Example #1
0
    def _check_acl(self, item, field, keys, recorder):
        acl = item.config.get('Grants', {})
        owner = item.config["Owner"]["ID"].lower()
        for key in acl.keys():
            if key.lower() not in keys:
                continue

            # Canonical ID == Owning Account - No issue
            if key.lower() == owner.lower():
                continue

            entity = Entity(category='ACL', value=key)
            account = self._get_account(field, key)
            if account:
                entity.account_name = account['name']
                entity.account_identifier = account['identifier']
            recorder(item, actions=acl[key], entity=entity)
Example #2
0
    def _check_acl(self, item, field, keys, recorder):
        acl = item.config.get('Grants', {})
        owner = item.config["Owner"]["ID"].lower()
        for key in acl.keys():
            if key.lower() not in keys:
                continue

            # Canonical ID == Owning Account - No issue
            if key.lower() == owner.lower():
                continue

            entity = Entity(category='ACL', value=key)
            account = self._get_account(field, key)
            if account:
                entity.account_name=account['name']
                entity.account_identifier=account['identifier']
            recorder(item, actions=acl[key], entity=entity)
Example #3
0
    def check_subscriptions_crossaccount(self, item):
        """
        "subscriptions": [
          {
               "Owner": "020202020202",
               "Endpoint": "*****@*****.**",
               "Protocol": "email",
               "TopicArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic",
               "SubscriptionArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic:..."
          }
        ]
        """
        subscriptions = item.config.get('subscriptions', [])
        for subscription in subscriptions:
            src_account_number = subscription.get('Owner', None)

            entity = Entity(category=subscription.get('Protocol'),
                            value=subscription.get('Endpoint'),
                            account_identifier=src_account_number,
                            account_name='UNKNOWN')

            account = self._get_account('identifier', src_account_number)
            if not account:
                self.record_unknown_access(item,
                                           entity,
                                           actions=['subscription'])
                continue

            if account['name'] == item.account:
                # Same Account
                continue

            entity.account_name = account['name']
            if account['label'] == 'friendly':
                self.record_friendly_access(item,
                                            entity,
                                            actions=['subscription'])
            elif account['label'] == 'thirdparty':
                self.record_thirdparty_access(item,
                                              entity,
                                              actions=['subscription'])
Example #4
0
    def check_subscriptions_crossaccount(self, item):
        """
        "subscriptions": [
          {
               "Owner": "020202020202",
               "Endpoint": "*****@*****.**",
               "Protocol": "email",
               "TopicArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic",
               "SubscriptionArn": ARN_PREFIX + ":sns:" + AWS_DEFAULT_REGION + ":020202020202:somesnstopic:..."
          }
        ]
        """
        subscriptions = item.config.get('subscriptions', [])
        for subscription in subscriptions:
            src_account_number = subscription.get('Owner', None)

            entity = Entity(
                category=subscription.get('Protocol'),
                value=subscription.get('Endpoint'),
                account_identifier=src_account_number,
                account_name='UNKNOWN')

            account = self._get_account('identifier', src_account_number)
            if not account:
                self.record_unknown_access(item, entity, actions=['subscription'])
                continue

            if account['name'] == item.account:
                # Same Account
                continue

            entity.account_name = account['name']
            if account['label'] == 'friendly':
                self.record_friendly_access(item, entity, actions=['subscription'])
            elif account['label'] == 'thirdparty':
                self.record_thirdparty_access(item, entity, actions=['subscription'])