Exemple #1
0
    def analyze_restapi(self, data):

        if "policy" in data:
            documentpolicy = data["policy"]
        else:
            return False, None

        document = json.dumps(documentpolicy, default=datetime_to_string)

        # check either vpc_id or potential subnet ip are found
        ipvpc_found = check_ipvpc_inpolicy(document=document,
                                           vpc_options=self.vpc_options)

        if ipvpc_found is not False:
            digest = ResourceDigest(id=data["id"],
                                    type="aws_api_gateway_rest_api")
            self.relations_found.append(
                ResourceEdge(from_node=digest,
                             to_node=self.vpc_options.vpc_digest()))
            return (
                True,
                Resource(
                    digest=digest,
                    name=data["name"],
                    details="",
                    group="network",
                    tags=resource_tags(data),
                ),
            )
        return False, None
Exemple #2
0
    def analyze_policy(self, client, data):

        documentpolicy = client.get_policy_version(
            PolicyArn=data["Arn"], VersionId=data["DefaultVersionId"]
        )

        document = json.dumps(documentpolicy, default=datetime_to_string)

        # check either vpc_id or potential subnet ip are found
        ipvpc_found = check_ipvpc_inpolicy(
            document=document, vpc_options=self.vpc_options
        )

        if ipvpc_found is True:
            digest = ResourceDigest(id=data["Arn"], type="aws_iam_policy")
            self.relations_found.append(
                ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())
            )
            return (
                True,
                Resource(
                    digest=digest,
                    name=data["PolicyName"],
                    details="IAM Policy version {}".format(data["DefaultVersionId"]),
                    group="security",
                ),
            )

        return False, None
Exemple #3
0
    def analyze_bucket(self, client, data):
        try:
            documentpolicy = client.get_bucket_policy(Bucket=data["Name"])
        except ClientError:
            return False, None

        document = json.dumps(documentpolicy, default=datetime_to_string)

        # check either vpc_id or potential subnet ip are found
        ipvpc_found = check_ipvpc_inpolicy(document=document,
                                           vpc_options=self.vpc_options)

        if ipvpc_found is True:
            tags_response = client.get_bucket_tagging(Bucket=data["Name"])
            digest = ResourceDigest(id=data["Name"],
                                    type="aws_s3_bucket_policy")
            self.relations_found.append(
                ResourceEdge(from_node=digest,
                             to_node=self.vpc_options.vpc_digest()))
            return (
                True,
                Resource(
                    digest=digest,
                    name=data["Name"],
                    details="",
                    group="storage",
                    tags=resource_tags(tags_response),
                ),
            )
        return False, None
Exemple #4
0
    def get_resources(self) -> List[Resource]:

        client = self.vpc_options.client("es")

        resources_found = []

        response = client.list_domain_names()

        if self.vpc_options.verbose:
            message_handler("Collecting data from Elasticsearch Domains...", "HEADER")

        for data in response["DomainNames"]:

            elasticsearch_domain = client.describe_elasticsearch_domain(
                DomainName=data["DomainName"]
            )

            documentpolicy = elasticsearch_domain["DomainStatus"]["AccessPolicies"]

            document = json.dumps(documentpolicy, default=datetime_to_string)

            # check either vpc_id or potencial subnet ip are found
            ipvpc_found = check_ipvpc_inpolicy(
                document=document, vpc_options=self.vpc_options
            )

            # elasticsearch uses accesspolicies too, so check both situation
            if (
                elasticsearch_domain["DomainStatus"]["VPCOptions"]["VPCId"]
                == self.vpc_options.vpc_id
                or ipvpc_found is True
            ):
                list_tags_response = client.list_tags(
                    ARN=elasticsearch_domain["DomainStatus"]["ARN"]
                )
                digest = ResourceDigest(
                    id=elasticsearch_domain["DomainStatus"]["DomainId"],
                    type="aws_elasticsearch_domain",
                )
                resources_found.append(
                    Resource(
                        digest=digest,
                        name=elasticsearch_domain["DomainStatus"]["DomainName"],
                        details="",
                        group="analytics",
                        tags=resource_tags(list_tags_response),
                    )
                )
                for subnet_id in elasticsearch_domain["DomainStatus"]["VPCOptions"][
                    "SubnetIds"
                ]:
                    self.relations_found.append(
                        ResourceEdge(
                            from_node=digest,
                            to_node=ResourceDigest(id=subnet_id, type="aws_subnet"),
                        )
                    )
        return resources_found
Exemple #5
0
 def test_check_ipvpc_inpolicy(self):
     vpce = {
         "VpcEndpoints": [{
             "VpcEndpointId": "vpce-1234abcd",
             "VpcId": "dummy"
         }]
     }
     policy = """
     {"Version":"2012-10-17","Id":"arn:queue","Statement":
     [{"Effect":"Allow","Principal":"*","Action":"SQS:*","Resource":"arn:queue"},
     {"Effect":"Allow","Principal":"*","Action":"sqs:*","Resource":"arn:queue","Condition":
     {"StringEquals":{"aws:sourceVpce":"vpce-1234abcd"}}}]}
     """
     vpc_options = MagicMock()
     vpc_options.vpc_id = "dummy"
     vpc_options.client.return_value.describe_vpc_endpoints.return_value = vpce
     result = check_ipvpc_inpolicy(policy, vpc_options)
     self.assertTrue("vpce-1234abcd" in result)
Exemple #6
0
 def test_check_vpce_inpolicy(self):
     subnets = {
         "Subnets": [{
             "CidrBlock": "10.0.64.0/18",
             "SubnetId": "subnet-123",
             "VpcId": "dummy",
         }]
     }
     policy = """
     {"Version":"2012-10-17","Id":"arn:queue","Statement":
     [{"Effect":"Allow","Principal":"*","Action":"SQS:*","Resource":"arn:queue"},
     {"Effect":"Allow","Principal":"*","Action":"sqs:*","Resource":"arn:queue","Condition":
     {"StringEquals":{"aws:sourceIp": "10.0.0.0/16"}}}]}
     """
     vpc_options = MagicMock()
     vpc_options.vpc_id = "dummy"
     vpc_options.client.return_value.describe_subnets.return_value = subnets
     result = check_ipvpc_inpolicy(policy, vpc_options)
     self.assertTrue("10.0.0.0/16" in result)
     self.assertTrue("10.0.64.0/18" in result)
     self.assertTrue("subnet-123" in result)
Exemple #7
0
    def get_resources(self) -> List[Resource]:

        client = self.vpc_options.client("mediastore")

        resources_found = []

        response = client.list_containers()

        if self.vpc_options.verbose:
            message_handler("Collecting data from Media Store...", "HEADER")

        for data in response["Containers"]:

            store_queue_policy = client.get_container_policy(
                ContainerName=data["Name"])

            document = json.dumps(store_queue_policy["Policy"],
                                  default=datetime_to_string)

            ipvpc_found = check_ipvpc_inpolicy(document=document,
                                               vpc_options=self.vpc_options)

            if ipvpc_found is not False:
                tags_response = client.list_tags_for_resource(
                    Resource=data["ARN"])
                digest = ResourceDigest(id=data["ARN"],
                                        type="aws_mediastore_polocy")
                resources_found.append(
                    Resource(
                        digest=digest,
                        name=data["Name"],
                        details="",
                        group="mediaservices",
                        tags=resource_tags(tags_response),
                    ))
                self.relations_found.append(
                    ResourceEdge(from_node=digest,
                                 to_node=self.vpc_options.vpc_digest()))
        return resources_found
Exemple #8
0
    def analyze_queues(self, client, queue):

        sqs_queue_policy = client.get_queue_attributes(
            QueueUrl=queue, AttributeNames=["QueueArn", "Policy"])

        if "Attributes" in sqs_queue_policy:

            if "Policy" in sqs_queue_policy["Attributes"]:

                documentpolicy = sqs_queue_policy["Attributes"]["Policy"]
                queuearn = sqs_queue_policy["Attributes"]["QueueArn"]
                document = json.dumps(documentpolicy,
                                      default=datetime_to_string)

                # check either vpc_id or potencial subnet ip are found
                ipvpc_found = check_ipvpc_inpolicy(
                    document=document, vpc_options=self.vpc_options)

                if ipvpc_found is not False:
                    list_tags_response = client.list_queue_tags(QueueUrl=queue)
                    resource_digest = ResourceDigest(
                        id=queuearn, type="aws_sqs_queue_policy")
                    self.relations_found.append(
                        ResourceEdge(
                            from_node=resource_digest,
                            to_node=self.vpc_options.vpc_digest(),
                        ))
                    return (
                        True,
                        Resource(
                            digest=resource_digest,
                            name=queue,
                            details="",
                            group="application",
                            tags=resource_tags(list_tags_response),
                        ),
                    )

        return False, None