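// LOAD POLICIES
// Source: the JSON written by `aws iam get-account-authorization-details`
// (top-level keys Policies / GroupDetailList / UserDetailList / RoleDetailList).
// That export enumerates every principal and policy in the account, so treat
// the file as sensitive. Its location is passed as the $file parameter, e.g.
//   :param file => 'file:///account_auth.json'
// (by default APOC resolves file: URLs against Neo4j's import directory and
// needs apoc.import.file.enabled=true; a hard-coded home-directory path does
// not run anywhere else). The ARN is the stable unique key — policy names are
// not unique across paths/accounts — so MERGE on arn only and refresh the rest.
CALL apoc.load.json($file, '.Policies[*]') YIELD value AS row
MERGE (p:IAM_Policy {arn: row.Arn})
SET p.id = row.PolicyId, p.name = row.PolicyName;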
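// LOAD GROUPS
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`, placed in Neo4j's
// import directory). MERGE on the group ARN (unique) and refresh id/name, so
// re-running the load updates the existing node instead of creating a twin.
CALL apoc.load.json($file, '.GroupDetailList[*]') YIELD value AS row
MERGE (g:IAM_Group {arn: row.Arn})
SET g.id = row.GroupId, g.name = row.GroupName;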
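// Load Users and relate them to their attached managed Policies and Groups.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// The user node is MERGEd before any UNWIND: an UNWIND over an empty list
// yields no rows, so a CREATE placed after it silently dropped every user with
// no attached policy or no group — exactly the principals an IAM review must
// not lose. CREATE was also run once per policy x group combination, giving
// duplicate user nodes. Attachments are matched by PolicyArn, not PolicyName,
// because policy names are not unique. Inline policies (UserPolicyList) are
// not modelled here.
CALL apoc.load.json($file, '.UserDetailList[*]') YIELD value AS row
MERGE (u:IAM_User {arn: row.Arn})
SET u.id = row.UserId, u.name = row.UserName
WITH u, row
UNWIND coalesce(row.AttachedManagedPolicies, []) AS policy
MERGE (p:IAM_Policy {arn: policy.PolicyArn})
ON CREATE SET p.name = policy.PolicyName
MERGE (u)-[:HAS_POLICY]->(p);
// Group membership is a separate statement: a second UNWIND in the statement
// above would cross-join policies x groups and drop users missing either list.
CALL apoc.load.json($file, '.UserDetailList[*]') YIELD value AS row
MATCH (u:IAM_User {arn: row.Arn})
UNWIND coalesce(row.GroupList, []) AS groupName
MATCH (g:IAM_Group {name: groupName})
MERGE (u)-[:MEMBER_OF]->(g);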
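// Load Roles and attach their managed Policies.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// The role is MERGEd before the UNWIND so a role with no attached managed
// policy is still loaded (it may still carry inline policies — RolePolicyList —
// which are not modelled here). The redundant `UNWIND policy AS pol` of a
// single map is gone. Policies are keyed by ARN; ON CREATE fills the name for
// an attachment whose policy was not in the Policies list.
CALL apoc.load.json($file, '.RoleDetailList[*]') YIELD value AS row
MERGE (r:IAM_Role {arn: row.Arn})
SET r.id = row.RoleId, r.name = row.RoleName, r.path = row.Path
WITH r, row
UNWIND coalesce(row.AttachedManagedPolicies, []) AS policy
MERGE (p:IAM_Policy {arn: policy.PolicyArn})
ON CREATE SET p.name = policy.PolicyName
MERGE (r)-[:HAS_POLICY]->(p);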
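// Create the relationship between Groups and their attached managed Policies.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// Groups and policies are resolved by ARN rather than name (names are not
// unique), and the edge is MERGEd so a re-run does not duplicate it. Inline
// group policies (GroupPolicyList) are not modelled here.
CALL apoc.load.json($file, '.GroupDetailList[*]') YIELD value AS row
MATCH (g:IAM_Group {arn: row.Arn})
UNWIND coalesce(row.AttachedManagedPolicies, []) AS policy
MERGE (p:IAM_Policy {arn: policy.PolicyArn})
ON CREATE SET p.name = policy.PolicyName
MERGE (g)-[:HAS_POLICY]->(p);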
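// Create Policy Actions and relate them to the Policy.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// Only the default (active) policy version is loaded: PolicyVersionList also
// carries superseded versions whose statements no longer grant anything, and
// the original walked all of them. The statement Effect is recorded on the
// relationship so a Deny statement is not read as a grant. Action may be a
// single string or a list — UNWIND yields one row either way. A statement
// written with NotAction has no Action key and produces no rows here; such
// statements need separate handling.
CALL apoc.load.json($file, '.Policies[*]') YIELD value AS pol
UNWIND pol.PolicyVersionList AS ver
WITH pol, ver
WHERE ver.IsDefaultVersion = true
UNWIND ver.Document.Statement AS stmt
UNWIND stmt.Action AS action
MATCH (p:IAM_Policy {arn: pol.Arn})
MERGE (a:IAM_Policy_Action {action: action})
MERGE (p)-[:HAS_ACTION {effect: stmt.Effect}]->(a);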
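// Create Policy Resources and relate them to the Policy.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// Mirrors the action load: only the default policy version is used, the
// statement Effect goes on the relationship, and Resource may be a string or
// a list. A statement written with NotResource has no Resource key and is
// skipped here.
CALL apoc.load.json($file, '.Policies[*]') YIELD value AS pol
UNWIND pol.PolicyVersionList AS ver
WITH pol, ver
WHERE ver.IsDefaultVersion = true
UNWIND ver.Document.Statement AS stmt
UNWIND stmt.Resource AS resource
MATCH (p:IAM_Policy {arn: pol.Arn})
MERGE (res:IAM_Policy_Resource {name: resource})
MERGE (p)-[:HAS_RESOURCE {effect: stmt.Effect}]->(res);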
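// Load the AWS Services trusted to assume each Role (trust-policy principals
// of type Service).
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// Principal.Service may be a string or a list; the original stored the raw
// value, so a list became one node with a list-valued name. The service node
// is MERGEd so e.g. ec2.amazonaws.com appears once rather than once per role.
// Any Condition on the statement is kept on the relationship as JSON: a trust
// scoped by aws:SourceArn, aws:SourceAccount, sts:ExternalId etc. must not be
// read as an unconditional assume path.
// NOTE(review): like the original, this assumes Principal is a map. A trust
// policy whose Principal is the bare string "*" (anyone) fails the property
// access — and is a critical finding in its own right; check for it separately.
CALL apoc.load.json($file, '.RoleDetailList[*]') YIELD value AS row
MATCH (r:IAM_Role {arn: row.Arn})
UNWIND row.AssumeRolePolicyDocument.Statement AS stmt
WITH r, stmt
WHERE stmt.Effect = 'Allow' AND stmt.Principal.Service IS NOT NULL
UNWIND stmt.Principal.Service AS serviceName
MERGE (s:AWS_Service {name: serviceName})
MERGE (s)-[t:CAN_ASSUME_ROLE]->(r)
SET t.condition = CASE WHEN stmt.Condition IS NULL THEN null
                       ELSE apoc.convert.toJson(stmt.Condition) END;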
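// Load the IAM principals (trust-policy principals of type AWS) that can
// assume each Role.
// Reads $file, the `aws iam get-account-authorization-details` export
// (e.g. `:param file => 'file:///account_auth.json'`).
// The original MATCHed `u` and then MERGEd the same variable, which Cypher
// rejects (variable already bound), and it labelled every trusted ARN as
// IAM_User although Principal.AWS can also be a role ARN, an account root
// (arn:aws:iam::<account>:root), a bare account id, or "*". Here an ARN that
// already exists in the graph as a user or role is linked directly; anything
// else (other accounts, "*") becomes an AWS_Principal node so cross-account and
// wildcard trusts stay visible. Principal.AWS may be a string or a list.
// Condition is kept on the relationship as JSON so a trust guarded by
// sts:ExternalId / aws:PrincipalArn etc. is not read as unconditional.
// NOTE(review): assumes Principal is a map; a bare "*" Principal fails the
// property access (see the service load) and must be checked separately.
CALL apoc.load.json($file, '.RoleDetailList[*]') YIELD value AS row
MATCH (r:IAM_Role {arn: row.Arn})
UNWIND row.AssumeRolePolicyDocument.Statement AS stmt
WITH r, stmt
WHERE stmt.Effect = 'Allow' AND stmt.Principal.AWS IS NOT NULL
UNWIND stmt.Principal.AWS AS principalArn
OPTIONAL MATCH (known {arn: principalArn})
WHERE known:IAM_User OR known:IAM_Role
WITH r, stmt, principalArn, known
// known principal: link the existing node
FOREACH (_ IN CASE WHEN known IS NULL THEN [] ELSE [1] END |
  MERGE (known)-[t:CAN_ASSUME_ROLE]->(r)
  SET t.condition = CASE WHEN stmt.Condition IS NULL THEN null
                         ELSE apoc.convert.toJson(stmt.Condition) END)
// unknown principal (external account, "*", ...): create a generic node
FOREACH (_ IN CASE WHEN known IS NULL THEN [1] ELSE [] END |
  MERGE (ext:AWS_Principal {arn: principalArn})
  MERGE (ext)-[t:CAN_ASSUME_ROLE]->(r)
  SET t.condition = CASE WHEN stmt.Condition IS NULL THEN null
                         ELSE apoc.convert.toJson(stmt.Condition) END)
RETURN principalArn, r.name AS role, known IS NOT NULL AS resolved_in_graph;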