
Represent S3 bucket policies in the graph

Open achantavy opened this issue 4 years ago • 3 comments

Description:


Cartography already pulls s3 bucket policies and parses them with policyuniverse to determine internet exposure. We should expand on this feature to compute s3-specific permission relationships.

For background, S3 permissions can be defined by S3 ACLs, IAM policies, and S3 bucket policies (AWS ref).

We already surface S3 perms at the IAM level but we do not have visibility at S3 itself. Many orgs may choose to use only S3-specific perms, so lack of this support in cartography gives an incomplete picture.

Plan

I see this feature as needing 2 tasks.

  1. Represent the S3 policies and policy statements in the graph.
  2. Use the data from (1) to compute AWSPrincipal-to-S3Bucket S3-specific relationships. This will be similar to our resource permission relationships functionality with IAM, although I don't think we necessarily need to define a whole separate yaml file for that.

The data model will look like this: (image: s3 bucket perms)

Testing for this feature can be done like this: (image)

Help wanted! Please reach out if you can work on this and we can help point you in the right direction.

Relevant Links:


  • https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
  • https://lyft.github.io/cartography/modules/aws/permissions-mapping.html

achantavy avatar Feb 01 '22 22:02 achantavy

Further discussion on Slack: https://lyftoss.slack.com/archives/CTZUQL0KX/p1643754325800859

Summarized:

  • Ideally we will be able to consolidate the IAM + resource policy story for at least S3 buckets
  • We will want to accurately represent cross-account bucket accesses

achantavy avatar Feb 02 '22 03:02 achantavy
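To make the two tasks in the issue body concrete (parse bucket policy statements into records, then derive AWSPrincipal-to-S3Bucket relationships) and the cross-account point from the Slack summary, here is an added example in Python. It is not cartography's code and does not use policyuniverse; the bucket name, account ids, role name and policy document are all constructed, and Conditions and Resource paths are only recorded on the relationship, not evaluated, so the result is an over-approximation of access that is suitable for flagging cross-account and anonymous grants for review.

```python
"""Hypothetical helper: S3 bucket policy -> statement records -> principal/bucket edges."""
import fnmatch
import json
from dataclasses import dataclass

# Constructed sample: bucket owned by made-up account 111111111111, policy as returned
# as a JSON string by GetBucketPolicy (account ids and names are placeholders).
BUCKET_NAME = "example-bucket"
BUCKET_ACCOUNT = "111111111111"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "CrossAccountWrite", "Effect": "Allow",
         "Principal": {"AWS": "222222222222"},  # bare account-id principal form
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Sid": "AnonymousListWithCondition", "Effect": "Allow",
         "Principal": "*", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyDeleteForReader", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
         "Action": "s3:Delete*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


@dataclass
class Statement:
    """One policy statement, the unit that task (1) would store as a graph node."""
    sid: str
    effect: str
    principals: list   # IAM ARNs, or "*" for anonymous access
    actions: list      # action patterns as written, e.g. "s3:Get*"
    resources: list
    has_condition: bool


def _as_list(value):
    """Policy JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def normalize_principal(raw):
    """Return AWS principals as ARNs. Only the 'AWS' key is handled here;
    'Service' and 'Federated' principals are out of scope for this example."""
    if raw == "*":
        return ["*"]
    out = []
    for p in _as_list(raw.get("AWS")):
        if p == "*":
            out.append("*")
        elif p.isdigit() and len(p) == 12:      # bare account id means account root
            out.append(f"arn:aws:iam::{p}:root")
        else:
            out.append(p)
    return out


def parse_bucket_policy(policy_json):
    doc = json.loads(policy_json)
    return [Statement(sid=s.get("Sid", f"stmt-{i}"), effect=s["Effect"],
                      principals=normalize_principal(s.get("Principal", {})),
                      actions=_as_list(s.get("Action")),
                      resources=_as_list(s.get("Resource")),
                      has_condition="Condition" in s)
            for i, s in enumerate(_as_list(doc.get("Statement")))]


def account_of(principal_arn):
    """Account id field of an IAM ARN (arn:aws:iam::ACCOUNT:...); None for '*'."""
    return None if principal_arn == "*" else principal_arn.split(":")[4]


def derive_relationships(statements, bucket_account):
    """Task (2): one edge per principal granted anything by an Allow statement,
    flagged when the grant is cross-account, anonymous, or condition-gated."""
    rels = {}
    for s in statements:
        if s.effect != "Allow":
            continue
        for p in s.principals:
            rel = rels.setdefault(p, {"actions": set(), "cross_account": False,
                                      "anonymous": False, "conditional": False})
            rel["actions"].update(s.actions)
            if p == "*":
                rel["anonymous"] = True
            elif account_of(p) != bucket_account:
                rel["cross_account"] = True
            rel["conditional"] = rel["conditional"] or s.has_condition
    return rels


def is_allowed(statements, principal_arn, action):
    """Bucket-level evaluation: an explicit Deny wins over any Allow. Statements
    with Principal '*' apply to every principal; Conditions are treated as met."""
    allowed = False
    for s in statements:
        if "*" not in s.principals and principal_arn not in s.principals:
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in s.actions):
            if s.effect == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    stmts = parse_bucket_policy(SAMPLE_POLICY)
    for principal, rel in derive_relationships(stmts, BUCKET_ACCOUNT).items():
        print(f"{principal} -> {BUCKET_NAME}: {sorted(rel['actions'])} "
              f"cross_account={rel['cross_account']} anonymous={rel['anonymous']}")
```

Run as a script it lists the derived edges for the constructed policy; the `cross_account` and `anonymous` flags are the ones worth surfacing in the graph, since they are exactly the grants that a view built only from IAM policies in the bucket's own account would miss.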

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Apr 17 '22 04:04 stale[bot]

I've added more details in this one-pager: https://docs.google.com/document/d/1EOn9DBwubQhT_uk0WUO2Sx4WjSPR8mdBBbbWuheloc8/edit#. @SecPrez - can you have a look? :-)

achantavy avatar Aug 11 '22 15:08 achantavy