def test_two_tags_filter_resource(self): resources = filter_resources( [ Resource( digest=ResourceDigest(id="1", type="type"), name="name", tags=[ResourceTag(key="key", value="value1")], ), Resource( digest=ResourceDigest(id="2", type="type"), name="name", tags=[ResourceTag(key="key", value="value2")], ), Resource( digest=ResourceDigest(id="3", type="type"), name="name", tags=[ResourceTag(key="key", value="wrong")], ), ], [ ResourceTag(key="key", value="value1"), ResourceTag(key="key", value="value2"), ], ) assert_that(resources).is_length(2).extracting(0).contains( ResourceDigest(id="1", type="type"), ResourceDigest(id="2", type="type"))
def analyze_assume_statement( self, resource_digest: ResourceDigest, statement ) -> List[Resource]: resources_found = [] if "Principal" in statement and "Service" in statement["Principal"]: assuming_services = statement["Principal"]["Service"] if not isinstance(assuming_services, list): assuming_services = [assuming_services] for assuming_service in assuming_services: if assuming_service in Principals.principals: principal = Principals.principals[assuming_service] principal_found = Resource( digest=ResourceDigest( id=assuming_service, type=principal["type"], ), name=principal["name"], details="principal", group=principal["group"], ) else: principal_found = Resource( digest=ResourceDigest(id=assuming_service, type="aws_general"), name=assuming_service, details="principal", group="general", ) if principal_found is not None: resources_found.append(principal_found) self.create_principal_relation( resource_digest, principal_found.digest ) return resources_found
def test_role_aggregation(self): sut = PolicyDiagram() principal_digest = ResourceDigest(id="ecs.amazonaws.com", type="aws_ecs_cluster") role_1_digest = ResourceDigest(id="AWSServiceRoleForECS1", type="aws_iam_role") role_2_digest = ResourceDigest(id="AWSServiceRoleForECS2", type="aws_iam_role") role_3_digest = ResourceDigest(id="AWSServiceRoleForECS3", type="aws_iam_role") policy_digest = ResourceDigest( id= "arn:aws:iam::policy/service-role/AmazonEC2ContainerServiceforEC2Role", type="aws_iam_policy", ) relations = [ ResourceEdge(from_node=role_1_digest, to_node=principal_digest, label="assumed by"), ResourceEdge(from_node=role_2_digest, to_node=principal_digest, label="assumed by"), ResourceEdge(from_node=role_3_digest, to_node=principal_digest, label="assumed by"), ResourceEdge(from_node=role_3_digest, to_node=policy_digest), ] result = sut.group_by_group( [ Resource(digest=principal_digest, name="principal"), Resource(digest=role_1_digest, name=""), Resource(digest=role_2_digest, name=""), Resource(digest=role_3_digest, name=""), Resource(digest=policy_digest, name=""), ], relations, ) assert_that(result).contains_key("") assert_that(result[""]).is_length(4) for resource in result[""]: assert_that(resource.digest).is_not_equal_to(role_1_digest) assert_that(resource.digest).is_not_equal_to(role_2_digest) relationships = sut.process_relationships(result, relations) assert_that(relationships).is_length(3) assert_that(relationships).contains( ResourceEdge( from_node=ResourceDigest(id=ROLE_AGGREGATE_PREFIX + principal_digest.id, type="aws_iam_role"), to_node=principal_digest, label="assumed by", ))
def restricted_ssh(self, restricted_ssh): client = self.options.client("ec2") security_groups = client.describe_security_groups() resources_found = [] # pylint: disable=too-many-nested-blocks for security_group in security_groups["SecurityGroups"]: for ip_permission in security_group["IpPermissions"]: if "FromPort" in ip_permission and "ToPort" in ip_permission: # Port 22 possible opened using port range if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]: # IPv4 for cidr in ip_permission["IpRanges"]: if cidr["CidrIp"] == "0.0.0.0/0": resources_found.append( Resource( digest=ResourceDigest( id=security_group["GroupId"], type="restricted_ssh", ), details="The SSH port of this security group is opened to the world.", name=security_group["GroupName"], group="ec2_security", security=SecurityValues( status="CRITICAL", parameter="restricted_ssh", value="False", ), ) ) # IPv6 for cidr in ip_permission["Ipv6Ranges"]: if cidr["CidrIpv6"] == "::/0": resources_found.append( Resource( digest=ResourceDigest( id=security_group["GroupId"], type="restricted_ssh", ), details="The SSH port of this security group is opened to the world.", name=security_group["GroupName"], group="ec2_security", security=SecurityValues( status="CRITICAL", parameter="restricted_ssh", value="False", ), ) ) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") resources_found = [] filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}] response = client.describe_vpc_endpoints(Filters=filters) if self.vpc_options.verbose: message_handler("Collecting data from VPC Endpoints...", "HEADER") for data in response["VpcEndpoints"]: if data["VpcId"] == self.vpc_options.vpc_id: endpoint_digest = ResourceDigest( id=data["VpcEndpointId"], type="aws_vpc_endpoint_gateway") if data["VpcEndpointType"] == "Gateway": resources_found.append( Resource( digest=endpoint_digest, name=data["VpcEndpointId"], details="Vpc Endpoint Gateway RouteTable {}". format(", ".join(data["RouteTableIds"])), group="network", tags=resource_tags(data), )) self.relations_found.append( ResourceEdge( from_node=endpoint_digest, to_node=self.vpc_options.vpc_digest(), )) else: resources_found.append( Resource( digest=endpoint_digest, name=data["VpcEndpointId"], details="Vpc Endpoint Service Subnet {}".format( ", ".join(data["SubnetIds"])), group="network", tags=resource_tags(data), )) for subnet_id in data["SubnetIds"]: self.relations_found.append( ResourceEdge( from_node=endpoint_digest, to_node=ResourceDigest(id=subnet_id, type="aws_subnet"), )) return resources_found
def build_policy(data): return Resource( digest=ResourceDigest(id=data["Arn"], type="aws_iam_policy"), name=data["PolicyName"], details="IAM Policy version {}".format(data["DefaultVersionId"]), group="", )
def get_resources(self) -> List[Resource]: if self.vpc_options.verbose: message_handler("Collecting data from Instance Profiles...", "HEADER") paginator = self.vpc_options.client("iam").get_paginator( "list_instance_profiles" ) pages = paginator.paginate() resources_found = [] relations_found = [] for groups in pages: for data in groups["InstanceProfiles"]: profile_digest = ResourceDigest( id=data["InstanceProfileName"], type="aws_iam_instance_profile" ) resources_found.append( Resource( digest=profile_digest, name=data["InstanceProfileName"], details="", group="", ) ) if len(data["Roles"]) == 1: relations_found.append( ResourceEdge( from_node=profile_digest, to_node=ResourceDigest( id=data["Roles"][0]["RoleName"], type="aws_iam_role" ), ) ) self.relations_found = relations_found return resources_found
def access_keys_rotated(self, max_age): client = self.options.client("iam") users = client.list_users() resources_found = [] for user in users["Users"]: paginator = client.get_paginator("list_access_keys") for keys in paginator.paginate(UserName=user["UserName"]): for key in keys["AccessKeyMetadata"]: date_compare = datetime.utcnow() - timedelta( days=int(max_age)) date_compare = date_compare.replace(tzinfo=pytz.utc) last_rotate = key["CreateDate"] if last_rotate < date_compare: resources_found.append( Resource( digest=ResourceDigest( id=key["AccessKeyId"], type="access_keys_rotated"), details="You must rotate your keys", name=key["UserName"], group="iam_security", security=SecurityValues( status="CRITICAL", parameter="max_age", value=str(max_age), ), )) return resources_found
def pitr_enabled(self, pitr_enabled): client = self.options.client("dynamodb") tables = client.list_tables()["TableNames"] resources_found = [] for table in tables: if (client.describe_continuous_backups( TableName=table)["ContinuousBackupsDescription"] ["PointInTimeRecoveryDescription"]["PointInTimeRecoveryStatus"] == "DISABLED"): resources_found.append( Resource( digest=ResourceDigest(id=table, type="pitr_enabled"), details="PITR disabled", name=table, group="ddb_security", security=SecurityValues( status="CRITICAL", parameter="pitr_enabled", value="False", ), )) return resources_found
def ebs_encryption(self, ebs_encryption): client = self.options.client("ec2") volumes = client.describe_volumes()["Volumes"] resources_found = [] for volume in volumes: if volume["Encrypted"] is False: resources_found.append( Resource( digest=ResourceDigest( id=volume["VolumeId"], type="ebs_encryption" ), details="This volume is not encypted.", name=volume["VolumeId"], group="ec2_security", security=SecurityValues( status="CRITICAL", parameter="ebs_encryption", value="False", ), ) ) return resources_found
def imdsv2_check(self, imdsv2_check): client = self.options.client("ec2") instances = client.describe_instances()["Reservations"] resources_found = [] for instance in instances: for instance_detail in instance["Instances"]: if ( instance_detail["MetadataOptions"]["HttpEndpoint"] == "enabled" and instance_detail["MetadataOptions"]["HttpTokens"] == "optional" ): resources_found.append( Resource( digest=ResourceDigest( id=instance_detail["InstanceId"], type="imdsv2_check" ), details="IMDSv2 tokens not enforced", name=instance_detail["InstanceId"], group="ec2_security", security=SecurityValues( status="CRITICAL", parameter="imdsv2_check", value="False", ), ) ) return resources_found
def analyze_bucket(self, client, data): try: documentpolicy = client.get_bucket_policy(Bucket=data["Name"]) except ClientError: return False, None document = json.dumps(documentpolicy, default=datetime_to_string) # check either vpc_id or potential subnet ip are found ipvpc_found = check_ipvpc_inpolicy(document=document, vpc_options=self.vpc_options) if ipvpc_found is True: tags_response = client.get_bucket_tagging(Bucket=data["Name"]) digest = ResourceDigest(id=data["Name"], type="aws_s3_bucket_policy") self.relations_found.append( ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())) return ( True, Resource( digest=digest, name=data["Name"], details="", group="storage", tags=resource_tags(tags_response), ), ) return False, None
def get_resources(self) -> List[Resource]: if self.options.verbose: message_handler("Collecting data from IAM Roles...", "HEADER") paginator = self.client.get_paginator("list_roles") pages = paginator.paginate() resources_found = [] for roles in pages: for data in roles["Roles"]: resource_digest = ResourceDigest( id=data["RoleName"], type="aws_iam_role" ) tag_response = self.client.list_role_tags(RoleName=data["RoleName"],) resources_found.append( Resource( digest=resource_digest, name=data["RoleName"], details="", group="", tags=resource_tags(tag_response), ) ) if ( "AssumeRolePolicyDocument" in data and "Statement" in data["AssumeRolePolicyDocument"] ): for statement in data["AssumeRolePolicyDocument"]["Statement"]: resources_found.extend( self.analyze_assume_statement(resource_digest, statement) ) self.resources_found = resources_found return resources_found
def analyze_restapi(self, data): if "policy" in data: documentpolicy = data["policy"] else: return False, None document = json.dumps(documentpolicy, default=datetime_to_string) # check either vpc_id or potential subnet ip are found ipvpc_found = check_ipvpc_inpolicy(document=document, vpc_options=self.vpc_options) if ipvpc_found is not False: digest = ResourceDigest(id=data["id"], type="aws_api_gateway_rest_api") self.relations_found.append( ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())) return ( True, Resource( digest=digest, name=data["name"], details="", group="network", tags=resource_tags(data), ), ) return False, None
def analyze_policy(self, client, data): documentpolicy = client.get_policy_version( PolicyArn=data["Arn"], VersionId=data["DefaultVersionId"] ) document = json.dumps(documentpolicy, default=datetime_to_string) # check either vpc_id or potential subnet ip are found ipvpc_found = check_ipvpc_inpolicy( document=document, vpc_options=self.vpc_options ) if ipvpc_found is True: digest = ResourceDigest(id=data["Arn"], type="aws_iam_policy") self.relations_found.append( ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest()) ) return ( True, Resource( digest=digest, name=data["PolicyName"], details="IAM Policy version {}".format(data["DefaultVersionId"]), group="security", ), ) return False, None
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") resources_found = [] filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}] response = client.describe_security_groups(Filters=filters) if self.vpc_options.verbose: message_handler("Collecting data from Security Groups...", "HEADER") for data in response["SecurityGroups"]: group_digest = ResourceDigest(id=data["GroupId"], type="aws_security_group") resources_found.append( Resource( digest=group_digest, name=data["GroupName"], details="", group="network", tags=resource_tags(data), )) self.relations_found.append( ResourceEdge(from_node=group_digest, to_node=self.vpc_options.vpc_digest())) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") resources_found = [] filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}] response = client.describe_subnets(Filters=filters) if self.vpc_options.verbose: message_handler("Collecting data from Subnets...", "HEADER") for data in response["Subnets"]: nametag = get_name_tag(data) name = data["SubnetId"] if nametag is None else nametag subnet_digest = ResourceDigest(id=data["SubnetId"], type="aws_subnet") resources_found.append( Resource( digest=subnet_digest, name=name, details="Subnet using CidrBlock {} and AZ {}".format( data["CidrBlock"], data["AvailabilityZone"]), group="network", tags=resource_tags(data), )) self.relations_found.append( ResourceEdge(from_node=subnet_digest, to_node=self.vpc_options.vpc_digest())) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") resources_found = [] filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}] response = client.describe_route_tables(Filters=filters) if self.vpc_options.verbose: message_handler("Collecting data from Route Tables...", "HEADER") # Iterate to get all route table filtered for route_table in response["RouteTables"]: nametag = get_name_tag(route_table) name = route_table["RouteTableId"] if nametag is None else nametag table_digest = ResourceDigest(id=route_table["RouteTableId"], type="aws_route_table") is_main = False for association in route_table["Associations"]: if association["Main"] is True: is_main = True if is_main: self.relations_found.append( ResourceEdge( from_node=table_digest, to_node=self.vpc_options.vpc_digest(), )) else: for association in route_table["Associations"]: if "SubnetId" in association: self.relations_found.append( ResourceEdge( from_node=table_digest, to_node=ResourceDigest( id=association["SubnetId"], type="aws_subnet"), )) is_public = False for route in route_table["Routes"]: if ("DestinationCidrBlock" in route and route["DestinationCidrBlock"] == "0.0.0.0/0" and "GatewayId" in route and route["GatewayId"].startswith("igw-")): is_public = True resources_found.append( Resource( digest=table_digest, name=name, details="default: {}, public: {}".format( is_main, is_public), group="network", tags=resource_tags(route_table), )) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") client_vpn_endpoints = client.describe_client_vpn_endpoints() resources: List[Resource] = [] for client_vpn_endpoint in client_vpn_endpoints["ClientVpnEndpoints"]: if client_vpn_endpoint["VpcId"] == self.vpc_options.vpc_id: digest = ResourceDigest( id=client_vpn_endpoint["ClientVpnEndpointId"], type="aws_vpn_client_endpoint", ) nametag = get_name_tag(client_vpn_endpoint) name = (client_vpn_endpoint["ClientVpnEndpointId"] if nametag is None else nametag) resources.append( Resource( digest=digest, name=name, group="network", tags=resource_tags(client_vpn_endpoint), )) self.relations_found.append( ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())) return resources
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("es") resources_found = [] response = client.list_domain_names() if self.vpc_options.verbose: message_handler("Collecting data from Elasticsearch Domains...", "HEADER") for data in response["DomainNames"]: elasticsearch_domain = client.describe_elasticsearch_domain( DomainName=data["DomainName"] ) documentpolicy = elasticsearch_domain["DomainStatus"]["AccessPolicies"] document = json.dumps(documentpolicy, default=datetime_to_string) # check either vpc_id or potencial subnet ip are found ipvpc_found = check_ipvpc_inpolicy( document=document, vpc_options=self.vpc_options ) # elasticsearch uses accesspolicies too, so check both situation if ( elasticsearch_domain["DomainStatus"]["VPCOptions"]["VPCId"] == self.vpc_options.vpc_id or ipvpc_found is True ): list_tags_response = client.list_tags( ARN=elasticsearch_domain["DomainStatus"]["ARN"] ) digest = ResourceDigest( id=elasticsearch_domain["DomainStatus"]["DomainId"], type="aws_elasticsearch_domain", ) resources_found.append( Resource( digest=digest, name=elasticsearch_domain["DomainStatus"]["DomainName"], details="", group="analytics", tags=resource_tags(list_tags_response), ) ) for subnet_id in elasticsearch_domain["DomainStatus"]["VPCOptions"][ "SubnetIds" ]: self.relations_found.append( ResourceEdge( from_node=digest, to_node=ResourceDigest(id=subnet_id, type="aws_subnet"), ) ) return resources_found
def test_public_subnet(self): sut = VpcDiagram("4") subnet_1_digest = ResourceDigest(id="1", type="aws_subnet") subnet_2_digest = ResourceDigest(id="2", type="aws_subnet") route_digest = ResourceDigest(id="3", type="aws_route_table") vpc_digest = ResourceDigest(id="4", type="aws_vpc") ec2_1_digest = ResourceDigest(id="5", type="aws_instance") ec2_2_digest = ResourceDigest(id="6", type="aws_instance") lambda_digest = ResourceDigest(id="6", type="aws_lambda_function") relations = [ ResourceEdge(from_node=subnet_1_digest, to_node=vpc_digest), ResourceEdge(from_node=subnet_2_digest, to_node=vpc_digest), ResourceEdge(from_node=route_digest, to_node=vpc_digest), ResourceEdge(from_node=ec2_1_digest, to_node=subnet_1_digest), ResourceEdge(from_node=ec2_2_digest, to_node=subnet_2_digest), ResourceEdge(from_node=lambda_digest, to_node=subnet_1_digest), ResourceEdge(from_node=lambda_digest, to_node=subnet_2_digest), ] result = sut.group_by_group( [ Resource(digest=subnet_1_digest, name=""), Resource(digest=subnet_2_digest, name=""), Resource(digest=route_digest, name="", details="default: True, public: True"), Resource(digest=vpc_digest, name=""), Resource(digest=ec2_1_digest, name=""), Resource(digest=ec2_2_digest, name=""), Resource(digest=lambda_digest, name=""), ], relations, ) assert_that(result).contains_key("") assert_that(result[""]).is_length(6) for resource in result[""]: assert_that(resource.digest).is_not_equal_to(subnet_1_digest) assert_that(resource.digest).is_not_equal_to(subnet_2_digest) relationships = sut.process_relationships(result, relations) assert_that(relationships).is_length(8) assert_that(relationships).contains( ResourceEdge( from_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"), to_node=vpc_digest, )) assert_that(relationships).contains( ResourceEdge(from_node=route_digest, to_node=vpc_digest)) assert_that(relationships).contains( ResourceEdge( from_node=ec2_1_digest, to_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"), )) assert_that(relationships).contains( ResourceEdge( from_node=ec2_2_digest, to_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"), ))
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") vpc_response = client.describe_vpcs(VpcIds=[self.vpc_options.vpc_id]) return [ Resource( digest=self.vpc_options.vpc_digest(), name=self.vpc_options.vpc_id, tags=resource_tags(vpc_response["Vpcs"][0]), ) ]
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("autoscaling") resources_found = [] response = client.describe_auto_scaling_groups() if self.vpc_options.verbose: message_handler("Collecting data from Autoscaling Groups...", "HEADER") for data in response["AutoScalingGroups"]: asg_subnets = data["VPCZoneIdentifier"].split(",") # Using subnet to check VPC subnets = describe_subnet( vpc_options=self.vpc_options, subnet_ids=asg_subnets ) if subnets is not None: # Iterate subnet to get VPC for data_subnet in subnets["Subnets"]: if data_subnet["VpcId"] == self.vpc_options.vpc_id: asg_name = data["AutoScalingGroupName"] digest = ResourceDigest( id=asg_name, type="aws_autoscaling_group" ) if "LaunchConfigurationName" in data: details = "Using LaunchConfigurationName {0}".format( data["LaunchConfigurationName"] ) else: details = "Using Launch Template" resources_found.append( Resource( digest=digest, name=asg_name, details=details, group="compute", tags=resource_tags(data), ) ) self.relations_found.append( ResourceEdge( from_node=digest, to_node=ResourceDigest( id=data_subnet["SubnetId"], type="aws_subnet" ), ) ) return resources_found
def test_one_type_filter_resource(self): resources = filter_resources( [ Resource( digest=ResourceDigest(id="1", type="type1"), name="name", tags=[ResourceTag(key="key", value="value")], ), Resource( digest=ResourceDigest(id="2", type="type2"), name="name", tags=[ResourceTag(key="key", value="wrong")], ), ], [ResourceType(type="type1")], ) assert_that(resources).is_length(1) assert_that(resources[0].digest).is_equal_to( ResourceDigest(id="1", type="type1"))
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("ec2") resources_found = [] response = client.describe_instances() if self.vpc_options.verbose: message_handler("Collecting data from EC2 Instances...", "HEADER") for data in response["Reservations"]: for instances in data["Instances"]: if "VpcId" in instances: if instances["VpcId"] == self.vpc_options.vpc_id: nametag = get_name_tag(instances) asg_name = get_tag(instances, "aws:autoscaling:groupName") instance_name = ( instances["InstanceId"] if nametag is None else nametag ) ec2_digest = ResourceDigest( id=instances["InstanceId"], type="aws_instance" ) resources_found.append( Resource( digest=ec2_digest, name=instance_name, details="", group="compute", tags=resource_tags(instances), ) ) self.relations_found.append( ResourceEdge( from_node=ec2_digest, to_node=ResourceDigest( id=instances["SubnetId"], type="aws_subnet" ), ) ) if asg_name is not None: self.relations_found.append( ResourceEdge( from_node=ec2_digest, to_node=ResourceDigest( id=asg_name, type="aws_autoscaling_group" ), ) ) return resources_found
def aggregate_subnets(groups, group_type, group_name): if group_type in groups: subnet_ids = [] for subnet in groups[group_type]: subnet_ids.append(subnet.digest.id) groups[""].append( Resource( digest=ResourceDigest(id=group_type, type="aws_subnet"), name=group_name + ", ".join(subnet_ids), details=", ".join(subnet_ids), ))
def test_file_generation(self): general_resources = [ Resource( digest=ResourceDigest(id="123", type="aws_vpc"), name="name", details="details", ) ] grouped_resources = {"": general_resources} relations = [] result = self.sut.build_diagram(grouped_resources, relations) assert_that(result).starts_with(MX_FILE[:200])
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("mediaconnect") resources_found = [] response = client.list_flows() if self.vpc_options.verbose: message_handler("Collecting data from Media Connect...", "HEADER") for data in response["Flows"]: tags_response = client.list_tags_for_resource( ResourceArn=data["FlowArn"]) data_flow = client.describe_flow(FlowArn=data["FlowArn"]) if "VpcInterfaces" in data_flow["Flow"]: for data_interfaces in data_flow["Flow"]["VpcInterfaces"]: # Using subnet to check VPC subnets = describe_subnet( vpc_options=self.vpc_options, subnet_ids=data_interfaces["SubnetId"], ) if subnets is not None: if subnets["Subnets"][0][ "VpcId"] == self.vpc_options.vpc_id: digest = ResourceDigest(id=data["FlowArn"], type="aws_media_connect") resources_found.append( Resource( digest=digest, name=data["Name"], details= "Flow using VPC {} in VPC Interface {}". format(self.vpc_options.vpc_id, data_interfaces["Name"]), group="mediaservices", tags=resource_tags(tags_response), )) self.relations_found.append( ResourceEdge( from_node=digest, to_node=ResourceDigest( id=data_interfaces["SubnetId"], type="aws_subnet", ), )) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("efs") resources_found = [] # get filesystems available response = client.describe_file_systems() if self.vpc_options.verbose: message_handler("Collecting data from EFS Mount Targets...", "HEADER") for data in response["FileSystems"]: filesystem = client.describe_mount_targets( FileSystemId=data["FileSystemId"]) nametag = get_name_tag(data) filesystem_name = data[ "FileSystemId"] if nametag is None else nametag # iterate filesystems to get mount targets for datafilesystem in filesystem["MountTargets"]: # Using subnet to check VPC subnets = describe_subnet( vpc_options=self.vpc_options, subnet_ids=datafilesystem["SubnetId"]) if subnets is not None: if subnets["Subnets"][0][ "VpcId"] == self.vpc_options.vpc_id: digest = ResourceDigest(id=data["FileSystemId"], type="aws_efs_file_system") resources_found.append( Resource( digest=digest, name=filesystem_name, details="", group="storage", tags=resource_tags(data), )) self.relations_found.append( ResourceEdge( from_node=digest, to_node=ResourceDigest( id=datafilesystem["SubnetId"], type="aws_subnet"), )) return resources_found
def get_resources(self) -> List[Resource]: client = self.vpc_options.client("sagemaker") resources_found = [] response = client.list_training_jobs() if self.vpc_options.verbose: message_handler("Collecting data from Sagemaker Training Job...", "HEADER") for data in response["TrainingJobSummaries"]: tags_response = client.list_tags( ResourceArn=data["TrainingJobArn"], ) training_job = client.describe_training_job( TrainingJobName=data["TrainingJobName"]) if "VpcConfig" in training_job: for subnets in training_job["VpcConfig"]["Subnets"]: # Using subnet to check VPC subnet = describe_subnet(vpc_options=self.vpc_options, subnet_ids=subnets) if subnet is not None: if subnet["Subnets"][0][ "VpcId"] == self.vpc_options.vpc_id: sagemaker_trainingjob_digest = ResourceDigest( id=data["TrainingJobArn"], type="aws_sagemaker_training_job", ) resources_found.append( Resource( digest=sagemaker_trainingjob_digest, name=data["TrainingJobName"], details="", group="ml", tags=resource_tags(tags_response), )) self.relations_found.append( ResourceEdge( from_node=sagemaker_trainingjob_digest, to_node=ResourceDigest(id=subnets, type="aws_subnet"), )) return resources_found