def analyze_restapi(self, data):
if "policy" in data:
documentpolicy = data["policy"]
else:
return False, None
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(document=document,
vpc_options=self.vpc_options)
if ipvpc_found is not False:
digest = ResourceDigest(id=data["id"],
type="aws_api_gateway_rest_api")
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return (
True,
Resource(
digest=digest,
name=data["name"],
details="",
group="network",
tags=resource_tags(data),
),
)
return False, None
def analyze_policy(self, client, data):
documentpolicy = client.get_policy_version(
PolicyArn=data["Arn"], VersionId=data["DefaultVersionId"]
)
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(
document=document, vpc_options=self.vpc_options
)
if ipvpc_found is True:
digest = ResourceDigest(id=data["Arn"], type="aws_iam_policy")
self.relations_found.append(
ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())
)
return (
True,
Resource(
digest=digest,
name=data["PolicyName"],
details="IAM Policy version {}".format(data["DefaultVersionId"]),
group="security",
),
)
return False, None
def analyze_bucket(self, client, data):
try:
documentpolicy = client.get_bucket_policy(Bucket=data["Name"])
except ClientError:
return False, None
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(document=document,
vpc_options=self.vpc_options)
if ipvpc_found is True:
tags_response = client.get_bucket_tagging(Bucket=data["Name"])
digest = ResourceDigest(id=data["Name"],
type="aws_s3_bucket_policy")
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return (
True,
Resource(
digest=digest,
name=data["Name"],
details="",
group="storage",
tags=resource_tags(tags_response),
),
)
return False, None
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("es")
resources_found = []
response = client.list_domain_names()
if self.vpc_options.verbose:
message_handler("Collecting data from Elasticsearch Domains...", "HEADER")
for data in response["DomainNames"]:
elasticsearch_domain = client.describe_elasticsearch_domain(
DomainName=data["DomainName"]
)
documentpolicy = elasticsearch_domain["DomainStatus"]["AccessPolicies"]
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potencial subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(
document=document, vpc_options=self.vpc_options
)
# elasticsearch uses accesspolicies too, so check both situation
if (
elasticsearch_domain["DomainStatus"]["VPCOptions"]["VPCId"]
== self.vpc_options.vpc_id
or ipvpc_found is True
):
list_tags_response = client.list_tags(
ARN=elasticsearch_domain["DomainStatus"]["ARN"]
)
digest = ResourceDigest(
id=elasticsearch_domain["DomainStatus"]["DomainId"],
type="aws_elasticsearch_domain",
)
resources_found.append(
Resource(
digest=digest,
name=elasticsearch_domain["DomainStatus"]["DomainName"],
details="",
group="analytics",
tags=resource_tags(list_tags_response),
)
)
for subnet_id in elasticsearch_domain["DomainStatus"]["VPCOptions"][
"SubnetIds"
]:
self.relations_found.append(
ResourceEdge(
from_node=digest,
to_node=ResourceDigest(id=subnet_id, type="aws_subnet"),
)
)
return resources_found
def test_check_ipvpc_inpolicy(self):
vpce = {
"VpcEndpoints": [{
"VpcEndpointId": "vpce-1234abcd",
"VpcId": "dummy"
}]
}
policy = """
{"Version":"2012-10-17","Id":"arn:queue","Statement":
[{"Effect":"Allow","Principal":"*","Action":"SQS:*","Resource":"arn:queue"},
{"Effect":"Allow","Principal":"*","Action":"sqs:*","Resource":"arn:queue","Condition":
{"StringEquals":{"aws:sourceVpce":"vpce-1234abcd"}}}]}
"""
vpc_options = MagicMock()
vpc_options.vpc_id = "dummy"
vpc_options.client.return_value.describe_vpc_endpoints.return_value = vpce
result = check_ipvpc_inpolicy(policy, vpc_options)
self.assertTrue("vpce-1234abcd" in result)
def test_check_vpce_inpolicy(self):
subnets = {
"Subnets": [{
"CidrBlock": "10.0.64.0/18",
"SubnetId": "subnet-123",
"VpcId": "dummy",
}]
}
policy = """
{"Version":"2012-10-17","Id":"arn:queue","Statement":
[{"Effect":"Allow","Principal":"*","Action":"SQS:*","Resource":"arn:queue"},
{"Effect":"Allow","Principal":"*","Action":"sqs:*","Resource":"arn:queue","Condition":
{"StringEquals":{"aws:sourceIp": "10.0.0.0/16"}}}]}
"""
vpc_options = MagicMock()
vpc_options.vpc_id = "dummy"
vpc_options.client.return_value.describe_subnets.return_value = subnets
result = check_ipvpc_inpolicy(policy, vpc_options)
self.assertTrue("10.0.0.0/16" in result)
self.assertTrue("10.0.64.0/18" in result)
self.assertTrue("subnet-123" in result)
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("mediastore")
resources_found = []
response = client.list_containers()
if self.vpc_options.verbose:
message_handler("Collecting data from Media Store...", "HEADER")
for data in response["Containers"]:
store_queue_policy = client.get_container_policy(
ContainerName=data["Name"])
document = json.dumps(store_queue_policy["Policy"],
default=datetime_to_string)
ipvpc_found = check_ipvpc_inpolicy(document=document,
vpc_options=self.vpc_options)
if ipvpc_found is not False:
tags_response = client.list_tags_for_resource(
Resource=data["ARN"])
digest = ResourceDigest(id=data["ARN"],
type="aws_mediastore_polocy")
resources_found.append(
Resource(
digest=digest,
name=data["Name"],
details="",
group="mediaservices",
tags=resource_tags(tags_response),
))
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return resources_found
def analyze_queues(self, client, queue):
sqs_queue_policy = client.get_queue_attributes(
QueueUrl=queue, AttributeNames=["QueueArn", "Policy"])
if "Attributes" in sqs_queue_policy:
if "Policy" in sqs_queue_policy["Attributes"]:
documentpolicy = sqs_queue_policy["Attributes"]["Policy"]
queuearn = sqs_queue_policy["Attributes"]["QueueArn"]
document = json.dumps(documentpolicy,
default=datetime_to_string)
# check either vpc_id or potencial subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(
document=document, vpc_options=self.vpc_options)
if ipvpc_found is not False:
list_tags_response = client.list_queue_tags(QueueUrl=queue)
resource_digest = ResourceDigest(
id=queuearn, type="aws_sqs_queue_policy")
self.relations_found.append(
ResourceEdge(
from_node=resource_digest,
to_node=self.vpc_options.vpc_digest(),
))
return (
True,
Resource(
digest=resource_digest,
name=queue,
details="",
group="application",
tags=resource_tags(list_tags_response),
),
)
return False, None