EC2 Snapshots gets lots of stuff, takes very long #793

Closed
danielsaporo opened this issue Mar 31, 2022 · 5 comments

@danielsaporo

I'm trying Cartography on an AWS account that is practically empty (just a few users), and noticed that it takes a while to run. What really stands out is that it takes over 9 minutes to get EBS snapshot data. And this account does not have (and never had) any EBS volumes in any regions.

Yet, when I debug get_snapshots() in snapshots.py, I see that client.get_paginator('describe_snapshots') returns many thousands of records despite the fact that there is no snapshot data in any region visible in the AWS Console.

So, what is describe_snapshots returning exactly, and do we need all that?

@ryan-lane
Collaborator

Ah. It looks like that function returns all available snapshots. I think what we probably want here is to filter to snapshots owned by the current account. @achantavy @ramonpetgrave64, thoughts?

amlweems added a commit to praetorian-inc/cartography that referenced this issue Apr 6, 2022
Co-authored-by: Dallas Kaman <dallas.kaman@praetorian.com>
@danielsaporo
Author

Ah. It looks like that function returns all available snapshots. I think what we probably want here is to filter to snapshots owned by the current account.

Why does describe_snapshots return a lot of snapshots that don't belong to the current account? From the description I see:

Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.

The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots owned by other Amazon Web Services accounts for which you have explicit create volume permissions.

However, I don't really understand this. I'm using a new AWS account which hasn't been granted access to any other account. I just hope AWS isn't returning a lot of stuff from other accounts that it shouldn't.

@ryan-lane
Collaborator

@danielsaporo There are public EBS snapshots for public datasets, and there are a lot of them. This is similar to public AMIs. See, for example, how I changed that to only pull AMIs from owned accounts, but then introspected the graph to find other images that should be fetched: https://github.com/lyft/cartography/blob/master/cartography/intel/aws/ec2/images.py#L17-L59

ramonpetgrave64 added a commit that referenced this issue Apr 15, 2022
* filter ebs snapshots to just the current account (#793)

Co-authored-by: Dallas Kaman <dallas.kaman@praetorian.com>

* add snapshots_in_use to get_snapshots

* filter duplicate snapshots in get_snapshots

* add integration test for get_snapshots_in_use

* small var name/comment updates

* Update tests/integration/cartography/intel/aws/ec2/test_ec2_snapshots.py

Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

* update from linter

Co-authored-by: Dallas Kaman <dallas.kaman@praetorian.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
@ramonpetgrave64
Contributor

Fixed in #799

@danielsaporo
Author

Thanks for fixing this. What is the process to upgrade to a newer version of Cartography that includes this fix? Do I need to wait for some kind of release to happen first?

shinya-murakami-paypay pushed a commit to paypay/cartography that referenced this issue May 23, 2022