Fix S3 ACL analysis rules
`acl.uri` and `acl.granteeid` are mutually exclusive as per https://github.com/lyft/cartography/blob/f613c32959f4bbdab53f83b2a03532c62e180e8d/cartography/intel/aws/s3.py#L554-L578. So the "WRITE" rule would never trigger. And as these rules are all about detecting _anonymous_ access permissions, there shouldn't be any clauses checking that the grantee is the owner. And as per AWS' documentation, the `WRITE` permission allows the `s3:PutObject` action, so that should be added to `anonymous_actions`. (`s3:DeleteObjectVersion` is only ever granted to bucket owners.)

For the "READ_ACP" rule the granted anonymous actions are incorrect.
jhecking authored Feb 23, 2023
1 parent af1d39b commit 13feb15
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions cartography/data/jobs/analysis/aws_s3acl_analysis.json
Expand Up @@ -5,11 +5,11 @@
"iterative": false
},
{
"query": "MATCH (acl:S3Acl)-[:APPLIES_TO]->(bucket:S3Bucket)<-[:RESOURCE]-(aws:AWSAccount{id: $AWS_ID})\nWHERE acl.uri IN ['http://acs.amazonaws.com/groups/global/AllUsers', 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'] AND acl.permission = 'WRITE'\nAND (acl.ownerid = acl.granteeid)\nSET bucket.anonymous_access = true, bucket.anonymous_actions = coalesce(bucket.anonymous_actions, []) + ['s3:DeleteObjectVersion']",
"query": "MATCH (acl:S3Acl)-[:APPLIES_TO]->(bucket:S3Bucket)<-[:RESOURCE]-(aws:AWSAccount{id: $AWS_ID})\nWHERE acl.uri IN ['http://acs.amazonaws.com/groups/global/AllUsers', 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'] AND acl.permission = 'WRITE'\nSET bucket.anonymous_access = true, bucket.anonymous_actions = coalesce(bucket.anonymous_actions, []) + ['s3:PutObject']",
"iterative": false
},
{
"query": "MATCH (acl:S3Acl)-[:APPLIES_TO]->(bucket:S3Bucket)<-[:RESOURCE]-(aws:AWSAccount{id: $AWS_ID})\nWHERE acl.uri IN ['http://acs.amazonaws.com/groups/global/AllUsers', 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'] AND acl.permission = 'READ_ACP'\nSET bucket.anonymous_access = true, bucket.anonymous_actions = coalesce(bucket.anonymous_actions, []) + ['s3:DeleteObjectVersion']",
"query": "MATCH (acl:S3Acl)-[:APPLIES_TO]->(bucket:S3Bucket)<-[:RESOURCE]-(aws:AWSAccount{id: $AWS_ID})\nWHERE acl.uri IN ['http://acs.amazonaws.com/groups/global/AllUsers', 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'] AND acl.permission = 'READ_ACP'\nSET bucket.anonymous_access = true, bucket.anonymous_actions = coalesce(bucket.anonymous_actions, []) + ['s3:GetBucketAcl']",
"iterative": false
},
{
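Review bot: the corrected WRITE rule records only `s3:PutObject`, but AWS's mapping of ACL permissions to policy actions (the same documentation the commit message cites) lists bucket-level WRITE as granting both `s3:PutObject` and `s3:DeleteObject`, so consider `+ ['s3:PutObject', 's3:DeleteObject']` so that anonymous delete rights are not under-reported. Dropping the `acl.ownerid = acl.granteeid` clause and the `s3:DeleteObjectVersion` entry looks right given that those only apply to bucket-owner grants, and the READ_ACP change to `s3:GetBucketAcl` matches the mapping. A small fixture-based test that loads an `S3Acl` node with `uri` set to the AllUsers group and `permission = 'WRITE'` and asserts on `bucket.anonymous_actions` would keep these rules from silently regressing again.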
