped Compatible

Click "Launch" to proceed to CloudFormation.

Configure CloudFormation Parameters

Customize your CloudMapper deployment with the following parameters:

Security Model: CloudMapper enforces SSM-only access. SSH/KeyPair access is completely disabled for security.

Instance Configuration:

InstanceType: t3.medium              # Recommended minimum
VpcId: vpc-xxxxxxxxx                 # Target VPC
SubnetId: subnet-xxxxxxxxx           # Public or private subnet
AssociatePublicIpAddress: true       # Optional - create public IP

Security Configuration:

AllowedCIDR: 10.0.0.0/8             # IP range for HTTPS web access
# Note: SSM access is ALWAYS enabled (non-negotiable)

Backup Configuration:

EnableBackups: true                  # Automated daily backups (highly recommended)
# Backups include 30-day retention with 7-day cold storage transition

Application Configuration:

CloudMapperVersion: latest           # AMI version to deploy

Enhanced Security Features:

EBS deletion protection enabled (volumes survive instance termination)
Instance termination protection enabled
Encrypted EBS volumes (gp3, 20GB)
No SSH keys accepted or configured

Review and Deploy

Review your configuration and deploy the stack.

Review all parameters and settings
Check the "I acknowledge that AWS CloudFormation might create IAM resources" box
Click "Create Stack"
Monitor the stack creation process (typically 5-10 minutes)

Note: The CloudFormation stack will create IAM roles with necessary permissions for CloudMapper to scan your AWS infrastructure.

Access CloudMapper

Once the stack is created, access your CloudMapper instance via HTTPS.

Web Access (HTTPS Only):

# Public IP Access (if AssociatePublicIpAddress=true)
https://your-instance-public-ip

# Private IP Access (always available within VPC)
https://your-instance-private-ip

# Find your instance IPs from CloudFormation Outputs
aws cloudformation describe-stacks --stack-name your-stack-name \
  --query 'Stacks[0].Outputs[?OutputKey==`CloudMapperPublicIP`].OutputValue' \
  --output text

aws cloudformation describe-stacks --stack-name your-stack-name \
  --query 'Stacks[0].Outputs[?OutputKey==`CloudMapperPrivateIP`].OutputValue' \
  --output text

Public IP: Only available if you set AssociatePublicIpAddress=true during deployment. Private IP is always available for VPC-internal access.

Self-Signed Certificate: CloudMapper uses a self-signed SSL certificate. Your browser will show a security warning.

Accepting Self-Signed Certificate in Browser

Navigate to https://your-instance-ip
Browser will show "Your connection is not private" or similar warning
Chrome/Edge: Click "Advanced" → "Proceed to [IP] (unsafe)"
Firefox: Click "Advanced" → "Accept the Risk and Continue"
Safari: Click "Show Details" → "visit this website"

Production Recommendation: For production environments, we recommend placing an Application Load Balancer (ALB) in front of your CloudMapper instance with a trusted SSL certificate from AWS Certificate Manager (ACM).

SSM Access (REQUIRED - Only Access Method):

# Connect via AWS Systems Manager Session Manager
aws ssm start-session --target i-1234567890abcdef0

# Alternative: Use AWS Console
# 1. Go to EC2 → Instances
# 2. Select your CloudMapper instance
# 3. Click "Connect" → "Session Manager" → "Connect"

# Note: SSH is completely disabled - SSM is the ONLY way to access the system

Important: SSH access is completely disabled. CloudMapper enforces SSM-only access for maximum security. No SSH keys are configured or accepted.

Success! CloudMapper is now ready to scan and visualize your AWS infrastructure.

IAM Policies & Permissions

Pre-configured: The CloudFormation template automatically creates the necessary IAM role with appropriate permissions. No manual IAM configuration required.

Applied IAM Policies

ReadOnlyAccess AWS Managed
Broad read-only permissions across AWS services for comprehensive infrastructure discovery.
AmazonSSMManagedInstanceCore AWS Managed
Enables AWS Systems Manager Session Manager for secure shell access without SSH keys.
AWSBackupServiceRolePolicyForBackup AWS Managed (Backup Service Only)
Applied to backup service role when backups are enabled. Allows AWS Backup to create snapshots and backups of your CloudMapper instance.
AWSBackupServiceRolePolicyForRestores AWS Managed (Backup Service Only)
Applied to backup service role when backups are enabled. Allows AWS Backup to restore instances and volumes from backup recovery points.

What This Means

Can Read: All AWS resource configurations, metadata, and relationships across your account.
Cannot Modify: No permissions to create, update, or delete any AWS resources.
SSM Access: Allows secure terminal access through AWS console without SSH keys.
CloudWatch: Can send metrics and logs for monitoring and troubleshooting.

Built-in Services

AWS Systems Manager

Status: ALWAYS ENABLED

ONLY access method. SSH is completely disabled. Access via AWS Console → Systems Manager → Session Manager.

CloudWatch Integration

Status: Enabled by Default

Automatic metrics and logs collection for monitoring instance health and application performance.

AWS Backup

Status: Optional (Recommended)

Daily automated backups with 30-day retention and 7-day cold storage transition. EBS deletion protection always ON.

CloudFormation Stack Outputs

After successful deployment, your CloudFormation stack provides these outputs for easy access and management.

Instance Information

CloudMapperInstanceId: EC2 instance ID
CloudMapperPrivateIP: Private IP (always available)
CloudMapperPublicIP: Public IP (if enabled)
CloudMapperURL: HTTPS web URL (if public IP enabled)

Access & Management

SSMSessionCommand: Ready-to-use SSM command
BackupVaultName: Backup vault (if enabled)
Version: Deployed CloudMapper version

View Stack Outputs:

# List all stack outputs
aws cloudformation describe-stacks --stack-name your-cloudmapper-stack \
  --query 'Stacks[0].Outputs' --output table

# Get specific output (e.g., SSM command)
aws cloudformation describe-stacks --stack-name your-cloudmapper-stack \
  --query 'Stacks[0].Outputs[?OutputKey==`SSMSessionCommand`].OutputValue' \
  --output text

Zero Configuration Required: CloudMapper automatically detects its AWS region and begins discovery using the attached IAM role permissions.

Additional Configuration

Load Balancer with Trusted Certificate

Deploy an ALB with ACM certificate for production environments.

Setup Guide

OIDC SSO Setup

Configure single sign-on with your identity provider.

Learn More

Need Help? Check our Troubleshooting Guide, join GitHub Discussions, or report an issue.

Documentation

AWS Marketplace