Fork me on GitHub
Drew Verlee05:11:04

Here is some example code of querying ssm using datalog.

;; get all the ssm parameters
;; => [{:LastModifiedDate #inst "2022-11-04T03:57:44.000-00:00",
;;      :Value "mi-woot",
;;      :ARN
;;      "arn:aws:ssm:us-east-1:595680822218:parameter/state/michigan/zip/123/password",
;;      :Name "/state/michigan/zip/123/password",
;;      :Type "String",
;;      :Version 1,
;;      :DataType "text"}
;;     {:LastModifiedDate #inst "2022-11-04T03:58:12.000-00:00",
;;      :Value "mi-nope",
;;      :ARN
;;      "arn:aws:ssm:us-east-1:595680822218:parameter/state/michigan/zip/981/password",
;;      :Name "/state/michigan/zip/981/password",
;;      :Type "String",
;;      :Version 1,
;;      :DataType "text"}]

;; are all our params with a zip code in the 981 area secure?
(let [ssm-params (get-all-ssm-params!)
      schema (ssm-params->schema ssm-params)
      conn   (d/create-conn schema)]
  (d/transact! conn (mapcat param->txts ssm-params))
  (d/q '[:find ?type
         [?e :zip "981"]
         [?e :password ?v]
         [?v :Type ?type]]
;; => #{["String"]}

;; oh no, there all strings! Not SecureStings!

👀 1
Drew Verlee05:11:51

I have found that a lot of places i have worked at use ssm and end up copying a set param keys per something (sometimes customer or env). And it quickly becomes really hard to get views over various parts of the trees. E.g all the passwords for a common thing all the customers have. Idk let me know if you think this sounds useful or if you see some issue with it. I'll try to get the rest of the code in a git hub repo if ppl are interested.


I heard a story from a customer that they do this kind of data extraction from client AWS accounts, by extracting bunch of data from the AWS account, tucking it into Datahike (I think?) and then making all sorts of queries to analyse security aspects


So yeah, I think tucking the data into a queryable database for analysis is a thing


Does anyone have a work around for invoking lambdas using ARNs with cognitect/aws lib see ( ?

Drew Verlee00:11:44

Never ran into it :(


I ended up just biting the bullet and using the aws java sdk package (not nearly as good UX wise as the cognitect package unfortunately). It looks like the issue with ARN is not restricted to just invocation but really all uses (for example I tried just retrieving the function using the ARN in Getfunction op and failed for same reason). Which makes sense given the underlying problem.

👀 1