Closed yruss972 closed 3 years ago
Hey @yruss972,
You're spot on! Presently, attack computation doesn't consider Deny actions (see https://github.com/FSecureLABS/awspx/wiki/FAQs#why-do-attacks-not-consider-deny-actions)
Is there any way to take this into account manually using a query on the graph without respect to attack paths? If so, could you help me with the syntax?
Absolutely! You can write your own cypher queries, or construct them visually, using advanced search options (see: https://github.com/FSecureLABS/awspx/wiki/Data-Exploration#advanced-options for more info).
If you opt for cypher, you can start with something like this (assuming you're looking for the actions described by the attacks you listed previously):
MATCH actions=(source)-[:TRANSITIVE*0..]->(policy)-[action:ACTION]->(target)
WHERE action.Name IN ["iam:AddUserToGroup", "iam:AttachUserPolicy",
                      "iam:CreatePolicyVersion", "iam:PutUserPolicy"]
// AND source.Name = "Bob"                  // e.g. filter by a source's name
// AND target.Name IN ["$User", "$Policy"]  // target will be one of these two types, so use a collection
// AND action.Effect IN ["Allow", "Deny"]   // these are the only two options to filter an ACTION's Effect on (Cypher variables are case-sensitive: `action`, not `Action`)
RETURN actions
I'd recommend filtering as far as possible because these graphs tend to get really big, really quickly.
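As an added illustration of what the reply is describing (this is example code, not part of awspx and not the maintainer's), the script below models the graph shape from the query above, `(source)-[:TRANSITIVE*0..]->(policy)-[:ACTION {Name, Effect}]->(target)`, in memory and contrasts an Allow-only view (what an attack computation that ignores Deny reports) with a Deny-aware view that applies IAM's explicit-deny-wins rule. The principal, policy and target names, the attachment layout, and the exact-match treatment of action names and targets are all assumptions made for this example; real IAM evaluation also handles wildcards, resource ARN patterns and conditions, which this does not.

```python
"""Allow-only vs. Deny-aware evaluation over an awspx-style graph (constructed example)."""
from collections import defaultdict

# Constructed sample graph (not real awspx output). Edges mirror the shape used
# in the reply: TRANSITIVE hops from a principal to the policies it inherits,
# then ACTION edges from a policy to a target, carrying Name and Effect.
TRANSITIVE = [
    ("Bob", "BobInlinePolicy"),     # Bob -> his inline policy (one hop)
    ("Bob", "Admins"),              # Bob -> group Admins
    ("Admins", "AdminsPolicy"),     # Admins -> group policy (two hops from Bob)
    ("Alice", "AliceInlinePolicy"),
]

# (policy, action name, effect, target)  -- all names are made up for this example
ACTIONS = [
    ("AdminsPolicy",      "iam:AttachUserPolicy", "Allow", "Carol"),
    ("BobInlinePolicy",   "iam:AttachUserPolicy", "Deny",  "Carol"),  # explicit deny, Bob only
    ("AliceInlinePolicy", "iam:AttachUserPolicy", "Allow", "Carol"),
    ("AdminsPolicy",      "iam:AddUserToGroup",   "Allow", "Admins"),
]

# The actions named in the reply's query.
ATTACK_ACTIONS = {"iam:AddUserToGroup", "iam:AttachUserPolicy",
                  "iam:CreatePolicyVersion", "iam:PutUserPolicy"}


def reachable(source, transitive):
    """Nodes reachable from `source` via zero or more TRANSITIVE hops (the *0.. in Cypher)."""
    adj = defaultdict(list)
    for a, b in transitive:
        adj[a].append(b)
    seen, stack = {source}, [source]
    while stack:
        node = stack.pop()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def action_edges(source, effect, transitive, actions):
    """(action, target) pairs with the given Effect that `source` reaches through its policies."""
    policies = reachable(source, transitive)
    return {(name, target) for policy, name, eff, target in actions
            if policy in policies and eff == effect and name in ATTACK_ACTIONS}


def allow_only(source, transitive=TRANSITIVE, actions=ACTIONS):
    """What an Allow-only attack computation would report for `source`."""
    return action_edges(source, "Allow", transitive, actions)


def deny_aware(source, transitive=TRANSITIVE, actions=ACTIONS):
    """IAM semantics: an explicit Deny on the same action/target removes the Allow.
    Exact-match only; wildcard and condition handling are out of scope here."""
    return allow_only(source, transitive, actions) - action_edges(source, "Deny", transitive, actions)


def deny_masked(source, transitive=TRANSITIVE, actions=ACTIONS):
    """Paths the Allow-only view reports that an explicit Deny actually blocks (false positives)."""
    return allow_only(source, transitive, actions) - deny_aware(source, transitive, actions)


if __name__ == "__main__":
    for principal in ("Bob", "Alice"):
        print(principal)
        print("  allow-only :", sorted(allow_only(principal)))
        print("  deny-aware :", sorted(deny_aware(principal)))
        print("  deny-masked:", sorted(deny_masked(principal)))
```

Bob inherits `iam:AttachUserPolicy` on Carol through the group, but his inline Deny for the same action and target removes it; the Allow-only view still lists it, which is exactly the kind of path the FAQ linked above says attack computation will report. In Cypher, the same exclusion would be an extra `AND NOT (...)` pattern predicate (or a `NOT EXISTS { ... }` subquery on Neo4j 4.x) matching a second `TRANSITIVE*0..` path from `source` to an `ACTION` edge with `Effect: "Deny"` and the same `Name` to the same `target`; that phrasing is an assumption about awspx's schema, so check it against your own graph before relying on it.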
It seems to me that the attacks algorithm is not taking Deny policies into account when creating paths. I'm not sure how to debug it.
Assuming a policy like:
I still see AttachUserPolicy attack paths coming from a user with that policy after running:
Is this a bug? Am I doing something wrong?