Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS IAM: represent STS_ASSUMEROLE_ALLOW from arn:aws:iam::ACCOUNT_NUMBER:root #1416

Open
achantavy opened this issue Dec 25, 2024 · 1 comment
Open

AWS IAM: represent STS_ASSUMEROLE_ALLOW from arn:aws:iam::ACCOUNT_NUMBER:root #1416

achantavy opened this issue Dec 25, 2024 · 1 comment
Labels
analysis Regarding ways to better understand and present data in the graph AWS Related to cartography's AWS module data-addition Describes adding new data to the graph

Comments

@achantavy
Copy link
Contributor

Description:

Describe your idea. Please be detailed. If a feature request, please
describe the desired behavior, what scenario it enables, and how it
would be used.

The AWS IAM sync currently draws STS_ASSUMEROLE_ALLOW relationships by looking for TRUSTS_AWS_PRINCIPAL relationships:

cartography/cartography/intel/aws/iam.py

Lines 457 to 463 in 4fa4b82

MATCH (:AWSAccount{id:$AccountId})-[:RESOURCE]->(target:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(source:AWSPrincipal)
WHERE NOT source.arn ENDS WITH 'root'
AND NOT source.type = 'Service'
AND NOT source.type = 'Federated'
RETURN target.arn AS target_arn,
source.arn AS source_arn
"""

This however does not handle arn:aws:iam::ACCOUNT_NUMBER:root. If a principal trusts root, then technically any role in that account is able to assume it. To properly represent this, we could draw an STS_ASSUMEROLE_ALLOW relationship from every role in ACCOUNT_NUMBER to the target principal. This could be quite edge heavy in some cases but would properly highlight cross account permissions.

cc: @SecPrez eager to hear your thoughts here. I'm thinking this is worth doing even if the rel count can be heavy for some cases.
@achantavy achantavy added AWS Related to cartography's AWS module data-addition Describes adding new data to the graph analysis Regarding ways to better understand and present data in the graph labels Dec 25, 2024
@achantavy
Copy link
Contributor Author

I imagine super nodes is potentially a consideration: https://medium.com/neo4j/graph-modeling-all-about-super-nodes-d6ad7e11015b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
analysis Regarding ways to better understand and present data in the graph AWS Related to cartography's AWS module data-addition Describes adding new data to the graph
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@achantavy