search

cartography-cncf / cartography

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
https://cartography-cncf.github.io/cartography/
Apache License 2.0
3.02k stars 344 forks source link

Represent S3 bucket policies in the graph #759

Open achantavy opened 2 years ago

achantavy commented 2 years ago

Description:

Describe your idea. Please be detailed. If a feature request, please describe the desired behavior, what scenario it enables, and how it would be used.

Cartography already pulls s3 bucket policies and parses them with policyuniverse to determine internet exposure. We should expand on this feature to compute s3-specific permission relationships.

For background, S3 permissions can be defined by S3 ACLs, IAM policies, and S3 bucket policies (AWS ref).

We already surface S3 perms at the IAM level but we do not have visibility at S3 itself. Many orgs may choose to use only S3-specific perms so lack of this support in this cartography gives an incomplete picture.

Plan

I see this feature as needing 2 tasks.

  1. Represent the S3 policies and policy statements in the graph.
  2. Use the data from (1) to compute AWSPrincipal-to-S3Bucket S3-specific relationships. This will be similar to our resource permission relationships functionality with IAM, although I don't think we necessarily need to define a whole separate yaml file for that.

It data model will look like this: s3 bucket perms

Testing for this feature can be done like this: image

Help wanted! Please reach out if can work on this and we can help point in the right direction.

[optional Relevant Links:]

Any extra documentation required to understand the issue.

achantavy commented 2 years ago

Further discussion on Slack: https://lyftoss.slack.com/archives/CTZUQL0KX/p1643754325800859

Summarized,

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

achantavy commented 2 years ago

I've added more details in this one-pager: https://docs.google.com/document/d/1EOn9DBwubQhT_uk0WUO2Sx4WjSPR8mdBBbbWuheloc8/edit#. @SecPrez - can you have a look? :-)