Thanks for sharing! We investigated using CAI last year in Cartography but decided against that and to be honest I can't quite remember why. It might have been something about required permissions, or it might have simply been me not understanding GCP well enough.
It might be time to revisit that decision now though: it would be neat to have your CAI ingestion logic in Cartography :-)
I am not a fan of Azure (and am DEFINITELY not a fan of their RBAC/auth model), but graphing and querying one's entire set of resources is one thing they got right. One can run a Kusto query against Azure AD to obtain the same information.
I've developed a few different security graphs also using Neo, and I wasn't aware of Cartography - well done!
You can encode entire policy DSLs in graphs, and I can foresee a graph replacement for UMA/XACML emerging organically. Add DLT concepts to it, and it's a huge deal, imo.
I have started to write links like this as a caution against this: https://github.com/lyft/cartography#.
For most sites, the trailing point at the end then doesn't make a difference. Doesn't look clean but works well.
> Now that we have enriched the IAM data in the graph, we can use Cartography’s Drift Detection feature to let us know via Slack alerts whenever the list of Redshift admins changes, and that we should investigate why this list changed.
This seems wrong. I wouldn’t call changes in the Redshift admins list “data drift”, and it seems rather deterministic.
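Whatever one calls it, the check behind the quoted paragraph is a snapshot comparison: run the same "who can administer Redshift" query on each sync, diff the result against the last known-good list, and alert on any difference. The following is an added example (not Cartography's own drift-detection code) that shows that comparison on two constructed result sets; the principal ARNs and the `principal` column name are made up for illustration.

```python
"""Added example: detect changes between two snapshots of a graph query result.

Not Cartography's code. The rows below are constructed to look like what a
Cypher query returning "principals who can administer the Redshift cluster"
might produce; the ARNs are invented.
"""
from typing import Dict, Iterable, List, Optional

# Constructed snapshot taken when the admin list was last reviewed.
BASELINE_ROWS = [
    {"principal": "arn:aws:iam::111111111111:role/data-platform-admin"},
    {"principal": "arn:aws:iam::111111111111:user/alice"},
]

# Constructed snapshot from the latest sync: one principal has appeared.
CURRENT_ROWS = [
    {"principal": "arn:aws:iam::111111111111:role/data-platform-admin"},
    {"principal": "arn:aws:iam::111111111111:user/alice"},
    {"principal": "arn:aws:iam::111111111111:user/contractor-bob"},
]


def _key_set(rows: Iterable[Dict[str, str]], key: str) -> set:
    """Project the rows onto the one column that identifies a principal."""
    return {row[key] for row in rows}


def detect_drift(baseline: List[Dict[str, str]], current: List[Dict[str, str]],
                 key: str = "principal") -> Dict[str, List[str]]:
    """Compare two result sets and report what was added, removed or kept.

    Order of rows is irrelevant: the comparison is on the set of principals,
    so a re-ordered but otherwise identical result is not reported as drift.
    """
    before = _key_set(baseline, key)
    after = _key_set(current, key)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "unchanged": sorted(before & after),
    }


def format_alert(query_name: str, drift: Dict[str, List[str]]) -> Optional[str]:
    """Render a chat-style alert, or None when nothing changed (no noise)."""
    if not drift["added"] and not drift["removed"]:
        return None
    lines = [f":warning: Drift detected for `{query_name}`"]
    lines.extend(f"  + {p}" for p in drift["added"])
    lines.extend(f"  - {p}" for p in drift["removed"])
    lines.append("Investigate why this list changed before accepting the new baseline.")
    return "\n".join(lines)


def check(query_name: str, baseline, current) -> Optional[str]:
    """One sync's worth of work: diff and, if needed, produce the alert text."""
    return format_alert(query_name, detect_drift(baseline, current))


if __name__ == "__main__":
    print(check("redshift_admins", BASELINE_ROWS, CURRENT_ROWS))
```

The important design choice is that the alert fires on any delta, in either direction: a removed admin is as worth a look as an added one, since it may be someone losing access they still need, or an attacker covering tracks. Accepting the new list as the baseline is a deliberate human step, not something the checker does on its own.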
I can imagine buckets or nested buckets as rows, policies, groups or users as columns, just as one way of viewing it. Alternative graphing tools such as Sourcetrail for source code also come to mind, as a way to merge policy source code with a graph view, for example.
I've used it a few times but haven't put it into any production use. It's super easy to kick the tires on. Installing Neo4j is the hardest part, but you can skip that by using one of their free sandboxes here: https://neo4j.com/sandbox/
Cartography has some good ideas in there. For our case I am looking at an event-driven model where the graph is continually updated as the environment changes. Then I can hook those changes to do targeted analysis as needed. I know HN loves to poo on serverless but the event-driven approach would be quite compatible with that as well.
For me the biggest challenge with any of this is trying to map the native data models of the cloud provider to something that is compatible with the simplistic property support in most graph databases (including Neo4j). Things move too quickly to be constantly mapping the schema from provider to the graph, I'd much rather have a system where I can just plop the native content and iterate on that.
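The "just plop the native content in" approach runs into exactly the property limitation mentioned above: Neo4j node properties must be scalars or homogeneous lists of scalars, with no nested maps and no nulls. One way around it without hand-maintaining a schema per resource type is to flatten the provider's JSON mechanically before writing it. The block below is an added example, not Cartography's sync code: it flattens a constructed record shaped like an EC2 instance description and builds a parameterised `MERGE ... SET n += $props` statement around it. The `lastupdated` property, the label and the separator are assumptions for illustration.

```python
"""Added example: flatten a native cloud resource record into Neo4j-safe properties.

Not Cartography's code. SAMPLE_INSTANCE is a constructed record shaped like one
element of an EC2 DescribeInstances response; the IDs and ARN are invented.
"""
import json
import re
from typing import Any, Dict, Tuple

SCALARS = (str, int, float, bool)
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # labels/keys we will splice into Cypher text

SAMPLE_INSTANCE: Dict[str, Any] = {
    "InstanceId": "i-0123456789abcdef0",
    "State": {"Code": 16, "Name": "running"},
    "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/web"},
    "SecurityGroups": [{"GroupId": "sg-aaaa", "GroupName": "web"}],
    "Tags": [{"Key": "env", "Value": "prod"}],
    "PublicIpAddress": None,          # nulls cannot be stored as properties
    "Ipv6Addresses": [],
    "CpuOptions": {"CoreCount": 2, "ThreadsPerCore": 2},
}


def _homogeneous_scalars(values: list) -> bool:
    """True for lists Neo4j can store directly: all scalars of one type."""
    return bool(values) and all(
        isinstance(v, SCALARS) and type(v) is type(values[0]) for v in values
    )


def flatten(value: Any, prefix: str = "", sep: str = "_") -> Dict[str, Any]:
    """Recursively turn nested JSON into a flat {key: scalar-or-list} map.

    - nested dicts become prefixed keys (State.Name -> State_Name)
    - homogeneous scalar lists are kept as lists
    - lists of objects (or mixed lists) are stored as a JSON string so nothing
      is lost and the record can be re-hydrated later
    - None is dropped entirely
    """
    props: Dict[str, Any] = {}
    if isinstance(value, dict):
        for k, v in value.items():
            key = f"{prefix}{sep}{k}" if prefix else str(k)
            props.update(flatten(v, key, sep))
    elif isinstance(value, list):
        if not value or _homogeneous_scalars(value):
            props[prefix] = list(value)
        else:
            props[prefix] = json.dumps(value, sort_keys=True)
    elif value is None:
        pass
    elif isinstance(value, SCALARS):
        props[prefix] = value
    else:
        props[prefix] = str(value)
    return props


def merge_statement(label: str, id_prop: str, resource: Dict[str, Any],
                    update_tag: int, sep: str = "_") -> Tuple[str, Dict[str, Any]]:
    """Build a parameterised MERGE for one resource.

    Only the label and id property name are interpolated into the query text,
    and both are validated as plain identifiers first; every value travels as
    a query parameter, so provider-supplied strings never reach the Cypher parser.
    """
    if not _IDENT.match(label) or not _IDENT.match(id_prop):
        raise ValueError("label and id_prop must be plain identifiers")
    props = flatten(resource, sep=sep)
    if id_prop not in props:
        raise KeyError(f"resource has no {id_prop}")
    query = (
        f"MERGE (n:{label} {{{id_prop}: $id}}) "
        "SET n += $props, n.lastupdated = $update_tag"  # assumed bookkeeping property
    )
    return query, {"id": props[id_prop], "props": props, "update_tag": update_tag}


if __name__ == "__main__":
    q, params = merge_statement("EC2Instance", "InstanceId", SAMPLE_INSTANCE, 1700000000)
    print(q)
    print(json.dumps(params, indent=2))
```

Using `SET n += $props` means the graph keeps up with new fields the provider adds without a schema change on the ingest side; the trade-off is that anything stored as a JSON string (the `Tags` and `SecurityGroups` here) is opaque to Cypher until it is promoted to real nodes and edges, which is exactly the part worth doing deliberately for the relationships you query on.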
Since there are only 3 edge types, wouldn't it make sense to use some kind of iconography (thickness, color, dashedness, etc.) to distinguish between the permissions granted by the edge? 'CAN_WRITE' introduces a lot of clutter.
We actually don't write any UI code - we only define the graph schema and write the sync modules. The UI shown is from the standard Neo4j web interface. There are a bunch of other frontends for Neo4j that can do the differentiation you're describing.
Neo4J can change the color or thickness in the UI, however the datastore does not allow Cartography to set that ahead of time. The relationships like CAN_WRITE can be named whatever you like and set to whatever permissions you care about in your service.
Does anyone know whether Lyft has been able to use this to automatically target and execute offensive attacks through end objectives (e.g. pivoting through graph)?
I love that you're thinking of this. It'd be straightforward to build an orchestrator around this graph to perform automated pen-tests - like if an EC2 instance is compromised, the attacker can dump instance metadata (creds) and assume the IAM role that the instance runs as, and then from there potentially pivot to others and repeat. It'd be great as a pen-tester to be able to click on a graph node and say "give me a shell here" and then be dropped right in.
gbrindisi|5 years ago
At the time Cartography support for GCP was lacking, so we just ingested Cloud Asset Inventory data in neo4j.
If you are on GCP I highly suggest using CAI as a backbone for IAM security controls: hands down the best service on the platform for security teams.
alexchantavy|5 years ago
js2|5 years ago
- https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-po...
- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQS...
alexchantavy|5 years ago
nunez|5 years ago
While you _can_ do it with the Azure REST API (and their various SDKs that leverage it), the easiest way to do it is via `az graph query` in the Azure CLI.
Here's the link to documentation describing how to do this since it's insanely hard to find: https://docs.microsoft.com/en-us/azure/governance/resource-g...
That said, Cartography looks awesome and is probably better to use anyway. Awesome stuff, Lyft!
motohagiography|5 years ago
withinboredom|5 years ago
My new phrase when I write anything resembling complicated.
bigyikes|5 years ago
declank|5 years ago
divbzero|5 years ago
NikolaeVarius|5 years ago
https://github.com/lyft/cartography.
bennofs|5 years ago
alexchantavy|5 years ago
jagged-chisel|5 years ago
ellisv|5 years ago
lstamour|5 years ago
ProAm|5 years ago
jcims|5 years ago
alexchantavy|5 years ago
- https://www.marcolancini.it/2020/blog-mapping-moving-clouds-...
- https://www.marcolancini.it/2020/blog-tracking-moving-clouds...
convolvatron|5 years ago
alexchantavy|5 years ago
SecPrez|5 years ago
ncc-erik|5 years ago
curquantcat|5 years ago
alexchantavy|5 years ago
shard972|5 years ago
[deleted]