Added support for AWS KMS #527

Merged
merged 27 commits into from
Feb 19, 2021
9eaba96
Updated Readme to add Cloudanix as a Cartography user
mpurusottamc Dec 5, 2020
2cd649d
Merge remote-tracking branch 'upstream/master' into master
mpurusottamc Dec 6, 2020
8d33f8d
Merge branch 'master' of github.com:lyft/cartography
mpurusottamc Dec 9, 2020
62e9b7d
Added KMS module in AWS for cartography
kedarghule Dec 18, 2020
bf4ac34
Merge branch 'aws-kms' of https://github.com/Cloudanix/cartography in…
kedarghule Dec 18, 2020
b5f5999
Added indexes and removed TODOs
kedarghule Dec 21, 2020
639118e
fixed kms policy key issue
mpurusottamc Jan 20, 2021
6811fb2
updated documentation for AWS KMS
mpurusottamc Feb 2, 2021
bfe44e3
removed unnecessary references from kms
mpurusottamc Feb 2, 2021
eac9dd6
Merge branch 'upstream-master' into aws-kms
mpurusottamc Feb 2, 2021
9cbac13
Merge branch 'master' into aws-kms
mpurusottamc Feb 3, 2021
2728f35
Minor changes as per linter
kedarghule Feb 3, 2021
b5d6f40
Minor changes
kedarghule Feb 3, 2021
cc136d7
removed trailing space
mpurusottamc Feb 3, 2021
95bd761
added @aws_handle_regions for functions which fetch data by region
mpurusottamc Feb 10, 2021
59e1971
added KMSAlias and KMSGrant details into aws schema document
mpurusottamc Feb 10, 2021
c7596f9
removed verbose logs
mpurusottamc Feb 10, 2021
4555717
Used UNWIND instead of the loops, removed copypasta (Oops!)
kedarghule Feb 15, 2021
562e8ac
Trimmed trailing whitespace
kedarghule Feb 15, 2021
6d64be6
Integration tests added
kedarghule Feb 15, 2021
f9b7ab7
Added trailing commas
kedarghule Feb 15, 2021
4af174d
Added trailing commas 2
kedarghule Feb 15, 2021
3ea24c0
Minor updates
kedarghule Feb 15, 2021
6f97387
Added trailing commas 3
kedarghule Feb 15, 2021
c14d378
kms schema updated to add anonymous access & actions
mpurusottamc Feb 16, 2021
d7b4d12
Removed unnecessary comment
kedarghule Feb 19, 2021
197d1ba
Merge branch 'master' into aws-kms
kedarghule Feb 19, 2021
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -35,7 +35,7 @@ You can learn more about the story behind Cartography in our [presentation at BS
Start [here](docs/setup/install.md).

## Supported platforms
- [Amazon Web Services](docs/setup/config/aws.md) - EC2, Elasticsearch, Elastic Kubernetes Service, DynamoDB, IAM, Lambda, RDS, Redshift, Route53, S3, STS, Tags
- [Amazon Web Services](docs/setup/config/aws.md) - EC2, Elasticsearch, Elastic Kubernetes Service, DynamoDB, IAM, Lambda, RDS, Redshift, Route53, S3, STS, Tags, KMS
- [Google Cloud Platform](docs/setup/config/gcp.md) - Cloud Resource Manager, Compute, DNS, Storage, Google Kubernetes Engine
- [Google GSuite](docs/setup/config/gsuite.md) - users, groups
- [Duo CRXcavator](docs/setup/config/crxcavator.md) - Chrome extensions, GSuite users
3 changes: 3 additions & 0 deletions cartography/data/indexes.cypher
Expand Up @@ -84,6 +84,9 @@ CREATE INDEX ON :IpPermissionsEgress(ruleid);
CREATE INDEX ON :IpRange(id);
CREATE INDEX ON :IpRule(ruleid);
CREATE INDEX ON :JamfComputerGroup(id);
CREATE INDEX ON :KMSKey(id);
CREATE INDEX ON :KMSAlias(id);
CREATE INDEX ON :KMSGrant(id);
CREATE INDEX ON :LoadBalancer(dnsname);
CREATE INDEX ON :LoadBalancer(id);
CREATE INDEX ON :LoadBalancerV2(dnsname);
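--- a/cartography/data/jobs/cleanup/aws_import_kms_cleanup.json
+++ b/cartography/data/jobs/cleanup/aws_import_kms_cleanup.json
@@ -0,0 +1,35 @@
+{
+"statements": [
+{
+"query": "MATCH (n:KMSKey)<-[:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+},
+{
+"query": "MATCH (:KMSKey)<-[r:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+},
+{
+"query": "MATCH (n:KMSGrant)-[:APPLIED_ON]->(:KMSKey)<-[:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+},
+{
+"query": "MATCH (:KMSGrant)-[r:APPLIED_ON]->(:KMSKey)<-[:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+},
+{
+"query": "MATCH (n:KMSAlias)-[:KNOWN_AS]->(:KMSKey)<-[:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE n.lastupdated <> {UPDATE_TAG} WITH n LIMIT {LIMIT_SIZE} DETACH DELETE (n) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+},
+{
+"query": "MATCH (:KMSAlias)-[r:KNOWN_AS]->(:KMSKey)<-[:RESOURCE]-(:AWSAccount{id: {AWS_ID}}) WHERE r.lastupdated <> {UPDATE_TAG} WITH r LIMIT {LIMIT_SIZE} DELETE (r) return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+}
+],
+"name": "cleanup KMS"
+}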
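Review bot: The statement order can strand stale KMSAlias and KMSGrant nodes: the first statement DETACH DELETEs stale KMSKey nodes, while the KMSGrant and KMSAlias statements further down only match nodes still connected through `-[:APPLIED_ON]->(:KMSKey)` or `-[:KNOWN_AS]->(:KMSKey)`, so once a stale key is gone its aliases and grants no longer match and remain in the graph. Moving the two KMSGrant statements and the two KMSAlias statements ahead of the two KMSKey statements (children before parent) lets them be matched while the key still exists. Whether an alias or grant of a stale key is itself stale depends on how the loader stamps lastupdated, which is outside this file; if every run re-stamps all three node types, the reordering alone is enough.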
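--- a/cartography/data/jobs/cleanup/aws_kms_details.json
+++ b/cartography/data/jobs/cleanup/aws_kms_details.json
@@ -0,0 +1,10 @@
+{
+"statements": [
+{
+"query": "MATCH (:AWSAccount{id: {AWS_ID}})-[:RESOURCE]->(s:KMSKey) WHERE EXISTS(s.anonymous_access)\n WITH s LIMIT {LIMIT_SIZE}\nREMOVE s.anonymous_access, s.anonymous_actions return COUNT(*) as TotalCompleted",
+"iterative": true,
+"iterationsize": 100
+}
+],
+"name": "AWS KMS Key Exposure Details"
+}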
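Review bot: The REMOVE in the single statement clears `anonymous_access` and `anonymous_actions` on every KMSKey of the account with no lastupdated or UPDATE_TAG guard, so those flags are only trustworthy if the step that recomputes them always runs after this job; a sync that fails between the reset and the recompute leaves every key reading as not anonymously accessible until the next successful run. That reset-then-recompute contract is not visible from this file, so it is worth stating in the caller's docstring (presumably the kms sync module, outside this page). The name also reads like a report rather than a cleanup; `"name": "reset KMS key exposure details"` would match the `cleanup KMS` naming of the sibling job.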
2 changes: 2 additions & 0 deletions cartography/intel/aws/__init__.py
Expand Up @@ -9,6 +9,7 @@
from . import eks
from . import elasticsearch
from . import iam
from . import kms
from . import lambda_function
from . import organizations
from . import permission_relationships
Expand Down Expand Up @@ -48,6 +49,7 @@ def _sync_one_account(neo4j_session, boto3_session, account_id, sync_tag, common
lambda_function.sync(neo4j_session, boto3_session, regions, account_id, sync_tag, common_job_parameters)
rds.sync(neo4j_session, boto3_session, regions, account_id, sync_tag, common_job_parameters)
redshift.sync(neo4j_session, boto3_session, regions, account_id, sync_tag, common_job_parameters)
kms.sync(neo4j_session, boto3_session, regions, account_id, sync_tag, common_job_parameters)

# NOTE each of the below will generate DNS records
route53.sync(neo4j_session, boto3_session, account_id, sync_tag)