
AWS IAM: represent STS_ASSUMEROLE_ALLOW from arn:aws:iam::ACCOUNT_NUMBER:root

Open achantavy opened this issue 1 year ago • 2 comments

Description:


The AWS IAM sync currently draws STS_ASSUMEROLE_ALLOW relationships by looking for TRUSTS_AWS_PRINCIPAL relationships: https://github.com/cartography-cncf/cartography/blob/4fa4b82cbd1e3fc7c88868ac08294ea276b98610/cartography/intel/aws/iam.py#L457-L463

This, however, does not handle arn:aws:iam::ACCOUNT_NUMBER:root. If a principal trusts root, then technically any role in that account is able to assume it. To properly represent this, we could draw an STS_ASSUMEROLE_ALLOW relationship from every role in ACCOUNT_NUMBER to the target principal. This could be quite edge-heavy in some cases but would properly highlight cross-account permissions.

cc: @SecPrez, eager to hear your thoughts here. I'm thinking this is worth doing even if the rel count can be heavy for some cases.

achantavy, Dec 25 '24 07:12

I imagine super nodes is potentially a consideration: https://medium.com/neo4j/graph-modeling-all-about-super-nodes-d6ad7e11015b

achantavy, Dec 28 '24 03:12
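To make the proposal in the issue body concrete, and to show how heavy the expansion gets for the super-node concern above, here is an added worked example. It is not cartography code and does not use cartography's schema or loaders; it only shows the edge derivation. Given a list of roles with their trust policies, it extracts the AWS principals from `Allow` statements for `sts:AssumeRole`, expands any `arn:aws:iam::ACCOUNT_NUMBER:root` principal (and the equivalent bare 12-digit account id, which IAM treats the same way) into one `STS_ASSUMEROLE_ALLOW` edge from every known role in that account, and reports the resulting in-degree per target. The role ARNs, account numbers and policies are constructed sample data, and the function names are my own.

```python
"""Expand AWS trust-policy principals into STS_ASSUMEROLE_ALLOW edges.

Added example; not cartography code. Role ARNs, account numbers and
trust policies below are constructed sample data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Matches arn:aws:iam::ACCOUNT_NUMBER:root and captures the account number.
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Constructed sample data: two accounts, four roles.
SAMPLE_ROLES = [
    {   # trusts the whole of account 222222222222 via the root ARN
        "Arn": "arn:aws:iam::111111111111:role/Admin",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
             "Action": "sts:AssumeRole"}]},
    },
    {   # trusts one specific role in the other account
        "Arn": "arn:aws:iam::111111111111:role/ReadOnly",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Deployer"]},
             "Action": "sts:AssumeRole"}]},
    },
    {   # service trust only; no AWS principal, so no role-to-role edge
        "Arn": "arn:aws:iam::222222222222:role/Deployer",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"}]},
    },
    {   # bare account id: IAM treats this exactly like the root ARN of that account
        "Arn": "arn:aws:iam::222222222222:role/Auditor",
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "222222222222"},
             "Action": ["sts:AssumeRole", "sts:TagSession"]}]},
    },
]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_aws_principals(trust_policy: dict) -> List[str]:
    """Return the AWS principals named in Allow statements that grant sts:AssumeRole."""
    found: List[str] = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous trust is not an IAM ARN; not expanded here
            continue
        found.extend(_as_list(principal.get("AWS")))
    return found


def assume_role_edges(roles: List[dict]) -> Set[Tuple[str, str]]:
    """Return (source_arn, target_arn) pairs for STS_ASSUMEROLE_ALLOW.

    A trust of arn:aws:iam::ACCOUNT:root (or a bare 12-digit account id) is
    expanded to every role known in ACCOUNT, as the issue proposes. This is
    an over-approximation: a role in the trusted account can only actually
    assume the target if its own identity policy also grants sts:AssumeRole.
    """
    roles_by_account: Dict[str, List[str]] = defaultdict(list)
    for role in roles:
        roles_by_account[role["Arn"].split(":")[4]].append(role["Arn"])

    edges: Set[Tuple[str, str]] = set()
    for target in roles:
        for principal in trusted_aws_principals(target["AssumeRolePolicyDocument"]):
            match = ROOT_ARN.match(principal)
            if match:
                account = match.group(1)
            elif principal.isdigit() and len(principal) == 12:
                account = principal
            else:
                account = None
            if account is not None:
                for source in roles_by_account.get(account, []):
                    edges.add((source, target["Arn"]))
            elif principal.startswith("arn:"):
                edges.add((principal, target["Arn"]))  # explicit role/user ARN
    return edges


def in_degree(edges: Set[Tuple[str, str]]) -> Dict[str, int]:
    """Incoming edge count per target; large values are the super-node candidates."""
    counts: Dict[str, int] = defaultdict(int)
    for _, target in edges:
        counts[target] += 1
    return dict(counts)


if __name__ == "__main__":
    derived = assume_role_edges(SAMPLE_ROLES)
    for source, target in sorted(derived):
        print(f"{source} -[STS_ASSUMEROLE_ALLOW]-> {target}")
    print(in_degree(derived))
```

With the sample data the root and bare-account trusts each fan out to both roles in account 222222222222 (including the Auditor role trusting itself), so the in-degree of a target trusting root equals the number of roles in the trusted account; with a few thousand roles per account, that is the edge volume the super-node comment refers to.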

@SecPrez - what do you think?

achantavy, Feb 12 '25 23:02