-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Issue report]Misuse of iaminstanceprofile in aws_ec2_iaminstance.json due to missing EC2InstanceProfile object #1365
Comments
@xiaoen-liu - Thanks for reporting, this is a valid issue. To make sure I understand, the current model is
but it should be this instead:
Is this right? |
Yes, without having the IamInstanceProfile as a separate model, it's not possible to correctly establish the node relationships between EC2 Instances and IAM Roles. |
I would like to further clarify the cause of this confusion. The creation of an AWS Instance Profile and the binding of an Instance Profile to an IAM Role are two separate API calls: However, the AWS Console design makes it appear as though the instance profile name and the IAM role name are identical, which leads to confusion. This issue becomes more pronounced when using Infrastructure as Code (IaC) tools like Terraform, CloudFormation, or CDK, where instance profile names and IAM role names are often completely different. This discrepancy can cause significant issues in environments where IaC is used to manage AWS resources, making it important to properly model the distinction between instance profiles and IAM roles. |
From what I understand and also from looking at our
while
So not sure what the issue issue! @xiaoen-liu Are you able to provide an example please? |
Bumping up this issue and hoping to come to a fix soon.
Right, I can confirm this. If I run this cloudgoat scenario https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3 and then run cartography on it, the created role node is not attached to the EC2 instance even though it is the instance's iaminstanceprofile. This is because cartography assumes that the iaminstanceprofile has the same name as the associated role, but that cloudgoat scenario shows that this is not always the case. Relevant code:
I'm not sure if splitting out the profile to a separate node is necessary as long as we can correctly handle that the iaminstanceprofile name can be different from the role name. What do you think @xiaoen-liu? |
Another thing to consider: we need to call |
Title: Misuse of iaminstanceprofile in aws_ec2_iaminstance.json due to missing EC2InstanceProfile object
Description:
The misuse happens because Cartography does not currently create a separate EC2InstanceProfile object, leading to incorrect modeling of the relationship between EC2 Instances and IAM Roles.
Expected behavior:
A separate EC2InstanceProfile object should be created and properly linked to EC2 Instances.
The relationship between the EC2InstanceProfile and its associated IAM Role should be accurately represented, avoiding the incorrect assumption about the name correlation.
[optional Relevant Links:]
The text was updated successfully, but these errors were encountered: