S3 bucket writable has known false positives
Also, take into account account level public access blocks

remove console logs from access explorer page

• Access Explorer page
• Asset inventory page
• Describe telemetry and how to turn off

1. Follow the directions here to add the rule - https://docs.zeuscloud.io/contribute/add-security-rule

2. Right now, the EKSCluster node has only a field for audit_logging_enabled (https://lyft.github.io/cartography/modules/aws/schema.html#ekscluster). It's set in cartography here (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/eks.py#L53). This rule needs to test not just audit logging but 5 types: "api", "audit", "authenticator", "controllerManager", "scheduler". Consider creating a new field for each that is enabled. Or created one field of logging_types_enabled - that field would be a list of a subset of these 5 logging types.

3. The Neo4J query probably should check 5 fields you create (or 1 field if you put all enabled logging types in a list). The rule passes if all 5 are enabled. In the context portion of the query, you should list out which of the logging types are enabled and which aren't.

4. Create a cdk stack (https://github.com/Zeus-Labs/ZeusCloud/blob/main/cdk/bin/cdk.ts) with an EKS cluster that has some subset of the logging. Be sure to give no IAM permissions. Don't make it public facing.

5. Run ZeusCloud and check that the rule works correctly. You can speed up cartography running by commenting out intel modules that are run here: (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/resources.py)

• right now iamspy in prod version is using .compose, since volume is read only?
• make clean makes assumptions about which directory you're running stuff from...

When running on non-localhost, env variables should be changed from localhost

• Document this in dev docs
• Document this in the troubleshooting guide

1. Follow the directions here to add the rule - https://docs.zeuscloud.io/contribute/add-security-rule

2. Right now, the EKSCluster node doesn't have an encryptionConfig field. (https://lyft.github.io/cartography/modules/aws/schema.html#ekscluster). It should be set in cartography here (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/eks.py#L39). Test it w/ unit / integration tests

3. The Neo4J query probably should check if encryptionConfig is not null and nonempty.

4. Create a cdk stack (https://github.com/Zeus-Labs/ZeusCloud/blob/main/cdk/bin/cdk.ts) with an EKS cluster does / doesn't have encryption of secrets enabled. Be sure to give no IAM permissions. Don't make it public facing.

5. Run ZeusCloud and check that the rule works correctly. You can speed up cartography running by commenting out intel modules that are run here: (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/resources.py)

right now attack path graphs can have same pathway twice. We should dedup in backend if this is the case

Local deployment involves too many steps

• creating encryption key
• pulling the correct docker images

Make this simpler by bundling into one script.

Allow users to log to stdout or a file if they choose not to install neo4j.

Says In Progress
Then it just has an option to Scan again
Don't know if it completed or not
need to look at terminal logs

Since moving to the adjacency list representation, we don't need to do the hack of looking for an IpRange node. Instead, the attack path query itself can query for a path with nodes in the correct order.

Gets message authentication failed errors due to changing encryption keys

Workload Protection Planning

Broad overview of the proposed engine

1. Visibility: Determine running compute and the corresponding volumes to be snapshotted
   1. Much of this is done through cartography?
   2. TODO: Figure out what needs to be snapshotted for container/serverless based compute
2. Snapshot block storage for analysis
   1. Snapshots should be deleted when they are no longer needed
3. Mount snapshots onto an EC2 to do analysis
   1. Different file systems may need to be dealt with differently
   2. Container file systems may need to be reconstructed
   3. TODO: Figure out which filesystems and how you mount different filesystems
   4. TODO: Figure out for container/serverless how you reconstruct their filesystems
4. Workload analysis
   1. Many possible types of analysis
      1. Vulnerability scanning
      2. App configuration analysis
      3. Malware analysis
      4. Secrets / Access key / password analysis
      5. Sensitive data analysis
   2. Probably should do vuln analysis and / or secret analysis first?
   3. TODO: Which open source scanning tools should we use?
   4. TODO: Should we pickup container networking in this step? Or is that separate?
5. Add workload analysis findings to Neo4j db
6. Delete any ec2 / snapshots that were created

If 0 failed alerts, it is distracting to see the rule on the Alerts page

Some support for implementing this here: https://www.reddit.com/r/cloudsecurity/comments/11s1wn4/zeuscloud_an_open_source_cloud_security_platform/

Hey folks! Im Yevgeny Pats Founder @ CloudQuery - we are an open source high performance ELT framework with popular connectors to AWS, GCP, Azure and many other sources.

I stumbled upon your open source security platform and was curious if it will be interesting to collaborate and to use our open source ELT engine under the hood instead of your current home-grown connectors which should give more time to focus on the security and analysis layer?

If interesting, I'll be happy to discuss and help!

Right now we treat org account access as a finding.

This is a false positive.

We should exclude org account findings. This should also be updated in the demo environment

Currently the DockerHub images are created from M1 Mac so they don't work on e.g. an Ubuntu machine.

Fork it
Create a package on pypi
Check that it can be used as a dependency in cartography

• make color schemes work
• add ZeusCloud with logo (without flicker)

security group intel module runs before vpc

so https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/ec2/security_groups.py#L119

this line here does not end up creating the relationship.

Impact is the asset inventory on UI won't show the VPC the security group is associated with.

Fix is to not just match the vpc node but to create it if it's not already in the neo4j database

Make it look better

Add an attack path for publicly exposed S3 + RDS data sources

1. Follow the directions here to add the rule - https://docs.zeuscloud.io/contribute/add-security-rule

2. You will need to first update cartography to set environment variables in the ECSContainerDefinition node. Currently it does not set this. This should be a basic SET operation in https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/ecs.py#L294. Update an unit tests and/or integration tests in cartography appropriately. Open a PR in Zeus-Labs fork of cartography for this. Then include an update to the cartography submodule in this repo.

3. The Neo4J query probably should check if any of ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'] show up in the name field of the environment variables

4. Create a cdk stack (https://github.com/Zeus-Labs/ZeusCloud/blob/main/cdk/bin/cdk.ts) with an ECS cluster/task definition that violates / doesn't violate this condition. You could just include AWS_SECRET_ACCESS_KEY as an environment variable with some dummy values.

5. Run ZeusCloud and check that the rule works correctly. You can speed up cartography running by commenting out intel modules that are run here: (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/resources.py)

Endpoint: /api/getRuleGraph with 2 parameters: (rule_id and the resource_id)
(e.g. http://localhost:80/api/getRuleGraph?resource_id=i-042e15a09ebb96776&rule_id=attackpath/private_vm_admin_permissions)

Consider the following structs:

type DisplayNode struct {
  // Label will tell the type of the node
  NodeLabel string `json:"node_label"`
  // resourceId uniquely identifyin the node
  ResourceId string `json:"resource_id"`
  // displayId to show in visualization
  DisplayId string `json:"display_id"`
}

type DisplayPath struct {
  DisplayPath []DisplayNodes `json:"display_path"`
}

type DisplayGraph struct {
  CentralNode DisplayNode `json:"central_node"`
  LeftSidePaths []DisplayPath `json:"left_side_paths"`
  RightSidePaths []DisplayPath `json:"right_side_paths"`
}

The API will return a DisplayGraph struct.

The graph to be displayed revolves around a star model. You have the left side paths are the paths that are coming out of the central and forming a path to the left the central node. The RightSidePaths are coming out of the central node and forming a path to the right of the central node. LeftSidePaths and RightSidePaths include the CentralNode.

For each DisplayNode, the Label determines the icon and the color of the icon. We also show the Label and the DisplayId below the icon in the visualization. You should make a catalog of node label to node icon mappings. Initially, we care about the following node labels (ELBv2, Internet, EC2SecurityGroup, EC2Instance, IAMRole, IAMPolicy, IAMUser)

The resulting graph would a bit parabolic on the left and right sides. This way the delineation between right and left is more clear. The first path should be horizontal. Then each additional path you can draw a path on the upper or lower side. This way the graph is also balanced. Ideally the edges are colored - perhaps a gradient between the colors of the node they put together.

It’s possible that certain adjacent paths have overlapping sets of nodes. You should check if the existing node has been drawn. If so, use that existing node (in other words, don't duplicate a node with the same label and resource ID).

Rule spec's don't rely on Go in any way

But it makes it more confusing to add rules

Discussion in cartography Slack: https://lyftoss.slack.com/archives/CTZUQL0KX/p1678426666993079?thread_ts=1678403037.250069&cid=CTZUQL0KX

• logs in terminal
• frontend progress bar?
• description in docs?

DockerHub is being sunset mid-April

Make sure they are consistent across docs

• skip resource staging api part?

Fields like state aren't being set (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/lambda_function.py#L52)

Many of these fields are not available through the list_functions AWS call. You need to use get_function

Ran into this using iamspy in cartography

cartography_1  | INFO:iamspy.parse:Parsing policy document: policy_identity_arn:aws:iam::315957380126:user/userMFA_forceMfa
cartography_1  | ERROR:cartography.sync:Unhandled exception during sync stage 'aws'
cartography_1  | Traceback (most recent call last):
cartography_1  |   File "/srv/cartography/cartography/sync.py", line 89, in run
cartography_1  |     stage_func(neo4j_session, config)
cartography_1  |   File "/srv/cartography/cartography/util.py", line 133, in timed
cartography_1  |     return method(*args, **kwargs)
cartography_1  |   File "/srv/cartography/cartography/intel/aws/__init__.py", line 270, in start_aws_ingestion
cartography_1  |     sync_successful = _sync_multiple_accounts(
cartography_1  |   File "/srv/cartography/cartography/intel/aws/__init__.py", line 173, in _sync_multiple_accounts
cartography_1  |     _sync_one_account(
cartography_1  |   File "/srv/cartography/cartography/intel/aws/__init__.py", line 70, in _sync_one_account
cartography_1  |     RESOURCE_FUNCTIONS['permission_relationships'](**sync_args)
cartography_1  |   File "/srv/cartography/cartography/util.py", line 133, in timed
cartography_1  |     return method(*args, **kwargs)
cartography_1  |   File "/srv/cartography/cartography/intel/aws/permission_relationships.py", line 1243, in sync
cartography_1  |     sync_iamspy_relationships(
cartography_1  |   File "/srv/cartography/cartography/intel/aws/permission_relationships.py", line 1221, in sync_iamspy_relationships
cartography_1  |     model.load_gaad_json(gaad)
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/model.py", line 55, in load_gaad_json
cartography_1  |     conditions = parse.generate_model(auth_details)
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/parse.py", line 358, in generate_model
cartography_1  |     model.extend(_parse_user(data, user))
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/parse.py", line 281, in _parse_user
cartography_1  |     model.extend(_parse_document(inline_policy.PolicyDocument, identifier))
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/parse.py", line 173, in _parse_document
cartography_1  |     parsed = _parse_statement(stmt)
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/parse.py", line 151, in _parse_statement
cartography_1  |     conditions = _parse_condition(statement.Condition)
cartography_1  |   File "/usr/local/lib/python3.8/dist-packages/zeuscloud_iamspy/parse.py", line 70, in _parse_condition
cartography_1  |     test = test.removesuffix("IfExists")
cartography_1  | AttributeError: 'str' object has no attribute 'removesuffix'

quick temporary fix would be catch iamspy exceptions and proceed

If you rescan after a while, neo4j exits with:

Failed to read from defunct connection IPv4Address(('neo4j', 7687))

This seems related to neo4j/neo4j-python-driver#294

1. Follow the directions here to add the rule - https://docs.zeuscloud.io/contribute/add-security-rule

2. The Neo4J query probably needs to check the settings_container_insights field of the ECSCluster node (https://lyft.github.io/cartography/modules/aws/schema.html#ecscluster)

3. Create a cdk stack (https://github.com/Zeus-Labs/ZeusCloud/blob/main/cdk/bin/cdk.ts) with an ECSCluster with and/or without the correct container insights setting.

4. Run ZeusCloud and check that the rule works correctly. You can speed up cartography running by commenting out intel modules that are run here: (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/resources.py)

• Unused regions create alert noise / fatigue
• Would also help reduce scanning time

Fix Risk Color and Alignment on Rules and Alerts tables

Is there any option to create a profile with AWS Session Token? I have tried a lot and successfully setup this tool but because of this missing option, I won't be able to use this tool. Please let me know if this tool supports scanning with all 3 values such as access key, secret access key and session token?

• If git clone fails
• docker issues - port in use, memory issues, docker system prune

1. Follow the directions here to add the rule - https://docs.zeuscloud.io/contribute/add-security-rule

2. The Neo4J query probably should check the endpoint_public_access field of the EKSCluster node.

3. Create a cdk stack (https://github.com/Zeus-Labs/ZeusCloud/blob/main/cdk/bin/cdk.ts) with an EKS cluster that violates / doesn't violate this condition. Be sure to give no IAM permissions.

4. Run ZeusCloud and check that the rule works correctly. You can speed up cartography running by commenting out intel modules that are run here: (https://github.com/Zeus-Labs/cartography/blob/master/cartography/intel/aws/resources.py)

It can be cumbersome to spin up resources in AWS accounts and run cartography.

Instead we should have a way to run the proxy, frontend, backend, neo4j, and postgres containers. There should be options of datasets to load into Neo4j. Security rules should run on this data and everything should show up in the frontend appropriately.

One possible way to do this:

• Look at all instances where the backend container makes calls to cartography
• Have some environmental variable setting where backend container can run without making those calls
• Create some way of mocking the neo4j. Maybe this is a script with manual inserts? Maybe we have some neo4j data files that we commit to repo?
• Create another docker-compose dev setup where the backend container is run with the appropriate env variable, the cartography container is not run, and the neo4j data is hardcoded