def _check_acl(self, item, field, keys, recorder):
acl = item.config.get('Grants', {})
owner = item.config["Owner"]["ID"].lower()
for key in acl.keys():
if key.lower() not in keys:
continue
# Canonical ID == Owning Account - No issue
if key.lower() == owner.lower():
continue
entity = Entity(category='ACL', value=key)
account = self._get_account(field, key)
if account:
entity.account_name = account['name']
entity.account_identifier = account['identifier']
recorder(item, actions=acl[key], entity=entity)
def _check_acl(self, item, field, keys, recorder):
acl = item.config.get('Grants', {})
owner = item.config["Owner"]["ID"].lower()
for key in acl.keys():
if key.lower() not in keys:
continue
# Canonical ID == Owning Account - No issue
if key.lower() == owner.lower():
continue
entity = Entity(category='ACL', value=key)
account = self._get_account(field, key)
if account:
entity.account_name=account['name']
entity.account_identifier=account['identifier']
recorder(item, actions=acl[key], entity=entity)
def check_subscriptions_crossaccount(self, item):
"""
"subscriptions": [
{
"Owner": "020202020202",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic",
"SubscriptionArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic:..."
}
]
"""
subscriptions = item.config.get('subscriptions', [])
for subscription in subscriptions:
src_account_number = subscription.get('Owner', None)
entity = Entity(category=subscription.get('Protocol'),
value=subscription.get('Endpoint'),
account_identifier=src_account_number,
account_name='UNKNOWN')
account = self._get_account('identifier', src_account_number)
if not account:
self.record_unknown_access(item,
entity,
actions=['subscription'])
continue
if account['name'] == item.account:
# Same Account
continue
entity.account_name = account['name']
if account['label'] == 'friendly':
self.record_friendly_access(item,
entity,
actions=['subscription'])
elif account['label'] == 'thirdparty':
self.record_thirdparty_access(item,
entity,
actions=['subscription'])
def check_subscriptions_crossaccount(self, item):
"""
"subscriptions": [
{
"Owner": "020202020202",
"Endpoint": "*****@*****.**",
"Protocol": "email",
"TopicArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic",
"SubscriptionArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic:..."
}
]
"""
subscriptions = item.config.get('subscriptions', [])
for subscription in subscriptions:
src_account_number = subscription.get('Owner', None)
entity = Entity(
category=subscription.get('Protocol'),
value=subscription.get('Endpoint'),
account_identifier=src_account_number,
account_name='UNKNOWN')
account = self._get_account('identifier', src_account_number)
if not account:
self.record_unknown_access(item, entity, actions=['subscription'])
continue
if account['name'] == item.account:
# Same Account
continue
entity.account_name = account['name']
if account['label'] == 'friendly':
self.record_friendly_access(item, entity, actions=['subscription'])
elif account['label'] == 'thirdparty':
self.record_thirdparty_access(item, entity, actions=['subscription'])