
Anonymous access vs Internet exposure

Open kunaals opened this issue 10 months ago • 2 comments

Anonymous access (IAM/Resource policy access) vs Internet exposure (network level access)

Description: I fear that anonymous access may be conflated with internet access in unintuitive ways. While reviewing #1446 I noticed that AWS API gateways have an endpointConfiguration that can either be regional, edge-optimized, or private. The first two create an internet-exposed gateway while the private option creates a VPC-only gateway. However, IIUC, this is unrelated to the IAM/Resource policies associated with the gateway. Using the "internet_exposed" flag that comes from PolicyUniverse for an API gateway is not correct as it does not account for this endpoint configuration.

Furthermore, it might be more intuitive to think about IAM/resource level access on a separate axis than internet exposure. If I'm an incident commander wanting to fix Log4Shell, I want to find all internet exposed instances and I don't care about what resources have particularly open IAM/resource policies. There's some nuance here and the answer isn't clear cut. Regardless, I think this would help us represent AWS in a more correct way and delineate IAM access vs network access.

Relevant Links: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html In this link it specifies that Resource Policies can be used to restrict access to certain CIDR blocks and IP addresses, but the resource policy alone does not give us the inherent network exposure based on the APIs endpoint configuration.

kunaals, Feb 03 '25 20:02

I'd like to propose that as part of 1.0.0 we normalize a new internet_exposed flag that simply states whether the resource is directly exposed to the internet. Anonymous access would then mean something is accessible by anyone with the relevant IAM/Resource policies.

kunaals, Feb 03 '25 20:02
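Keeping the two axes separate, as an added example that is not cartography's own code: the `get_rest_api` response shape and the `PRIVATE`/`EDGE`/`REGIONAL` endpoint types are from the AWS API, while the sample resources, the placeholder account id and the simplified wildcard-principal check (a stand-in for PolicyUniverse) are constructed assumptions.

```python
"""Added example, not cartography's own code: score an API Gateway REST API on the
two axes the issue proposes. Assumes the dict shape of a get_rest_api response
(endpointConfiguration.types, policy as a JSON string); the policy check is a small stand-in for PolicyUniverse."""
import json

# Endpoint types that place the gateway on the public internet; PRIVATE is VPC-only.
PUBLIC_ENDPOINT_TYPES = {"REGIONAL", "EDGE"}

def is_internet_exposed(rest_api: dict) -> bool:
    """Network axis: exposed if any configured endpoint type is public."""
    types = rest_api.get("endpointConfiguration", {}).get("types", [])
    return any(t.upper() in PUBLIC_ENDPOINT_TYPES for t in types)

def _principals(statement: dict) -> list:
    """Flatten the Principal element to a list of principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []

def allows_anonymous_access(rest_api: dict) -> bool:
    """IAM axis: an Allow statement for the wildcard principal with no Condition.
    A Condition (e.g. aws:SourceIp, as in the linked docs) narrows the callers,
    so this stand-in does not count it as anonymous."""
    policy = json.loads(rest_api.get("policy") or "{}")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt) and not stmt.get("Condition"):
            return True
    return False

def classify(rest_api: dict) -> dict:
    """Report both axes separately instead of collapsing them into one flag."""
    return {"internet_exposed": is_internet_exposed(rest_api),
            "anonymous_access": allows_anonymous_access(rest_api)}

# Constructed sample: VPC-only API whose resource policy allows any principal.
PRIVATE_OPEN_API = {
    "endpointConfiguration": {"types": ["PRIVATE"]},
    "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "execute-api:Invoke", "Resource": "*"}]}),
}
# Constructed sample: edge-optimized API that only a placeholder account may invoke.
EDGE_ACCOUNT_API = {
    "endpointConfiguration": {"types": ["EDGE"]},
    "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                                         "Action": "execute-api:Invoke", "Resource": "*"}]}),
}
```

The first sample is the case the issue describes: PolicyUniverse alone would call it internet-accessible, while the network axis says it is VPC-only.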

Hey @kunaals,

I came across this issue while making a PR (#1586) which added support for aws_api_gateway_method. If implementing the internet_exposed flag based on endpoint configuration is still a priority for the project, I would be interested in contributing to that in a follow-up PR.

Please let me know. Thanks!

Khushmagrawal, May 26 '25 12:05