IAM whatever you say IAM

Author: alexchantavy

Score: 68

Comments: 28

Date: 2020-11-05 19:07:30


________________________________________________________________________________

gbrindisi wrote at 2020-11-05 21:09:01:

Regarding inventorization of assets: my team also did the same at Spotify last year for Google Cloud Platform.

https://engineering.atspotify.com/2019/06/04/painting-a-pict...

At the time Cartography support for GCP was lacking, so we just ingested Cloud Asset Inventory data in neo4j.

If you are on GCP I highly suggest using CAI as a backbone for IAM security controls: hands down the best service on the platform for security teams.

alexchantavy wrote at 2020-11-05 21:21:28:

Thanks for sharing! We investigated using CAI last year in Cartography but decided against that and to be honest I can't quite remember why. It might have been something about required permissions, or it might have simply been me not understanding GCP well enough.

It might be time to revisit that decision now though: it would be neat to have your CAI ingestion logic in Cartography :-)

gbrindisi wrote at 2020-11-05 21:39:15:

Hey! I strongly suggest using CAI rather than the GCP APIs; it simplifies data collection a lot and you won’t hit a roadblock with quotas and hidden quotas.

Pulling data from the APIs won’t scale, and it’s the exact reason why we migrated off Forseti (forsetisecurity.org), which we helped build in the first place.

Feel free to ping me if you want more details, my contact is in my profile.

js2 wrote at 2020-11-05 23:39:45:

Resources can also have policies applied to them directly that restrict access. This tool doesn't seem to address that? e.g.

- https://docs.aws.amazon.com/AmazonS3/latest/dev/using-iam-po...
- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQS...

alexchantavy wrote at 2020-11-06 01:07:20:

Good catch! We currently don't have resource policies but will add them in the future.
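The gap js2 points out is easy to see in code. The following is an added example, not Cartography's own code: a deliberately simplified Python model of how AWS combines an identity-based policy with a resource-based policy (a bucket policy) for a same-account principal. It implements only the documented core rule, an explicit Deny anywhere wins and otherwise either policy may grant the Allow; conditions, NotAction/NotResource, SCPs, permission boundaries and cross-account rules are assumed out of scope, and the role ARNs, bucket and the 123456789012 account id are constructed sample values.

```python
"""Simplified identity-policy + resource-policy evaluation (added example).

Assumptions: same-account principal, no Condition blocks, no NotAction or
NotResource, no SCPs or permission boundaries. Only '*' and '?' wildcards
are honoured, as in IAM Action/Resource matching.
"""
from fnmatch import fnmatchcase

# Constructed sample values (123456789012 is the usual placeholder account id).
ANALYST = "arn:aws:iam::123456789012:role/analyst"
AUDITOR = "arn:aws:iam::123456789012:role/auditor"
OBJ = "arn:aws:s3:::data-bucket/report.csv"

# Identity-based policy attached to the analyst role: full S3 access to the bucket.
# A graph built from identity policies alone would draw CAN_WRITE here.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::data-bucket/*"},
    ],
}

# Resource-based (bucket) policy: forbids writes by the analyst, and grants
# reads to the auditor role, which has no identity policy at all.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": ANALYST},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::data-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": AUDITOR},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, principal_arn, action, resource_arn):
    """True if the statement's Action, Resource and (if present) Principal match."""
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", ["*"]))):
        return False
    if "Principal" not in stmt:      # identity policies carry no Principal element
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return any(fnmatchcase(principal_arn, p) for p in allowed)


def evaluate(identity_policy, resource_policy, principal_arn, action, resource_arn):
    """Return 'Allow' or 'Deny' for one request under the simplified rules."""
    decision = "Deny"                       # implicit deny until something allows
    for policy in (identity_policy, resource_policy):
        if policy is None:
            continue
        for stmt in _as_list(policy.get("Statement", [])):
            if not _statement_applies(stmt, principal_arn, action, resource_arn):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"               # an explicit deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for action in ("s3:GetObject", "s3:PutObject"):
        print(f"analyst {action}: identity only ->",
              evaluate(IDENTITY_POLICY, None, ANALYST, action, OBJ),
              "| with bucket policy ->",
              evaluate(IDENTITY_POLICY, BUCKET_POLICY, ANALYST, action, OBJ))
```

The two interesting rows are the ones a graph built only from identity policies gets wrong: the analyst's PutObject flips from Allow to Deny once the bucket policy is considered, and the auditor can read the object despite having no identity policy at all. Both edges would need resource-policy data before a CAN_WRITE or CAN_READ relationship in the graph can be trusted.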

nunez wrote at 2020-11-05 22:29:04:

I am not a fan of Azure (and am DEFINITELY not a fan of their RBAC/auth model), but graphing and querying one's entire set of resources is one thing they got right. One can run a Kusto query against Azure AD to obtain the same information.

While you _can_ do it with the Azure REST API (and their various SDKs that leverage it), the easiest way to do it is via `az graph query` in the Azure CLI.

Here's the link to documentation describing how to do this since it's insanely hard to find:

https://docs.microsoft.com/en-us/azure/governance/resource-g...

That said, Cartography looks awesome and is probably better to use anyway. Awesome stuff, Lyft!

motohagiography wrote at 2020-11-05 20:29:03:

I've developed a few different security graphs also using Neo, and I wasn't aware of Cartography - well done!

You can encode entire policy DSLs in graphs, and I can foresee a graph replacement for UMA/XACML emerging organically. Add DLT concepts to it, and it's a huge deal, imo.

withinboredom wrote at 2020-11-05 22:47:18:

If you stare at the query long enough

My new phrase when I write anything resembling complicated.

bigyikes wrote at 2020-11-05 23:13:09:

I definitely picked this one up from math professors talking about proofs

declank wrote at 2020-11-05 21:11:54:

An Eminem lyric becomes a tech article headline.

divbzero wrote at 2020-11-05 22:08:15:

If I wasn’t, then why would I say IAM?

ellisv wrote at 2020-11-06 03:50:55:

In the paper, the hacker news, every day I am

NikolaeVarius wrote at 2020-11-05 20:00:12:

Don't you just love it when the URL includes the period of the sentence it's in?

https://github.com/lyft/cartography

.

bennofs wrote at 2020-11-05 20:16:32:

I have started to write links like this as a caution against this:

https://github.com/lyft/cartography#

.

For most sites, the trailing point at the end then doesn't make a difference. Doesn't look clean but works well.

mdaniel wrote at 2020-11-05 22:03:18:

For github links specifically, tacking #readme on the end is actually a much better user experience since it jumps right to the "what is this repo" section, if it has one. I do recognize, however, in _this_ context it puts one back in a mildly bad place since "#readme." will not do exactly what is intended, but it will still take one to the repo in question

alexchantavy wrote at 2020-11-05 21:40:13:

Thanks for catching that broken link toward the end of the article, I think I fixed it. Medium's formatting is weird.

jagged-chisel wrote at 2020-11-05 20:12:14:

The two links to it at the top of the article don't have this problem.

ellisv wrote at 2020-11-06 03:56:09:

Now that we have enriched the IAM data in the graph, we can use Cartography’s Drift Detection feature to let us know via Slack alerts whenever the list of Redshift admins changes, and that we should investigate why this list changed.

This seems wrong. I wouldn’t call changes in the Redshift admins list “data drift” and seems rather deterministic.

lstamour wrote at 2020-11-05 22:46:14:

Hey Lyft folks, any thought to experimenting with the usability of the graph data in Cartography (as shown) vs putting the same data in a DSM?

https://en.m.wikipedia.org/wiki/Design_structure_matrix

I can imagine buckets or nested buckets as rows, policies, groups or users as columns, just as one way of viewing it. Alternative graphing tools such as Sourcetrail for source code also come to mind, as a way to merge policy source code with a graph view, for example.

ProAm wrote at 2020-11-05 19:56:34:

Has anyone used this outside of Lyft? I like the idea of it but would like real use case experiences before I invest time in it.

jcims wrote at 2020-11-05 22:41:02:

I've used it a few times but haven't put it into any production use. It's super easy to kick the tires on. Installing Neo4j is the hardest part, but you can skip that by using one of their free sandboxes here:

https://neo4j.com/sandbox/

Cartography has some good ideas in there. For our case I am looking at an event-driven model where the graph is continually updated as the environment changes. Then I can hook those changes to do targeted analysis as needed. I know HN loves to poo on serverless but the event-driven approach would be quite compatible with that as well.

For me the biggest challenge with any of this is trying to map the native data models of the cloud provider to something that is compatible with the simplistic property support in most graph databases (including Neo4j). Things move too quickly to be constantly mapping the schema from provider to the graph, I'd much rather have a system where I can just plop the native content and iterate on that.
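The property limitation jcims describes is concrete: Neo4j stores node properties only as primitives or as arrays whose elements all share one primitive type, and rejects nested maps. The following is an added example, not Cartography's code, of the "plop the native content in" approach: it flattens a nested cloud resource document into dotted property names, promotes AWS-style tag lists to indexable properties, keeps homogeneous scalar lists as arrays, and serialises anything else to a JSON string rather than dropping it. The instance document is constructed sample input; the dotted-key and `Tags.<key>` conventions are this example's own choices.

```python
"""Flatten a nested resource document into Neo4j-safe properties (added example).

Rules applied here (assumptions, not a Neo4j or Cartography convention):
  * nested maps become dotted keys ("State.Name")
  * AWS-style tag lists become "Tags.<Key>" = <Value>
  * homogeneous scalar lists are kept as arrays
  * any other list is stored as a JSON string so the native content survives
  * None is dropped, since setting a Neo4j property to null removes it
"""
import json

SCALAR_TYPES = (str, int, float, bool)


def _homogeneous_scalar_list(values):
    """Neo4j accepts an array only when every element has the same primitive type."""
    if not values:
        return True
    first = type(values[0])
    return first in SCALAR_TYPES and all(type(v) is first for v in values)


def _is_tag_list(values):
    """AWS-style tag list: [{"Key": ..., "Value": ...}, ...]."""
    return bool(values) and all(
        isinstance(v, dict) and set(v) == {"Key", "Value"} for v in values
    )


def flatten(doc, prefix="", sep="."):
    """Return a flat dict of property name -> Neo4j-storable value."""
    out = {}
    for key, value in doc.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if value is None:
            continue
        if isinstance(value, dict):
            out.update(flatten(value, name, sep))
        elif isinstance(value, list) and _is_tag_list(value):
            for tag in value:
                out[f"{name}{sep}{tag['Key']}"] = tag["Value"]
        elif isinstance(value, list) and _homogeneous_scalar_list(value):
            out[name] = list(value)
        elif isinstance(value, list):
            out[name] = json.dumps(value, sort_keys=True)
        else:
            out[name] = value
    return out


# Constructed sample: a trimmed EC2 DescribeInstances-style record.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "State": {"Code": 16, "Name": "running"},
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/web",
        "Id": "AIPAEXAMPLEID",
    },
    "SecurityGroups": [
        {"GroupId": "sg-1", "GroupName": "web"},
        {"GroupId": "sg-2", "GroupName": "ssh"},
    ],
    "Tags": [{"Key": "env", "Value": "prod"}, {"Key": "team", "Value": "data"}],
    "ProductCodes": [],
    "KernelId": None,
}


if __name__ == "__main__":
    for k, v in flatten(SAMPLE_INSTANCE).items():
        print(f"{k!s:32} {v!r}")
```

With the flat map in hand, a single `MERGE (n:EC2Instance {InstanceId: $props.InstanceId}) SET n += $props` with `props` as the query parameter loads the node without any per-field schema; the cost, which jcims alludes to, is that fields such as `SecurityGroups` are now opaque strings, so queries that need to join on them still require a deliberate mapping step (or a later pass that unpacks the JSON into related nodes).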

alexchantavy wrote at 2020-11-05 20:10:40:

You might be interested in these posts from one of our co-maintainers:

- https://www.marcolancini.it/2020/blog-mapping-moving-clouds-...
- https://www.marcolancini.it/2020/blog-tracking-moving-clouds...

ncc-erik wrote at 2020-11-05 21:34:35:

Thanks for the PMapper shoutout!

convolvatron wrote at 2020-11-05 20:04:42:

Since there are only 3 edge types, wouldn't it make sense to use some kind of iconography (thickness, color, dashedness, etc.) to distinguish between the permissions granted by the edge? 'CAN_WRITE' introduces a lot of clutter.

alexchantavy wrote at 2020-11-05 20:14:21:

We actually don't write any UI code - we only define the graph schema and write the sync modules. The UI shown is from the standard Neo4j web interface. There are a bunch of other frontends for Neo4j that can do the differentiation you're describing.

SecPrez wrote at 2020-11-05 20:12:46:

Neo4J can change the color or thickness in the UI; however, the datastore does not allow Cartography to set that ahead of time. The relationships like CAN_WRITE can be named whatever you like and set to whatever permissions you care about in your service.

curquantcat wrote at 2020-11-06 03:20:24:

Does anyone know whether Lyft has been able to use this to automatically target and execute offensive attacks through end objectives (e.g. pivoting through graph)?

alexchantavy wrote at 2020-11-06 04:13:34:

I love that you're thinking of this. It'd be straightforward to build an orchestrator around this graph to perform automated pen-tests - like if an EC2 instance is compromised, the attacker can dump instance metadata (creds) and assume the IAM role that the instance runs as, and then from there potentially pivot to others and repeat. It'd be great as a pen-tester to be able to click on a graph node and say "give me a shell here" and then be dropped right in.

shard972 wrote at 2020-11-06 04:11:40:

Blocked by cloudflare?