docs(attack-paths): replace basic query examples with graph traversal patterns (#10649)

Josema Camacho
2026-04-10 12:23:02 +02:00
committed by GitHub
parent 0d7c5f6ac5
commit dad84f0ee2


@@ -121,43 +121,58 @@ Custom queries are sandboxed to keep the graph database safe and responsive:
### Example Queries
The following examples are read-only and can be pasted directly into the editor.
The following examples are read-only and can be pasted directly into the editor. Each one demonstrates a different graph traversal pattern.
**List all S3 buckets in the scan:**
**Internet-exposed EC2 instances with their security group rules:**
```cypher
MATCH (b:S3Bucket)
RETURN b.name AS bucket, b.region AS region
LIMIT 50
```
**Find IAM roles that can be assumed from the internet:**
```cypher
MATCH (r:AWSRole)
WHERE r.trust_policy CONTAINS '"Principal":"*"'
RETURN r.arn AS role_arn, r.name AS role_name
MATCH (i:EC2Instance)--(sg:EC2SecurityGroup)--(rule:IpPermissionInbound)
WHERE i.exposed_internet = true
RETURN i.instanceid AS instance, sg.name AS security_group,
rule.fromport AS from_port, rule.toport AS to_port
LIMIT 25
```
**Find EC2 instances exposed to the internet with attached IAM roles:**
**EC2 instances that can assume IAM roles:**
```cypher
MATCH (i:EC2Instance)-[:STS_ASSUMEROLE_ALLOW]->(r:AWSRole)
WHERE i.exposed_internet = true
RETURN i.instanceid AS instance_id, r.arn AS role_arn
RETURN i.instanceid AS instance, r.name AS role_name, r.arn AS role_arn
LIMIT 25
```
**Inspect Prowler findings linked to a specific resource type:**
**IAM principals with wildcard Allow statements:**
```cypher
MATCH (b:S3Bucket)-[:HAS_FINDING]->(f:ProwlerFinding)
WHERE f.severity IN ['critical', 'high']
RETURN b.name AS bucket, f.check_id AS check, f.severity AS severity
MATCH (principal:AWSPrincipal)--(policy:AWSPolicy)--(stmt:AWSPolicyStatement)
WHERE stmt.effect = 'Allow'
AND ANY(action IN stmt.action WHERE action = '*')
RETURN principal.arn AS principal, policy.arn AS policy,
stmt.action AS actions, stmt.resource AS resources
LIMIT 25
```
**Critical findings on internet-exposed resources:**
```cypher
MATCH (i:EC2Instance)-[:HAS_FINDING]->(f:ProwlerFinding)
WHERE i.exposed_internet = true AND f.status = 'FAIL'
AND f.severity IN ['critical', 'high']
RETURN i.instanceid AS instance, f.check_id AS check,
f.severity AS severity, f.status AS status
LIMIT 50
```
**Roles trusting an AWS service (building block for PassRole escalation):**
```cypher
MATCH (r:AWSRole)-[:TRUSTS_AWS_PRINCIPAL]->(p:AWSPrincipal)
WHERE p.arn ENDS WITH '.amazonaws.com'
RETURN r.name AS role_name, r.arn AS role_arn, p.arn AS trusted_service
LIMIT 25
```
### Tips for Writing Queries
- Start small with `LIMIT` to inspect the shape of the data before broadening the pattern.
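Review bot: the "IAM principals with wildcard Allow statements" query only matches a bare `'*'` action, so service-wide wildcards such as `s3:*` or `iam:*` never show up even though the heading promises wildcard statements; consider `WHERE stmt.effect = 'Allow' AND ANY(action IN stmt.action WHERE action = '*' OR action ENDS WITH ':*')`. In the same hunk, the new examples use untyped, undirected edges (`(principal:AWSPrincipal)--(policy:AWSPolicy)--(stmt:AWSPolicyStatement)` and `(i:EC2Instance)--(sg:EC2SecurityGroup)--(rule:IpPermissionInbound)`), which is the opposite of the pattern the "Tips for Writing Queries" section below recommends and lets the planner walk any relationship between those labels; since the other examples already name their relationship types (`STS_ASSUMEROLE_ALLOW`, `HAS_FINDING`, `TRUSTS_AWS_PRINCIPAL`), it would be consistent and cheaper to name them here too. Minor: the "Critical findings on internet-exposed resources" heading does not match its filter, which also returns `high`; either rename it to "Critical and high findings" or drop `'high'` from the `IN` list.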
@@ -171,7 +186,7 @@ Attack Paths graphs are populated by [Cartography](https://github.com/cartograph
For the complete catalogue of node labels and relationships available in custom queries, refer to the official Cartography schema documentation:
- **AWS:** [Cartography AWS Schema](https://github.com/cartography-cncf/cartography/blob/master/docs/root/modules/aws/schema.md)
- **AWS:** [Cartography AWS Schema](https://cartography-cncf.github.io/cartography/modules/aws/schema.html)
In addition to the upstream schema, Prowler enriches the graph with:
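Review bot: the replacement link points at the unversioned rendered docs (`.../cartography/modules/aws/schema.html`), which show whatever Cartography currently publishes, whereas the old `blob/master` link at least made that explicit; if the Attack Paths ingest runs a specific Cartography release, labels and relationships on that page can drift from what users actually see in their graph, so consider stating the Cartography version the graph is built with next to the link, or linking a versioned copy of the schema page.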