duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Web of trust STS #812

Closed cbeltranbird closed 3 years ago

cbeltranbird commented 3 years ago

With cross-account STS-based authentication backed by SAML, this WoT failed to execute as the two ARNs would never match. (The principal and the provider are not in the same account, by design.)

Here, we replicate the same behavior as before, but also add a fallback model of ensuring we actually trust the origin and target accounts. This allows WoT to graph the unidirectional trust for further inspection.

Additionally, web/style.json now includes labels to better understand what the colors mean at a glance. While this data is also available here, it's easier to share the WoT graph with all data present.

Lastly, ensured that any Elasticsearch instance without an attached AccessPolicy is marked as ES_PUBLIC due to undocumented and unexpected behavior. Normally, AWS does not allow you to create a policy-less ES cluster, but there appears to be a way to create this state using the Terraform provider.
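To illustrate the fallback described in this PR (same-account match first, otherwise accept the edge only when both origin and target accounts are ones we scanned), here is an added, stand-alone example that is not CloudMapper's own code. The trust policy, role ARN and `KNOWN_ACCOUNTS` set are constructed for the example.

```python
import json
import re

# Constructed sample: the role lives in account 111111111111, but the SAML
# provider it trusts lives in 222222222222, so the two ARNs never share an account.
ROLE_ARN = "arn:aws:iam::111111111111:role/Analyst"
TRUST_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
     "Principal": {"Federated": "arn:aws:iam::222222222222:saml-provider/CorpIdP"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::333333333333:root"}}
  ]
}""")
# Accounts present in the (hypothetical) scan configuration; 333333333333 is not one of them.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def account_of(arn):
    """Return the 12-digit account id embedded in an ARN, or None (e.g. for "*")."""
    m = re.match(r"^arn:[^:]*:[^:]*:[^:]*:(\d{12}):", arn)
    return m.group(1) if m else None


def principal_arns(statement):
    """Flatten the Principal block (AWS and Federated entries) into a list of ARNs."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    arns = []
    for key in ("AWS", "Federated"):
        value = principal.get(key, [])
        arns.extend([value] if isinstance(value, str) else value)
    return arns


def trust_edges(role_arn, policy, known_accounts):
    """Return (principal_arn, role_arn, reason) for each principal that may assume the role."""
    role_account = account_of(role_arn)
    edges = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for arn in principal_arns(stmt):
            src = account_of(arn)
            if src == role_account:                      # original behaviour: ARNs share an account
                edges.append((arn, role_arn, "same-account"))
            elif src in known_accounts and role_account in known_accounts:
                # fallback: unidirectional trust between two accounts we both scanned
                edges.append((arn, role_arn, "cross-account, both accounts trusted"))
    return edges
```

The 333333333333 principal produces no edge because that account is outside the scan set, which is what keeps an unknown third party from appearing as a trusted node in the graph.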

0xdabbad00 commented 3 years ago

LGTM. Thank you @cbeltranbird! @steiza This can be merged.