AWSSSOUser-[:ALLOWED_BY]-AWSRole relationship is incorrect

Open achantavy opened this issue 4 months ago • 1 comment

Observed behavior

~~We have observed that AWS Permission Sets might be globally unique, meaning that the "AdministratorAccess" Permission Set has the same ARN across all AWS accounts. This means that~~ In Cartography, we've observed that if we sync multiple AWS Identity Center instances, we may see AWSSSOUsers across different Identity Center instances attached to the same AWS Role via ALLOWED_BY. This is a bug.

Expected behavior

We instead expect users scoped to the current identity center instance to be attached to the role.

Investigation

The main query logic is here:

https://github.com/cartography-cncf/cartography/blob/6b4ab69540b9b6237ff144888a019faf2af4ccfe/cartography/intel/aws/identitycenter.py#L241-L243

we look for roles that are associated with a given AWSPermissionSet. Then, we use that data to attach AWSSSOUsers that have that permission set, to the AWSRole. This does not bound on users that are in the current identity center.

To Reproduce

Steps to reproduce the behavior. Provide all data and inputs required to reproduce the issue.

Run cartography on one org on one identity center instance where the AdministratorAccess permission set is defined for some users

Run cartography on another org with another identity center instance where the AdministratorAccess permission set is also defined for other users.

You will observe that all of those users will now be attached to unexpected roles.

Please complete the following information:

  • Cartography release version or commit hash [e.g. 0.12.0 or 95e8e11913e2a44a4d4682506d8364a638ceac69]

0.110.0rc1

achantavy avatar Aug 07 '25 00:08 achantavy

On deeper investigation, the issue is here:

https://github.com/cartography-cncf/cartography/blob/6b4ab69540b9b6237ff144888a019faf2af4ccfe/cartography/models/aws/identitycenter/awspermissionset.py#L54

We are matching for role names with just `contains`.

This works reasonably well if there is just one identitycenter instance because the AdministratorAccess role will be provisioned for all those accounts. But if there are more, then cartography will get confused.

One fix could be to instead

    # Proposed matcher: keep the fuzzy, case-insensitive ARN match, and additionally require an exact account_id match
    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
        {"arn": PropertyRef("RoleHint", fuzzy_and_ignore_case=True), "account_id": PropertyRef("account_id")},
    )

which would then require an update to the AWSRole schema to have an account_id field on it.

achantavy avatar Aug 07 '25 01:08 achantavy
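To make the two matching strategies concrete, here is a constructed Python simulation added alongside this thread; it is not cartography code and does not use its model classes. It builds two orgs, each with its own Identity Center instance and an "AdministratorAccess" permission set, then compares a fuzzy `contains` match on the role ARN alone (the current behaviour) against the same fuzzy match scoped by `account_id` (the proposed fix). The role ARNs, the `RoleHint` fragment `AWSReservedSSO_AdministratorAccess`, and the account ids are assumed sample values.

```python
# Constructed simulation of the ALLOWED_BY matching bug discussed in this issue.
# Not cartography code: it only mimics the two target-node-matcher strategies
# (fuzzy CONTAINS on arn, versus fuzzy CONTAINS on arn plus an account_id
# equality) over hand-built role and permission-set-assignment records.
from dataclasses import dataclass


@dataclass(frozen=True)
class AwsRole:
    arn: str
    account_id: str


@dataclass(frozen=True)
class PermissionSetAssignment:
    """One SSO user granted one permission set in one account (constructed shape)."""
    user_name: str
    identity_center: str  # which Identity Center instance the user came from
    role_hint: str        # permission-set-derived fragment of the provisioned role name (assumed value)
    account_id: str       # the account this assignment targets


# Constructed data: two orgs, two Identity Center instances, both with an
# "AdministratorAccess" permission set. The provisioned role names share the
# same fragment; only the account id and the random suffix differ.
ROLES = [
    AwsRole("arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/"
            "AWSReservedSSO_AdministratorAccess_aaaa1111", "111111111111"),
    AwsRole("arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/"
            "AWSReservedSSO_AdministratorAccess_bbbb2222", "222222222222"),
]

ASSIGNMENTS = [
    PermissionSetAssignment("alice", "idc-org-one", "AWSReservedSSO_AdministratorAccess", "111111111111"),
    PermissionSetAssignment("bob", "idc-org-two", "AWSReservedSSO_AdministratorAccess", "222222222222"),
]


def match_roles_fuzzy(roles, role_hint):
    """Current behaviour: case-insensitive CONTAINS on the role arn only."""
    needle = role_hint.lower()
    return [r for r in roles if needle in r.arn.lower()]


def match_roles_scoped(roles, role_hint, account_id):
    """Proposed fix: the same fuzzy arn match, but the role must also live in the assignment's account."""
    return [r for r in match_roles_fuzzy(roles, role_hint) if r.account_id == account_id]


def build_allowed_by(assignments, roles, scoped):
    """Return the set of (user_name, role_arn) ALLOWED_BY edges a strategy would create."""
    edges = set()
    for a in assignments:
        matched = (match_roles_scoped(roles, a.role_hint, a.account_id) if scoped
                   else match_roles_fuzzy(roles, a.role_hint))
        for r in matched:
            edges.add((a.user_name, r.arn))
    return edges


def cross_instance_edges(assignments, roles, scoped):
    """Edges that attach a user to a role in an account none of their assignments targeted."""
    targeted = {(a.user_name, a.account_id) for a in assignments}
    role_account = {r.arn: r.account_id for r in roles}
    return {(u, arn) for (u, arn) in build_allowed_by(assignments, roles, scoped)
            if (u, role_account[arn]) not in targeted}


if __name__ == "__main__":
    for scoped in (False, True):
        label = "scoped (arn + account_id)" if scoped else "fuzzy arn only"
        total = len(build_allowed_by(ASSIGNMENTS, ROLES, scoped))
        bad = len(cross_instance_edges(ASSIGNMENTS, ROLES, scoped))
        print(f"{label}: {total} ALLOWED_BY edges, {bad} cross-instance")
```

With the fuzzy-only matcher every assignment matches both roles, so each user is attached to the other org's AdministratorAccess role as well as their own; adding the `account_id` equality leaves exactly one edge per assignment. The `cross_instance_edges` helper is the kind of check worth running against a real graph after a multi-instance sync to confirm the fix.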