duo-labs / cloudmapper

CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
BSD 3-Clause "New" or "Revised" License

Identify vendors that are not publicly documented #816

Open 0xdabbad00 opened 3 years ago

0xdabbad00 commented 3 years ago

We've had some PRs to add vendor accounts that aren't publicly documented. I've generally avoided these because:

1) The vendor might not want their account ID to be publicly known (not a great reason, since there aren't any known threats from someone knowing your account ID).
2) What if an account is added that is wrong? Maybe an attacker tells me their account belongs to some vendor. Then I add it here, and now a security team ignores some backdoor in their account?

However, I want this repo to have a complete list of known vendor accounts, and not have people have to maintain their own private lists or some other awkward solution.

As such, I think it makes sense to add in these vendors, but to indicate that I'm not entirely confident this info is true. This resolves reason 2 of not including them, and these vendors are just going to have to live with me ignoring reason 1.

0xdabbad00 commented 3 years ago

In order to deal with this, I'm going to just print a warning for now to tell people the vendor is unconfirmed when there is no source entry. So for all unconfirmed vendors, we'll just not include a source. If you do want to include some sort of reference (even though that wouldn't really make sense), just add a yaml comment. For vendors like Bridgecrew that don't actually have their account ID publicly documented, they had added themselves as a vendor and referenced their homepage as the "source". Since I knew the person that submitted it was from Bridgecrew, I trusted it.
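The check described in the comment above, written out as an added example (this is not CloudMapper's own code). It assumes vendor entries of the shape the discussion implies, a `name`, a list of `accounts` and an optional `source`, as they would look after loading the YAML file; the vendor names and account IDs below are constructed and not real. An entry without a `source` is treated as unconfirmed and produces a warning, and a malformed account ID is skipped rather than trusted, so a typo cannot silently whitelist an arbitrary principal.

```python
"""Flag vendor account entries that lack a public `source`.

Added example, not CloudMapper's own code. Field names (name / accounts /
source) are assumed from the issue discussion; all IDs below are constructed.
"""
import re
import warnings
from typing import Dict, List, Tuple

# AWS account IDs are exactly 12 decimal digits.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed sample, as the vendor list would look after yaml.safe_load().
SAMPLE_VENDORS: List[dict] = [
    {
        "name": "ExampleVendorA",
        "accounts": ["111111111111", "111111111112"],
        "source": "https://docs.example-a.invalid/aws-accounts",  # constructed URL
    },
    # No `source`: the account ID is not publicly documented, so unconfirmed.
    {"name": "ExampleVendorB", "accounts": ["222222222222"]},
    # Malformed ID: must be rejected, not silently treated as a trusted vendor.
    {"name": "ExampleVendorC", "accounts": ["33333"], "source": "https://example-c.invalid"},
]


def build_index(vendors: List[dict]) -> Dict[str, Tuple[str, bool]]:
    """Map account ID -> (vendor name, confirmed?).

    An entry counts as confirmed only when it carries a non-empty `source`.
    Unconfirmed vendors and malformed IDs each raise a warning so the reader
    of the report knows which trust relationships rest on an unverified claim.
    """
    index: Dict[str, Tuple[str, bool]] = {}
    for vendor in vendors:
        name = vendor["name"]
        confirmed = bool(vendor.get("source"))
        if not confirmed:
            warnings.warn(f"Vendor {name} has no source entry; its account IDs are unconfirmed")
        for account in vendor.get("accounts", []):
            account = str(account)
            if not ACCOUNT_ID_RE.match(account):
                warnings.warn(f"Vendor {name}: malformed account ID {account!r}, skipping")
                continue
            if account in index and index[account][0] != name:
                warnings.warn(f"Account {account} claimed by both {index[account][0]} and {name}")
            index[account] = (name, confirmed)
    return index


def classify_principal(account_id: str, index: Dict[str, Tuple[str, bool]]) -> str:
    """Return 'confirmed', 'unconfirmed' or 'unknown' for an AWS account ID
    found in a trust policy or resource policy."""
    entry = index.get(account_id)
    if entry is None:
        return "unknown"
    return "confirmed" if entry[1] else "unconfirmed"


if __name__ == "__main__":
    idx = build_index(SAMPLE_VENDORS)
    # Constructed principals, as they might appear in an IAM role trust policy.
    for principal in ("111111111111", "222222222222", "999999999999"):
        status = classify_principal(principal, idx)
        label = idx.get(principal, ("-",))[0]
        print(f"{principal} {status:12} {label}")
```

Running the script prints one line per principal; the unconfirmed vendor still resolves to a name, but the status column tells the reviewer that the attribution rests on an undocumented claim rather than a public source.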