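def add_to_neo(tx):
    """Load the collected graph into Neo4j within the transaction ``tx``.

    Every record of the ``graph_nodes`` and ``graph_relationships``
    collections in ``simple_storage`` is MERGEd into the graph, so running
    the load twice does not duplicate nodes or edges.

    Args:
        tx: A Neo4j transaction exposing ``run(query, **parameters)``.

    Raises:
        ValueError: if a stored ``node_type`` is not a plain identifier. A
            Cypher label cannot be bound as a query parameter and has to be
            spliced into the query text, so it is validated first.
    """
    all_nodes = simple_storage.all_records('graph_nodes')
    all_relations = simple_storage.all_records('graph_relationships')

    for node in all_nodes:
        label = str(node['node_type'])
        # The label is the only value that still lands in the query text.
        # Limiting it to identifier characters keeps backticks, quotes and
        # braces out of it, so the query structure cannot be altered by a
        # crafted value read from storage (the values originate from cloud
        # resource names, which are attacker-influenced data).
        if not label.isidentifier():
            raise ValueError('unsafe node_type for Cypher label: %r' % (label,))
        tx.run(
            'MERGE (t:`%s` {NodeId: $node_id, node_type: $node_type});' % label,
            node_id=node['node_id'],
            node_type=label,
        )

    for rel in all_relations:
        # Node ids and relation names are bound as parameters instead of
        # being formatted into the statement, so they are always treated as
        # data by the server.
        tx.run(
            'MATCH (source {NodeId: $source_id}), (target {NodeId: $target_id}) '
            'MERGE (source)-[:SystemConnection {type: $relation_name}]->(target);',
            source_id=rel['source_node'],
            target_id=rel['target_node'],
            relation_name=rel['relation_name'],
        )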
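def export(nodes_path='graph_nodes.csv', relationships_path='graph_relationships.csv'):
    """Write the collected graph to two CSV files.

    ``graph_nodes`` records are written to ``nodes_path`` with the columns
    ``node_id, node_resource_id, node_type``; ``graph_relationships``
    records go to ``relationships_path`` with the columns
    ``relation_name, source_node, target_node``. Both files are overwritten.

    Args:
        nodes_path: Output path for the node table (default keeps the
            historical file name in the working directory).
        relationships_path: Output path for the relationship table.

    Raises:
        ValueError: from ``csv.DictWriter`` if a record carries a key that is
            not in the column list (the writer's default ``extrasaction``).
            NOTE(review): confirm that ``simple_storage`` records carry no
            extra keys, otherwise the export aborts part-way through.
    """
    all_nodes = simple_storage.all_records('graph_nodes')
    all_relations = simple_storage.all_records('graph_relationships')

    def _write_table(path, fieldnames, rows):
        # Write one header + rows table. newline='' is required by the csv
        # module (without it every row ends in "\r\r\n" on Windows) and an
        # explicit encoding makes the output independent of the locale.
        # Cell values are resource names from the cloud account; a value
        # starting with "=", "+", "-" or "@" is interpreted as a formula by
        # spreadsheet software, so treat these files as data, not as trusted
        # documents to open blindly.
        with open(path, 'w', newline='', encoding='utf-8') as csvfile:
            writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
            writer.writeheader()
            writer.writerows(rows)

    _write_table(nodes_path, ['node_id', 'node_resource_id', 'node_type'], all_nodes)
    _write_table(
        relationships_path,
        ['relation_name', 'source_node', 'target_node'],
        all_relations,
    )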
def init(self):
    """Relate IAM principals to the public IP addresses they were seen from.

    Builds a name-to-ARN map from the ``users`` and ``roles`` collections
    (a role with the same name as a user wins, because roles are applied
    last), then, for every ``user_to_ip`` record whose ``username`` resolves
    to an ARN, creates one ``UserPublicIPAddress`` relation per address.
    Records whose username is unknown are skipped silently.

    NOTE(review): the other ``init`` methods in this file pass
    ``self.storage`` as the first argument of ``relate``; this one does not.
    Confirm against ``BasePublicIP.relate``'s signature.
    """
    users_to_ips = simple_storage.all_records('user_to_ip')
    users = simple_storage.all_records('users')
    roles = simple_storage.all_records('roles')

    name_to_arn = {user['UserName']: user['Arn'] for user in users}
    name_to_arn.update((role['RoleName'], role['Arn']) for role in roles)

    for entry in users_to_ips:
        try:
            principal_arn = name_to_arn[entry['username']]
        except KeyError:
            # Observed login name is not a known user or role.
            continue
        principal_node = BaseRoleNode(principal_arn)
        for address in entry['ips']:
            address_node = BasePublicIP(address)
            address_node.relate(principal_node, "UserPublicIPAddress")
def init(self):
    """Relate IAM principals to the Lambda functions they may read or modify.

    For every user and role collected in ``iam_gatherusers`` and
    ``iam_gatherroles``, ``iam:SimulatePrincipalPolicy`` is run for
    ``lambda:GetFunction`` and ``lambda:UpdateFunctionCode`` against every
    function ARN in ``lambda_function``. The simulation is evaluated with
    ``aws:MultiFactorAuthPresent = true``, so the result is the principal's
    privilege ceiling, not what an unauthenticated session could do. Each
    ``allowed`` evaluation becomes a relation from the principal node to the
    function node, labelled with the action.

    Nothing is done when no function was collected.

    NOTE(review): with several ``ResourceArns`` the API reports per-resource
    decisions in ``ResourceSpecificResults``; confirm that
    ``EvalResourceName`` carries the function ARN here.
    """
    function_arns = {
        function['FunctionArn']
        for function in simple_storage.all_records('lambda_function')
    }
    principals = simple_storage.all_records('iam_gatherusers')
    principals.extend(simple_storage.all_records('iam_gatherroles'))

    if not function_arns:
        return

    for principal in principals:
        simulation = {
            'PolicySourceArn': principal['Arn'],
            'ActionNames': ['lambda:GetFunction', 'lambda:UpdateFunctionCode'],
            'ResourceArns': list(function_arns),
            'ContextEntries': [{
                'ContextKeyName': 'aws:multifactorauthpresent',
                'ContextKeyType': 'boolean',
                'ContextKeyValues': ['true'],
            }],
        }
        response = run_single_region('iam', 'simulate_principal_policy', simulation)
        for evaluation in response["EvaluationResults"]:
            if evaluation["EvalDecision"] != "allowed":
                continue
            function_node = BaseLambdaNode(evaluation['EvalResourceName'])
            principal_node = BaseRoleNode(principal['Arn'])
            principal_node.relate(self.storage, function_node, evaluation['EvalActionName'])
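def init(self):
    """Relate IAM principals to EC2 instances they can reach via SSM Run Command.

    For every user and role in ``iam_gatherusers`` / ``iam_gatherroles``,
    ``iam:SimulatePrincipalPolicy`` checks ``ssm:SendCommand`` on the
    ``AWS-RunPowerShellScript`` document, with
    ``aws:MultiFactorAuthPresent = true`` (privilege ceiling). When the
    decision is ``allowed`` the principal is related to every collected
    instance plus a synthetic ``ALL-INSTANCES`` entry.

    The original code also built a set of instance ARNs and returned early
    when it was empty; because the synthetic entry is always appended the
    set was never empty, so that guard was dead and has been dropped.

    NOTE(review): ``ssm:SendCommand`` is also authorised against the target
    instance ARN, which this simulation does not include, so the relations
    can over-report compared with the real call. Confirm before relying on
    them as "can execute on instance".
    """
    all_instances = simple_storage.all_records('ec2_gather')
    # Synthetic entry recording account-wide reach; related like a real instance.
    all_instances.append({'InstanceId': "ALL-INSTANCES"})

    all_users = simple_storage.all_records('iam_gatherusers')
    all_users.extend(simple_storage.all_records('iam_gatherroles'))

    for user in all_users:
        simulation_params = {
            'PolicySourceArn': user['Arn'],
            'ActionNames': ['ssm:SendCommand'],
            'ResourceArns': ['arn:aws:ssm:*:*:document/AWS-RunPowerShellScript'],
            'ContextEntries': [{
                'ContextKeyName': 'aws:multifactorauthpresent',
                'ContextKeyType': 'boolean',
                'ContextKeyValues': ['true'],
            }],
        }
        all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
        for simulation_data in all_simulations["EvaluationResults"]:
            if simulation_data["EvalDecision"] != "allowed":
                continue
            # The document is the only simulated resource, so every instance
            # (including the synthetic one) is related to the principal.
            for instance in all_instances:
                ec2_node = BaseEC2Node(instance['InstanceId'])
                role_node = BaseRoleNode(user['Arn'])
                role_node.relate(self.storage, ec2_node, simulation_data['EvalActionName'])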
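def init(self):
    """Relate IAM principals to EC2 instances they can control.

    Four policy simulations are run per principal collected in
    ``iam_gatherusers`` / ``iam_gatherroles``, each with
    ``aws:MultiFactorAuthPresent = true`` (so the result is the privilege
    ceiling of the principal):

    1. ``ec2:AttachVolume``, ``ec2:DetachVolume``
    2. ``ec2:StartInstances``, ``ec2:StopInstances``
    3. ``ec2:AssociateIamInstanceProfile``

    are simulated against the ARN of every collected instance (plus a
    synthetic ``ALL-INSTANCES`` entry); an ``allowed`` result is turned into
    a relation to the instance named by ``EvalResourceName``.

    4. ``ec2:DescribeInstances``, ``ec2:ModifyInstanceAttribute``,
       ``ec2:CopySnapshot``, ``ec2:RunInstances``

    is simulated without a resource list; an ``allowed`` result relates the
    principal to every collected instance.

    The original code carried commented-out action names, a stray string
    literal and an early return on an instance set that can never be empty
    (the synthetic entry is always appended); those are removed here and the
    four near-identical simulation blocks share one helper.

    NOTE(review): with several ``ResourceArns`` the API reports per-resource
    decisions in ``ResourceSpecificResults``; confirm that
    ``EvalResourceName`` holds an instance ARN for groups 1-3.
    """
    all_instances = simple_storage.all_records('ec2_gather')
    # Synthetic entry recording account-wide reach; related like a real instance.
    all_instances.append({'InstanceId': "ALL-INSTANCES"})
    basic_arn = 'arn:aws:ec2:*:*:instance/'
    instance_arns = {basic_arn + instance['InstanceId'] for instance in all_instances}

    all_users = simple_storage.all_records('iam_gatherusers')
    all_users.extend(simple_storage.all_records('iam_gatherroles'))

    # Action groups simulated against the instance ARNs, in the original order.
    scoped_action_groups = [
        ['ec2:AttachVolume', 'ec2:DetachVolume'],
        ['ec2:StartInstances', 'ec2:StopInstances'],
        ['ec2:AssociateIamInstanceProfile'],
    ]
    # Actions simulated without a resource list.
    unscoped_actions = [
        'ec2:DescribeInstances',
        'ec2:ModifyInstanceAttribute',
        'ec2:CopySnapshot',
        'ec2:RunInstances',
    ]

    def _allowed_evaluations(principal_arn, action_names, resource_arns=None):
        # Run one simulate_principal_policy call and return only the
        # evaluations whose decision is "allowed". ``resource_arns`` is
        # omitted from the request when None (group 4).
        params = {
            'PolicySourceArn': principal_arn,
            'ActionNames': action_names,
            'ContextEntries': [{
                'ContextKeyName': 'aws:multifactorauthpresent',
                'ContextKeyType': 'boolean',
                'ContextKeyValues': ['true'],
            }],
        }
        if resource_arns is not None:
            params['ResourceArns'] = resource_arns
        response = run_single_region('iam', 'simulate_principal_policy', params)
        return [
            evaluation
            for evaluation in response["EvaluationResults"]
            if evaluation["EvalDecision"] == "allowed"
        ]

    for user in all_users:
        principal_arn = user['Arn']

        for action_names in scoped_action_groups:
            for evaluation in _allowed_evaluations(principal_arn, action_names, list(instance_arns)):
                # EvalResourceName is the full instance ARN; strip the prefix
                # to get the instance id the node is keyed on.
                ec2_node = BaseEC2Node(evaluation['EvalResourceName'][len(basic_arn):])
                role_node = BaseRoleNode(principal_arn)
                role_node.relate(self.storage, ec2_node, evaluation['EvalActionName'])

        for evaluation in _allowed_evaluations(principal_arn, unscoped_actions):
            for instance in all_instances:
                ec2_node = BaseEC2Node(instance['InstanceId'])
                role_node = BaseRoleNode(principal_arn)
                role_node.relate(self.storage, ec2_node, evaluation['EvalActionName'])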