cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/core/cost_estimator.py

@@ -0,0 +1,301 @@
+"""
+Cost Estimator - Static pricing for common AWS resources.
+
+Provides monthly cost estimates without requiring additional AWS permissions.
+Uses conservative static pricing for "hero" resources where waste is obvious.
+
+Sources:
+- estimate: Static rules based on public AWS pricing (default)
+- pricing-api: AWS Pricing API (future)
+- cost-explorer: Real billing data (future, opt-in)
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from decimal import Decimal
+from typing import Any
+
+from cyntrisec.core.schema import Asset
+
+# Average hours per month
+HOURS_PER_MONTH = Decimal("730")
+
+# Static pricing (US-East-1, approximate)
+# These are conservative estimates for ranking purposes
+STATIC_PRICING = {
+    # NAT Gateway: $0.045/hr + $0.045/GB processed
+    "ec2:nat-gateway": {
+        "hourly": Decimal("0.045"),
+        "monthly_base": Decimal("32.85"),  # 730 * 0.045
+        "confidence": "high",
+        "assumptions": [
+            "$0.045/hr NAT Gateway base rate (us-east-1)",
+            "730 hours/month",
+            "Data processing fees not included",
+        ],
+    },
+    # Elastic IP (unattached): $0.005/hr
+    "ec2:elastic-ip": {
+        "hourly": Decimal("0.005"),
+        "monthly_base": Decimal("3.65"),  # 730 * 0.005
+        "confidence": "high",
+        "assumptions": [
+            "$0.005/hr for unused Elastic IP",
+            "Only applies when not attached to running instance",
+        ],
+    },
+    # ALB: $0.0225/hr + LCU charges
+    "elbv2:load-balancer:application": {
+        "hourly": Decimal("0.0225"),
+        "monthly_base": Decimal("16.43"),  # 730 * 0.0225
+        "confidence": "medium",
+        "assumptions": [
+            "$0.0225/hr ALB base rate",
+            "LCU charges not included (traffic-dependent)",
+        ],
+    },
+    # NLB: $0.0225/hr + NLCU charges
+    "elbv2:load-balancer:network": {
+        "hourly": Decimal("0.0225"),
+        "monthly_base": Decimal("16.43"),
+        "confidence": "medium",
+        "assumptions": [
+            "$0.0225/hr NLB base rate",
+            "NLCU charges not included",
+        ],
+    },
+    # EBS gp2/gp3: ~$0.10/GB-month
+    "ec2:ebs-volume:gp2": {
+        "per_gb_month": Decimal("0.10"),
+        "confidence": "high",
+        "assumptions": ["$0.10/GB-month for gp2"],
+    },
+    "ec2:ebs-volume:gp3": {
+        "per_gb_month": Decimal("0.08"),
+        "confidence": "high",
+        "assumptions": ["$0.08/GB-month for gp3 base"],
+    },
+    # RDS instance classes (approximate)
+    "rds:db-instance:db.t3.micro": {
+        "monthly_base": Decimal("12.41"),
+        "confidence": "medium",
+        "assumptions": ["On-demand pricing, single-AZ"],
+    },
+    "rds:db-instance:db.t3.small": {
+        "monthly_base": Decimal("24.82"),
+        "confidence": "medium",
+        "assumptions": ["On-demand pricing, single-AZ"],
+    },
+    "rds:db-instance:db.t3.medium": {
+        "monthly_base": Decimal("49.64"),
+        "confidence": "medium",
+        "assumptions": ["On-demand pricing, single-AZ"],
+    },
+    "rds:db-instance:db.m5.large": {
+        "monthly_base": Decimal("124.10"),
+        "confidence": "medium",
+        "assumptions": ["On-demand pricing, single-AZ"],
+    },
+}
+
+# Optional regional overrides for static pricing
+REGIONAL_PRICING: dict[str, dict[str, dict[str, Any]]] = {}
+
+# Priority ranking for known high-cost resources
+COST_PRIORITY = [
+    "ec2:nat-gateway",
+    "rds:db-instance",
+    "elbv2:load-balancer",
+    "ec2:ebs-volume",
+    "ec2:elastic-ip",
+]
+
+
+@dataclass
+class CostEstimate:
+    """Cost estimate with provenance metadata."""
+
+    monthly_cost_usd_estimate: Decimal
+    cost_source: str  # "estimate", "pricing-api", "cost-explorer"
+    confidence: str  # "high", "medium", "low"
+    assumptions: list[str] = field(default_factory=list)
+
+    def to_dict(self) -> dict[str, Any]:
+        return {
+            "monthly_cost_usd_estimate": float(self.monthly_cost_usd_estimate),
+            "cost_source": self.cost_source,
+            "confidence": self.confidence,
+            "assumptions": self.assumptions,
+        }
+
+
+class CostEstimator:
+    """
+    Estimate monthly costs for AWS resources.
+
+    Default mode uses static pricing rules that require no extra permissions.
+    Future modes can use AWS Pricing API or Cost Explorer for more accuracy.
+    """
+
+    def __init__(self, source: str = "estimate", *, region: str = "us-east-1"):
+        """
+        Initialize estimator.
+
+        Args:
+            source: Cost data source - "estimate", "pricing-api", "cost-explorer"
+        """
+        self._source = source
+        self._region = region
+        if source not in ("estimate", "pricing-api", "cost-explorer"):
+            raise ValueError(f"Unknown cost source: {source}")
+
+    @property
+    def source(self) -> str:
+        """Return configured cost source."""
+        return self._source
+
+    def estimate(self, asset: Asset) -> CostEstimate | None:
+        """
+        Estimate monthly cost for an asset.
+
+        Returns None if no estimate is available for this asset type.
+        """
+        region = asset.aws_region or self._region
+        if self._source == "estimate":
+            return self._static_estimate(asset, region)
+        elif self._source == "pricing-api":
+            # Future: call AWS Pricing API
+            return self._static_estimate(asset, region)  # Fallback for now
+        elif self._source == "cost-explorer":
+            # Future: call Cost Explorer
+            return None  # Requires opt-in
+        return None
+
+    def _static_estimate(self, asset: Asset, region: str) -> CostEstimate | None:
+        """Generate estimate from static pricing rules."""
+        asset_type = asset.asset_type
+        props = asset.properties or {}
+        pricing_table = REGIONAL_PRICING.get(region, STATIC_PRICING)
+        region_fallback = region != "us-east-1" and region not in REGIONAL_PRICING
+
+        # NAT Gateway
+        if asset_type == "ec2:nat-gateway":
+            pricing = pricing_table["ec2:nat-gateway"]
+            return CostEstimate(
+                monthly_cost_usd_estimate=pricing["monthly_base"],
+                cost_source="estimate",
+                confidence=pricing["confidence"],
+                assumptions=self._assumptions_with_region(pricing["assumptions"], region_fallback),
+            )
+
+        # Elastic IP (only if unattached)
+        if asset_type == "ec2:elastic-ip":
+            # Check if attached to an instance
+            instance_id = props.get("instance_id") or props.get("InstanceId")
+            if not instance_id:
+                pricing = pricing_table["ec2:elastic-ip"]
+                return CostEstimate(
+                    monthly_cost_usd_estimate=pricing["monthly_base"],
+                    cost_source="estimate",
+                    confidence=pricing["confidence"],
+                    assumptions=self._assumptions_with_region(pricing["assumptions"], region_fallback),
+                )
+            return None  # Attached EIPs are free
+
+        # Load Balancers
+        if asset_type == "elbv2:load-balancer":
+            lb_type = props.get("type", "application").lower()
+            key = f"elbv2:load-balancer:{lb_type}"
+            if key in pricing_table:
+                pricing = pricing_table[key]
+                return CostEstimate(
+                    monthly_cost_usd_estimate=pricing["monthly_base"],
+                    cost_source="estimate",
+                    confidence=pricing["confidence"],
+                    assumptions=self._assumptions_with_region(pricing["assumptions"], region_fallback),
+                )
+
+        # EBS Volumes
+        if asset_type == "ec2:ebs-volume":
+            volume_type = props.get("volume_type", props.get("VolumeType", "gp2")).lower()
+            size_gb = props.get("size", props.get("Size", 0))
+            key = f"ec2:ebs-volume:{volume_type}"
+
+            if key in pricing_table and size_gb:
+                pricing = pricing_table[key]
+                monthly = pricing["per_gb_month"] * Decimal(str(size_gb))
+                return CostEstimate(
+                    monthly_cost_usd_estimate=monthly,
+                    cost_source="estimate",
+                    confidence=pricing["confidence"],
+                    assumptions=self._assumptions_with_region(
+                        pricing["assumptions"] + [f"{size_gb} GB volume"], region_fallback
+                    ),
+                )
+
+        # RDS Instances
+        if asset_type == "rds:db-instance":
+            db_class = props.get("db_instance_class", props.get("DBInstanceClass", ""))
+            key = f"rds:db-instance:{db_class}"
+
+            if key in pricing_table:
+                pricing = pricing_table[key]
+                return CostEstimate(
+                    monthly_cost_usd_estimate=pricing["monthly_base"],
+                    cost_source="estimate",
+                    confidence=pricing["confidence"],
+                    assumptions=self._assumptions_with_region(pricing["assumptions"], region_fallback),
+                )
+            # Unknown class - return None with low confidence indicator
+            fallback_estimate = self._unknown_rds_estimate(pricing_table)
+            return CostEstimate(
+                monthly_cost_usd_estimate=fallback_estimate,
+                cost_source="estimate",
+                confidence="unknown",
+                assumptions=self._assumptions_with_region(
+                    ["Unknown RDS class - estimate uses median of known classes"],
+                    region_fallback,
+                ),
+            )
+
+        return None
+
+    @staticmethod
+    def _unknown_rds_estimate(pricing_table: dict[str, dict[str, Any]]) -> Decimal:
+        """Return a fallback estimate for unknown RDS classes."""
+        values = [
+            p["monthly_base"]
+            for key, p in pricing_table.items()
+            if key.startswith("rds:db-instance:") and "monthly_base" in p
+        ]
+        if not values:
+            return Decimal("1")
+        values_sorted = sorted(values)
+        return values_sorted[len(values_sorted) // 2]
+
+    @staticmethod
+    def _assumptions_with_region(assumptions: list[str], region_fallback: bool) -> list[str]:
+        """Add region fallback note when needed."""
+        if region_fallback:
+            return assumptions + ["Pricing fallback: us-east-1 (region not supported)"]
+        return assumptions
+
+    def get_priority(self, asset: Asset) -> int:
+        """
+        Get cost priority ranking for an asset.
+
+        Lower number = higher priority (more likely to be expensive waste).
+        Returns 999 for unknown types.
+        """
+        asset_type = asset.asset_type
+
+        for i, prefix in enumerate(COST_PRIORITY):
+            if asset_type.startswith(prefix):
+                return i
+
+        return 999  # Unknown type
+
+    def sort_by_cost_priority(self, assets: list[Asset]) -> list[Asset]:
+        """Sort assets by cost priority (highest cost first)."""
+        return sorted(assets, key=lambda a: self.get_priority(a))

cyntrisec/core/cuts.py

@@ -0,0 +1,360 @@
+"""
+Minimal Cut Finder - Find optimal remediations that block attack paths.
+
+Uses a greedy set-cover approximation approach to find the minimum set of
+edges (relationships) whose removal disconnects all entry points from
+all sensitive targets.
+
+The algorithm works by:
+1. Building a flow network from entry points to targets
+2. Finding edges that appear on multiple attack paths
+3. Selecting edges that block the most paths with fewest changes
+4. Ranking remediations based on ROI (Risk Reduction vs Cost Savings)
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from collections import defaultdict
+from dataclasses import dataclass, field
+from decimal import Decimal
+
+from cyntrisec.core.cost_estimator import CostEstimator
+from cyntrisec.core.graph import AwsGraph
+from cyntrisec.core.schema import AttackPath, CostCutCandidate, Relationship
+
+log = logging.getLogger(__name__)
+
+
+@dataclass
+class Remediation:
+    """
+    A proposed remediation action that blocks attack paths.
+
+    Attributes:
+        relationship: The edge to remove/modify
+        action: Type of remediation (remove, restrict, isolate)
+        description: Human-readable description
+        paths_blocked: List of attack path IDs this blocks
+        priority: Base priority (paths blocked)
+        cost_savings: Estimated monthly USD savings if implemented
+        roi_score: Combined score (Priority + Cost Factor)
+    """
+
+    relationship: Relationship
+    action: str
+    description: str
+    paths_blocked: list[uuid.UUID] = field(default_factory=list)
+    priority: float = 0.0
+    cost_savings: Decimal = Decimal("0")
+    roi_score: float = 0.0
+
+    # Metadata for display
+    source_name: str = ""
+    target_name: str = ""
+    relationship_type: str = ""
+
+
+@dataclass
+class CutResult:
+    """
+    Result of the minimal cut analysis.
+
+    Attributes:
+        remediations: Ordered list of recommended fixes (highest ROI first)
+        total_paths: Total attack paths in the graph
+        paths_blocked: Number of paths blocked by all remediations
+        coverage: Percentage of paths blocked (0-1)
+    """
+
+    remediations: list[Remediation]
+    total_paths: int
+    paths_blocked: int
+    coverage: float
+
+
+class MinCutFinder:
+    """
+    Finds minimal set of edge removals to block all attack paths.
+
+    Uses a greedy set-cover approximation:
+    1. Count how many attack paths each edge appears on
+    2. Select edge that appears on most paths
+    3. Remove those paths from consideration
+    4. Repeat until all paths covered or budget exhausted
+    
+    ROI Ranking:
+    After identifying minimal cuts, we sort them by a combined score:
+    ROI = (Paths_Blocked * 1.0) + (Monthly_Savings * 0.1)
+    This rewards high-security impact AND cost savings.
+    """
+
+    def __init__(self, cost_estimator: CostEstimator | None = None):
+        self.cost_estimator = cost_estimator or CostEstimator()
+
+    def find_cuts(
+        self,
+        graph: AwsGraph,
+        paths: list[AttackPath],
+        *,
+        max_cuts: int = 10,
+        relationship_types: set[str] | None = None,
+    ) -> CutResult:
+        """
+        Find minimal set of edges to remove that blocks all attack paths.
+
+        Args:
+            graph: The capability graph
+            paths: Attack paths discovered by PathFinder
+            max_cuts: Maximum number of remediations to return
+            relationship_types: If provided, only consider these edge types
+
+        Returns:
+            CutResult with ordered list of remediations
+        """
+        if not paths:
+            return CutResult(
+                remediations=[],
+                total_paths=0,
+                paths_blocked=0,
+                coverage=1.0,
+            )
+
+        # Build indexes
+        edge_to_paths, relationship_lookup = self._build_indexes(graph, paths)
+
+        # Greedy set cover
+        remediations: list[Remediation] = []
+        remaining_paths: set[uuid.UUID] = {p.id for p in paths}
+        used_edges: set[uuid.UUID] = set()
+
+        # We collect more candidates than max_cuts initally to allow re-ranking,
+        # but the greedy algorithm is iterative (dependant choices).
+        # Optimization: We stick to greedy set cover for *correctness* (blocking paths),
+        # then rank the chosen set by ROI to show best ones first?
+        # NO: Set cover order matters.
+        # Alternative: At each greedy step, pick Best(ROI) instead of Best(Coverage).
+        # This might result in MORE cuts needed, but they are cheaper.
+        # For Phase 2 MVP: We perform standard set cover, THEN rank the resulting independent cuts.
+        # (Assuming the cuts found are roughly independent, which isn't always true but works
+        # for list output).
+
+        while remaining_paths and len(remediations) < max_cuts:
+            # Modified Greedy: Score edges by (Coverage + Cost_Weight)
+            best_edge_id, best_coverage = self._find_best_edge_roi(
+                graph,
+                edge_to_paths,
+                relationship_lookup,
+                used_edges,
+                remaining_paths,
+                relationship_types
+            )
+
+            if not best_edge_id or not best_coverage:
+                break
+
+            # Add remediation
+            used_edges.add(best_edge_id)
+            remaining_paths -= best_coverage
+
+            rel = relationship_lookup[best_edge_id]
+            remediation = self._create_remediation(
+                graph, rel, best_coverage
+            )
+            remediations.append(remediation)
+
+        total_paths = len(paths)
+        blocked = total_paths - len(remaining_paths)
+
+        # Sort final list by ROI just to be sure presentation is optimal
+        remediations.sort(key=lambda x: x.roi_score, reverse=True)
+
+        return CutResult(
+            remediations=remediations,
+            total_paths=total_paths,
+            paths_blocked=blocked,
+            coverage=blocked / total_paths if total_paths > 0 else 1.0,
+        )
+
+    def _build_indexes(
+        self, graph: AwsGraph, paths: list[AttackPath]
+    ) -> tuple[dict[uuid.UUID, set[uuid.UUID]], dict[uuid.UUID, Relationship]]:
+        """Build lookup indexes for edges and relationships."""
+        edge_to_paths: dict[uuid.UUID, set[uuid.UUID]] = defaultdict(set)
+        relationship_lookup: dict[uuid.UUID, Relationship] = {}
+
+        for path in paths:
+            for rel_id in path.path_relationship_ids:
+                edge_to_paths[rel_id].add(path.id)
+
+        for rel in graph.all_relationships():
+            relationship_lookup[rel.id] = rel
+
+        return edge_to_paths, relationship_lookup
+
+    def _find_best_edge_roi(
+        self,
+        graph: AwsGraph,
+        edge_to_paths: dict[uuid.UUID, set[uuid.UUID]],
+        relationship_lookup: dict[uuid.UUID, Relationship],
+        used_edges: set[uuid.UUID],
+        remaining_paths: set[uuid.UUID],
+        relationship_types: set[str] | None,
+    ) -> tuple[uuid.UUID | None, set[uuid.UUID]]:
+        """Find the edge with best ROI (Coverage + Cost)."""
+
+        best_edge_id: uuid.UUID | None = None
+        best_coverage: set[uuid.UUID] = set()
+        best_score: float = -1.0 # ROI score
+
+        for edge_id, covered_paths in edge_to_paths.items():
+            if edge_id in used_edges or edge_id not in relationship_lookup:
+                continue
+
+            rel = relationship_lookup[edge_id]
+
+            if relationship_types and rel.relationship_type not in relationship_types:
+                continue
+
+            coverage = covered_paths & remaining_paths
+            if not coverage:
+                continue
+
+            # Calculate Score
+            security_score = len(coverage)
+
+            # Cost Savings
+            # We assume cutting an edge might allow removing the Target Asset?
+            # Or is the edge associated with a cost (e.g. NAT Gateway)?
+            # Simplification: If we isolate a target, we count its cost as potential savings.
+            target = graph.asset(rel.target_asset_id)
+            savings = Decimal("0")
+            if target:
+                est = self.cost_estimator.estimate(target)
+                if est:
+                    savings = est.monthly_cost_usd_estimate
+
+            # ROI Formula: Paths + (Savings * 0.1)
+            # e.g. 5 paths + $50 * 0.1 = 10 score
+            # e.g. 1 path + $100 * 0.1 = 11 score (Cost wins)
+            roi = float(security_score) + (float(savings) * 0.05)
+
+            if roi > best_score:
+                best_edge_id = edge_id
+                best_coverage = coverage
+                best_score = roi
+
+        return best_edge_id, best_coverage
+
+    def _create_remediation(
+        self, graph: AwsGraph, rel: Relationship, paths_blocked: set[uuid.UUID]
+    ) -> Remediation:
+        """Create a Remediation object from a relationship."""
+        source = graph.asset(rel.source_asset_id)
+        target = graph.asset(rel.target_asset_id)
+
+        savings = Decimal("0")
+        if target:
+            est = self.cost_estimator.estimate(target)
+            if est:
+                savings = est.monthly_cost_usd_estimate
+
+        roi = float(len(paths_blocked)) + (float(savings) * 0.05)
+
+        return Remediation(
+            relationship=rel,
+            action=self._determine_action(rel),
+            description=self._build_description(rel, source, target),
+            paths_blocked=list(paths_blocked),
+            priority=len(paths_blocked),
+            cost_savings=savings,
+            roi_score=roi,
+            source_name=source.name if source else "unknown",
+            target_name=target.name if target else "unknown",
+            relationship_type=rel.relationship_type,
+        )
+
+    def _determine_action(self, rel: Relationship) -> str:
+        """Determine the remediation action based on relationship type."""
+        action_map = {
+            "ALLOWS_TRAFFIC_TO": "restrict",
+            "MAY_ACCESS": "restrict_policy",
+            "CAN_ASSUME": "remove_trust",
+            "CONTAINS": "isolate",
+            "USES": "remove",
+        }
+        return action_map.get(rel.relationship_type, "review")
+
+    def _build_description(
+        self,
+        rel: Relationship,
+        source: object | None,
+        target: object | None,
+    ) -> str:
+        """Build human-readable remediation description."""
+        source_name = getattr(source, "name", "unknown") if source else "unknown"
+        target_name = getattr(target, "name", "unknown") if target else "unknown"
+        getattr(source, "asset_type", "unknown") if source else "unknown"
+
+        if rel.relationship_type == "ALLOWS_TRAFFIC_TO":
+            # Check if it's 0.0.0.0/0
+            if rel.properties.get("open_to_world"):
+                return f"Remove 0.0.0.0/0 ingress from {source_name}"
+            return f"Restrict traffic from {source_name} to {target_name}"
+
+        elif rel.relationship_type == "MAY_ACCESS":
+            return f"Restrict {source_name} access to {target_name}"
+
+        elif rel.relationship_type == "CAN_ASSUME":
+            via = rel.properties.get("via", "")
+            if via == "instance_profile":
+                return f"Remove instance profile from {source_name} or restrict role {target_name}"
+            return f"Remove trust relationship: {source_name} → {target_name}"
+
+        elif rel.relationship_type == "CONTAINS":
+            return f"Isolate {target_name} from {source_name}"
+
+        else:
+            return f"Review {rel.relationship_type}: {source_name} → {target_name}"
+
+    def to_cost_cut_candidates(
+        self,
+        cut_result: CutResult,
+        snapshot_id: uuid.UUID,
+        graph: AwsGraph,
+    ) -> list[CostCutCandidate]:
+        """
+        Convert CutResult to CostCutCandidate models for storage.
+        """
+        candidates: list[CostCutCandidate] = []
+
+        for rem in cut_result.remediations:
+            # Calculate risk reduction based on paths blocked
+            risk_reduction = (
+                Decimal(str(len(rem.paths_blocked) / cut_result.total_paths))
+                if cut_result.total_paths > 0
+                else Decimal("0")
+            )
+
+            candidate = CostCutCandidate(
+                snapshot_id=snapshot_id,
+                asset_id=rem.relationship.target_asset_id,
+                reason=rem.description,
+                action=rem.action,
+                confidence=Decimal("0.8"),  # Greedy algorithm confidence
+                paths_blocked=len(rem.paths_blocked),
+                risk_reduction=risk_reduction,
+                monthly_savings_usd=rem.cost_savings,
+                proof={
+                    "relationship_id": str(rem.relationship.id),
+                    "relationship_type": rem.relationship_type,
+                    "source": rem.source_name,
+                    "target": rem.target_name,
+                    "paths_blocked": [str(p) for p in rem.paths_blocked],
+                    "roi_score": rem.roi_score
+                },
+            )
+            candidates.append(candidate)
+
+        return candidates