cyntrisec 0.1.7__py3-none-any.whl

cyntrisec/aws/normalizers/network.py

@@ -0,0 +1,225 @@
+"""Network Normalizer - Transform network data to canonical schema."""
+
+from __future__ import annotations
+
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class NetworkNormalizer:
+    """Normalize network data to canonical assets and relationships."""
+
+    def __init__(
+        self,
+        snapshot_id: uuid.UUID,
+        region: str,
+        account_id: str,
+    ):
+        self._snapshot_id = snapshot_id
+        self._region = region
+        self._account_id = account_id
+        self._asset_map: dict[str, Asset] = {}
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize network data."""
+        assets: list[Asset] = []
+        relationships: list[Relationship] = []
+        findings: list[Finding] = []
+
+        # VPCs
+        for vpc in data.get("vpcs", []):
+            asset = self._normalize_vpc(vpc)
+            assets.append(asset)
+            self._asset_map[vpc["VpcId"]] = asset
+
+        # Subnets
+        for subnet in data.get("subnets", []):
+            asset = self._normalize_subnet(subnet)
+            assets.append(asset)
+            self._asset_map[subnet["SubnetId"]] = asset
+
+            # Create VPC -> Subnet relationship
+            vpc_id = subnet.get("VpcId")
+            if vpc_id and vpc_id in self._asset_map:
+                relationships.append(
+                    Relationship(
+                        snapshot_id=self._snapshot_id,
+                        source_asset_id=self._asset_map[vpc_id].id,
+                        target_asset_id=asset.id,
+                        relationship_type="CONTAINS",
+                    )
+                )
+
+        # Security Groups
+        for sg in data.get("security_groups", []):
+            asset, sg_findings = self._normalize_security_group(sg)
+            assets.append(asset)
+            self._asset_map[sg["GroupId"]] = asset
+            findings.extend(sg_findings)
+
+        # Load Balancers
+        for lb in data.get("load_balancers", []):
+            asset = self._normalize_load_balancer(lb)
+            assets.append(asset)
+
+        return assets, relationships, findings
+
+    def _normalize_vpc(self, vpc: dict[str, Any]) -> Asset:
+        """Normalize a VPC."""
+        vpc_id = vpc["VpcId"]
+
+        name = vpc_id
+        for tag in vpc.get("Tags", []):
+            if tag["Key"] == "Name":
+                name = tag["Value"]
+                break
+
+        return Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="ec2:vpc",
+            aws_region=self._region,
+            aws_resource_id=vpc_id,
+            arn=f"arn:aws:ec2:{self._region}:{self._account_id}:vpc/{vpc_id}",
+            name=name,
+            properties={
+                "cidr_block": vpc.get("CidrBlock"),
+                "is_default": vpc.get("IsDefault", False),
+                "state": vpc.get("State"),
+            },
+        )
+
+    def _normalize_subnet(self, subnet: dict[str, Any]) -> Asset:
+        """Normalize a subnet."""
+        subnet_id = subnet["SubnetId"]
+
+        name = subnet_id
+        for tag in subnet.get("Tags", []):
+            if tag["Key"] == "Name":
+                name = tag["Value"]
+                break
+
+        # Determine if public (has auto-assign public IP)
+        is_public = subnet.get("MapPublicIpOnLaunch", False)
+
+        return Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="ec2:subnet",
+            aws_region=self._region,
+            aws_resource_id=subnet_id,
+            arn=f"arn:aws:ec2:{self._region}:{self._account_id}:subnet/{subnet_id}",
+            name=name,
+            properties={
+                "vpc_id": subnet.get("VpcId"),
+                "cidr_block": subnet.get("CidrBlock"),
+                "availability_zone": subnet.get("AvailabilityZone"),
+                "map_public_ip_on_launch": is_public,
+            },
+            is_internet_facing=is_public,
+        )
+
+    def _normalize_security_group(
+        self,
+        sg: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize a security group."""
+        sg_id = sg["GroupId"]
+        sg_name = sg.get("GroupName", sg_id)
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="ec2:security-group",
+            aws_region=self._region,
+            aws_resource_id=sg_id,
+            arn=f"arn:aws:ec2:{self._region}:{self._account_id}:security-group/{sg_id}",
+            name=sg_name,
+            properties={
+                "vpc_id": sg.get("VpcId"),
+                "description": sg.get("Description"),
+                "ingress_rules": sg.get("IpPermissions", []),
+                "egress_rules": sg.get("IpPermissionsEgress", []),
+            },
+        )
+
+        findings: list[Finding] = []
+
+        # Check for overly permissive ingress rules
+        for rule in sg.get("IpPermissions", []):
+            for ip_range in rule.get("IpRanges", []):
+                cidr = ip_range.get("CidrIp", "")
+                if cidr == "0.0.0.0/0":
+                    from_port = rule.get("FromPort", "all")
+                    to_port = rule.get("ToPort", "all")
+                    protocol = rule.get("IpProtocol", "all")
+                    severity = self._severity_for_open_rule(from_port, to_port, protocol)
+
+                    findings.append(
+                        Finding(
+                            snapshot_id=self._snapshot_id,
+                            asset_id=asset.id,
+                            finding_type="security-group-open-to-world",
+                            severity=severity,
+                            title=f"Security group {sg_name} allows inbound from 0.0.0.0/0",
+                            description=f"Ingress rule allows traffic from anywhere on port {from_port}-{to_port}",
+                            remediation="Restrict the source IP range to known addresses",
+                            evidence={"rule": rule, "cidr": cidr},
+                        )
+                    )
+            for ip_range in rule.get("Ipv6Ranges", []):
+                cidr = ip_range.get("CidrIpv6", "")
+                if cidr == "::/0":
+                    from_port = rule.get("FromPort", "all")
+                    to_port = rule.get("ToPort", "all")
+                    protocol = rule.get("IpProtocol", "all")
+                    severity = self._severity_for_open_rule(from_port, to_port, protocol)
+
+                    findings.append(
+                        Finding(
+                            snapshot_id=self._snapshot_id,
+                            asset_id=asset.id,
+                            finding_type="security-group-open-to-world",
+                            severity=severity,
+                            title=f"Security group {sg_name} allows inbound from ::/0",
+                            description=f"Ingress rule allows traffic from anywhere on port {from_port}-{to_port}",
+                            remediation="Restrict the source IP range to known addresses",
+                            evidence={"rule": rule, "cidr": cidr},
+                        )
+                    )
+
+        return asset, findings
+
+    @staticmethod
+    def _severity_for_open_rule(from_port, to_port, protocol) -> FindingSeverity:
+        """Determine severity for an open ingress rule."""
+        if from_port in [22, 3389] or to_port in [22, 3389]:
+            return FindingSeverity.critical
+        if protocol == "-1":
+            return FindingSeverity.critical
+        return FindingSeverity.high
+
+    def _normalize_load_balancer(self, lb: dict[str, Any]) -> Asset:
+        """Normalize a load balancer."""
+        lb_arn = lb["LoadBalancerArn"]
+        lb_name = lb.get("LoadBalancerName", lb_arn.split("/")[-1])
+        scheme = lb.get("Scheme", "internal")
+
+        return Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="elbv2:load-balancer",
+            aws_region=self._region,
+            aws_resource_id=lb_arn,
+            arn=lb_arn,
+            name=lb_name,
+            properties={
+                "type": lb.get("Type"),
+                "scheme": scheme,
+                "dns_name": lb.get("DNSName"),
+                "vpc_id": lb.get("VpcId"),
+                "security_groups": lb.get("SecurityGroups", []),
+            },
+            is_internet_facing=(scheme == "internet-facing"),
+        )

cyntrisec/aws/normalizers/rds.py

@@ -0,0 +1,130 @@
+"""RDS Normalizer - Transform RDS data to canonical schema."""
+
+from __future__ import annotations
+
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class RdsNormalizer:
+    """Normalize RDS data to canonical assets."""
+
+    def __init__(
+        self,
+        snapshot_id: uuid.UUID,
+        region: str,
+        account_id: str,
+    ):
+        self._snapshot_id = snapshot_id
+        self._region = region
+        self._account_id = account_id
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize RDS data."""
+        assets: list[Asset] = []
+        findings: list[Finding] = []
+
+        for instance in data.get("instances", []):
+            asset, instance_findings = self._normalize_instance(instance)
+            assets.append(asset)
+            findings.extend(instance_findings)
+
+        for cluster in data.get("clusters", []):
+            asset, cluster_findings = self._normalize_cluster(cluster)
+            assets.append(asset)
+            findings.extend(cluster_findings)
+
+        return assets, [], findings
+
+    def _normalize_instance(
+        self,
+        instance: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize an RDS DB instance."""
+        db_id = instance["DBInstanceIdentifier"]
+        db_arn = instance["DBInstanceArn"]
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="rds:db-instance",
+            aws_region=self._region,
+            aws_resource_id=db_arn,
+            arn=db_arn,
+            name=db_id,
+            properties={
+                "engine": instance.get("Engine"),
+                "engine_version": instance.get("EngineVersion"),
+                "instance_class": instance.get("DBInstanceClass"),
+                "storage_encrypted": instance.get("StorageEncrypted"),
+                "publicly_accessible": instance.get("PubliclyAccessible"),
+                "multi_az": instance.get("MultiAZ"),
+                "vpc_security_groups": [
+                    sg["VpcSecurityGroupId"] for sg in instance.get("VpcSecurityGroups", [])
+                ],
+            },
+            is_internet_facing=instance.get("PubliclyAccessible", False),
+            is_sensitive_target=True,  # Databases are sensitive
+        )
+
+        findings: list[Finding] = []
+
+        # Check for public accessibility
+        if instance.get("PubliclyAccessible"):
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="rds-publicly-accessible",
+                    severity=FindingSeverity.critical,
+                    title=f"RDS instance {db_id} is publicly accessible",
+                    description="Database is configured to be publicly accessible from the internet",
+                    remediation="Disable public accessibility and use VPC endpoints or bastion hosts",
+                )
+            )
+
+        # Check for encryption
+        if not instance.get("StorageEncrypted"):
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="rds-not-encrypted",
+                    severity=FindingSeverity.high,
+                    title=f"RDS instance {db_id} is not encrypted",
+                    description="Database storage is not encrypted at rest",
+                    remediation="Enable storage encryption (requires database recreation)",
+                )
+            )
+
+        return asset, findings
+
+    def _normalize_cluster(
+        self,
+        cluster: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize an RDS Aurora cluster."""
+        cluster_id = cluster["DBClusterIdentifier"]
+        cluster_arn = cluster["DBClusterArn"]
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="rds:db-cluster",
+            aws_region=self._region,
+            aws_resource_id=cluster_arn,
+            arn=cluster_arn,
+            name=cluster_id,
+            properties={
+                "engine": cluster.get("Engine"),
+                "engine_version": cluster.get("EngineVersion"),
+                "storage_encrypted": cluster.get("StorageEncrypted"),
+                "multi_az": cluster.get("MultiAZ"),
+            },
+            is_sensitive_target=True,
+        )
+
+        return asset, []

cyntrisec/aws/normalizers/s3.py

@@ -0,0 +1,184 @@
+"""S3 Normalizer - Transform S3 data to canonical schema."""
+
+from __future__ import annotations
+
+import json
+import uuid
+from typing import Any
+
+from cyntrisec.core.schema import Asset, Finding, FindingSeverity, Relationship
+
+
+class S3Normalizer:
+    """Normalize S3 data to canonical assets and findings."""
+
+    def __init__(self, snapshot_id: uuid.UUID):
+        self._snapshot_id = snapshot_id
+
+    def normalize(
+        self,
+        data: dict[str, Any],
+    ) -> tuple[list[Asset], list[Relationship], list[Finding]]:
+        """Normalize S3 data."""
+        assets: list[Asset] = []
+        findings: list[Finding] = []
+
+        for bucket in data.get("buckets", []):
+            asset, bucket_findings = self._normalize_bucket(bucket)
+            assets.append(asset)
+            findings.extend(bucket_findings)
+
+        return assets, [], findings
+
+    def _normalize_bucket(
+        self,
+        bucket: dict[str, Any],
+    ) -> tuple[Asset, list[Finding]]:
+        """Normalize an S3 bucket."""
+        bucket_name = bucket["Name"]
+        region = bucket.get("Location", "us-east-1")
+
+        # Check if this is a sensitive bucket (by name heuristic)
+        is_sensitive = any(
+            kw in bucket_name.lower()
+            for kw in ["backup", "secret", "credential", "key", "log", "audit"]
+        )
+
+        asset = Asset(
+            snapshot_id=self._snapshot_id,
+            asset_type="s3:bucket",
+            aws_region=region,
+            aws_resource_id=f"arn:aws:s3:::{bucket_name}",
+            arn=f"arn:aws:s3:::{bucket_name}",
+            name=bucket_name,
+            properties={
+                "creation_date": str(bucket.get("CreationDate")),
+                "region": region,
+                "has_policy": bucket.get("Policy") is not None,
+                "public_access_block": bucket.get("PublicAccessBlock"),
+            },
+            is_sensitive_target=is_sensitive,
+        )
+
+        findings: list[Finding] = []
+
+        # Check ACL for public access
+        acl = bucket.get("Acl", {})
+        for grant in acl.get("Grants", []):
+            grantee = grant.get("Grantee", {})
+            grantee_uri = grantee.get("URI", "")
+
+            if "AllUsers" in grantee_uri:
+                findings.append(
+                    Finding(
+                        snapshot_id=self._snapshot_id,
+                        asset_id=asset.id,
+                        finding_type="s3-bucket-public-acl",
+                        severity=FindingSeverity.critical,
+                        title=f"S3 bucket {bucket_name} has public ACL",
+                        description="Bucket ACL grants access to all users (public)",
+                        remediation="Remove public ACL grants and enable Block Public Access",
+                        evidence={"grant": grant},
+                    )
+                )
+            elif "AuthenticatedUsers" in grantee_uri:
+                findings.append(
+                    Finding(
+                        snapshot_id=self._snapshot_id,
+                        asset_id=asset.id,
+                        finding_type="s3-bucket-authenticated-users-acl",
+                        severity=FindingSeverity.high,
+                        title=f"S3 bucket {bucket_name} allows authenticated users",
+                        description="Bucket ACL grants access to any authenticated AWS user",
+                        remediation="Remove this grant - it allows any AWS account access",
+                        evidence={"grant": grant},
+                    )
+                )
+
+        # Check public access block
+        pab = bucket.get("PublicAccessBlock")
+        if not pab:
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="s3-bucket-no-public-access-block",
+                    severity=FindingSeverity.medium,
+                    title=f"S3 bucket {bucket_name} has no public access block",
+                    description="Block Public Access is not configured for this bucket",
+                    remediation="Enable Block Public Access at the bucket level",
+                )
+            )
+        elif not all(
+            [
+                pab.get("BlockPublicAcls"),
+                pab.get("IgnorePublicAcls"),
+                pab.get("BlockPublicPolicy"),
+                pab.get("RestrictPublicBuckets"),
+            ]
+        ):
+            findings.append(
+                Finding(
+                    snapshot_id=self._snapshot_id,
+                    asset_id=asset.id,
+                    finding_type="s3-bucket-partial-public-access-block",
+                    severity=FindingSeverity.low,
+                    title=f"S3 bucket {bucket_name} has partial public access block",
+                    description="Some Block Public Access settings are not enabled",
+                    evidence={"public_access_block": pab},
+                )
+            )
+
+        # Check bucket policy for public access
+        policy = bucket.get("Policy")
+        if policy:
+            findings.extend(self._analyze_bucket_policy(asset, bucket_name, policy))
+
+        return asset, findings
+
+    def _analyze_bucket_policy(
+        self,
+        asset: Asset,
+        bucket_name: str,
+        policy: Any,
+    ) -> list[Finding]:
+        """Analyze bucket policy for public access."""
+        try:
+            policy_doc = json.loads(policy) if isinstance(policy, str) else policy
+        except (json.JSONDecodeError, TypeError):
+            return []
+
+        statements = policy_doc.get("Statement", [])
+        findings: list[Finding] = []
+        for statement in statements if isinstance(statements, list) else [statements]:
+            effect = statement.get("Effect", "")
+            principal = statement.get("Principal", {})
+            if effect != "Allow":
+                continue
+            if self._is_public_principal(principal):
+                findings.append(
+                    Finding(
+                        snapshot_id=self._snapshot_id,
+                        asset_id=asset.id,
+                        finding_type="s3-bucket-public-policy",
+                        severity=FindingSeverity.critical,
+                        title=f"S3 bucket {bucket_name} has public bucket policy",
+                        description="Bucket policy allows public access via Principal: *",
+                        remediation="Review and restrict the bucket policy",
+                        evidence={"statement": statement},
+                    )
+                )
+        return findings
+
+    @staticmethod
+    def _is_public_principal(principal: Any) -> bool:
+        """Return True when Principal implies public access."""
+        if principal == "*":
+            return True
+        if isinstance(principal, dict):
+            aws_principal = principal.get("AWS")
+            if aws_principal == "*" or aws_principal == ["*"]:
+                return True
+            if isinstance(aws_principal, list) and "*" in aws_principal:
+                return True
+        return False