With all of this data in the graph, earlier in April of this year we thought that it’d be a great idea to evaluate IAM p

Author : ealimkhanki
Publish Date : 2021-01-07 10:34:55



At the time of development, we knew of other great open-source projects that dealt with IAM like policyuniverse and Cloudsplaining, but we did not know of anything that performed offline evaluation in the way we wanted. We found that the closest project to our idea was NCC Group’s PMapper (neat!), but PMapper focuses on returning a single query answer and doesn’t yield as full and explorable a picture as Cartography does. There are more benefits to having this logic in Cartography itself, which we will cover in the next scenario.

As seen above, our plan was for Cartography to automatically map AWS principals to the resources that they can access. These mappings are specified in a permission_relationships.yaml file, and you can read how to configure this here. To understand how this works, we’ll walk you through the above picture’s CAN_READ example:

Cartography will search all AWSPolicyStatement nodes that allow the S3:GetObject permission and find all AWSPrincipal nodes attached to these statements. Cartography also verifies that no other AWSPolicyStatement node attached to the same principal denies the S3:GetObject permission, since an explicit deny overrides any allow.

Then, Cartography will search for all S3Bucket nodes in the current AWS account (since ResourceType is specified as S3Bucket above) and draw a graph edge labeled CAN_READ from the AWSPrincipal to the S3Bucket.

Since group expansion has already been calculated, this is the resulting set of roles and users that can access the sensitive S3 bucket. Only identity-based policies are evaluated at the moment; we plan to add resource policies in a future update.

In summary, we have taken the path (:AWSPrincipal)-->(:AWSPolicy)-->(:AWSPolicyStatement{effect:'Allow', resource:'s3', Action:'S3:GetObject'}), evaluated it against S3Bucket nodes, and simplified it to draw an edge from the principal to the S3 bucket like this: (:AWSPrincipal)-[:CAN_READ]->(:S3Bucket). The questions “what does this principal have permission to do?” and “who has access to my resource?” can now be queried at scale because the answers are precomputed and stored in the graph.

You might have noticed that we only included 3 RPRs in the previous section regarding S3 buckets and DynamoDB tables, and you might be wondering why we didn’t perform this policy expansion logic for all principals and for all resources so that the graph would be as complete as possible. This is infeasible because AWS has a lot of built-in IAM policies that may not even apply to any principals in your environment. Running this calculation for everything is wasteful, so we opted instead to include some sample RPRs in the default permission_relationships.yaml file and allow you to customize this to your needs. You can copy the process described in the next section to do this.

You can draw your own resource permission relationships by copying our examples to your own yaml file and specifying its absolute path in the Cartography command-line interface’s --permission-relationships-file argument.

More recently, we had a task to monitor the IAM principals that have admin access to AWS Redshift clusters. This was a simple 6 line change to our permission_relationships.yaml file (and you can see the PR here):

```yaml
- target_label: RedshiftCluster
  permissions:
    - redshift:*
    - redshift:CreateClusterUser
    - redshift:GetClusterCredentials
    - redshift:JoinGroup
  relationship_name: CAN_ADMINISTER
```

This short config searches the graph for policy statements that allow any one of the four above actions (redshift:*, redshift:CreateClusterUser, etc.). Then, we find which AWS principals in the current account are attached to these statements. Finally, we draw a link from each principal to all RedshiftCluster nodes in the current account of the form (:AWSPrincipal)-[:CAN_ADMINISTER]->(:RedshiftCluster).

Our rationale here is that if an identity is able to perform any one of those four actions on a Redshift cluster, then we consider it a so-called “Redshift admin” and we want to draw a relationship from the identity to the cluster so that we can quickly query for them.

We have established mappings from AWS principal to sensitive Redshift resources, but as mentioned above in our Related Work section, this is still slightly duplicative of PMapper’s functionality. Why even build this into Cartography?

Now that we have enriched the IAM data in the graph, we can use Cartography’s Drift Detection feature to let us know via Slack alerts whenever the list of Redshift admins changes, so that we can investigate why the list changed. We’ll blog on the details of Drift Detection in a future post if there’s interest (and once we dig ourselves out from under the pile of other wonderful ideas we want to build), but as a teaser, the result looks like this:
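To make the allow/deny evaluation behind both the S3 CAN_READ walkthrough and the Redshift CAN_ADMINISTER config concrete, here is an added, stand-alone Python example. It is not Cartography’s own code: it re-implements the semantics the post describes (an edge is drawn when any listed permission is allowed by a matching statement and no matching statement denies it) over constructed, identity-based policy statements. The account number, principal ARNs, bucket and cluster names, and the statements themselves are hypothetical, and Python’s fnmatch stands in for IAM’s action and resource wildcard matching.

```python
"""Offline evaluation of identity-based IAM policy statements against a list
of resource permission relationships (RPRs), in the style of Cartography's
permission_relationships.yaml.

Added, self-contained example; not Cartography's code. All principals,
statements and resources below are constructed for illustration.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    effect: str       # "Allow" or "Deny"
    actions: tuple    # IAM actions, wildcards permitted, e.g. ("s3:GetObject", "redshift:*")
    resources: tuple  # resource ARNs, wildcards permitted, e.g. ("*",)


@dataclass(frozen=True)
class Principal:
    arn: str
    statements: tuple  # statements reachable from the principal; group expansion already applied


# RPR specs using the same keys as the yaml in the post.
RPR_SPECS = [
    {"target_label": "S3Bucket",
     "permissions": ["s3:GetObject"],
     "relationship_name": "CAN_READ"},
    {"target_label": "RedshiftCluster",
     "permissions": ["redshift:*", "redshift:CreateClusterUser",
                     "redshift:GetClusterCredentials", "redshift:JoinGroup"],
     "relationship_name": "CAN_ADMINISTER"},
]


def action_matches(statement_action: str, permission: str) -> bool:
    """IAM action names are case-insensitive; the statement side may carry
    '*' or '?' wildcards (e.g. 's3:Get*', '*')."""
    return fnmatch.fnmatchcase(permission.lower(), statement_action.lower())


def resource_matches(statement_resource: str, resource_arn: str) -> bool:
    """Resource ARNs use the same glob rules, but are case-sensitive."""
    return fnmatch.fnmatchcase(resource_arn, statement_resource)


def statement_applies(stmt: Statement, permission: str, resource_arn: str) -> bool:
    return (any(action_matches(a, permission) for a in stmt.actions)
            and any(resource_matches(r, resource_arn) for r in stmt.resources))


def principal_is_allowed(principal: Principal, permission: str, resource_arn: str) -> bool:
    """Identity-based evaluation only: an explicit Deny on a matching statement
    wins over any Allow; with no matching Allow the default is deny."""
    allowed = False
    for stmt in principal.statements:
        if not statement_applies(stmt, permission, resource_arn):
            continue
        if stmt.effect.lower() == "deny":
            return False
        allowed = True
    return allowed


def build_relationships(principals, resources, rpr_specs):
    """Return the set of (principal_arn, relationship_name, resource_id) edges,
    i.e. the precomputed (:AWSPrincipal)-[:REL]->(:Resource) links."""
    edges = set()
    for spec in rpr_specs:
        targets = [r for r in resources if r["label"] == spec["target_label"]]
        for principal in principals:
            for res in targets:
                # Any one of the listed actions being allowed is enough to draw the edge.
                if any(principal_is_allowed(principal, perm, res["arn"])
                       for perm in spec["permissions"]):
                    edges.add((principal.arn, spec["relationship_name"], res["id"]))
    return edges


def sample_relationships():
    """Constructed sample data for a hypothetical account 123456789012."""
    bucket_arn = "arn:aws:s3:::sensitive-bucket"
    resources = [
        {"label": "S3Bucket", "id": "sensitive-bucket", "arn": bucket_arn},
        {"label": "RedshiftCluster", "id": "analytics",
         "arn": "arn:aws:redshift:us-east-1:123456789012:cluster:analytics"},
    ]
    principals = [
        Principal("arn:aws:iam::123456789012:role/admin",
                  (Statement("Allow", ("*",), ("*",)),)),
        Principal("arn:aws:iam::123456789012:role/reader",
                  (Statement("Allow", ("S3:GetObject",), (bucket_arn, bucket_arn + "/*")),)),
        # Broad s3:* grant, but the explicit Deny on sensitive-* buckets wins.
        Principal("arn:aws:iam::123456789012:role/restricted",
                  (Statement("Allow", ("s3:*",), ("*",)),
                   Statement("Deny", ("s3:GetObject",), ("arn:aws:s3:::sensitive-*",)))),
        Principal("arn:aws:iam::123456789012:user/redshift-ops",
                  (Statement("Allow", ("redshift:GetClusterCredentials",), ("*",)),)),
    ]
    return build_relationships(principals, resources, RPR_SPECS)


if __name__ == "__main__":
    for edge in sorted(sample_relationships()):
        print("(%s)-[:%s]->(%s)" % edge)
```

Running it draws CAN_READ edges for admin and reader (the reader’s mixed-case S3:GetObject still matches), no S3 edge for the restricted role because its explicit Deny beats the s3:* Allow, and CAN_ADMINISTER edges for admin and redshift-ops, the latter on the strength of a single redshift:GetClusterCredentials grant. Like the post’s implementation at the time, this looks at identity-based policies only and ignores NotAction/NotResource, conditions, permission boundaries and SCPs, so an edge means “allowed by an identity policy”, which is the question the graph is answering, not “allowed in practice”.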



Category : general
