JupiterOne 2021.73 Release - AskJ1 Community
<main> <article class="userContent"> <p>2021-06-16</p>
<h2 data-id="new-features-and-improvements">New Features and Improvements</h2>
<ul><li><p>Performance improvement: mapped relationship operations are now processed separately from other operations.</p></li>
<li><p>AWS Resource Policy <strong>Net Permissions Analysis</strong>: this determines the effectiveness of your resource policy permissions in AWS by analyzing whether the permissions are negated by Deny statements and whether those Deny statements carry any exceptions (e.g. <code class="code codeInline" spellcheck="false" tabindex="0">NotResource</code>, <code class="code codeInline" spellcheck="false" tabindex="0">StringNotEquals</code>) anywhere in the configuration. Since AWS access policies can be long and complex, automating this saves time and removes the manual error involved in judging whether controls are effective or have been overridden.</p> <p>See more details below in the <strong>Integrations > AWS</strong> section.</p> <p>Example query:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">/* identify allow statements that have been negated by a deny */
find aws_vpc_endpoint that allows * where allows.effective = false return TREE
</pre></li>
<li><p>Much more Azure and GCP support has been added. See below.</p></li> </ul>
<h2 data-id="integrations">Integrations</h2>
<h3 data-id="aws">AWS</h3>
<ul><li><p>Fix mapped relationship for <code class="code codeInline" spellcheck="false" tabindex="0">aws_route53_record</code> <code class="code codeInline" spellcheck="false" tabindex="0">CONNECTS</code> <code class="code codeInline" spellcheck="false" tabindex="0">aws_elb|aws_nlb|aws_alb</code> that had a record DNS name prepended with <code class="code codeInline" spellcheck="false" tabindex="0">dualstack</code></p></li> <li><p>Fix relationship from ACL to CloudFront Distributions and Load Balancers.</p></li> <li><p>Fix relationship from CloudFront Distribution to Load Balancers.</p></li> <li><p>Added support for ingesting the following <strong>new</strong> resources:</p></li> </ul>
<table><thead><tr><th>Service</th> <th>Resource / Entity</th> </tr></thead><tbody><tr><td>ELB Listener</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> </tr><tr><td>ELB Listener Rule</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener_rule</code></td> </tr></tbody></table>
<ul><li>Added support for ingesting the following <strong>new</strong> relationships:</li> </ul>
<table><thead><tr><th>Source</th> <th>_class</th> <th>Target</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_ecr_repository</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ALLOWS</code></td> <td>principal</td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_ecr_repository</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">DENIES</code></td> <td>principal</td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_elb</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">CONNECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">CONNECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_nlb</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">CONNECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_alb</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">CONNECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">aws_lb_listener_rule</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_shield_protection_group</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">PROTECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">resource</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">aws_shield_protection</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">PROTECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">resource</code></td> </tr></tbody></table>
<ul><li><p>(BETA) Analyze Allow and Deny statements on resource policy permissions to derive the net effectiveness of the Allow permissions. This sets the following flags on the permission relationships:</p> <ul><li><p><code class="code codeInline" spellcheck="false" tabindex="0">effective</code>: <code class="code codeInline" spellcheck="false" tabindex="0">true</code> if the permission is fully or partially effective (that is, not fully negated by a Deny statement)</p></li> <li><p><code class="code codeInline" spellcheck="false" tabindex="0">partial</code>: <code class="code codeInline" spellcheck="false" tabindex="0">true</code> if the permission is partially negated by a Deny statement (this is <code class="code codeInline" spellcheck="false" tabindex="0">undefined</code> when the permission is fully effective)</p></li> <li><p><code class="code codeInline" spellcheck="false" tabindex="0">negatedActions</code>: if <code class="code codeInline" spellcheck="false" tabindex="0">partial</code> is <code class="code codeInline" spellcheck="false" tabindex="0">true</code>, this property contains a stringified array of the actions that are negated by Deny statements</p></li> </ul></li> <li><p>(BETA) Parse the <code class="code codeInline" spellcheck="false" tabindex="0">NotResource</code> property and <code class="code codeInline" spellcheck="false" tabindex="0">StringNotEquals</code> [<code class="code codeInline" spellcheck="false" tabindex="0">aws:ResourceAccount</code> or <code class="code codeInline" spellcheck="false" tabindex="0">aws:SourceAccount</code>] values from Deny statements, and create Allow permission relationships if covered by an Allow statement.</p></li> <li><p>Update ARN regular expressions to include the <code class="code codeInline" spellcheck="false" tabindex="0">aws-cn</code> and <code class="code codeInline" spellcheck="false" tabindex="0">aws-us-gov</code> partitions</p></li> </ul>
<h3 data-id="azure">Azure</h3>
<ul><li>Added support for ingesting the following <strong>new</strong> resources:</li> </ul>
<table><thead><tr><th>Service</th> <th>Resource / 
Entity</th> </tr></thead><tbody><tr><td>Gallery Image Version</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr></tbody></table><ul><li>Added support for ingesting the following <strong>new</strong> relationships:</li> </ul><table><thead><tr><th>Source</th> <th>_class</th> <th>Target</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">USES</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_vm</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">GENERATED</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_keyvault_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ALLOWS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">ANY_PRINCIPAL</code></td> </tr></tbody></table><ul><li>New properties added to resources:</li> </ul><table><thead><tr><th>Entity</th> <th>Properties</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_policy_definition</code></td> <td>Automatically convert <code class="code codeInline" spellcheck="false" tabindex="0">metadata</code> to J1 tags</td> </tr><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">azure_policy_definition</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">accountEnabled</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_role_assignment</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">actions</code>, <code class="code codeInline" spellcheck="false" tabindex="0">dataActions</code>, <code class="code codeInline" spellcheck="false" tabindex="0">notActions</code>, <code class="code codeInline" spellcheck="false" tabindex="0">notDataActions</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_version</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">publishedDate</code>, <code class="code codeInline" spellcheck="false" tabindex="0">createdOn</code></td> </tr></tbody></table>
<ul><li><p>Fixed a bug where the compute galleries execution handler was not invoked, and instead the VM images execution handler was invoked twice. This caused DuplicateKeyErrors in either the compute galleries step or the VM images step.</p></li> <li><p>Changed the type <code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image</code> to <code class="code codeInline" spellcheck="false" tabindex="0">azure_shared_image_definition</code>, because shared images have both a <em>definition</em>, representing top-level metadata, and a number of <em>versions</em>, representing discrete images.</p></li> <li><p>Changed the <code class="code codeInline" spellcheck="false" tabindex="0">_class</code> of <code class="code codeInline" spellcheck="false" tabindex="0">azure_gallery</code> from <code class="code codeInline" spellcheck="false" tabindex="0">DataStore</code> to <code class="code codeInline" spellcheck="false" tabindex="0">Repository</code>.</p></li> </ul>
<h3 data-id="google-cloud">Google Cloud</h3>
<ul><li>Added support for ingesting the following <strong>new</strong> resources:</li> </ul>
<table><thead><tr><th>Service</th> <th>Resource / Entity</th> </tr></thead><tbody><tr><td>IAM Binding</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_iam_binding</code></td> </tr><tr><td>Google Cloud</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_organization</code></td> </tr><tr><td>BigQuery</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_bigquery_model</code></td> </tr><tr><td>Cloud Resource Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_folder</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_access_policy</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_access_level</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_egress_policy</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_ingress_policy</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_api_operation</code></td> </tr><tr><td>Access Context Manager</td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_method_selector</code></td> </tr></tbody></table><ul><li>Added support for ingesting the following <strong>new</strong> relationships:</li> </ul><table><thead><tr><th>Source</th> <th>_class</th> <th>Target</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_bigquery_dataset</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_bigquery_model</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_organization</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_folder</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_folder</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_folder</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">google_cloud_organization</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_project</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_folder</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_project</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_access_policy</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_access_level</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_access_policy</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_egress_policy</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_ingress_policy</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" 
tabindex="0">google_access_context_manager_service_perimeter_egress_policy</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_api_operation</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_ingress_policy</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_api_operation</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_api_operation</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">HAS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter_method_selector</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">PROTECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_project</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_access_context_manager_service_perimeter</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">PROTECTS</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_api_service</code></td> </tr></tbody></table><ul><li>New properties added to resources:</li> </ul><table><thead><tr><th>Entity</th> <th>Properties</th> </tr></thead><tbody><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_project</code></td> <td><code class="code codeInline" 
spellcheck="false" tabindex="0">id</code>, <code class="code codeInline" spellcheck="false" tabindex="0">projectId</code>, <code class="code codeInline" spellcheck="false" tabindex="0">webLink</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_api_gateway_api</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_app_engine_version</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_run_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_compute_health_check</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_compute_backend_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_privateca_certificate_authority</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_pubsub_subscription</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr><tr><td><code class="code codeInline" spellcheck="false" tabindex="0">google_cloud_api_service</code></td> <td><code class="code codeInline" spellcheck="false" tabindex="0">function</code></td> </tr></tbody></table>
<ul><li><p><a rel="nofollow" href="https://github.com/JupiterOne/graph-google-cloud/issues/208">#208</a> - Fixed incorrect <code class="code codeInline" spellcheck="false" tabindex="0">projectId</code> property being applied to entities when <code class="code codeInline" spellcheck="false" tabindex="0">projectId</code> is supplied in integration config</p></li> <li><p><a rel="nofollow" href="https://github.com/JupiterOne/graph-google-cloud/issues/239">#239</a> - <code class="code codeInline" spellcheck="false" tabindex="0">google_iam_role</code> should assign the actual target project <code class="code codeInline" spellcheck="false" tabindex="0">projectId</code> instead of the org project</p></li> <li><p><a rel="nofollow" href="https://github.com/JupiterOne/graph-google-cloud/issues/237">#237</a> - Prevent duplicate <code class="code codeInline" spellcheck="false" tabindex="0">google_iam_binding</code> <code class="code codeInline" spellcheck="false" tabindex="0">_key</code> values</p></li> </ul>
<h2 data-id="bug-fixes">Bug Fixes</h2>
<ul><li>Fixed a bug in the mapper that caused some network security group rules in Azure to not be ingested</li> </ul> </article> </main>
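The Net Permissions Analysis described in the AWS section above can be illustrated with an added example. This is not JupiterOne's implementation and does not use its API; it is a simplified model written for these notes. It assumes a resource policy already scoped to one resource (so `Resource` matching is skipped), treats a Deny with no exceptions as fully negating every action it matches, and treats a Deny that carries `NotResource` or a `StringNotEquals` condition on `aws:SourceAccount` / `aws:ResourceAccount` as only partially negating them, which is how the `effective`, `partial` and `negatedActions` flags in the notes are derived here. The sample policy, its `Sid` values and the account id are constructed.

```python
import json
from fnmatch import fnmatchcase

# Condition keys the release notes name as Deny exceptions under StringNotEquals.
EXCEPTION_CONDITION_KEYS = ("aws:ResourceAccount", "aws:SourceAccount")


def _as_list(value):
    """IAM lets most statement fields be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatchcase(action.lower(), pattern.lower())


def _deny_has_exception(deny):
    """Assumption for this example: a Deny with NotResource, or with StringNotEquals on
    aws:ResourceAccount / aws:SourceAccount, carves out something it does not deny,
    so it negates a matching Allow only partially."""
    if "NotResource" in deny:
        return True
    string_not_equals = deny.get("Condition", {}).get("StringNotEquals", {})
    return any(key in string_not_equals for key in EXCEPTION_CONDITION_KEYS)


def _action_status(action, denies):
    """'full' if an exception-free Deny covers the action, 'partial' if only Denies
    with exceptions cover it, None if no Deny touches it at all."""
    status = None
    for deny in denies:
        if not any(_action_matches(p, action) for p in _as_list(deny.get("Action"))):
            continue
        if not _deny_has_exception(deny):
            return "full"
        status = "partial"
    return status


def analyze_allow(allow, denies):
    """Derive the three flags for one Allow statement against all Deny statements."""
    actions = _as_list(allow.get("Action"))
    statuses = {a: _action_status(a, denies) for a in actions}
    negated = [a for a in actions if statuses[a] is not None]
    if actions and all(s == "full" for s in statuses.values()):
        return {"effective": False, "partial": False, "negatedActions": None}
    if not negated:
        # fully effective: the notes say `partial` is undefined in this case
        return {"effective": True, "partial": None, "negatedActions": None}
    # stringified array of negated actions, as the notes describe `negatedActions`
    return {"effective": True, "partial": True, "negatedActions": json.dumps(negated)}


def analyze_policy(policy):
    """Return one result per Allow statement, in policy order."""
    statements = _as_list(policy.get("Statement"))
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    return [analyze_allow(s, denies) for s in statements if s.get("Effect") == "Allow"]


# Constructed sample resource policy (not taken from the release notes).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWrite", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "List", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "DeleteOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # exception-free Deny: fully negates s3:DeleteObject in every Allow above
        {"Sid": "NoDelete", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Deny with a StringNotEquals exception: writes from one (constructed) account survive
        {"Sid": "WriteOnlyFromOwner", "Effect": "Deny", "Principal": "*",
         "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"aws:SourceAccount": "111111111111"}}},
    ],
}

if __name__ == "__main__":
    for sid, result in zip(("ReadWrite", "List", "DeleteOnly"), analyze_policy(SAMPLE_POLICY)):
        print(sid, result)
```

Run as a script, the `ReadWrite` statement comes out effective but partial (`s3:PutObject` is only negated outside the excepted account, `s3:DeleteObject` is negated outright), `List` is fully effective with `partial` left undefined, and `DeleteOnly` is not effective at all, which is the case the page's `allows.effective = false` query is meant to surface.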