Merge pull request #84 from cloudgraphdev/fix/CG-1240

fix(services): Added encryption rules data to s3 service

Author: tyler-dunkel

README.md

@@ -133,7 +133,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iot                         |                                                                                                                                                                                                                                                                                                                                                                               |
 | kinesisFirehose             | kinesisStream, s3, iamRole                                                                                                                                                                                                                                                                                                                                                    |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                                                                                                                                                                                                               |
-| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster                                                                               |
+| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3                                                                               |
 | lambda                      | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole                                                                                                                                                                                                                                                                                        |
 | managedAirflow              | cloudwatchLog, iamRole, kms, securityGroups, subnet, s3                                                                                                                                                                                                                                                                                                                       |
 | managedPrefixList           |                                                                                                                                                                                                                                                                                                                        |
@@ -151,7 +151,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | sageMakerExperiment         |                                                                                                                                                                                                                                                                                                                                                                               |
 | sageMakerNotebookInstance   | iamRole, kms, networkInterface, subnet, securityGroup                                                                                                                                                                                                                                                                                                                         |
 | sageMakerProject            |                                                                                                                                                                                                                                                                                                                                                                               |
-| s3                          | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, lambda, managedAirflow, sns, sqs                                                                                                                                                                                                                                                                                |
+| s3                          | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, kms, lambda, managedAirflow, sns, sqs                                                                                                                                                                                                                                                                                |
 | secretsManager              | kms, lambda                                                                                                                                                                                                                                                                                                                                                                   |
 | securityGroup               | alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint                                                                                                                                     |
 | ses                         |                                                                                                                                                                                                                                                                                                                                                                               |

src/services/kms/schema.graphql

@@ -51,4 +51,5 @@ type awsKms implements awsBaseService @key(fields: "id") {
   rdsCluster: [awsRdsCluster] @hasInverse(field: kms)
   rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: kms)
   managedAirflows: [awsManagedAirflow] @hasInverse(field: kms)
+  s3: [awsS3] @hasInverse(field: kms)
 }

src/services/s3/connections.ts

@@ -32,6 +32,7 @@ export default ({
         TopicConfigurations: topicConfigurations,
         QueueConfigurations: queueConfigurations,
       },
+      EncryptionInfo: encryptionInfo,
     },
   } = service
 
@@ -144,6 +145,31 @@ export default ({
     }
   }
 
+  /**
+   * Find KMS
+   * related to the S3
+   */
+  const kmsKeyIds = encryptionInfo?.Rules?.map(
+    r => r.ApplyServerSideEncryptionByDefault?.KMSMasterKeyID
+  )
+  const kmsKeys = data.find(({ name }) => name === services.kms)
+  if (kmsKeys?.data?.[region] && kmsKeyIds?.length > 0) {
+    const kmsKeyInRegion = kmsKeys.data[region].filter(kmsKey =>
+      kmsKeyIds.includes(kmsKey.Arn)
+    )
+
+    if (!isEmpty(kmsKeyInRegion)) {
+      for (const kms of kmsKeyInRegion) {
+        connections.push({
+          id: kms.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'kms',
+        })
+      }
+    }
+  }
+
   const s3Result = {
     [id]: connections,
   }

src/services/s3/format.ts

@@ -6,6 +6,7 @@ import {
   NotificationConfiguration,
   PolicyStatus,
   PublicAccessBlockConfiguration,
+  ServerSideEncryptionConfiguration,
 } from 'aws-sdk/clients/s3'
 
 import { AwsS3 } from '../../types/generated'
@@ -139,10 +140,19 @@ export default ({
     corsAdditions.corsConfiguration = t.yes
   }
 
-  const encryptionAdditions = { encrypted: t.no }
+  const encryptionAdditions = { encrypted: t.no, encryptionRules: [] }
 
   if (!isEmpty(encryptionInfo)) {
+    const { Rules } = encryptionInfo as ServerSideEncryptionConfiguration
     encryptionAdditions.encrypted = t.yes
+    encryptionAdditions.encryptionRules = Rules.map(r => ({
+      id: generateUniqueId({
+        arn,
+        ...r,
+      }),
+      sseAlgorithm: r.ApplyServerSideEncryptionByDefault?.SSEAlgorithm,
+      kmsMasterKeyID: r.ApplyServerSideEncryptionByDefault?.KMSMasterKeyID,
+    }))
   }
 
   const replicationAdditions = { crossRegionReplication: t.disabled }

src/services/s3/schema.graphql

@@ -65,6 +65,17 @@ type awsS3AclGrant
   permission: String @search(by: [hash])
 }
 
+type awsS3ServerSideEncryptionConfiguration
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+  id: String! @id
+  sseAlgorithm: String @search(by: [hash])
+  kmsMasterKeyID: String @search(by: [hash])
+}
+
 type awsS3 implements awsBaseService @key(fields: "arn") {
   access: String @search(by: [hash, regexp])
   bucketOwnerName: String @search(by: [hash, regexp])
@@ -74,6 +85,7 @@ type awsS3 implements awsBaseService @key(fields: "arn") {
   transferAcceleration: String @search(by: [hash, regexp])
   corsConfiguration: String @search(by: [hash, regexp])
   encrypted: String @search(by: [hash, regexp])
+  encryptionRules: [awsS3ServerSideEncryptionConfiguration]
   lifecycle: String @search(by: [hash, regexp])
   logging: String @search(by: [hash, regexp])
   blockPublicAcls: String @search(by: [hash, regexp])
@@ -98,4 +110,5 @@ type awsS3 implements awsBaseService @key(fields: "arn") {
   sns: [awsSns] @hasInverse(field: s3)
   sqs: [awsSqs] @hasInverse(field: s3)
   ecsCluster: [awsEcsCluster] @hasInverse(field: s3)
+  kms: [awsKms] @hasInverse(field: s3)
 }

src/types/generated.ts

@@ -3328,6 +3328,7 @@ export type AwsKms = AwsBaseService & {
   rdsClusterSnapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
   rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   redshiftCluster?: Maybe<Array<Maybe<AwsRedshiftCluster>>>;
+  s3?: Maybe<Array<Maybe<AwsS3>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
   secretsManager?: Maybe<Array<Maybe<AwsSecretsManager>>>;
   sns?: Maybe<Array<Maybe<AwsSns>>>;
@@ -3869,9 +3870,11 @@ export type AwsS3 = AwsBaseService & {
   crossRegionReplication?: Maybe<Scalars['String']>;
   ecsCluster?: Maybe<Array<Maybe<AwsEcsCluster>>>;
   encrypted?: Maybe<Scalars['String']>;
+  encryptionRules?: Maybe<Array<Maybe<AwsS3ServerSideEncryptionConfiguration>>>;
   iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   ignorePublicAcls?: Maybe<Scalars['String']>;
   kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
+  kms?: Maybe<Array<Maybe<AwsKms>>>;
   lambdas?: Maybe<Array<Maybe<AwsLambda>>>;
   lifecycle?: Maybe<Scalars['String']>;
   logging?: Maybe<Scalars['String']>;
@@ -3925,6 +3928,12 @@ export type AwsS3QueueConfiguration = AwsS3ConfigurationBase & {
   queueArn?: Maybe<Scalars['String']>;
 };
 
+export type AwsS3ServerSideEncryptionConfiguration = {
+  id: Scalars['String'];
+  kmsMasterKeyID?: Maybe<Scalars['String']>;
+  sseAlgorithm?: Maybe<Scalars['String']>;
+};
+
 export type AwsS3TopicConfiguration = AwsS3ConfigurationBase & {
   topicArn?: Maybe<Scalars['String']>;
 };