cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/aws/credentials.py

@@ -0,0 +1,153 @@
+"""
+AWS Credential Provider - Handle role assumption and profiles.
+
+Supports:
+- AssumeRole with optional external ID
+- AWS CLI profiles
+- Default credential chain (env vars, instance metadata)
+"""
+
+from __future__ import annotations
+
+import logging
+from dataclasses import dataclass
+from datetime import datetime
+
+import boto3
+from botocore.exceptions import ClientError
+
+log = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class RoleCredentials:
+    """Temporary credentials from AssumeRole."""
+
+    access_key_id: str
+    secret_access_key: str
+    session_token: str
+    expiration: datetime
+    assumed_role_arn: str
+
+
+class CredentialProvider:
+    """
+    AWS credential provider for CLI mode.
+
+    Example:
+        provider = CredentialProvider(profile="my-profile")
+        session = provider.assume_role(
+            role_arn="arn:aws:iam::123456789012:role/ReadOnly",
+            external_id="my-external-id"
+        )
+    """
+
+    def __init__(
+        self,
+        *,
+        profile: str | None = None,
+        region: str = "us-east-1",
+    ):
+        self._profile = profile
+        self._region = region
+        self._base_session: boto3.Session | None = None
+
+    def _get_base_session(self) -> boto3.Session:
+        """Get or create the base boto3 session."""
+        if self._base_session is None:
+            self._base_session = boto3.Session(
+                profile_name=self._profile,
+                region_name=self._region,
+            )
+        return self._base_session
+
+    def default_session(self) -> boto3.Session:
+        """
+        Return the base boto3 session (default credentials).
+
+        Uses the profile and region configured at initialization.
+        """
+        return self._get_base_session()
+
+    def assume_role(
+        self,
+        role_arn: str,
+        *,
+        external_id: str | None = None,
+        session_name: str = "cyntrisec-cli",
+        duration_seconds: int = 3600,
+    ) -> boto3.Session:
+        """
+        Assume an IAM role and return a configured boto3 session.
+
+        Args:
+            role_arn: ARN of the role to assume
+            external_id: External ID for the role (optional)
+            session_name: Name for the assumed role session
+            duration_seconds: How long the credentials are valid
+
+        Returns:
+            boto3.Session configured with temporary credentials
+        """
+        base = self._get_base_session()
+        sts = base.client("sts")
+
+        assume_kwargs = {
+            "RoleArn": role_arn,
+            "RoleSessionName": session_name,
+            "DurationSeconds": duration_seconds,
+        }
+        if external_id:
+            assume_kwargs["ExternalId"] = external_id
+
+        log.info("Assuming role: %s", role_arn)
+
+        try:
+            response = sts.assume_role(**assume_kwargs)
+        except ClientError as e:
+            error_code = e.response.get("Error", {}).get("Code", "Unknown")
+            if error_code == "AccessDenied":
+                raise PermissionError(
+                    f"Access denied when assuming role {role_arn}. "
+                    "Check that your credentials can assume this role."
+                ) from e
+            raise
+
+        creds = response["Credentials"]
+
+        return boto3.Session(
+            aws_access_key_id=creds["AccessKeyId"],
+            aws_secret_access_key=creds["SecretAccessKey"],
+            aws_session_token=creds["SessionToken"],
+            region_name=self._region,
+        )
+
+    def get_caller_identity(self) -> dict:
+        """Get the identity of the current credentials."""
+        session = self._get_base_session()
+        sts = session.client("sts")
+        return sts.get_caller_identity()
+
+    def validate_role(
+        self,
+        role_arn: str,
+        *,
+        external_id: str | None = None,
+    ) -> bool:
+        """
+        Validate that a role can be assumed.
+
+        Returns True if role assumption succeeds.
+        """
+        try:
+            session = self.assume_role(
+                role_arn,
+                external_id=external_id,
+                duration_seconds=900,  # Minimum
+            )
+            # Verify we can make a call
+            session.client("sts").get_caller_identity()
+            return True
+        except Exception as e:
+            log.warning("Role validation failed for %s: %s", role_arn, e)
+            return False

cyntrisec/aws/normalizers/__init__.py

@@ -0,0 +1,17 @@
+"""AWS resource normalizers - transform raw data to canonical schema."""
+
+from cyntrisec.aws.normalizers.ec2 import Ec2Normalizer
+from cyntrisec.aws.normalizers.iam import IamNormalizer
+from cyntrisec.aws.normalizers.lambda_ import LambdaNormalizer
+from cyntrisec.aws.normalizers.network import NetworkNormalizer
+from cyntrisec.aws.normalizers.rds import RdsNormalizer
+from cyntrisec.aws.normalizers.s3 import S3Normalizer
+
+__all__ = [
+    "Ec2Normalizer",
+    "IamNormalizer",
+    "S3Normalizer",
+    "LambdaNormalizer",
+    "RdsNormalizer",
+    "NetworkNormalizer",
+]

cyntrisec/aws/normalizers/ec2.py

@@ -0,0 +1,115 @@
+"""EC2 Normalizer - Transform EC2 data to canonical schema."""
+
+from __future__ import annotations
+
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class Ec2Normalizer:
+    """Normalize EC2 data to canonical assets, relationships, and findings."""
+
+    def __init__(
+        self,
+        snapshot_id: uuid.UUID,
+        region: str,
+        account_id: str,
+    ):
+        self._snapshot_id = snapshot_id
+        self._region = region
+        self._account_id = account_id
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize EC2 data."""
+        assets: list[Asset] = []
+        relationships: list[Relationship] = []
+        findings: list[Finding] = []
+
+        for instance in data.get("instances", []):
+            asset, rels, findings_list = self._normalize_instance(instance)
+            assets.append(asset)
+            relationships.extend(rels)
+            findings.extend(findings_list)
+
+        return assets, relationships, findings
+
+    def _normalize_instance(
+        self,
+        instance: dict[str, Any],
+    ) -> tuple[Asset, list[Relationship], list[Finding]]:
+        """Normalize a single EC2 instance."""
+        instance_id = instance["InstanceId"]
+        instance_type = instance.get("InstanceType", "unknown")
+        state = instance.get("State", {}).get("Name", "unknown")
+
+        # Get name from tags
+        name = instance_id
+        tags = {}
+        for tag in instance.get("Tags", []):
+            tags[tag["Key"]] = tag["Value"]
+            if tag["Key"] == "Name":
+                name = tag["Value"]
+
+        # Determine if internet-facing
+        public_ip = instance.get("PublicIpAddress")
+        is_internet_facing = bool(public_ip)
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="ec2:instance",
+            aws_region=self._region,
+            aws_resource_id=instance_id,
+            arn=f"arn:aws:ec2:{self._region}:{self._account_id}:instance/{instance_id}",
+            name=name,
+            properties={
+                "instance_type": instance_type,
+                "state": state,
+                "vpc_id": instance.get("VpcId"),
+                "subnet_id": instance.get("SubnetId"),
+                "public_ip": public_ip,
+                "private_ip": instance.get("PrivateIpAddress"),
+                "security_groups": [sg["GroupId"] for sg in instance.get("SecurityGroups", [])],
+                "iam_instance_profile": instance.get("IamInstanceProfile", {}).get("Arn"),
+            },
+            tags=tags,
+            is_internet_facing=is_internet_facing,
+        )
+
+        findings: list[Finding] = []
+
+        # Check for public IP
+        if public_ip:
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="ec2-public-ip",
+                    severity=FindingSeverity.info,
+                    title=f"EC2 instance {instance_id} has public IP",
+                    description=f"Instance has public IP address {public_ip}",
+                    evidence={"public_ip": public_ip},
+                )
+            )
+
+        # Check for missing IMDSv2
+        metadata_options = instance.get("MetadataOptions", {})
+        if metadata_options.get("HttpTokens") != "required":
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="ec2-imdsv1-enabled",
+                    severity=FindingSeverity.medium,
+                    title=f"EC2 instance {instance_id} allows IMDSv1",
+                    description="Instance Metadata Service v1 is enabled, which is vulnerable to SSRF attacks",
+                    remediation="Require IMDSv2 by setting HttpTokens to 'required'",
+                    evidence={"metadata_options": metadata_options},
+                )
+            )
+
+        return asset, [], findings

cyntrisec/aws/normalizers/iam.py

@@ -0,0 +1,182 @@
+"""IAM Normalizer - Transform IAM data to canonical schema."""
+
+from __future__ import annotations
+
+import json
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class IamNormalizer:
+    """Normalize IAM data to canonical assets and relationships."""
+
+    def __init__(self, snapshot_id: uuid.UUID):
+        self._snapshot_id = snapshot_id
+        self._role_assets: dict[str, Asset] = {}
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize IAM data."""
+        assets: list[Asset] = []
+        relationships: list[Relationship] = []
+        findings: list[Finding] = []
+
+        # Normalize users
+        for user in data.get("users", []):
+            asset, user_findings = self._normalize_user(user)
+            assets.append(asset)
+            findings.extend(user_findings)
+
+        # Normalize roles
+        for role in data.get("roles", []):
+            asset, rels, role_findings = self._normalize_role(role)
+            assets.append(asset)
+            self._role_assets[role["RoleName"]] = asset
+            relationships.extend(rels)
+            findings.extend(role_findings)
+
+        # Normalize instance profiles
+        for profile in data.get("instance_profiles", []):
+            asset = self._normalize_instance_profile(profile)
+            assets.append(asset)
+
+        return assets, relationships, findings
+
+    def _normalize_user(
+        self,
+        user: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize an IAM user."""
+        user_name = user["UserName"]
+        user_arn = user["Arn"]
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="iam:user",
+            aws_resource_id=user_arn,
+            arn=user_arn,
+            name=user_name,
+            properties={
+                "user_id": user.get("UserId"),
+                "created_date": str(user.get("CreateDate")),
+                "password_last_used": str(user.get("PasswordLastUsed"))
+                if user.get("PasswordLastUsed")
+                else None,
+            },
+        )
+
+        findings: list[Finding] = []
+
+        # Check for root user
+        if user_name == "root":
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="iam-root-user",
+                    severity=FindingSeverity.info,
+                    title="Root user exists",
+                    description="The AWS root user should only be used for account management tasks",
+                )
+            )
+
+        return asset, findings
+
+    def _normalize_role(
+        self,
+        role: dict[str, Any],
+    ) -> tuple[Asset, list[Relationship], list[Finding]]:
+        """Normalize an IAM role with trust relationships."""
+        role_name = role["RoleName"]
+        role_arn = role["Arn"]
+
+        # Check if this is a sensitive/admin role
+        is_sensitive = any(
+            kw in role_name.lower() for kw in ["admin", "root", "power", "full-access"]
+        )
+
+        attached_policies = role.get("AttachedPolicies", []) or []
+        inline_policies = role.get("InlinePolicies", []) or []
+        policy_documents = [
+            p.get("Document") for p in attached_policies if p.get("Document")
+        ] + [
+            p.get("Document") for p in inline_policies if p.get("Document")
+        ]
+
+        # Parse and store trust policy
+        trust_policy = role.get("AssumeRolePolicyDocument")
+        if trust_policy and isinstance(trust_policy, str):
+            trust_policy = json.loads(trust_policy)
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="iam:role",
+            aws_resource_id=role_arn,
+            arn=role_arn,
+            name=role_name,
+            properties={
+                "role_id": role.get("RoleId"),
+                "created_date": str(role.get("CreateDate")),
+                "max_session_duration": role.get("MaxSessionDuration"),
+                "description": role.get("Description"),
+                "attached_policies": attached_policies,
+                "inline_policies": inline_policies,
+                "policy_documents": policy_documents,
+                "trust_policy": trust_policy,
+            },
+            is_sensitive_target=is_sensitive,
+        )
+
+        relationships: list[Relationship] = []
+        findings: list[Finding] = []
+
+        # Check trust policy for security issues (already parsed above)
+        if trust_policy:
+            for statement in trust_policy.get("Statement", []):
+                if statement.get("Effect") != "Allow":
+                    continue
+
+                principal = statement.get("Principal", {})
+
+                # Check for overly permissive trust
+                if principal == "*" or principal.get("AWS") == "*":
+                    findings.append(
+                        Finding(
+                            snapshot_id=self._snapshot_id,
+                            asset_id=asset.id,
+                            finding_type="iam-role-trust-any-principal",
+                            severity=FindingSeverity.critical,
+                            title=f"IAM role {role_name} trusts any principal",
+                            description="Role trust policy allows any AWS principal to assume it",
+                            remediation="Restrict the Principal to specific AWS accounts or roles",
+                            evidence={"trust_policy": trust_policy},
+                        )
+                    )
+
+        return asset, relationships, findings
+
+    def _normalize_instance_profile(self, profile: dict[str, Any]) -> Asset:
+        """Normalize an IAM instance profile."""
+        profile_name = profile.get("InstanceProfileName")
+        profile_arn = profile.get("Arn")
+        roles = profile.get("Roles", [])
+        role_arns = [r.get("Arn") for r in roles if r.get("Arn")]
+        role_arn = role_arns[0] if role_arns else None
+
+        return Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="iam:instance-profile",
+            aws_resource_id=profile_arn or profile_name,
+            arn=profile_arn,
+            name=profile_name or profile_arn or "instance-profile",
+            properties={
+                "instance_profile_id": profile.get("InstanceProfileId"),
+                "created_date": str(profile.get("CreateDate")),
+                "role_arn": role_arn,
+                "role_arns": role_arns,
+            },
+        )

cyntrisec/aws/normalizers/lambda_.py

@@ -0,0 +1,83 @@
+"""Lambda Normalizer - Transform Lambda data to canonical schema."""
+
+from __future__ import annotations
+
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class LambdaNormalizer:
+    """Normalize Lambda data to canonical assets."""
+
+    def __init__(
+        self,
+        snapshot_id: uuid.UUID,
+        region: str,
+        account_id: str,
+    ):
+        self._snapshot_id = snapshot_id
+        self._region = region
+        self._account_id = account_id
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize Lambda data."""
+        assets: list[Asset] = []
+        findings: list[Finding] = []
+
+        for func in data.get("functions", []):
+            asset, func_findings = self._normalize_function(func)
+            assets.append(asset)
+            findings.extend(func_findings)
+
+        return assets, [], findings
+
+    def _normalize_function(
+        self,
+        func: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize a Lambda function."""
+        func_name = func["FunctionName"]
+        func_arn = func["FunctionArn"]
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="lambda:function",
+            aws_region=self._region,
+            aws_resource_id=func_arn,
+            arn=func_arn,
+            name=func_name,
+            properties={
+                "runtime": func.get("Runtime"),
+                "handler": func.get("Handler"),
+                "memory_size": func.get("MemorySize"),
+                "timeout": func.get("Timeout"),
+                "role": func.get("Role"),
+                "vpc_config": func.get("VpcConfig"),
+                "last_modified": func.get("LastModified"),
+            },
+        )
+
+        findings: list[Finding] = []
+
+        # Check for deprecated runtime
+        runtime = func.get("Runtime", "")
+        deprecated_runtimes = ["python2.7", "python3.6", "nodejs10.x", "nodejs12.x", "ruby2.5"]
+        if any(runtime.startswith(dr) for dr in deprecated_runtimes):
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="lambda-deprecated-runtime",
+                    severity=FindingSeverity.medium,
+                    title=f"Lambda function {func_name} uses deprecated runtime",
+                    description=f"Function uses runtime {runtime} which is deprecated or EOL",
+                    remediation="Upgrade to a supported runtime version",
+                )
+            )
+
+        return asset, findings