cartography 0.118.0__py3-none-any.whl → 0.119.0__py3-none-any.whl

cartography/rules/data/frameworks/mitre_attack/requirements/t1098_account_manipulation/__init__.py

@@ -12,32 +12,43 @@ _aws_account_manipulation_permissions = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
         AND stmt.effect = 'Allow'
-        WITH a, principal, stmt,
-            // Return labels that are not the general "AWSPrincipal" label
+        WITH a, principal, stmt, policy,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            // Define the list of IAM actions to match on
-            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] |
-                p] AS patterns
-        WITH a, principal, principal_type, stmt,
-            // Filter on the desired IAM actions
+            [p IN ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] | p] AS patterns
+
+        // Match only Allow statements whose actions fit the patterns
+        WITH a, principal, principal_type, stmt, policy,
             [action IN stmt.action
                 WHERE ANY(prefix IN patterns WHERE action STARTS WITH prefix)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS matched_actions
-        // Return only statement actions that we matched on
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Find explicit Deny statements for the same principal that overlap
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WHERE ANY(deny_action IN deny_stmt.action
+                    WHERE deny_action IN matched_allow_actions
+                    OR deny_action = 'iam:*'
+                    OR deny_action = '*')
+
+        // If a deny exists, exclude those principals
+        WITH a, principal, principal_type, policy, stmt, matched_allow_actions, deny_stmt
+        WHERE deny_stmt IS NULL
+
+        UNWIND matched_allow_actions AS action
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
             principal.arn AS principal_arn,
             principal_type,
-            collect(action) as action,
+            policy.name AS policy_name,
+            collect(DISTINCT action) AS action,
             stmt.resource AS resource
         ORDER BY account, principal_name
     """,
@@ -71,27 +82,42 @@ _aws_trust_relationship_manipulation = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        OPTIONAL MATCH (groupmember:AWSUser)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement {effect:"Allow"})
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
-        AND stmt.effect = 'Allow'
-        WITH a, principal, stmt,
+        WITH a, principal, policy, stmt,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            ['iam:UpdateAssumeRolePolicy','iam:CreateRole'] AS patterns
-        WITH a, principal, principal_type, stmt,
+            ['iam:UpdateAssumeRolePolicy', 'iam:CreateRole'] AS patterns
+
+        // Filter for matching Allow actions
+        WITH a, principal, principal_type, stmt, policy,
             [action IN stmt.action
                 WHERE ANY(p IN patterns WHERE action = p)
-                OR action = 'iam:*' OR action = '*'
-            ] AS matched_actions
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+                OR action = 'iam:*'
+                OR action = '*'
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Look for any explicit Deny statement on same principal that matches those actions
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WHERE ANY(action IN deny_stmt.action
+                WHERE action IN matched_allow_actions
+                    OR action = 'iam:*'
+                    OR action = '*')
+
+        // Exclude principals with an explicit Deny that overlaps
+        WITH a, principal, principal_type, policy, stmt, matched_allow_actions, deny_stmt
+        WHERE deny_stmt IS NULL
+
+        UNWIND matched_allow_actions AS action
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
             principal.arn AS principal_arn,
+            policy.name AS policy_name,
             principal_type,
-            collect(distinct action) as action,
+            collect(DISTINCT action) AS action,
             stmt.resource AS resource
         ORDER BY account, principal_name
     """,
@@ -118,33 +144,58 @@ _aws_service_account_manipulation_via_ec2 = Fact(
         MATCH (a:AWSAccount)-[:RESOURCE]->(ec2:EC2Instance)
         MATCH (ec2)-[:INSTANCE_PROFILE]->(profile:AWSInstanceProfile)
         MATCH (profile)-[:ASSOCIATED_WITH]->(role:AWSRole)
-        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        WHERE stmt.effect = 'Allow'
-        WITH a, ec2, role,
-            // Define the list of IAM actions to match on
-            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
-            // Filter on the desired IAM actions
-            [action IN stmt.action
-                WHERE ANY(p IN ['iam:Create','iam:Attach','iam:Put','iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
+        WITH a, ec2, role, allow_stmt,
+            ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] AS patterns
+
+        // Step 1: Collect allowed actions that match IAM modification patterns
+        WITH a, ec2, role, patterns,
+            [action IN allow_stmt.action
+                WHERE ANY(p IN patterns WHERE action STARTS WITH p)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS actions
-        // For the instances that are internet open, include the SG and rules
-        OPTIONAL MATCH (ec2{exposed_internet:True})-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)<-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
-        // Return only statement actions that we matched on
-        WHERE size(actions) > 0
-        UNWIND actions AS flat_action
-        WITH a, ec2, role, sg, ip,
-            collect(DISTINCT flat_action) AS actions
-        RETURN DISTINCT a.name AS account,
-            a.id as account_id,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Step 2: Collect deny statements for the same role
+        OPTIONAL MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, ec2, role, patterns, matched_allow_actions,
+            // Flatten the deny action lists manually
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3: Compute effective = allows minus denies
+        WITH a, ec2, role, matched_allow_actions, all_deny_actions,
+            [action IN matched_allow_actions
+                WHERE NOT (
+                    // Full wildcard Deny *
+                    '*' IN all_deny_actions OR
+                    // IAM category wildcard Deny iam:*
+                    'iam:*' IN all_deny_actions OR
+                    // Exact match deny
+                    action IN all_deny_actions OR
+                    // Prefix wildcards like Deny iam:Update*
+                    ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND action STARTS WITH split(d,'*')[0])
+                )
+            ] AS effective_actions
+        WHERE size(effective_actions) > 0
+
+        // Step 4: Optional internet exposure context
+        OPTIONAL MATCH (ec2 {exposed_internet: True})
+            -[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
+            <-[:MEMBER_OF_EC2_SECURITY_GROUP]-(ip:IpPermissionInbound)
+
+        UNWIND effective_actions AS action
+        WITH a, ec2, role, sg, ip, COLLECT(DISTINCT action) AS actions
+        RETURN DISTINCT
+            a.name AS account,
+            a.id AS account_id,
             ec2.instanceid AS instance_id,
             ec2.exposed_internet AS internet_accessible,
-            ec2.publicipaddress as public_ip_address,
+            ec2.publicipaddress AS public_ip_address,
             role.name AS role_name,
-            collect(actions) as action,
-            ip.fromport as from_port,
-            ip.toport as to_port
+            actions,
+            ip.fromport AS from_port,
+            ip.toport AS to_port
         ORDER BY account, instance_id, internet_accessible, from_port
     """,
     cypher_visual_query="""
@@ -177,27 +228,49 @@ _aws_service_account_manipulation_via_lambda = Fact(
         "AWS Lambda functions with IAM roles that can manipulate other AWS accounts."
     ),
     cypher_query="""
-        // Find Lambda functions with account manipulation capabilities
+        // Find Lambda functions with IAM modification or account manipulation capabilities
         MATCH (a:AWSAccount)-[:RESOURCE]->(lambda:AWSLambda)
         MATCH (lambda)-[:STS_ASSUMEROLE_ALLOW]->(role:AWSRole)
-        MATCH (role)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
-        WHERE stmt.effect = 'Allow'
-        WITH a, lambda, role, stmt,
-            // Define the list of IAM actions to match on
-            ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update'] AS patterns,
-            // Filter on the desired IAM actions
-            [action IN stmt.action
-                WHERE ANY(p IN ['iam:Create', 'iam:Attach', 'iam:Put', 'iam:Update', 'iam:Add'] WHERE action STARTS WITH p)
+        MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
+        WITH a, lambda, role, allow_stmt,
+            ['iam:Create','iam:Attach','iam:Put','iam:Update','iam:Add'] AS patterns
+
+        // Step 1: Gather allowed actions that match IAM modification patterns
+        WITH a, lambda, role, patterns,
+            [action IN allow_stmt.action
+                WHERE ANY(p IN patterns WHERE action STARTS WITH p)
                 OR action = 'iam:*'
                 OR action = '*'
-            ] AS actions
-        // Return only statement actions that we matched on
-        WHERE size(actions) > 0
-        UNWIND actions AS flat_action
-        WITH a, lambda, role, stmt,
-            collect(DISTINCT flat_action) AS actions
-        RETURN DISTINCT a.name AS account,
-            a.id as account_id,
+            ] AS matched_allow_actions
+        WHERE size(matched_allow_actions) > 0
+
+        // Step 2: Gather all deny actions from the same role
+        OPTIONAL MATCH (role)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, lambda, role, patterns, matched_allow_actions,
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3: Subtract Deny actions from Allow actions
+        WITH a, lambda, role, matched_allow_actions, all_deny_actions,
+            [action IN matched_allow_actions
+                WHERE NOT (
+                    // Global wildcard deny
+                    '*' IN all_deny_actions OR
+                    // IAM wildcard deny
+                    'iam:*' IN all_deny_actions OR
+                    // Exact match deny
+                    action IN all_deny_actions OR
+                    // Prefix wildcards like Deny iam:Update*
+                    ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND action STARTS WITH split(d,'*')[0])
+                )
+            ] AS effective_actions
+        WHERE size(effective_actions) > 0
+
+        // Step 4: Return only Lambdas with effective IAM modification capabilities
+        UNWIND effective_actions AS action
+        WITH a, lambda, role, COLLECT(DISTINCT action) AS actions
+        RETURN DISTINCT
+            a.name AS account,
+            a.id AS account_id,
             lambda.arn AS arn,
             lambda.description AS description,
             lambda.anonymous_access AS internet_accessible,
@@ -232,37 +305,51 @@ _aws_policy_manipulation_capabilities = Fact(
     ),
     cypher_query="""
         MATCH (a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)
-        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(stmt:AWSPolicyStatement)
+        MATCH (principal)-[:POLICY]->(policy:AWSPolicy)-[:STATEMENT]->(allow_stmt:AWSPolicyStatement {effect:"Allow"})
         WHERE NOT principal.name STARTS WITH 'AWSServiceRole'
         AND NOT principal.name CONTAINS 'QuickSetup'
         AND principal.name <> 'OrganizationAccountAccessRole'
-        AND stmt.effect = 'Allow'
-
-        WITH a, principal, stmt,
-            // Return labels that are not the general "AWSPrincipal" label
+        WITH a, principal, policy, allow_stmt,
             [label IN labels(principal) WHERE label <> 'AWSPrincipal'][0] AS principal_type,
-            // Define the list of IAM actions to match on
-            [p IN
-            ['iam:CreatePolicy', 'iam:CreatePolicyVersion', 'iam:AttachUserPolicy', 'iam:AttachRolePolicy', 'iam:AttachGroupPolicy',
-            'iam:AttachRolePolicy', 'iam:AttachGroupPolicy', 'iam:DetachUserPolicy', 'iam:DetachRolePolicy', 'iam:DetachGroupPolicy',
-            'iam:PutUserPolicy', 'iam:PutRolePolicy', 'iam:PutGroupPolicy'] |
-                p] AS patterns
+            [
+            'iam:CreatePolicy','iam:CreatePolicyVersion',
+            'iam:AttachUserPolicy','iam:AttachRolePolicy','iam:AttachGroupPolicy',
+            'iam:DetachUserPolicy','iam:DetachRolePolicy','iam:DetachGroupPolicy',
+            'iam:PutUserPolicy','iam:PutRolePolicy','iam:PutGroupPolicy'
+            ] AS patterns
 
-        // Return only statement actions that we matched on
-        WITH a, principal, principal_type, stmt,
-            [action IN stmt.action
-                WHERE ANY(p IN patterns WHERE action = p)
-                OR action = 'iam:*' OR action = '*'
-            ] AS matched_actions
-        WHERE size(matched_actions) > 0
-        UNWIND matched_actions AS action
-        RETURN DISTINCT a.name AS account,
+        // Step 1 – Collect (action, resource) pairs for allowed statements
+        UNWIND allow_stmt.action AS allow_action
+            WITH a, principal, principal_type, policy, allow_stmt, allow_action, patterns
+            WHERE ANY(p IN patterns WHERE allow_action = p)
+            OR allow_action = 'iam:*'
+            OR allow_action = '*'
+        WITH a, principal, principal_type, policy, allow_stmt, allow_action, allow_stmt.resource AS allow_resources
+
+        // Step 2 – Gather all Deny statements for the same principal
+        OPTIONAL MATCH (principal)-[:POLICY]->(:AWSPolicy)-[:STATEMENT]->(deny_stmt:AWSPolicyStatement {effect:"Deny"})
+        WITH a, principal, principal_type, policy, allow_action, allow_resources,
+            REDUCE(acc = [], ds IN collect(deny_stmt.action) | acc + ds) AS all_deny_actions
+
+        // Step 3 – Filter out denied actions (handles *, iam:*, exact, and prefix wildcards)
+        WHERE NOT (
+            '*' IN all_deny_actions OR
+            'iam:*' IN all_deny_actions OR
+            allow_action IN all_deny_actions OR
+            ANY(d IN all_deny_actions WHERE d ENDS WITH('*') AND allow_action STARTS WITH split(d,'*')[0])
+        )
+
+        // Step 4 – Preserve (action, resource) mapping
+        UNWIND allow_resources AS resource
+        RETURN DISTINCT
+            a.name AS account,
             principal.name AS principal_name,
-            principal.arn AS principal_arn,
+            principal.arn  AS principal_arn,
             principal_type,
-            collect(action) as action,
-            stmt.resource AS resource
-        ORDER BY account, principal_name
+            policy.name    AS policy_name,
+            allow_action   AS action,
+            resource
+        ORDER BY account, principal_name, action, resource
     """,
     cypher_visual_query="""
     MATCH p1=(a:AWSAccount)-[:RESOURCE]->(principal:AWSPrincipal)

cartography/sync.py

@@ -36,6 +36,7 @@ import cartography.intel.kubernetes
 import cartography.intel.lastpass
 import cartography.intel.oci
 import cartography.intel.okta
+import cartography.intel.ontology
 import cartography.intel.openai
 import cartography.intel.pagerduty
 import cartography.intel.scaleway
@@ -84,6 +85,7 @@ TOP_LEVEL_MODULES: OrderedDict[str, Callable[..., None]] = OrderedDict(
         "pagerduty": cartography.intel.pagerduty.start_pagerduty_ingestion,
         "trivy": cartography.intel.trivy.start_trivy_ingestion,
         "sentinelone": cartography.intel.sentinelone.start_sentinelone_ingestion,
+        "ontology": cartography.intel.ontology.run,
         # Analysis should be the last stage
         "analysis": cartography.intel.analysis.run,
     }
@@ -212,6 +214,7 @@ class Sync:
                         intel_module_info.name,
                     )
                 available_modules[intel_module_info.name] = v
+        available_modules["ontology"] = cartography.intel.ontology.run
         available_modules["analysis"] = cartography.intel.analysis.run
         return available_modules
 

cartography/util.py

@@ -35,6 +35,22 @@ from cartography.stats import ScopedStatsClient
 logger = logging.getLogger(__name__)
 
 
+def is_service_control_policy_explicit_deny(
+    error: botocore.exceptions.ClientError,
+) -> bool:
+    """Return True if the ClientError was caused by an explicit service control policy deny."""
+    error_code = error.response.get("Error", {}).get("Code")
+    if error_code not in {"AccessDenied", "AccessDeniedException"}:
+        return False
+
+    message = error.response.get("Error", {}).get("Message")
+    if not message:
+        return False
+
+    lowered = message.lower()
+    return "explicit deny" in lowered and "service control policy" in lowered
+
+
 STATUS_SUCCESS = 0
 STATUS_FAILURE = 1
 STATUS_KEYBOARD_INTERRUPT = 130
@@ -259,6 +275,20 @@ def backoff_handler(details: Dict) -> None:
     )
 
 
+# Error codes that indicate a service is unavailable in a region or blocked by policies
+AWS_REGION_ACCESS_DENIED_ERROR_CODES = [
+    "AccessDenied",
+    "AccessDeniedException",
+    "AuthFailure",
+    "AuthorizationError",
+    "AuthorizationErrorException",
+    "InvalidClientTokenId",
+    "UnauthorizedOperation",
+    "UnrecognizedClientException",
+    "InternalServerErrorException",
+]
+
+
 # TODO Move this to cartography.intel.aws.util.common
 def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
     """
@@ -270,17 +300,6 @@ def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
 
     This should be used on `get_` functions that normally return a list of items.
     """
-    ERROR_CODES = [
-        "AccessDenied",
-        "AccessDeniedException",
-        "AuthFailure",
-        "AuthorizationError",
-        "AuthorizationErrorException",
-        "InvalidClientTokenId",
-        "UnauthorizedOperation",
-        "UnrecognizedClientException",
-        "InternalServerErrorException",
-    ]
 
     @wraps(func)
     # fix for AWS TooManyRequestsException
@@ -307,12 +326,20 @@ def aws_handle_regions(func: AWSGetFunc) -> AWSGetFunc:
                 ) from e
             # The account is not authorized to use this service in this region
             # so we can continue without raising an exception
-            if error_code in ERROR_CODES:
-                logger.warning(
-                    "{} in this region. Skipping...".format(
-                        e.response["Error"]["Message"],
-                    ),
-                )
+            if error_code in AWS_REGION_ACCESS_DENIED_ERROR_CODES:
+                error_message = e.response.get("Error", {}).get("Message")
+                if is_service_control_policy_explicit_deny(e):
+                    logger.warning(
+                        "Service control policy denied access while calling %s: %s",
+                        func.__name__,
+                        error_message,
+                    )
+                else:
+                    logger.warning(
+                        "{} in this region. Skipping...".format(
+                            error_message,
+                        ),
+                    )
                 return []
             else:
                 raise

{cartography-0.118.0.dist-info → cartography-0.119.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cartography
-Version: 0.118.0
+Version: 0.119.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Maintainer: Cartography Contributors
 License-Expression: Apache-2.0