@hotnops
Last active August 14, 2024 03:20
Useful APEMAN Queries
```cypher
// Find Cognito-vulnerable roles as specified in https://securitylabs.datadoghq.com/articles/amplified-exposure-how-aws-flaws-made-amplify-iam-roles-vulnerable-to-takeover/
// i.e. roles whose trust policy has an Allow statement naming a Cognito principal
// but no condition on cognito-identity.amazonaws.com:aud (identity pool not pinned)
MATCH p=(r:AWSRole) <- [:AttachedTo] - (a:AWSAssumeRolePolicy) <- [:AttachedTo] - (s:AWSStatement {effect: "Allow"}) - [:Principal] -> (prin)
WHERE prin.name CONTAINS "cognito"
WITH s, p, r
// Optionally match the aud condition key on the statement; COLLECT yields [] when it is absent
OPTIONAL MATCH p2=(s) <- [:AttachedTo] - (c:AWSCondition) <- [:AttachedTo] - (ck:AWSConditionKey)
WHERE ck.name = "cognito-identity.amazonaws.com:aud"
WITH p, p2, s, r, COLLECT(ck) AS matchedKeys
WHERE SIZE(matchedKeys) = 0
RETURN r.arn

// Get all cross-account role chains
// Unbounded variable-length path: every IdentityTransform chain from any ARN to a role in a different account
MATCH p=(a:UniqueArn) - [:IdentityTransform*] -> (b:AWSRole) WHERE NOT a.account_id = b.account_id
RETURN p
```
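The same check as the first query, as an added example that is not part of the gist or of APEMAN: it runs over a raw IAM role trust-policy document (as returned by `iam get-role`) instead of the graph, flagging Allow statements that trust a Cognito principal without a `cognito-identity.amazonaws.com:aud` condition. The sample policy and its pool id are constructed.

```python
# Added example: mirrors the first APEMAN query, but on raw IAM trust-policy
# JSON. Flags Allow statements that trust a Cognito principal without the
# cognito-identity.amazonaws.com:aud condition key scoping the identity pool.
AUD_KEY = "cognito-identity.amazonaws.com:aud"


def _principals(principal):
    """Flatten the Principal element (string, or dict of str/list) to a list."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def _condition_keys(condition):
    """All condition keys, lower-cased (IAM matches key names case-insensitively)."""
    return {key.lower() for operator in condition.values() for key in operator}


def unscoped_cognito_statements(trust_policy):
    """Return the Sid (or index) of each Allow statement that names a Cognito
    principal but carries no cognito-identity.amazonaws.com:aud condition."""
    stmts = trust_policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    findings = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow":
            continue
        if not any("cognito" in p.lower() for p in _principals(s.get("Principal", {}))):
            continue
        if AUD_KEY not in _condition_keys(s.get("Condition", {})):
            findings.append(s.get("Sid", f"statement[{i}]"))
    return findings


# Constructed sample trust policy: one statement scoped to an identity pool
# (placeholder pool id), one that trusts any Cognito identity pool.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringEquals": {AUD_KEY: "us-east-1:EXAMPLE-POOL-ID"}}},
        {"Sid": "Unscoped", "Effect": "Allow",
         "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity"},
    ],
}
```

Running `unscoped_cognito_statements(SAMPLE_POLICY)` returns `['Unscoped']`; feed it each role's `AssumeRolePolicyDocument` to triage an account without the graph.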