Description
Observed behavior
We have observed that AWS Permission Sets might be globally unique, meaning that the "AdministratorAccess" Permission Set has the same ARN across all AWS accounts. This means that in Cartography, we've observed that if we sync multiple AWS Identity Center instances, we may see AWSSSOUsers across different Identity Center instances attached to the same AWSRole via ALLOWED_BY. This is a bug.

Expected behavior
We instead expect users scoped to the current identity center instance to be attached to the role.
Investigation
The main query logic is here:
cartography/cartography/intel/aws/identitycenter.py, lines 241 to 243 in 6b4ab69:

    MATCH (role:AWSRole)<-[:ASSIGNED_TO_ROLE]-(permset:AWSPermissionSet)
    WHERE permset.arn IN $PermSetIds
    RETURN permset.arn AS PermissionSetArn, role.arn AS RoleArn

We look for roles that are associated with a given AWSPermissionSet. Then we use that data to attach the AWSSSOUsers that have that permission set to the AWSRole. Nothing in this logic restricts the match to users that belong to the Identity Center instance currently being synced.
To Reproduce
1. Run cartography on one org with one Identity Center instance where the AdministratorAccess permission set is defined for some users.
2. Run cartography on another org with another Identity Center instance where the AdministratorAccess permission set is also defined for other users.
3. You will observe that all of those users are now attached to unexpected roles.
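To make the scoping gap concrete, the following is an added Python model, not cartography's own code, that simulates the join described in the investigation and reproduced in the steps above, next to the instance-scoped behaviour the report expects. The sample data is constructed: two Identity Center instances, one user in each, and an AdministratorAccess permission set whose ARN is identical in both, as the report describes. The ARNs, the record fields and the function names are assumptions for illustration only.

```python
"""Added illustration of the ALLOWED_BY scoping bug (not cartography code).

Simulates the permission-set -> role -> user join in plain Python so the
failure mode is visible without a Neo4j instance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoUser:
    user_id: str
    instance_arn: str               # Identity Center instance the user belongs to
    permission_set_arns: frozenset  # permission sets assigned to the user


@dataclass(frozen=True)
class RoleAssignment:
    role_arn: str            # AWSRole the permission set was provisioned as
    permission_set_arn: str  # AWSPermissionSet ARN (the ASSIGNED_TO_ROLE edge)
    instance_arn: str        # instance whose sync produced the edge


# Constructed sample data (assumed ARNs): two orgs, two Identity Center
# instances, and a permission set ARN that collides across both.
INSTANCE_A = "arn:aws:sso:::instance/ssoins-aaaaaaaaaaaaaaaa"
INSTANCE_B = "arn:aws:sso:::instance/ssoins-bbbbbbbbbbbbbbbb"
ADMIN_PS = "arn:aws:sso:::permissionSet/AdministratorAccess"  # placeholder
ROLE_A = "arn:aws:iam::111111111111:role/AWSReservedSSO_AdministratorAccess"
ROLE_B = "arn:aws:iam::222222222222:role/AWSReservedSSO_AdministratorAccess"

USERS = [
    SsoUser("alice", INSTANCE_A, frozenset({ADMIN_PS})),
    SsoUser("bob", INSTANCE_B, frozenset({ADMIN_PS})),
]
ASSIGNMENTS = [
    RoleAssignment(ROLE_A, ADMIN_PS, INSTANCE_A),
    RoleAssignment(ROLE_B, ADMIN_PS, INSTANCE_B),
]


def attach_users_unscoped(users, assignments):
    """Mirrors the current query: match on permission set ARN only.

    Every user that holds the permission set, in any instance, is attached
    to every role the permission set maps to. Returns {role_arn: {user_id}}.
    """
    allowed_by = {}
    for a in assignments:
        holders = {
            u.user_id for u in users if a.permission_set_arn in u.permission_set_arns
        }
        allowed_by.setdefault(a.role_arn, set()).update(holders)
    return allowed_by


def attach_users_scoped(users, assignments, current_instance_arn):
    """Expected behaviour: only users and assignments of the instance being synced."""
    allowed_by = {}
    for a in assignments:
        if a.instance_arn != current_instance_arn:
            continue
        holders = {
            u.user_id
            for u in users
            if u.instance_arn == current_instance_arn
            and a.permission_set_arn in u.permission_set_arns
        }
        allowed_by.setdefault(a.role_arn, set()).update(holders)
    return allowed_by


def cross_instance_attachments(users, assignments, allowed_by):
    """Detection check: (role, user) pairs where the user's instance never
    produced an assignment for that role. Empty means the graph is clean."""
    role_instances = {}
    for a in assignments:
        role_instances.setdefault(a.role_arn, set()).add(a.instance_arn)
    user_instance = {u.user_id: u.instance_arn for u in users}
    return {
        (role, user)
        for role, members in allowed_by.items()
        for user in members
        if user_instance[user] not in role_instances.get(role, set())
    }


if __name__ == "__main__":
    buggy = attach_users_unscoped(USERS, ASSIGNMENTS)
    print("unscoped:", buggy)
    print("suspicious:", cross_instance_attachments(USERS, ASSIGNMENTS, buggy))
    print("scoped to A:", attach_users_scoped(USERS, ASSIGNMENTS, INSTANCE_A))
```

With the unscoped join, both alice and bob end up ALLOWED_BY both roles, and `cross_instance_attachments` flags the two cross-org pairs; the scoped version attaches only alice to the org A role and only bob to the org B role.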
Please complete the following information:
- Cartography release version or commit hash: 0.110.0rc1