def add_to_neo(tx):
all_nodes = simple_storage.all_records('graph_nodes')
all_relations = simple_storage.all_records('graph_relationships')
for node in all_nodes:
tx.run('MERGE (t:{1} {{NodeId: "{0}", node_type: "{1}"}});'.format(node['node_id'], node['node_type']))
for rel in all_relations:
tx.run('MATCH (source {{NodeId: "{0}"}}), (target {{NodeId: "{1}"}}) MERGE (source)-[:SystemConnection {{type: "{2}"}}]->(target);'.format(rel['source_node'], rel['target_node'], rel['relation_name']))
def export():
all_nodes = simple_storage.all_records('graph_nodes')
all_relations = simple_storage.all_records('graph_relationships')
with open('graph_nodes.csv', 'w') as csvfile:
fieldnames = ['node_id', 'node_resource_id', 'node_type']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for graph_node in all_nodes:
writer.writerow(graph_node)
with open('graph_relationships.csv', 'w') as csvfile:
fieldnames = ['relation_name', 'source_node', 'target_node']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for graph_relation in all_relations:
writer.writerow(graph_relation)
def init(self):
all_users_to_ip = simple_storage.all_records('user_to_ip')
all_users = simple_storage.all_records('users')
all_roles = simple_storage.all_records('roles')
name_to_arn = {}
for user in all_users:
name_to_arn[user['UserName']] = user['Arn']
for role in all_roles:
name_to_arn[role['RoleName']] = role['Arn']
for user in all_users_to_ip:
if user['username'] not in name_to_arn:
continue
user_node = BaseRoleNode(name_to_arn[user['username']])
for ip in user['ips']:
ip_node = BasePublicIP(ip)
ip_node.relate(user_node, "UserPublicIPAddress")
def init(self):
all_lambda_functions = simple_storage.all_records('lambda_function')
all_lambda_functions_arn = set([])
for lambda_function in all_lambda_functions:
all_lambda_functions_arn.add(lambda_function['FunctionArn'])
all_users = simple_storage.all_records('iam_gatherusers')
all_users.extend(simple_storage.all_records('iam_gatherroles'))
if len(all_lambda_functions_arn) == 0:
return
for user in all_users:
simulation_params = {
'PolicySourceArn':
user['Arn'],
'ActionNames':
['lambda:GetFunction', 'lambda:UpdateFunctionCode'],
'ResourceArns':
list(all_lambda_functions_arn),
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam',
'simulate_principal_policy',
simulation_params)
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
lambda_node = BaseLambdaNode(
simulation_data['EvalResourceName'])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, lambda_node,
simulation_data['EvalActionName'])
def init(self):
all_instances = simple_storage.all_records('ec2_gather')
all_instances_arn = set([])
all_instances.append({'InstanceId': "ALL-INSTANCES"})
basic_arn = 'arn:aws:ec2:*:*:instance/'
for instance in all_instances:
all_instances_arn.add(basic_arn + instance['InstanceId'])
all_users = simple_storage.all_records('iam_gatherusers')
all_users.extend(simple_storage.all_records('iam_gatherroles'))
if len(all_instances_arn) == 0:
return
for user in all_users:
simulation_params = {
'PolicySourceArn':
user['Arn'],
'ActionNames': ['ssm:SendCommand'],
'ResourceArns':
['arn:aws:ssm:*:*:document/AWS-RunPowerShellScript'],
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam',
'simulate_principal_policy',
simulation_params)
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
for instance in all_instances:
ec2_node = BaseEC2Node(instance['InstanceId'])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, ec2_node,
simulation_data['EvalActionName'])
def init(self):
all_instances = simple_storage.all_records('ec2_gather')
all_instances.append({'InstanceId': "ALL-INSTANCES"})
all_instances_arn = set([])
basic_arn = 'arn:aws:ec2:*:*:instance/'
for instance in all_instances:
all_instances_arn.add(basic_arn + instance['InstanceId'])
all_users = simple_storage.all_records('iam_gatherusers')
all_users.extend(simple_storage.all_records('iam_gatherroles'))
''''ec2:AssociateIamInstanceProfile',
'ec2:DetachVolume',
'ec2:AttachVolume','''
if len(all_instances_arn) == 0:
return
for user in all_users:
simulation_params = {
'PolicySourceArn': user['Arn'],
'ActionNames': [
#'ec2:AssociateIamInstanceProfile'
#'ec2:StartInstances',
#'ec2:StopInstances'
'ec2:AttachVolume',
'ec2:DetachVolume'
],
'ResourceArns': list(all_instances_arn),
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
#all_simulations = {"EvaluationResults": []}
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
ec2_node = BaseEC2Node(simulation_data['EvalResourceName'][len(basic_arn):])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, ec2_node, simulation_data['EvalActionName'])
simulation_params = {
'PolicySourceArn': user['Arn'],
'ActionNames': [
#'ec2:AssociateIamInstanceProfile'
'ec2:StartInstances',
'ec2:StopInstances'
#'ec2:AttachVolume'
],
'ResourceArns': list(all_instances_arn),
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
#all_simulations = {"EvaluationResults": []}
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
ec2_node = BaseEC2Node(simulation_data['EvalResourceName'][len(basic_arn):])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, ec2_node, simulation_data['EvalActionName'])
simulation_params = {
'PolicySourceArn': user['Arn'],
'ActionNames': [
'ec2:AssociateIamInstanceProfile'
#'ec2:StartInstances',
#'ec2:StopInstances'
#'ec2:AttachVolume'
],
'ResourceArns': list(all_instances_arn),
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
#all_simulations = {"EvaluationResults": []}
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
ec2_node = BaseEC2Node(simulation_data['EvalResourceName'][len(basic_arn):])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, ec2_node, simulation_data['EvalActionName'])
simulation_params = {
'PolicySourceArn': user['Arn'],
'ActionNames': [
'ec2:DescribeInstances',
'ec2:ModifyInstanceAttribute',
'ec2:CopySnapshot',
'ec2:RunInstances'
],
'ContextEntries': [{
'ContextKeyName': 'aws:multifactorauthpresent',
'ContextKeyType': 'boolean',
'ContextKeyValues': ['true']
}]
}
all_simulations = run_single_region('iam', 'simulate_principal_policy', simulation_params)
for simulation_data in all_simulations["EvaluationResults"]:
if simulation_data["EvalDecision"] == "allowed":
for instance in all_instances:
ec2_node = BaseEC2Node(instance['InstanceId'])
role_node = BaseRoleNode(user['Arn'])
role_node.relate(self.storage, ec2_node, simulation_data['EvalActionName'])