WithSecureLabs / awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
GNU General Public License v3.0
905 stars 102 forks

Is it possible to visualize data that was ingested from multiple AWS accounts that have connections? #34

Open jokercygnus opened 4 years ago

jokercygnus commented 4 years ago

Hi, I'm trying to visualize data that was ingested from multiple AWS accounts, with the same profile (using AssumeRole). Unfortunately, it is only possible to load and visualize one DB at a time. Is there any way to do that which I am missing?

beatro0t commented 4 years ago

Hi @jokercygnus,

Thanks for the question. You're absolutely right, this is not yet something we have support for. Long story, but currently data is loaded into the db by wrapping neo4j-admin import, which will recreate the database each time. While this approach is fast, there are quite a few limitations with it (not being able to visualize multiple accounts being one of them) and it is something we are busy looking at changing.

For now, you can try unzipping the two zipped datasets you want to view and merging each CSV with the same name. Hopefully, if you zip it all up again, you can load it with awspx db --load-zip.

jokercygnus commented 4 years ago

Thank you for the reply. Yes, I also thought about appending the CSVs to each other while taking a look inside the ZIPs. Hope it will go smoothly.

beatro0t commented 4 years ago

I've added preliminary support for loading multiple ZIPs; however, it would be a bit of a cop out to say this feature has been added. The problem is that atm, resources are identified by their ARNs, as are generics and pseudo-nodes like Admin and CatchAll - which are not uniquely identifiable across zips. What you end up with is a single dataset that is misleading. Things like built-in managed policies do not include account numbers in their ARNs and so the actions they can perform in each account will be added together. It will appear as though users attached to them in one account can now perform actions affecting resources in both, which is incorrect. Things like attack paths do not consider accounts at all.

A fair amount of work needs to be done for this feature so for the time being the CLI will not accept more than one ZIP, although the function it calls takes a list. I'd prefer to add additional labels to each resource, rather than a property but need to do more investigation.
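The workaround from the second comment (unzip both datasets, append CSVs that share a name, zip the result back up) and the caveat from the fourth comment (identifiers without an account number, such as built-in managed policies and pseudo-nodes, collide across accounts) can be done and checked in one small script. The following is an added example written for this thread, not code from awspx; it assumes a constructed layout of one `resources.csv` with an `Arn` column per ZIP, which is not the real neo4j-admin import layout awspx produces, so adjust the file and column names to what you find inside your own ZIPs.

```python
"""Merge awspx-style ZIP datasets from several accounts and report identifiers
that are not account-scoped (the ones that collide after merging).

Added example for this issue; the CSV layout below is constructed, not awspx's.
"""
import csv
import io
import re
import zipfile

# Account field of an ARN: arn:partition:service:region:account:resource
ARN_RE = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:([^:]*):")


def merge_csv_text(parts):
    """Concatenate CSV texts that share a header.

    The header is kept once, and exact duplicate rows are dropped so the same
    unscoped row (e.g. a built-in policy) does not appear once per account.
    """
    header = None
    seen = set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for text in parts:
        rows = list(csv.reader(io.StringIO(text)))
        if not rows:
            continue
        if header is None:
            header = rows[0]
            writer.writerow(header)
        elif rows[0] != header:
            raise ValueError(f"header mismatch: {rows[0]} != {header}")
        for row in rows[1:]:
            key = tuple(row)
            if key not in seen:
                seen.add(key)
                writer.writerow(row)
    return out.getvalue()


def merge_zips(zip_sources):
    """Return {csv name: merged text} for CSV members sharing a name across ZIPs.

    `zip_sources` may be file paths or file-like objects.
    """
    by_name = {}
    for src in zip_sources:
        with zipfile.ZipFile(src) as zf:
            for name in zf.namelist():
                if name.endswith(".csv"):
                    by_name.setdefault(name, []).append(zf.read(name).decode("utf-8"))
    return {name: merge_csv_text(parts) for name, parts in sorted(by_name.items())}


def write_merged_zip(merged, out_path):
    """Write the merged CSVs back into a single ZIP for `awspx db --load-zip`."""
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in merged.items():
            zf.writestr(name, text)


def unscoped_identifiers(csv_text, column="Arn"):
    """Identifiers in `column` with no numeric account id.

    These are the built-in managed policies (account field 'aws') and
    pseudo-nodes (not ARNs at all) that the thread warns will be conflated
    when two accounts' datasets are merged.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row[column]
        m = ARN_RE.match(value)
        if m is None or not m.group(1).isdigit():
            flagged.append(value)
    return flagged


def build_sample_zip(account_id):
    """Constructed stand-in for one exported dataset (sample data, not real output)."""
    rows = [
        f"arn:aws:iam::{account_id}:user/alice,AWS::Iam::User",
        "arn:aws:iam::aws:policy/AdministratorAccess,AWS::Iam::Policy",
        "Admin,Pseudo",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resources.csv", "Arn,Type\n" + "\n".join(rows) + "\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    merged = merge_zips([build_sample_zip("111111111111"),
                         build_sample_zip("222222222222")])
    for name, text in merged.items():
        for ident in unscoped_identifiers(text):
            print(f"{name}: '{ident}' is not account-scoped; it will be shared across accounts")
    write_merged_zip(merged, "merged.zip")
```

Run it on real exports by passing the two ZIP paths to `merge_zips` and loading `merged.zip` with `awspx db --load-zip`; anything the script flags is exactly the kind of node whose permissions will be summed across accounts in the resulting graph, so treat paths through those nodes with suspicion until per-account labelling lands.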