AWS SSO Identity Store records not currently read #990
Comments
I've done some more looking at this. In our environment, AAD users are members of AAD groups that are assigned to an AWS role based on an inline policy. I don't see how to unveil an inline policy associated with a group.

I would love it if the tool pulled in IAM Identity Center groups. Maybe one workaround could be to perform analysis on the roles that AWS creates under the hood for you, a la

Somewhat related, but we now map AWS SSO roles to Okta groups after #1307.
**Summary**

Mapped in [AWS Identity Center](https://aws.amazon.com/iam/identity-center/) and the access it provides to AWS accounts.

New Nodes:
- (AWSIdentityCenter)
- (AWSPermissionSet)
- (AWSSSOUser)

New Relationships:
- (AWSAccount)-[RESOURCE]->(AWSIdentityCenter)
- (AWSIdentityCenter)-[HAS_PERMISSION_SET]->(AWSPermissionSet)
- (AWSSSOUser)<-[ALLOWED_BY]-(AWSRole)
- (OktaUser)<-[CAN_ASSUME_IDENTITY]-(AWSSSOUser)
- (AWSPermissionSet)-[ASSIGNED_TO_ROLE]->(AWSRole)

![image](https://github.com/user-attachments/assets/e0e6c746-8ef6-4c89-b08a-d5192277fbda)
![image](https://github.com/user-attachments/assets/6ec645b8-6157-4001-b6f6-f44dbc3df2cc)

**Console Trace**

```
INFO:cartography.intel.aws.identitycenter:Syncing Identity Center instances for region us-east-1
INFO:cartography.intel.aws.identitycenter:Loading 1 Identity Center instances for region us-east-1
INFO:cartography.intel.aws.identitycenter:Loading 32 permission sets for instance arn:aws:sso:::instance/ssoins-72237a0dcb8c6df7 in region us-east-1
INFO:cartography.intel.aws.identitycenter:Loading 777 permission set role assignments
INFO:cartography.intel.aws.identitycenter:Loading 803 SSO users for identity store d-906747a0b9 in region us-east-1
INFO:cartography.intel.aws.identitycenter:Getting role assignments for 803 users
INFO:cartography.intel.aws.identitycenter:Loading 24292 role assignments
INFO:cartography.intel.aws.identitycenter:Syncing Identity Center instances for region us-east-2
INFO:cartography.intel.aws.identitycenter:Loading 0 Identity Center instances for region us-east-2
INFO:cartography.intel.aws.identitycenter:Syncing Identity Center instances for region us-west-1
INFO:cartography.intel.aws.identitycenter:Loading 0 Identity Center instances for region us-west-1
INFO:cartography.intel.aws.identitycenter:Syncing Identity Center instances for region us-west-2
INFO:cartography.intel.aws.identitycenter:Loading 0 Identity Center instances for region us-west-2
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #1
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #2
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #3
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #4
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #5
INFO:cartography.graph.statement:Completed aws_import_identity_center_cleanup statement #6
```

**Related issues or links**

Fixes #990

Checklist

Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:
- [x] Update/add unit or integration tests.
- [x] Include a screenshot showing what the graph looked like before and after your changes.
- [x] Include console log trace showing what happened before and after your changes.

If you are changing a node or relationship:
- [x] Update the [schema](https://github.com/lyft/cartography/tree/master/docs/root/modules) and [readme](https://github.com/lyft/cartography/blob/master/docs/schema/README.md).

If you are implementing a new intel module:
- [x] Use the NodeSchema [data model](https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html#defining-a-node).
Discussed in #930
Originally posted by jcmadick September 9, 2022
AWS has released an update to AWS SSO (now IAM Identity Center) that exposes access to users using SSO for AWS access.
https://docs.aws.amazon.com/singlesignon/latest/userguide/identities.html
These users and groups are not included in the normal AWS Security Audit permissions and are not pulled through the current cartography code. In my case, most of the relationships I'm interested in analyzing are tied to the SSO users and groups. I have pulled a list of users and a list of groups from our AWS SSO. I do not see anything in the fields to create or tie relationships. I've attached a sanitized copy of a user record and a group record.

I had to have permissions added to my sp to allow read access to users and groups in the identity store (unique from the normal identity store). From the AWS CLI, the command is `aws identitystore list-users --identity-store-id d-*******`. There are other list options, including groups and group membership.

I don't think integrating the pulls would be a challenge, but finding the relationships is where I'm having challenges.

Attachments:
- AWS_SSO_Group_json.txt
- AWS_SSO_User_json.txt
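The user and group records alone carry no relationship fields; the link to an account and a permission set (which the merged PR above models as the AWSSSOUser to AWSRole edge) only appears in the account assignments, and group assignments have to be expanded through group membership. The following is an added illustration, not cartography's code: the records are constructed samples shaped like the responses of `identitystore` ListUsers / ListGroups / ListGroupMemberships and `sso-admin` ListAccountAssignments, with placeholder IDs, and `resolve_effective_access` is a hypothetical helper that joins them offline.

```python
from collections import defaultdict

# Constructed sample records (placeholder IDs), shaped like the API responses
# of identitystore ListUsers / ListGroups / ListGroupMemberships and
# sso-admin ListAccountAssignments. No AWS calls are made here.
USERS = [
    {"UserId": "u-alice", "UserName": "alice@example.com"},
    {"UserId": "u-bob", "UserName": "bob@example.com"},
]
GROUPS = [{"GroupId": "g-admins", "DisplayName": "cloud-admins"}]
MEMBERSHIPS = [
    {"MembershipId": "m-1", "GroupId": "g-admins", "MemberId": {"UserId": "u-alice"}},
]
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-admin"
PS_READONLY = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-readonly"
ASSIGNMENTS = [
    # Group-level assignment: every member of cloud-admins gets ps-admin in account 111...
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN,
     "PrincipalType": "GROUP", "PrincipalId": "g-admins"},
    # Direct user-level assignment for bob in account 222...
    {"AccountId": "222222222222", "PermissionSetArn": PS_READONLY,
     "PrincipalType": "USER", "PrincipalId": "u-bob"},
]


def resolve_effective_access(users, groups, memberships, assignments):
    """Return {user_name: {(account_id, permission_set_arn), ...}}.

    Group assignments are expanded through group membership so that the
    effective user -> (account, permission set) edge becomes explicit.
    Assignments to unknown principals, and memberships of unknown users
    or groups (e.g. deleted objects), are ignored rather than guessed."""
    name_of = {u["UserId"]: u["UserName"] for u in users}
    known_groups = {g["GroupId"] for g in groups}
    members_of = defaultdict(set)
    for m in memberships:
        if m["GroupId"] in known_groups:
            members_of[m["GroupId"]].add(m["MemberId"]["UserId"])
    access = defaultdict(set)
    for a in assignments:
        edge = (a["AccountId"], a["PermissionSetArn"])
        if a["PrincipalType"] == "USER":
            principals = {a["PrincipalId"]}
        elif a["PrincipalType"] == "GROUP":
            principals = members_of.get(a["PrincipalId"], set())
        else:
            continue  # unexpected principal type: skip, do not invent an edge
        for uid in principals:
            if uid in name_of:  # dangling user ids are dropped
                access[name_of[uid]].add(edge)
    return dict(access)
```

In a real sync the same join runs over paginated API output; the point here is that the edge lives in the assignment plus membership data, not in the user or group record itself.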