My television is from the early days of high definition. It has done remarkably well over the years and has proved to be

- target_label: RedshiftCluster permissions: - redshift:* - redshift:CreateClusterUser - redshift:GetClusterCredentials - redshift:JoinGroup relationship_name: CAN_ADMINISTER,This short config searches the graph for policy statements that allow any one of the four above actions (redshift:*, redshift:CreateClusterUser, etc). Then, we find which AWS principals in the current account are attached to these statements. Finally, we draw a link from each principal to all RedshiftCluster nodes in the current account of the form (:AWSPrincipal)-[:CAN_ADMINISTER]->(:RedshiftCluster).,My set up as outlined above would be akin to taking the console back to watching a videotape on my current television. I wouldn’t do it as it would be an insult to the television and I will not insult the new PlayStation with standard settings. I want to ensure that I have a setup worthy of the mighty beast, one that would see this router of all things gaming smile.,There are lots of ideas we have around engineering a more reliable data sync, speeding up the sync process, making our plugin framework even more newcomer-friendly, and making the data useful for more people. More than just providing data, we’re excited about using the graph for both offensive and defensive automated actions: imagine having a robot army running around your environment using the graph as a map and fixing all the security problems that it finds. There are many possibilities to use this idea to its full potential and we look forward to building out this platform together with the open source infosec community.,PlayStation 5 represents a huge leap forward in gaming and collaboration. It will be the visual spectacle that Avatar was for film. It is an achievement in engineering and collaboration. It is a console that I desire, yet know I am not worthy of just yet.,I’m excited for everyone who will be getting a new console this week. The PlayStation 5 is the one that has caught my eye and for all those out there getting one, I tip my cap. One day I will make the leap but until I have the perfect infrastructure behind me, there is little point.,We have established mappings from AWS principal to sensitive Redshift resources, but as mentioned above in our Related Work section, this is still slightly duplicative of PMapper’s functionality. Why even build this into Cartography?,Whilst I am saying no today and making a truly adult decision, I am not saying no forever. The PlayStation 5 is an amazing piece of kit. I want to invest in the next incarnation of PS VR when it comes around. The combination of the two, alongside Resident Evil 8 and other exclusives such as the rumoured Metal Gear Solid remake will sway me.,But the best way to learn about race is to surround yourself with a racially diverse group of friends. As you begin to develop friendships with people with different racial and ethnic backgrounds, race and ethnicity will naturally come up in your conversations. They might even show up when you go out to dinner with them, because of how the people around you treat you, and it might sometimes be uncomfortable.,Our rationale here is that if an identity is able to perform any one of those four actions on a Redshift cluster, then we consider that a so-called “Redshift admin” and we want to draw a relationship from the identity to the cluster so that we can quickly query for them.,We’ve shared Cartography at several security conferences over our first year and a half as an open source project, but this is the first time that we’ve blogged about it here on the Lyft Engineering blog. The problem of understanding IAM permissions lends itself well to a graph-based solution, and we’re just scratching the surface of what we have planned.,You can draw your own resource permission relationships by copying our examples to your own yaml file and specifying its absolute path in the Cartography command-line interface’s --permission-relationships-file argument.,Beyond Resident Evil 8 is the knowledge that by owning one I would be one of the first. Amongst my friends, I would have bragging rights and this is one of the reasons why I pre-ordered the PlayStation 3 back in the day. For a 17-year-old me it would be a logical decision, but for a 31-year-old me with no Resident Evil on launch day it would prove to be an empty reason.,There are lots of ideas we have around engineering a more reliable data sync, speeding up the sync process, making our plugin framework even more newcomer-friendly, and making the data useful for more people. More than just providing data, we’re excited about using the graph for both offensive and defensive automated actions: imagine having a robot army running around your environment using the graph as a map and fixing all the security problems that it finds. There are many possibilities to use this idea to its full potential and we look forward to building out this platform together with the open source infosec community.,Now that we have enriched the IAM data in the graph, we can use Cartography’s Drift Detection feature to let us know via Slack alerts whenever the list of Redshift admins changes, and that we should investigate why this list changed. We’ll blog on the details of Drift Detection in a future post if there’s interest (and once we dig ourselves out from under of the pile of other wonderful ideas we want to build), but as a teaser, the result looks like this: