Add support for AWS EC2 Network ACLs #1386

Merged
merged 5 commits into from
Nov 18, 2024
linter
Signed-off-by: Alex Chantavy <achantavy@lyft.com>
Alex Chantavy committed Nov 16, 2024
commit f202f81c8fe534e92a3e487b9342a90c83bad6db
12 changes: 4 additions & 8 deletions cartography/intel/aws/ec2/network_acls.py
@@ -1,22 +1,17 @@
import logging
import re
from collections import namedtuple
from typing import Any
from typing import Dict
from typing import List

import boto3
import neo4j

from cartography.models.aws.ec2.network_acl_rules import EC2NetworkAclInboundRuleSchema, EC2NetworkAclEgressRuleSchema
from cartography.models.aws.ec2.network_acls import EC2NetworkAclSchema
from .util import get_botocore_config
from cartography.client.core.tx import load
from cartography.graph.job import GraphJob
from cartography.models.aws.ec2.networkinterfaces import EC2NetworkInterfaceSchema
from cartography.models.aws.ec2.privateip_networkinterface import EC2PrivateIpNetworkInterfaceSchema
from cartography.models.aws.ec2.securitygroup_networkinterface import EC2SecurityGroupNetworkInterfaceSchema
from cartography.models.aws.ec2.subnet_networkinterface import EC2SubnetNetworkInterfaceSchema
from cartography.models.aws.ec2.network_acl_rules import EC2NetworkAclEgressRuleSchema
from cartography.models.aws.ec2.network_acl_rules import EC2NetworkAclInboundRuleSchema
from cartography.models.aws.ec2.network_acls import EC2NetworkAclSchema
from cartography.util import aws_handle_regions
from cartography.util import timeit

Expand Down Expand Up @@ -183,6 +178,7 @@ def load_network_acl_egress_rules(
lastupdated=update_tag,
)


@timeit
def cleanup_network_acls(neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]) -> None:
GraphJob.from_node_schema(EC2NetworkAclSchema(), common_job_parameters).run(neo4j_session)
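Review bot: cleanup_network_acls only schedules a cleanup job for EC2NetworkAclSchema, so nodes loaded through EC2NetworkAclInboundRuleSchema and EC2NetworkAclEgressRuleSchema (both imported at the top of this file) appear to have no stale-node removal unless that happens elsewhere in the module, outside this hunk. If it does not, rules deleted in AWS would survive later syncs and the graph would report an allow or deny entry that no longer exists, which misstates the account's network posture. The fix is two more lines mirroring the existing one, `GraphJob.from_node_schema(EC2NetworkAclInboundRuleSchema(), common_job_parameters).run(neo4j_session)` and the same for `EC2NetworkAclEgressRuleSchema()`, with a short comment noting that rule nodes carry their own sub-resource relationship and therefore need their own job. Whether the function body continues past the visible line cannot be told from this hunk.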
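--- a/cartography/models/aws/ec2/network_acl_rules.py
+++ b/cartography/models/aws/ec2/network_acl_rules.py
@@ -1,11 +1,15 @@
 from dataclasses import dataclass
 
-from cartography.models.core.relationships import CartographyRelSchema, TargetNodeMatcher, make_target_node_matcher, \
-LinkDirection, OtherRelationships, CartographyRelProperties
-
 from cartography.models.core.common import PropertyRef
-
-from cartography.models.core.nodes import CartographyNodeProperties, CartographyNodeSchema, ExtraNodeLabels
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
 
 
 @dataclass(frozen=True)
@@ -62,16 +66,17 @@ class EC2NetworkAclInboundRuleSchema(CartographyNodeSchema):
 """
 label: str = 'EC2NetworkAclRule'
 extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(
-['IpPermissionInbound']
+['IpPermissionInbound'],
 )
 properties: EC2NetworkAclRuleNodeProperties = EC2NetworkAclRuleNodeProperties()
 sub_resource_relationship: EC2NetworkAclRuleToAWSAccount = EC2NetworkAclRuleToAWSAccount()
 other_relationships: OtherRelationships = OtherRelationships(
 [
 EC2NetworkAclRuleToAcl(),
-]
+],
 )
 
+
 @dataclass(frozen=True)
 class EC2NetworkAclEgressRuleSchema(CartographyNodeSchema):
 """
@@ -88,5 +93,5 @@ class EC2NetworkAclEgressRuleSchema(CartographyNodeSchema):
 other_relationships: OtherRelationships = OtherRelationships(
 [
 EC2NetworkAclRuleToAcl(),
-]
-)
+],
+)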
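--- a/cartography/models/aws/ec2/network_acls.py
+++ b/cartography/models/aws/ec2/network_acls.py
@@ -1,9 +1,5 @@
 from dataclasses import dataclass
 
-from cartography.models.aws.ec2.networkinterface_instance import EC2NetworkInterfaceToAWSAccount
-from cartography.models.aws.ec2.networkinterface_instance import EC2NetworkInterfaceToEC2Instance
-from cartography.models.aws.ec2.networkinterface_instance import EC2NetworkInterfaceToEC2SecurityGroup
-from cartography.models.aws.ec2.networkinterface_instance import EC2NetworkInterfaceToEC2Subnet
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
@@ -41,6 +37,7 @@ class EC2NetworkAclToVpc(CartographyRelSchema):
 rel_label: str = "MEMBER_OF_AWS_VPC"
 properties: EC2NetworkAclToVpcRelProperties = EC2NetworkAclToVpcRelProperties()
 
+
 @dataclass(frozen=True)
 class EC2NetworkAclToSubnetRelProperties(CartographyRelProperties):
 lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
@@ -85,5 +82,5 @@ class EC2NetworkAclSchema(CartographyNodeSchema):
 [
 EC2NetworkAclToVpc(),
 EC2NetworkAclToSubnet(),
-]
+],
 )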
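--- a/tests/data/aws/ec2/network_acls/instances.py
+++ b/tests/data/aws/ec2/network_acls/instances.py
@@ -16,9 +16,9 @@
 "AttachTime": "2023-08-04 22:31:02+00:00",
 "DeleteOnTermination": True,
 "Status": "attached",
-"VolumeId": "vol-0e4"
-}
-}
+"VolumeId": "vol-0e4",
+},
+},
 ],
 "ClientToken": "b20f8",
 "EbsOptimized": True,
@@ -32,14 +32,14 @@
 "DeleteOnTermination": True,
 "DeviceIndex": 0,
 "Status": "attached",
-"NetworkCardIndex": 0
+"NetworkCardIndex": 0,
 },
 "Description": "",
 "Groups": [
 {
 "GroupId": "sg-0564",
-"GroupName": "group-name-1"
-}
+"GroupName": "group-name-1",
+},
 ],
 "Ipv6Addresses": [],
 "MacAddress": "11:22:33:44:55:66",
@@ -49,89 +49,89 @@
 "PrivateIpAddresses": [
 {
 "Primary": True,
-"PrivateIpAddress": "10.190.1.148"
-}
+"PrivateIpAddress": "10.190.1.148",
+},
 ],
 "SourceDestCheck": True,
 "Status": "in-use",
 "SubnetId": "subnet-0a1a",
 "VpcId": "vpc-0767",
-"InterfaceType": "interface"
-}
+"InterfaceType": "interface",
+},
 ],
 "RootDeviceName": "/dev/xvda",
 "RootDeviceType": "ebs",
 "SecurityGroups": [
 {
 "GroupId": "sg-0564",
-"GroupName": "group-name-1"
-}
+"GroupName": "group-name-1",
+},
 ],
 "SourceDestCheck": True,
 "Tags": [
 {
 "Key": "Name",
-"Value": "prod-tag"
-}
+"Value": "prod-tag",
+},
 ],
 "VirtualizationType": "hvm",
 "CpuOptions": {
 "CoreCount": 1,
-"ThreadsPerCore": 2
+"ThreadsPerCore": 2,
 },
 "CapacityReservationSpecification": {
-"CapacityReservationPreference": "open"
+"CapacityReservationPreference": "open",
 },
 "HibernationOptions": {
-"Configured": False
+"Configured": False,
 },
 "MetadataOptions": {
 "State": "applied",
 "HttpTokens": "optional",
 "HttpPutResponseHopLimit": 1,
 "HttpEndpoint": "enabled",
 "HttpProtocolIpv6": "disabled",
-"InstanceMetadataTags": "disabled"
+"InstanceMetadataTags": "disabled",
 },
 "EnclaveOptions": {
-"Enabled": False
+"Enabled": False,
 },
 "PlatformDetails": "Linux/UNIX",
 "UsageOperation": "RunInstances",
 "UsageOperationUpdateTime": "2023-08-04 22:31:01+00:00",
 "PrivateDnsNameOptions": {
 "HostnameType": "ip-name",
 "EnableResourceNameDnsARecord": False,
-"EnableResourceNameDnsAAAARecord": False
+"EnableResourceNameDnsAAAARecord": False,
 },
 "MaintenanceOptions": {
-"AutoRecovery": "default"
+"AutoRecovery": "default",
 },
 "CurrentInstanceBootMode": "legacy-bios",
 "InstanceId": "i-0ba7",
 "ImageId": "ami-0414",
 "State": {
 "Code": 16,
-"Name": "running"
+"Name": "running",
 },
 "PrivateDnsName": "ip-10-190-1-148.ec2.internal",
 "PublicDnsName": "",
 "StateTransitionReason": "",
 "AmiLaunchIndex": 0,
 "ProductCodes": [],
 "InstanceType": "t3.micro",
-"LaunchTime": datetime.datetime(2023, 8, 4,22, 31, 1, tzinfo=tz.utc),
+"LaunchTime": datetime.datetime(2023, 8, 4, 22, 31, 1, tzinfo=tz.utc),
 "Placement": {
 "GroupName": "",
 "Tenancy": "default",
-"AvailabilityZone": "us-east-1b"
+"AvailabilityZone": "us-east-1b",
 },
 "Monitoring": {
-"State": "disabled"
+"State": "disabled",
 },
 "SubnetId": "subnet-0a1a",
 "VpcId": "vpc-0767",
-"PrivateIpAddress": "10.190.1.148"
-}
-]
+"PrivateIpAddress": "10.190.1.148",
+},
+],
 }]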
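--- a/tests/data/aws/ec2/network_acls/network_acls.py
+++ b/tests/data/aws/ec2/network_acls/network_acls.py
@@ -4,53 +4,53 @@
 {
 "NetworkAclAssociationId": "aclassoc-080e",
 "NetworkAclId": "acl-077e",
-"SubnetId": "subnet-0fbc"
+"SubnetId": "subnet-0fbc",
 },
 {
 "NetworkAclAssociationId": "aclassoc-0c41",
 "NetworkAclId": "acl-077e",
-"SubnetId": "subnet-0a1a"
+"SubnetId": "subnet-0a1a",
 },
 {
 "NetworkAclAssociationId": "aclassoc-0d84",
 "NetworkAclId": "acl-077e",
-"SubnetId": "subnet-06ba"
-}
+"SubnetId": "subnet-06ba",
+},
 ],
 "Entries": [
 {
 "CidrBlock": "0.0.0.0/0",
 "Egress": True,
 "Protocol": "-1",
 "RuleAction": "allow",
-"RuleNumber": 100
+"RuleNumber": 100,
 },
 {
 "CidrBlock": "0.0.0.0/0",
 "Egress": True,
 "Protocol": "-1",
 "RuleAction": "deny",
-"RuleNumber": 32767
+"RuleNumber": 32767,
 },
 {
 "CidrBlock": "0.0.0.0/0",
 "Egress": False,
 "Protocol": "-1",
 "RuleAction": "allow",
-"RuleNumber": 100
+"RuleNumber": 100,
 },
 {
 "CidrBlock": "0.0.0.0/0",
 "Egress": False,
 "Protocol": "-1",
 "RuleAction": "deny",
-"RuleNumber": 32767
-}
+"RuleNumber": 32767,
+},
 ],
 "IsDefault": True,
 "NetworkAclId": "acl-077e",
 "Tags": [],
 "VpcId": "vpc-0767",
-"OwnerId": "000000000000"
+"OwnerId": "000000000000",
 },
 ]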
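--- a/tests/data/aws/ec2/network_acls/subnets.py
+++ b/tests/data/aws/ec2/network_acls/subnets.py
@@ -13,7 +13,7 @@
 "PrivateDnsNameOptionsOnLaunch": {
 "HostnameType": "ip-name",
 "EnableResourceNameDnsARecord": False,
-"EnableResourceNameDnsAAAARecord": False
+"EnableResourceNameDnsAAAARecord": False,
 },
 "SubnetId": "subnet-0a1a",
 "State": "available",
@@ -22,7 +22,7 @@
 "AvailableIpAddressCount": 250,
 "AvailabilityZone": "us-east-1b",
 "DefaultForAz": False,
-"MapPublicIpOnLaunch": False
+"MapPublicIpOnLaunch": False,
 },
 {
 "AvailabilityZoneId": "use1-az4",
@@ -36,7 +36,7 @@
 "PrivateDnsNameOptionsOnLaunch": {
 "HostnameType": "ip-name",
 "EnableResourceNameDnsARecord": False,
-"EnableResourceNameDnsAAAARecord": False
+"EnableResourceNameDnsAAAARecord": False,
 },
 "SubnetId": "subnet-06ba",
 "State": "available",
@@ -45,6 +45,6 @@
 "AvailableIpAddressCount": 251,
 "AvailabilityZone": "us-east-1a",
 "DefaultForAz": False,
-"MapPublicIpOnLaunch": False
+"MapPublicIpOnLaunch": False,
 },
 ]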
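--- a/tests/data/aws/ec2/network_acls/vpcs.py
+++ b/tests/data/aws/ec2/network_acls/vpcs.py
@@ -7,14 +7,14 @@
 "AssociationId": "vpc-cidr-assoc-0348",
 "CidrBlock": "10.190.0.0/20",
 "CidrBlockState": {
-"State": "associated"
-}
-}
+"State": "associated",
+},
+},
 ],
 "IsDefault": False,
 "VpcId": "vpc-0767",
 "State": "available",
 "CidrBlock": "10.190.0.0/20",
-"DhcpOptionsId": "dopt-aefb"
+"DhcpOptionsId": "dopt-aefb",
 },
 ]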