in cartography/intel/aws/iam.py [0:0]
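def load_roles(session, roles, current_aws_account_id, aws_update_tag):
    """Load IAM roles and the principals their trust policies allow into the graph.

    For each role a ``(:AWSRole:AWSPrincipal)`` node is MERGEd on ``arn`` and
    attached to the owning ``:AWSAccount`` with an ``AWS_ROLE`` edge. Every
    principal named in an ``Allow`` statement of the role's trust policy
    (``AssumeRolePolicyDocument``) is MERGEd as an ``:AWSPrincipal`` and linked
    from the role with ``TRUSTS_AWS_PRINCIPAL``. All values reach Cypher as
    query parameters (``{Arn}`` style), never by string interpolation.

    Args:
        session: Neo4j session; only ``session.run(query, **params)`` is used.
        roles: Iterable of IAM role dicts (``Arn``, ``RoleId``, ``CreateDate``,
            ``RoleName``, ``Path``, ``AssumeRolePolicyDocument``). ``CreateDate``
            is stored via ``str()``.
        current_aws_account_id: Id of the account that owns the roles. The
            ``:AWSAccount`` node is MATCHed, not MERGEd, so if it does not exist
            yet the ``AWS_ROLE`` edge is silently not created.
        aws_update_tag: Sync tag written to ``lastupdated`` on every node and
            edge touched; the cleanup job keys off it.

    Security caveats of the resulting graph:
        * ``Condition`` blocks are not inspected (the TODO below), so an edge is
          created even when assumption is gated by ``sts:ExternalId``, a
          SAML/OIDC audience, MFA, source ARN, etc. ``TRUSTS_AWS_PRINCIPAL``
          therefore OVER-approximates who can really assume the role.
        * ``Effect: Deny`` statements are skipped rather than modelled; a Deny
          overriding an Allow for the same principal is not reflected.
        * A wildcard principal (``"Principal": "*"`` or ``{"AWS": "*"}``) is
          recorded as an ``:AWSPrincipal`` with ``arn = "*"`` so it can be
          queried for; any AWS account may attempt to assume such a role.
        * ``Service`` and ``Federated`` identifiers (e.g. ``ec2.amazonaws.com``
          or an identity-provider ARN) share the ``arn`` property with real
          ARNs and are distinguished only by ``type``.
    """
    ingest_role = """
    MERGE (rnode:AWSRole{arn: {Arn}})
    ON CREATE SET rnode:AWSPrincipal, rnode.roleid = {RoleId}, rnode.firstseen = timestamp(),
    rnode.createdate = {CreateDate}
    ON MATCH SET rnode.name = {RoleName}, rnode.path = {Path}
    SET rnode.lastupdated = {aws_update_tag}
    WITH rnode
    MATCH (aa:AWSAccount{id: {AWS_ACCOUNT_ID}})
    MERGE (aa)-[r:AWS_ROLE]->(rnode)
    ON CREATE SET r.firstseen = timestamp()
    SET r.lastupdated = {aws_update_tag}
    """
    ingest_policy_statement = """
    MERGE (spnnode:AWSPrincipal{arn: {SpnArn}})
    ON CREATE SET spnnode.firstseen = timestamp()
    SET spnnode.lastupdated = {aws_update_tag}, spnnode.type = {SpnType}
    WITH spnnode
    MATCH (role:AWSRole{arn: {RoleArn}})
    MERGE (role)-[r:TRUSTS_AWS_PRINCIPAL]->(spnnode)
    ON CREATE SET r.firstseen = timestamp()
    SET r.lastupdated = {aws_update_tag}
    """
    # TODO support conditions: until then every trust edge is unconditional
    # (see the docstring caveats).
    for role in roles:
        session.run(
            ingest_role,
            Arn=role["Arn"],
            RoleId=role["RoleId"],
            CreateDate=str(role["CreateDate"]),
            RoleName=role["RoleName"],
            Path=role["Path"],
            AWS_ACCOUNT_ID=current_aws_account_id,
            aws_update_tag=aws_update_tag
        )
        for principal_type, principal_value in _trusted_principals(role["AssumeRolePolicyDocument"]):
            session.run(
                ingest_policy_statement,
                SpnArn=principal_value,
                SpnType=principal_type,
                RoleArn=role['Arn'],
                aws_update_tag=aws_update_tag
            )


def _trusted_principals(policy_document):
    """Yield ``(type, value)`` for every principal a trust policy allows to assume the role.

    Accepts the shapes IAM actually hands back: ``Statement`` as a single object
    or a list; ``Principal`` as the bare string ``"*"`` or a dict whose values
    are a string or a list; more than one principal key (``AWS``, ``Service``,
    ``Federated``) in a single statement. Explicit ``Deny`` statements and
    statements without a ``Principal`` key (e.g. ``NotPrincipal``) yield nothing.
    ``Condition`` is deliberately not examined.

    Args:
        policy_document: Parsed ``AssumeRolePolicyDocument`` dict.
    """
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        # A policy with one statement may carry it as a bare object.
        statements = [statements]
    for statement in statements:
        # A Deny never grants trust; recording it as TRUSTS_AWS_PRINCIPAL would
        # invert its meaning. Deny-overrides-Allow is not modelled here.
        if statement.get("Effect") == "Deny":
            continue
        principal = statement.get("Principal")
        if principal == "*":
            # "Principal": "*" is the anonymous/wildcard form equivalent to
            # {"AWS": "*"}; keep it visible in the graph under that type.
            yield 'AWS', '*'
            continue
        if not isinstance(principal, dict):
            # NotPrincipal, or a shape we do not understand: skip rather than crash.
            continue
        for principal_type in ('AWS', 'Service', 'Federated'):
            if principal_type not in principal:
                continue
            values = principal[principal_type]
            if not isinstance(values, list):
                values = [values]
            for value in values:
                yield principal_type, value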