// src/index.ts
import { S3Client as S3Client3 } from "@aws-sdk/client-s3";
// src/generated/getters.ts
import { resolveFunctionCallParameters } from "@infrascan/core";
import {
S3ServiceException,
ListBucketsCommand,
GetBucketTaggingCommand,
GetBucketNotificationConfigurationCommand,
GetBucketWebsiteCommand,
GetBucketAclCommand
} from "@aws-sdk/client-s3";
import debug from "debug";
/**
 * Getter: records the account's bucket inventory with a single ListBuckets call.
 *
 * @param client - S3 client used to send the command.
 * @param stateConnector - receives the collected records through
 *   onServiceScanCompleteCallback(account, region, "S3", "ListBuckets", state).
 * @param context - supplies `account` and `region` for each record's _metadata.
 *
 * Failures are logged and otherwise swallowed: a failed call (an access denial,
 * for instance) leaves `state` empty and the completion callback still fires.
 * The per-bucket getters in this file resolve their Bucket parameter from this
 * state, so a failure here presumably leaves them with nothing to scan — TODO
 * confirm whether an explicit failure record would be preferable.
 */
async function ListBuckets(client, stateConnector, context) {
  const getterDebug = debug("s3:ListBuckets");
  const state = [];
  getterDebug("ListBuckets");
  const preparedParams = {};
  // One place that fixes the record shape: metadata, the parameters used, the raw result.
  const recordResult = (result) => {
    state.push({
      _metadata: {
        account: context.account,
        region: context.region,
        timestamp: Date.now()
      },
      _parameters: preparedParams,
      _result: result
    });
  };
  // Retryability only changes the log line; retrying itself is left to the client configuration.
  const reportFailure = (err) => {
    if (!(err instanceof S3ServiceException)) {
      console.log("Encountered unexpected error", err);
      return;
    }
    console.log(
      err.$retryable ? "Encountered retryable error" : "Encountered unretryable error",
      err
    );
  };
  try {
    recordResult(await client.send(new ListBucketsCommand(preparedParams)));
  } catch (err) {
    reportFailure(err);
  }
  getterDebug("Recording state");
  await stateConnector.onServiceScanCompleteCallback(
    context.account,
    context.region,
    "S3",
    "ListBuckets",
    state
  );
}
/**
 * Getter: records the tag set of every bucket found by ListBuckets.
 *
 * @param client - S3 client used to send one GetBucketTagging command per bucket.
 * @param stateConnector - source of the Bucket parameters (resolved from the
 *   recorded ListBuckets state via the selector below) and sink for the results.
 * @param context - supplies `account` and `region` for each record's _metadata.
 *
 * Per-bucket failures are logged and skipped, so a bucket whose call failed is
 * simply absent from `state`. Buckets without tags are presumably still recorded,
 * because the client middleware in this file maps NoSuchTagSet to an empty
 * TagSet before the error reaches this loop — confirm against getClient.
 */
async function GetBucketTagging(client, stateConnector, context) {
  const getterDebug = debug("s3:GetBucketTagging");
  const state = [];
  getterDebug("Fetching state");
  // Each bucket name in the recorded ListBuckets output becomes one { Bucket } parameter set.
  const resolvers = [
    { Key: "Bucket", Selector: "S3|ListBuckets|[]._result.Buckets[].Name" }
  ];
  const parameterQueue = await resolveFunctionCallParameters(
    context.account,
    context.region,
    resolvers,
    stateConnector
  );
  const recordResult = (preparedParams, result) => {
    state.push({
      _metadata: {
        account: context.account,
        region: context.region,
        timestamp: Date.now()
      },
      _parameters: preparedParams,
      _result: result
    });
  };
  // Retryability only changes the log line; retrying itself is left to the client configuration.
  const reportFailure = (err) => {
    if (!(err instanceof S3ServiceException)) {
      console.log("Encountered unexpected error", err);
      return;
    }
    console.log(
      err.$retryable ? "Encountered retryable error" : "Encountered unretryable error",
      err
    );
  };
  for (const preparedParams of parameterQueue) {
    try {
      const result = await client.send(new GetBucketTaggingCommand(preparedParams));
      recordResult(preparedParams, result);
    } catch (err) {
      reportFailure(err);
    }
  }
  getterDebug("Recording state");
  await stateConnector.onServiceScanCompleteCallback(
    context.account,
    context.region,
    "S3",
    "GetBucketTagging",
    state
  );
}
/**
 * Getter: records the event-notification configuration of every bucket found
 * by ListBuckets. The recorded _result is what getEdges later reads to draw
 * bucket -> topic/queue/function edges.
 *
 * @param client - S3 client used to send one command per bucket.
 * @param stateConnector - source of the Bucket parameters (resolved from the
 *   recorded ListBuckets state via the selector below) and sink for the results.
 * @param context - supplies `account` and `region` for each record's _metadata.
 *
 * Per-bucket failures are logged and skipped, so a bucket whose call failed
 * (e.g. access denied) has no record and therefore no edges.
 */
async function GetBucketNotificationConfiguration(client, stateConnector, context) {
  const getterDebug = debug("s3:GetBucketNotificationConfiguration");
  const state = [];
  getterDebug("Fetching state");
  // Each bucket name in the recorded ListBuckets output becomes one { Bucket } parameter set.
  const resolvers = [
    { Key: "Bucket", Selector: "S3|ListBuckets|[]._result.Buckets[].Name" }
  ];
  const parameterQueue = await resolveFunctionCallParameters(
    context.account,
    context.region,
    resolvers,
    stateConnector
  );
  const recordResult = (preparedParams, result) => {
    state.push({
      _metadata: {
        account: context.account,
        region: context.region,
        timestamp: Date.now()
      },
      _parameters: preparedParams,
      _result: result
    });
  };
  // Retryability only changes the log line; retrying itself is left to the client configuration.
  const reportFailure = (err) => {
    if (!(err instanceof S3ServiceException)) {
      console.log("Encountered unexpected error", err);
      return;
    }
    console.log(
      err.$retryable ? "Encountered retryable error" : "Encountered unretryable error",
      err
    );
  };
  for (const preparedParams of parameterQueue) {
    try {
      const result = await client.send(
        new GetBucketNotificationConfigurationCommand(preparedParams)
      );
      recordResult(preparedParams, result);
    } catch (err) {
      reportFailure(err);
    }
  }
  getterDebug("Recording state");
  await stateConnector.onServiceScanCompleteCallback(
    context.account,
    context.region,
    "S3",
    "GetBucketNotificationConfiguration",
    state
  );
}
/**
 * Getter: records the static-website configuration of every bucket found by
 * ListBuckets. The configuration is stored verbatim; no interpretation happens here.
 *
 * @param client - S3 client used to send one GetBucketWebsite command per bucket.
 * @param stateConnector - source of the Bucket parameters (resolved from the
 *   recorded ListBuckets state via the selector below) and sink for the results.
 * @param context - supplies `account` and `region` for each record's _metadata.
 *
 * Per-bucket failures are logged and skipped. Buckets with no website
 * configuration are presumably still recorded (with an empty output), because
 * the client middleware in this file maps NoSuchWebsiteConfiguration to an
 * empty response — confirm against getClient.
 */
async function GetBucketWebsite(client, stateConnector, context) {
  const getterDebug = debug("s3:GetBucketWebsite");
  const state = [];
  getterDebug("Fetching state");
  // Each bucket name in the recorded ListBuckets output becomes one { Bucket } parameter set.
  const resolvers = [
    { Key: "Bucket", Selector: "S3|ListBuckets|[]._result.Buckets[].Name" }
  ];
  const parameterQueue = await resolveFunctionCallParameters(
    context.account,
    context.region,
    resolvers,
    stateConnector
  );
  const recordResult = (preparedParams, result) => {
    state.push({
      _metadata: {
        account: context.account,
        region: context.region,
        timestamp: Date.now()
      },
      _parameters: preparedParams,
      _result: result
    });
  };
  // Retryability only changes the log line; retrying itself is left to the client configuration.
  const reportFailure = (err) => {
    if (!(err instanceof S3ServiceException)) {
      console.log("Encountered unexpected error", err);
      return;
    }
    console.log(
      err.$retryable ? "Encountered retryable error" : "Encountered unretryable error",
      err
    );
  };
  for (const preparedParams of parameterQueue) {
    try {
      const result = await client.send(new GetBucketWebsiteCommand(preparedParams));
      recordResult(preparedParams, result);
    } catch (err) {
      reportFailure(err);
    }
  }
  getterDebug("Recording state");
  await stateConnector.onServiceScanCompleteCallback(
    context.account,
    context.region,
    "S3",
    "GetBucketWebsite",
    state
  );
}
/**
 * Getter: records the ACL of every bucket found by ListBuckets.
 * The ACL is stored verbatim — nothing here evaluates the grants (for example
 * for public grantees); that is left to consumers of the recorded state.
 *
 * @param client - S3 client used to send one GetBucketAcl command per bucket.
 * @param stateConnector - source of the Bucket parameters (resolved from the
 *   recorded ListBuckets state via the selector below) and sink for the results.
 * @param context - supplies `account` and `region` for each record's _metadata.
 *
 * Per-bucket failures are logged and skipped, so a bucket whose ACL could not
 * be read (e.g. access denied) is silently missing from `state`.
 */
async function GetBucketAcl(client, stateConnector, context) {
  const getterDebug = debug("s3:GetBucketAcl");
  const state = [];
  getterDebug("Fetching state");
  // Each bucket name in the recorded ListBuckets output becomes one { Bucket } parameter set.
  const resolvers = [
    { Key: "Bucket", Selector: "S3|ListBuckets|[]._result.Buckets[].Name" }
  ];
  const parameterQueue = await resolveFunctionCallParameters(
    context.account,
    context.region,
    resolvers,
    stateConnector
  );
  const recordResult = (preparedParams, result) => {
    state.push({
      _metadata: {
        account: context.account,
        region: context.region,
        timestamp: Date.now()
      },
      _parameters: preparedParams,
      _result: result
    });
  };
  // Retryability only changes the log line; retrying itself is left to the client configuration.
  const reportFailure = (err) => {
    if (!(err instanceof S3ServiceException)) {
      console.log("Encountered unexpected error", err);
      return;
    }
    console.log(
      err.$retryable ? "Encountered retryable error" : "Encountered unretryable error",
      err
    );
  };
  for (const preparedParams of parameterQueue) {
    try {
      const result = await client.send(new GetBucketAclCommand(preparedParams));
      recordResult(preparedParams, result);
    } catch (err) {
      reportFailure(err);
    }
  }
  getterDebug("Recording state");
  await stateConnector.onServiceScanCompleteCallback(
    context.account,
    context.region,
    "S3",
    "GetBucketAcl",
    state
  );
}
// src/generated/graph.ts
import {
evaluateSelectorGlobally,
filterState,
formatEdge
} from "@infrascan/core";
import debug2 from "debug";
// Debug channel for edge derivation, namespace "s3:edges" (shared by getEdges below).
var edgesDebug = debug2("s3:edges");
/**
 * Derives graph edges from the recorded GetBucketNotificationConfiguration
 * state: one edge from each bucket (source id `arn:aws:s3:::<Bucket>`, built
 * from the recorded _parameters.Bucket) to every SNS topic, SQS queue and
 * Lambda function listed as a notification target in the recorded _result.
 * Each target kind is a separate pass that re-evaluates the same state selector.
 *
 * @param stateConnector - state store queried through evaluateSelectorGlobally.
 * @returns the concatenated list of formatEdge results (their shape is not visible here).
 */
async function getEdges(stateConnector) {
  edgesDebug("Fetching edges");
  const configSelector = "S3|GetBucketNotificationConfiguration|[]";
  const sourceSelector = "_parameters.Bucket | [`arn:aws:s3:::`,@] | join('',@)";
  // JMESPath-style expressions picking {target, name} pairs out of each recorded result.
  const targetSelectors = [
    "_result.TopicConfigurations | [].{target:TopicArn,name:Id}",
    "_result.QueueConfigurations | [].{target:QueueArn,name:Id}",
    "_result.LambdaFunctionConfigurations | [].{target:LambdaFunctionArn,name:Id}"
  ];
  const edges = [];
  for (const targetSelector of targetSelectors) {
    edgesDebug(`Evaluating ${configSelector}`);
    const configState = await evaluateSelectorGlobally(configSelector, stateConnector);
    const passEdges = configState.flatMap((state) => {
      const source = filterState(state, sourceSelector);
      const target = filterState(state, targetSelector);
      if (!target || !source) {
        return [];
      }
      // A list of targets fans out to one edge each; a single target yields one edge.
      return Array.isArray(target)
        ? target.map((edgeTarget) => formatEdge(source, edgeTarget))
        : formatEdge(source, target);
    });
    edgesDebug(`Evaluated ${configSelector}: ${passEdges.length} Edges found`);
    edges.push(...passEdges);
  }
  return edges;
}
// src/middleware.ts
import {
S3ServiceException as S3ServiceException2
} from "@aws-sdk/client-s3";
/**
 * True when the error carries an S3 error `Code` (e.g. "NoSuchTagSet").
 * Assumes `err` is non-null; the caller checks `instanceof S3ServiceException` first.
 *
 * @param err - error thrown by the S3 client.
 * @returns whether `err.Code` is neither null nor undefined.
 */
function isRichError(err) {
  const code = err.Code;
  return code !== null && code !== undefined;
}
/**
 * Translates the two "not configured" S3 errors into empty successful outputs
 * so the getters record a bucket without tags / website config as a normal record.
 * Only GetBucketTagging + NoSuchTagSet and GetBucketWebsite + NoSuchWebsiteConfiguration
 * are mapped; every other error (including access denials) yields undefined and
 * is rethrown by the middleware. Keep this list narrow — mapping broader codes
 * would make an unreadable bucket look unconfigured.
 *
 * @param context - middleware handler context; only `commandName` is read.
 * @param err - the rejection from the downstream handler.
 * @returns a synthetic { output, response } pair, or undefined when not mapped.
 */
function mapNotFoundErrorToEmptyResponse(context, err) {
  if (!(err instanceof S3ServiceException2) || !isRichError(err)) {
    return void 0;
  }
  switch (context.commandName) {
    case "GetBucketTaggingCommand":
      if (err.Code !== "NoSuchTagSet") {
        return void 0;
      }
      // Empty tag set stands in for the missing configuration; the error is kept as the response.
      return {
        output: {
          $metadata: {},
          TagSet: []
        },
        response: err
      };
    case "GetBucketWebsiteCommand":
      if (err.Code !== "NoSuchWebsiteConfiguration") {
        return void 0;
      }
      return {
        output: {
          $metadata: {}
        },
        response: err
      };
    default:
      return void 0;
  }
}
/**
 * Middleware factory: wraps the next handler so that the errors recognised by
 * mapNotFoundErrorToEmptyResponse are turned into empty outputs, while every
 * other rejection propagates unchanged.
 *
 * @param next - the downstream handler.
 * @param context - handler context forwarded to the error mapper.
 * @returns an async handler with the same (args) => result contract as `next`.
 */
function ignoreS3ConfigNotFoundMiddleware(next, context) {
  return async function mapNotFoundErrors(args) {
    let response;
    try {
      response = await next(args);
    } catch (err) {
      const fallback = mapNotFoundErrorToEmptyResponse(context, err);
      if (fallback == null) {
        throw err;
      }
      return fallback;
    }
    return response;
  };
}
/**
 * Installs ignoreS3ConfigNotFoundMiddleware on the client's middleware stack.
 * Registered at the "finalizeRequest" step with high priority and the
 * "ErrorHandling" tag; what those mean for ordering is defined by the SDK.
 *
 * @param client - S3 client whose `middlewareStack.add` is called.
 */
function registerMiddleware(client) {
  const registration = {
    step: "finalizeRequest",
    name: "ignoreS3ConfigNotFoundErrors",
    tags: ["ErrorHandling"],
    priority: "high"
  };
  client.middlewareStack.add(ignoreS3ConfigNotFoundMiddleware, registration);
}
// src/graph.ts
import { evaluateSelector } from "@infrascan/core";
/**
 * Entity definition turning recorded ListBuckets state into graph nodes.
 * `translate` flattens one ListBuckets record into one row per bucket (the
 * bucket fields plus the record's _metadata/_parameters); each component then
 * projects a row into one facet of the node. Node ids are the bucket ARN
 * `arn:aws:s3:::<Name>`.
 *
 * NOTE(review): `tenant` reads `$metadata.partition`, but the getters in this
 * file only record account/region/timestamp in _metadata, so partition is
 * undefined unless it is populated elsewhere — confirm.
 */
var S3Entity = {
  version: "0.1.1",
  debugLabel: "s3-bucket",
  provider: "aws",
  command: "ListBuckets",
  category: "s3",
  subcategory: "bucket",
  nodeType: "s3-bucket",
  selector: "S3|ListBuckets|[]",
  getState(state, context) {
    const { account, region } = context;
    return evaluateSelector(account, region, S3Entity.selector, state);
  },
  translate(val) {
    // A record with no Buckets field yields no rows rather than throwing.
    const buckets = val._result.Buckets ?? [];
    const rows = [];
    for (const bucket of buckets) {
      rows.push({
        ...bucket,
        $metadata: val._metadata,
        $parameters: val._parameters
      });
    }
    return rows;
  },
  components: {
    $metadata(val) {
      const { timestamp } = val.$metadata;
      return {
        version: S3Entity.version,
        timestamp
      };
    },
    $graph(val) {
      const bucketName = val.Name;
      return {
        id: `arn:aws:s3:::${bucketName}`,
        label: bucketName,
        nodeClass: "visual",
        nodeType: S3Entity.nodeType,
        parent: val.$metadata.account
      };
    },
    $source(val) {
      return {
        command: S3Entity.command,
        parameters: val.$parameters
      };
    },
    tenant(val) {
      const { account, partition } = val.$metadata;
      return {
        tenantId: account,
        provider: S3Entity.provider,
        partition
      };
    },
    location(val) {
      return {
        code: val.$metadata.region
      };
    },
    resource(val) {
      const bucketName = val.Name;
      return {
        id: `arn:aws:s3:::${bucketName}`,
        name: bucketName,
        category: S3Entity.category,
        subcategory: S3Entity.subcategory
      };
    },
    audit(val) {
      return {
        createdAt: val.CreationDate
      };
    }
  }
};
// src/index.ts
/**
 * Builds the S3 client used by every getter in this scanner and installs the
 * not-found-mapping middleware on it.
 *
 * @param credentials - passed straight through to the SDK client.
 * @param context - only `region` is read.
 * @param retryStrategy - passed straight through; the getters never retry themselves.
 * @returns a configured S3Client. `followRegionRedirects: true` is set so the
 *   SDK, not the getters, handles buckets living in another region (SDK behaviour — confirm).
 */
function getClient(credentials, context, retryStrategy) {
  const clientConfig = {
    credentials,
    region: context.region,
    followRegionRedirects: true,
    retryStrategy
  };
  const client = new S3Client3(clientConfig);
  registerMiddleware(client);
  return client;
}
/**
 * Scanner definition consumed by the infrascan core. ListBuckets is listed
 * first because every other getter resolves its Bucket parameter from the
 * recorded ListBuckets state (see the selector in each getter) — the core is
 * presumably expected to run getters in array order; confirm. `callPerRegion:
 * false` presumably means the scanner is invoked once per account rather than
 * per region (the getClient region still comes from `context.region`).
 */
var S3Scanner = {
  provider: "aws",
  service: "s3",
  key: "S3",
  getClient,
  callPerRegion: false,
  getters: [
    ListBuckets,
    GetBucketTagging,
    GetBucketNotificationConfiguration,
    GetBucketWebsite,
    GetBucketAcl
  ],
  getEdges,
  entities: [S3Entity]
};
// The scanner definition is the default export; getClient is also exported on its own.
var index_default = S3Scanner;
export {
  index_default as default,
  getClient
};