Lyft is an AWS shop, and AWS’ access control mechanism is called IAM. It determines which Principals (e.g. users, groups

Author : eebrahem
Publish Date : 2021-01-05 12:39:52


Then, Cartography will search for all S3Bucket nodes in the current AWS account (since ResourceType is specified as S3Bucket above) and draw a graph edge labeled CAN_READ from the AWSPrincipal to the S3Bucket.

Cartography will search all AWSPolicyStatement nodes that allow the S3:GetObject permission and find all AWSPrincipal nodes attached to these statements. Cartography also verifies that no other AWSPolicyStatement nodes deny the S3:GetObject permission.

MATCH (stat:AWSPolicyStatement)--(pol:AWSPolicy)--(principal:AWSPrincipal) WHERE stat.effect = 'Allow' AND any(x IN stat.resource WHERE x='*') AND any(x IN stat.action WHERE x='*' ) RETURN *

It’s great that we have the data, but it’s cumbersome to need to remember all the rules of IAM policy evaluation to answer this question. It would save us a lot of time to be able to simply ask “who has permission to read from my storage buckets?” or “who has permission to run queries on my DynamoDB tables?”

With all of this data in the graph, earlier in April of this year we thought that it’d be a great idea to evaluate IAM policies offline so that we could determine a given principal’s resulting accesses (for those familiar with Windows security, this calculation might remind you a bit of RSOP). We called this feature Resource Permission Relationships.

Since group expansion has already been calculated, this is the resulting set of roles and users that can access the sensitive S3 bucket. Only identity-based policies are evaluated at the moment; we plan to add resource policies in a future update.

The result can look something like this. If you try this yourself, you might be in for an unpleasant surprise if you aren’t expecting any principals to be highly privileged:

In summary, we have taken the path(:AWSPrincipal)-->(:AWSPolicy)-->(:AWSPolicyStatement{effect:'Allow', resource:'s3', Action:'S3:GetObject'}), evaluated it against S3Bucket nodes, and simplified it to draw an edge from the principal to the S3 bucket like this: (:AWSPrincipal)-[:CAN_READ]->(:S3Bucket). The questions “what does this principal have permission to do?” and “who has access to my resource?” can now be queried at scale as they are precomputed and stored in the graph.

As a motivating example, we wanted to quickly see which principals had root or “root-like” privileges in our environment. An IAM policy like this allows the equivalent of root privileges to all principals it is attached to because it allows any action to be performed on any resource:

As seen above, our plan was for Cartography to automatically map AWS principals to the resources that they can access! These mappings would be specified in a permission_relationships.yaml file, and you can read how to configure this here. To understand how this works, we’ll walk you through the above picture’s CAN_READ example:

You might have noticed that we only included 3 RPRs in the previous section regarding S3 buckets and DynamoDB tables, and you might be wondering why we didn’t perform this policy expansion logic for all principals and for all resources so that the graph would be as complete as possible. This is infeasible because AWS has a lot of built-in IAM policies that may not even apply to any principals in your environment. Running this calculation for everything is wasteful so we opted instead to include some sample RPRs in the default permission_relationships.yaml file and allow you to customize this to your needs. You can copy the process described in the next section to do this.

If you stare at the query long enough, it makes sense: we look for PolicyStatements that are attached to AWSPolicy nodes that are attached to AWSPrincipals where * is set as both a Resource and an Action.

AWS roles, users, and groups have policies attached to them, which determine the Actions they are allowed to perform or not perform against a defined set of Resources. IAM can get very complicated: you can specify advanced clauses like NotAction (which determine what a Resource can’t do) or NotResource (which determine the resources this statement does not apply to). Further, you can use the * character to have a policy apply to objects that match a given text string. A principal’s resulting access is determined by all the policy statements mapped to it.
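The evaluation rules sketched above (explicit Deny beats Allow, Allow beats the implicit deny, NotAction/NotResource invert the match, and * acts as a wildcard) are what a Resource Permission Relationship has to replay offline before it can draw a CAN_READ edge or answer the "who is root-like?" query. The following is an added, self-contained Python illustration written for this page; it is not Cartography's own code, and its Statement model, principal and bucket data are constructed assumptions. It covers only identity-based policies (as the post says the feature does), ignores conditions, resource policies and SCPs, and, like the Cypher query above, flags a principal as root-like when an Allow statement lists * in both Action and Resource.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Statement:
    """One simplified IAM policy statement (hypothetical model, not Cartography's schema)."""
    effect: str                                   # "Allow" or "Deny"
    action: list = field(default_factory=list)    # Action list, may contain wildcards
    not_action: list = field(default_factory=list)
    resource: list = field(default_factory=list)  # Resource ARNs, may contain wildcards
    not_resource: list = field(default_factory=list)


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, arn):
    # ARN matching is case-sensitive; wildcards work the same way.
    return any(fnmatch.fnmatchcase(arn, p) for p in patterns)


def statement_applies(stmt, action, arn):
    """Does this statement cover (action, arn)? NotAction/NotResource invert the match."""
    if stmt.action:
        if not _action_matches(stmt.action, action):
            return False
    elif stmt.not_action:
        if _action_matches(stmt.not_action, action):
            return False
    else:
        return False  # a statement with neither Action nor NotAction covers nothing
    if stmt.resource:
        if not _resource_matches(stmt.resource, arn):
            return False
    elif stmt.not_resource:
        if _resource_matches(stmt.not_resource, arn):
            return False
    else:
        return False
    return True


def is_allowed(statements, action, arn):
    """Identity-based evaluation: explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    allowed = False
    for stmt in statements:
        if not statement_applies(stmt, action, arn):
            continue
        if stmt.effect == "Deny":
            return False
        allowed = True
    return allowed


def compute_can_read(principals, buckets, action="s3:GetObject"):
    """Emulate the S3Bucket CAN_READ relationship: one (principal, bucket) edge per readable bucket.

    The edge is bucket-level, so a representative object ARN in the bucket is tested;
    object-prefix Denies inside a bucket are deliberately not visible at this granularity.
    """
    edges = []
    for name, stmts in principals.items():
        for bucket in buckets:
            if is_allowed(stmts, action, f"arn:aws:s3:::{bucket}/object"):
                edges.append((name, bucket))
    return sorted(edges)


def root_like_principals(principals):
    """Same condition as the Cypher query: an Allow with '*' in both Resource and Action."""
    return sorted(
        name for name, stmts in principals.items()
        if any(s.effect == "Allow" and "*" in s.resource and "*" in s.action for s in stmts)
    )


# Constructed sample data: four principals with the policy statements attached to them.
PRINCIPALS = {
    "role/admin": [Statement("Allow", action=["*"], resource=["*"])],
    "user/analyst": [
        Statement("Allow", action=["s3:Get*", "s3:List*"], resource=["arn:aws:s3:::data-lake/*"]),
        Statement("Deny", action=["s3:GetObject"], resource=["arn:aws:s3:::data-lake/secret/*"]),
    ],
    "role/ci": [Statement("Allow", not_action=["iam:*", "organizations:*"],
                          not_resource=["arn:aws:s3:::payroll/*"])],
    "user/intern": [Statement("Allow", action=["s3:ListBucket"], resource=["*"])],
}
BUCKETS = ["data-lake", "payroll", "logs"]  # constructed S3Bucket nodes

if __name__ == "__main__":
    for principal, bucket in compute_can_read(PRINCIPALS, BUCKETS):
        print(f"({principal})-[:CAN_READ]->({bucket})")
    print("root-like:", root_like_principals(PRINCIPALS))
```

Running it draws CAN_READ edges from role/admin to every bucket, from role/ci to everything except payroll (the NotResource exclusion), and from user/analyst to data-lake only; user/intern gets no read edge because ListBucket is not GetObject. The per-object checks in the test show the explicit Deny on the secret/ prefix winning even though the bucket-level edge exists, which is the kind of caveat to keep in mind when reading a precomputed graph.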

At the time of development, we knew of other great open-source projects that dealt with IAM like policyuniverse and Cloudsplaining, but we did not know of anything that performed offline evaluation in the way we wanted. We found that the closest project to our idea was NCC Group’s PMapper (neat!), but PMapper focuses on returning a single query answer and doesn’t yield as much of a full, explorable picture to the extent that Cartography does. There are more benefits to having this logic in Cartography itself, which we will cover in the next scenario.



Category : general
