Accuracy of exposed_internet flag on EC2 Instances #31
Comments
Yes, see here. The security group allows the 0.0.0.0/0 subnet via an IP Permission.
Let me see if I understand your suggestion correctly: there are cases with EC2 instances that have no public IP addresses and no public DNS names, but Cartography still marks them as exposed_internet. Is that about right? We'll think on this, thanks for pointing it out.
Hi @khourybrazil, talked with @sachafaust on this and we agree this is a bug. It looks like there are 2 cases that we need to fix.
A side note for case 2 above: e.publicdnsname gets set to the empty string by default and we might want to change that to
@sachafaust Do we need to also take into account this case?
Scratch that, yeah the fix covers both cases (at least on our own data 😛).
@khourybrazil hope we fixed the bug you found. Thanks a lot!
* Fix for issue #31
* internal_commit
* adding factors
* trusted origin, full sync ok
* api doc
* run clean - added transform layer
* Update oktaintel.py working full sync
* Update oktaintel.py
* updated doc
* unit test foundation
* Update __init__.py
* lint
* Update oktaintel.py
* Update oktaintel.py
* Update oktaintel.py
* Update oktaintel.py
* unit tests
* cred setup
* sync integration
* Update okta_import_cleanup.json
* lint bs
* lint bs
* Group member bug fix
* PR Feedback
* Update oktaintel.py
* Update README.md
* removing cli parameter
* evan review part 1
* evan feedback part 2 - refactoring into smaller chunks
* evan feedback - part 2 - CLI parameters
* lint
* utils
* testing
* bug fix
* Update cli.py
* splitting get and transform
* Update users.py
* Update groups.py
* Update roles.py
* fix doc
* change unit test
* Update test_syntax.py
* fix unit test
* fix index
* Address Alex feedback - store data in memory vs graph call
* fix
* lint
* Update okta_import_cleanup.json
* Fix for issue #31
* internal_commit
* adding factors
* trusted origin, full sync ok
* api doc
* run clean - added transform layer
* Update oktaintel.py working full sync
* Update oktaintel.py
* updated doc
* unit test foundation
* Update __init__.py
* lint
* Update oktaintel.py
* Update oktaintel.py
* Update oktaintel.py
* Update oktaintel.py
* unit tests
* cred setup
* sync integration
* Update okta_import_cleanup.json
* lint bs
* lint bs
* Group member bug fix
* PR Feedback
* Update oktaintel.py
* Update README.md
* removing cli parameter
* evan review part 1
* evan feedback part 2 - refactoring into smaller chunks
* evan feedback - part 2 - CLI parameters
* lint
* utils
* testing
* bug fix
* Update cli.py
* splitting get and transform
* Update users.py
* Update groups.py
* Update roles.py
* fix doc
* change unit test
* Update test_syntax.py
* fix unit test
* fix index
* Added in reply uris for okta applications
* Add in dns querying for reply urls
* added awssaml module
* Adding in awssaml module into okta
* Uncomment other syncs
* Made CLI updates to get regex and fixed the applications unit test
* added awssaml unittest
* Add in CAN_ASSUME_ROLE mapping between AWSRole and Humans. Added in cleanup jobs
* Updated readme's
* Fix numbering in the readme
* Fixed lint
* Add an index for ReplyUri's
* get reply urls in alphabetical order
* Added CLI parameter for replyuri dns resolution
* Reorder okta cleanup
* Fix unit test to make sure its all working
* Revert "Added CLI parameter for replyuri dns resolution" This reverts commit 9b65a68.
* Revert "Fix unit test to make sure its all working" This reverts commit 6cb885f.
* fix unit test
* remove unneded list traversal
* Fix docstring
* Fix a comment in the cli help
* Fixing PR feedback
* removing extra line
* reformat cleanup
If an instance doesn't have an EIP assigned to it, has an ENI attached to a private subnet in a VPC and has 0.0.0.0/0 permitted by a security group, would it still be flagged with exposed_internet? It probably is worth flagging but maybe with something that conveyed the excessive permissiveness instead?
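As an added example (not Cartography's own code), the distinction this thread converges on, in Python: an instance is exposed_internet only when it has a public IP or a non-empty public DNS name and one of its security groups admits 0.0.0.0/0, while a world-open group on a private-only instance is reported as a separate, weaker signal. The data classes, field names and fixture values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Classes and field names are assumptions for illustration, not
# Cartography's schema; they mirror the attributes the thread discusses.

@dataclass
class SecurityGroup:
    group_id: str
    ingress_cidrs: List[str] = field(default_factory=list)  # CIDRs from IpPermissions

@dataclass
class Instance:
    instance_id: str
    public_ip: Optional[str]
    public_dns_name: Optional[str]  # AWS reports "" when absent (case 2 in the thread)
    security_groups: List[SecurityGroup]

OPEN_TO_WORLD = {"0.0.0.0/0", "::/0"}

def has_public_address(inst: Instance) -> bool:
    # An empty public DNS name must not count as a DNS name.
    return bool(inst.public_ip) or bool(inst.public_dns_name)

def has_open_ingress(inst: Instance) -> bool:
    return any(c in OPEN_TO_WORLD for sg in inst.security_groups for c in sg.ingress_cidrs)

def exposed_internet_buggy(inst: Instance) -> bool:
    # Behaviour the issue reports: an open security group alone sets the flag.
    return has_open_ingress(inst)

def classify(inst: Instance) -> str:
    """'exposed_internet' needs a public address AND world-open ingress;
    'permissive_sg_private' is the separate signal the reporter suggested."""
    open_sg, public = has_open_ingress(inst), has_public_address(inst)
    if open_sg and public:
        return "exposed_internet"
    return "permissive_sg_private" if open_sg else "not_exposed"

def exposed_internet(inst: Instance) -> bool:
    return classify(inst) == "exposed_internet"

def sample_instances() -> List[Instance]:
    # Constructed fixtures, not real AWS data.
    world = SecurityGroup("sg-open", ["0.0.0.0/0"])
    office = SecurityGroup("sg-office", ["203.0.113.0/24"])
    return [
        Instance("i-public", "198.51.100.10", "ec2-198-51-100-10.compute-1.amazonaws.com", [world]),
        Instance("i-private-open", None, "", [world]),  # the bug: flagged by the old logic
        Instance("i-private-closed", None, "", [office]),
    ]
```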