AWS has released an update to AWS SSO (now IAM Identity Center) that exposes access to users using SSO for AWS access.
https://docs.aws.amazon.com/singlesignon/latest/userguide/identities.html
These users and groups are not included in the normal AWS Security Audit permissions and are not pulled through the current cartography code. In my case, most of the relationships I'm interested in analyzing are tied to the SSO users and groups. I have pulled a list of users and a list of groups from our AWS SSO. I do not see anything in the fields to create or tie relationships. I've attached a sanitized copy of a user record and a group record.
I had to have permissions added to my sp to allow read access to users and groups in the identity store (distinct from the normal identity store). From the AWS CLI, the command is `aws identitystore list-users --identity-store-id d-*******`. There are other list options, including groups and group membership.
I don't think integrating the pulls would be a challenge, but finding the relationships is where I'm having challenges.
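The join the post is looking for is `list-group-memberships`, whose records carry `MemberId.UserId` and `GroupId`; `list-users` and `list-groups` on their own do not reference each other. The following is an added example (not cartography's code and not the poster's) that drains the three NextToken-paginated calls and turns the results into graph nodes and `MEMBER_OF` edges. The sample responses are constructed with made-up values in the real Identity Store response shapes, and the `fake_pages` helper stands in for the boto3 client so the block runs offline; the `d-0000000000` store id, the `AWSSSOUser` / `AWSSSOGroup` labels and the Cypher query are assumptions for illustration.

```python
"""Join IAM Identity Center (AWS SSO) users, groups and group memberships
into graph-ready nodes and MEMBER_OF edges. Added example, not project code."""
from typing import Callable, Dict, List, Optional, Tuple

IDENTITY_STORE_ID = "d-0000000000"  # placeholder store id (assumption)

# Constructed sample data shaped like `aws identitystore list-users`,
# `list-groups` and `list-group-memberships` output; all values are made up.
SAMPLE_USERS = [
    {"UserId": "u-1111", "UserName": "alice@example.com", "DisplayName": "Alice Example",
     "IdentityStoreId": IDENTITY_STORE_ID, "Emails": [{"Value": "alice@example.com", "Primary": True}]},
    {"UserId": "u-2222", "UserName": "bob@example.com", "DisplayName": "Bob Example",
     "IdentityStoreId": IDENTITY_STORE_ID, "Emails": [{"Value": "bob@example.com", "Primary": True}]},
]
SAMPLE_GROUPS = [
    {"GroupId": "g-aaaa", "DisplayName": "Admins", "IdentityStoreId": IDENTITY_STORE_ID},
    {"GroupId": "g-bbbb", "DisplayName": "ReadOnly", "IdentityStoreId": IDENTITY_STORE_ID},
]
# list-group-memberships is called once per group; MemberId.UserId is the join key.
SAMPLE_MEMBERSHIPS = {
    "g-aaaa": [{"MembershipId": "m-1", "GroupId": "g-aaaa", "MemberId": {"UserId": "u-1111"}}],
    "g-bbbb": [{"MembershipId": "m-2", "GroupId": "g-bbbb", "MemberId": {"UserId": "u-1111"}},
               {"MembershipId": "m-3", "GroupId": "g-bbbb", "MemberId": {"UserId": "u-2222"}},
               # dangling membership: user not returned by list-users (e.g. deleted)
               {"MembershipId": "m-4", "GroupId": "g-bbbb", "MemberId": {"UserId": "u-9999"}}],
}

# Assumed labels/relationship; cartography loads edges with UNWIND over dicts.
MEMBER_OF_QUERY = """
UNWIND $edges AS e
MATCH (u:AWSSSOUser {id: e.user_id}), (g:AWSSSOGroup {id: e.group_id})
MERGE (u)-[:MEMBER_OF]->(g)
"""


def paginate(fetch_page: Callable[[Optional[str]], dict], key: str) -> List[dict]:
    """Drain a NextToken-paginated Identity Store call.

    fetch_page(next_token) must return the API-shaped dict {key: [...], "NextToken": ...}
    with NextToken absent on the last page. With boto3 you would pass, e.g.,
      lambda t: client.list_users(IdentityStoreId=sid, **({"NextToken": t} if t else {}))
    """
    items: List[dict] = []
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        items.extend(page.get(key, []))
        token = page.get("NextToken")
        if not token:
            return items


def fake_pages(records: List[dict], key: str, page_size: int = 2) -> Callable[[Optional[str]], dict]:
    """Offline stand-in for an API call: serves `records` in pages of page_size."""
    def fetch(token: Optional[str]) -> dict:
        start = int(token) if token else 0
        resp = {key: records[start:start + page_size]}
        if start + page_size < len(records):
            resp["NextToken"] = str(start + page_size)
        return resp
    return fetch


def build_graph(users: List[dict], groups: List[dict], memberships_by_group: Dict[str, List[dict]]
                ) -> Tuple[Dict[str, dict], Dict[str, dict], List[Tuple[str, str]], List[str]]:
    """Return (user_nodes, group_nodes, member_of_edges, dangling_membership_ids).

    Edges are (user_id, group_id) pairs; a membership whose user or group was not
    in the listed users/groups is reported as dangling instead of silently dropped.
    """
    user_nodes = {u["UserId"]: {"id": u["UserId"], "username": u["UserName"],
                                "display_name": u.get("DisplayName")} for u in users}
    group_nodes = {g["GroupId"]: {"id": g["GroupId"], "name": g["DisplayName"]} for g in groups}
    edges, dangling = [], []
    for group_id, memberships in memberships_by_group.items():
        for m in memberships:
            uid = m["MemberId"]["UserId"]
            if uid in user_nodes and group_id in group_nodes:
                edges.append((uid, group_id))
            else:
                dangling.append(m["MembershipId"])
    return user_nodes, group_nodes, sorted(edges), dangling


def demo():
    """Run the three paginated pulls against the sample data and build the graph."""
    users = paginate(fake_pages(SAMPLE_USERS, "Users"), "Users")
    groups = paginate(fake_pages(SAMPLE_GROUPS, "Groups"), "Groups")
    memberships = {g["GroupId"]: paginate(fake_pages(SAMPLE_MEMBERSHIPS[g["GroupId"]],
                                                      "GroupMemberships"), "GroupMemberships")
                   for g in groups}
    return build_graph(users, groups, memberships)


if __name__ == "__main__":
    users, groups, edges, dangling = demo()
    print(len(users), "users,", len(groups), "groups,", len(edges), "MEMBER_OF edges")
    print("edge params:", [{"user_id": u, "group_id": g} for u, g in edges])
    print("dangling memberships:", dangling)
```

The principal doing the pull needs `identitystore:ListUsers`, `identitystore:ListGroups` and `identitystore:ListGroupMemberships` on the store, which is why the poster had to add permissions beyond the Security Audit set; the dangling list is worth keeping, since a membership pointing at a user that `list-users` no longer returns is exactly the kind of stale grant a graph audit should surface rather than hide.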