-
Notifications
You must be signed in to change notification settings - Fork 340
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding support for determining the last used date of an access keys #1101
base: master
Are you sure you want to change the base?
Changes from all commits
9b50e35
bce38a9
27bbc25
bc585c5
ed8d4af
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -1,8 +1,10 @@ | ||||||||||||||||
{ | ||||||||||||||||
"statements": [{ | ||||||||||||||||
"query": "MATCH (n:AccountAccessKey)<-[:AWS_ACCESS_KEY]-(:AWSUser)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ID}) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)", | ||||||||||||||||
"iterative": true, | ||||||||||||||||
"iterationsize": 100 | ||||||||||||||||
}], | ||||||||||||||||
"name": "cleanup AccountAccessKey" | ||||||||||||||||
"statements": [ | ||||||||||||||||
{ | ||||||||||||||||
"query": "MATCH (n:UserAccessKey)<-[:AWS_ACCESS_KEY]-(:AWSUser)<-[:RESOURCE]-(:AWSAccount{id: $AWS_ID}) WHERE n.lastupdated <> $UPDATE_TAG WITH n LIMIT $LIMIT_SIZE DETACH DELETE (n)", | ||||||||||||||||
"iterative": true, | ||||||||||||||||
"iterationsize": 100 | ||||||||||||||||
} | ||||||||||||||||
], | ||||||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. cleanup the relationship as well
Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. not really sure what the changes being outlined here are There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is just the standard for cartography.
This shouldn't really be needed for access keys, since a given access key should only ever relate to one user in its lifetime. But you never know. |
||||||||||||||||
"name": "cleanup UserAccessKey" | ||||||||||||||||
} |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -227,6 +227,18 @@ def get_account_access_key_data(boto3_session: boto3.session.Session, username: | |||||
logger.warning( | ||||||
f"Could not get access key for user {username} due to NoSuchEntityException; skipping.", | ||||||
) | ||||||
# We add Last Used data to each access key | ||||||
access_keys_metadata = access_keys['AccessKeyMetadata'] | ||||||
for access_key in access_keys_metadata: | ||||||
access_key_id = access_key['AccessKeyId'] | ||||||
last_used_result = client.get_access_key_last_used(AccessKeyId=access_key_id) | ||||||
last_used_info = last_used_result.get( | ||||||
'AccessKeyLastUsed', | ||||||
{"LastUsedDate": None, "LastUsedService": None, "LastUsedRegion": None} | ||||||
) | ||||||
access_key['LastUsedDate'] = last_used_info.get('LastUsedDate', None) | ||||||
access_key['LastUsedService'] = last_used_info.get('ServiceName', None) | ||||||
access_key['LastUsedRegion'] = last_used_info.get('Region', None) | ||||||
return access_keys | ||||||
|
||||||
|
||||||
|
@@ -252,7 +264,7 @@ def load_users( | |||||
ingest_user, | ||||||
ARN=user["Arn"], | ||||||
USERID=user["UserId"], | ||||||
CREATE_DATE=str(user["CreateDate"]), | ||||||
CREATE_DATE=user["CreateDate"], | ||||||
USERNAME=user["UserName"], | ||||||
PATH=user["Path"], | ||||||
PASSWORD_LASTUSED=str(user.get("PasswordLastUsed", "")), | ||||||
|
@@ -281,7 +293,7 @@ def load_groups( | |||||
ingest_group, | ||||||
ARN=group["Arn"], | ||||||
GROUP_ID=group["GroupId"], | ||||||
CREATE_DATE=str(group["CreateDate"]), | ||||||
CREATE_DATE=group["CreateDate"], | ||||||
GROUP_NAME=group["GroupName"], | ||||||
PATH=group["Path"], | ||||||
AWS_ACCOUNT_ID=current_aws_account_id, | ||||||
|
@@ -358,7 +370,7 @@ def load_roles( | |||||
ingest_role, | ||||||
Arn=role["Arn"], | ||||||
RoleId=role["RoleId"], | ||||||
CreateDate=str(role["CreateDate"]), | ||||||
CreateDate=role["CreateDate"], | ||||||
RoleName=role["RoleName"], | ||||||
Path=role["Path"], | ||||||
AWS_ACCOUNT_ID=current_aws_account_id, | ||||||
|
@@ -480,13 +492,17 @@ def sync_assumerole_relationships( | |||||
|
||||||
@timeit | ||||||
def load_user_access_keys(neo4j_session: neo4j.Session, user_access_keys: Dict, aws_update_tag: int) -> None: | ||||||
# TODO change the node label to reflect that this is a user access key, not an account access key | ||||||
ingest_account_key = """ | ||||||
ingest_user_key = """ | ||||||
MATCH (user:AWSUser{arn: $UserARN}) | ||||||
WITH user | ||||||
MERGE (key:AccountAccessKey{accesskeyid: $AccessKeyId}) | ||||||
MERGE (key:UserAccessKey{accesskeyid: $AccessKeyId}) | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
ON CREATE SET key.firstseen = timestamp(), key.createdate = $CreateDate | ||||||
SET key.status = $Status, key.lastupdated = $aws_update_tag | ||||||
SET | ||||||
key.status = $Status, | ||||||
key.lastuseddate = $LastUsedDate, | ||||||
key.lastusedservice = $LastUsedService, | ||||||
key.lastusedregion = $LastUsedRegion, | ||||||
key.lastupdated = $aws_update_tag | ||||||
WITH user,key | ||||||
MERGE (user)-[r:AWS_ACCESS_KEY]->(key) | ||||||
ON CREATE SET r.firstseen = timestamp() | ||||||
|
@@ -497,11 +513,14 @@ def load_user_access_keys(neo4j_session: neo4j.Session, user_access_keys: Dict, | |||||
for key in access_keys["AccessKeyMetadata"]: | ||||||
if key.get('AccessKeyId'): | ||||||
neo4j_session.run( | ||||||
ingest_account_key, | ||||||
ingest_user_key, | ||||||
UserARN=arn, | ||||||
AccessKeyId=key['AccessKeyId'], | ||||||
CreateDate=str(key['CreateDate']), | ||||||
CreateDate=key['CreateDate'], | ||||||
Status=key['Status'], | ||||||
LastUsedDate=key['LastUsedDate'], | ||||||
LastUsedService=key['LastUsedService'], | ||||||
LastUsedRegion=key['LastUsedRegion'], | ||||||
aws_update_tag=aws_update_tag, | ||||||
) | ||||||
|
||||||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add an additional property
id
, which is will be equivalent to accesskeyidThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this might be on a previous version of the code - as it currently stands the following is the code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is what I mean, along with another suggestion below upon MERGE