The Wayback Machine - https://web.archive.org/web/20210402165742/https://github.com/nccgroup/PMapper
* Address #42, version bump

* Major work on resource policies, adding specific internal functions to grab action/resource matches, added tests

* Code removal: unused resource policy evaluation function

* initial implementation of resource policy eval with query_interface

* fixed bug in iam trust doc evaluation, backed up with testing

* progress on grabbing resource policy by ARN

* full implementation of (arg)query with resource policy

* pulling, storing permission boundaries

* permissions boundaries: added support in local evaluation methods, test cases

* permissions boundaries: fix eval error caught by unit test due to allow vs None confusion

* bugfix: arg-ordering in query subcommand from __main__.py

* starting visualization update, service-policy retrieval updates

* full implementation of gathering data with get_account_authorization_details, grabbing permission boundaries and mfa data (modified Nodes, unit tests have to be re-written again), fixed bug in SSM edge identification

* Edge update: handle 'short_reason' field. Visualization update: option to only draw priv-esc risks.

* query updates: added (arg)query arg to output for unauthorized principals, resource-policy queries now correctly handle admin scenarios

* add example visualization

* adding support for gathering and caching s3 bucket policies

* query_result update before incorporating pull request

* "invalid break disallowing multiple group_memberships for nodes in graph" (#60)

* Fixed analysis bug (EC2 role assumption). Added MFA/Tag support to Nodes. Updated tests.

* formatting fix, added clusters preset

* added cycle detection + ssm finding, need to resolve import cycle issue

* tested cycle detection, fixed and tested clusters

* added support for grabbing+caching kms/sqs/sns resource policies

* implemented on-demand resource policy retrieval for sns/sqs/kms/s3 (lib only)

* overhauled logging, removed invocations of dprint, still need to tackle output/debug params

* broadly removed debug/output params, or created "print" alternative functions to existing "write" functions.

* added partial region support for the gathering process, added lack of MFA device finding

* more progress in region-specification support for gathering: edge-gathering classes have allow/deny lists built in

* moved argument generation to cli/frontend modules, still need to move argument handling

* Started the shift from __main__ for CLI-related code

* finished shifting code from __main__ into cli modules

* implemented graphml visualization, reorganized visualization code

* implemented session policy + SCP handling in simulation functions, still need to add tests and interface via (arg)query cli

* added session policy handling to CLI

* set up proper logs for unit tests

* laying groundwork for AWS Organizations work

* first crack at gathering and organizing aws orgs data

* more orgs data compilation, cross-account edges

* moved orgs front-end into separate module

* added sagemaker edges. bugfixes.

* fixed cross account edges

* added handling for SNS/SQS resource policies

* added organizations support to query CLI

* added minimal tests for SCPs, added SCPs support to argquery

* added Dockerfile

* untested attempt at implementing multi-account search

* hotfixed search_authorization_across_accounts, initial tests are good

* added support for PMAPPER_STORAGE env var

* added initial version of the changelog

* fix for #71

* fix for #73, start implementation of infra-as-code example

* remove extra script

* another fix for #73, more infra-as-code example progress

* big shift in edge-gathering code: separated online/offline operations to enable infra-as-code analysis, optimized several passrole-based edge-checks

* calling it good on the examples before v1.1.0

* initial implementation of endgame preset query (#72)

* enabled SCP support for the graphing process

* updated examples and readme

* massive performance improvement by eliminating redundant regex compilation using an LRU cache (functools)

* fix image linking for README

* final quick fixes before 1.1.0 (commit 25ddb89)

Principal Mapper

Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization. It models the different IAM Users and Roles in an account as a directed graph, which enables checks for privilege escalation and for alternate paths an attacker could take to gain access to a resource or action in AWS.

PMapper includes a querying mechanism that uses a local simulation of AWS's authorization behavior. When running a query to determine if a principal has access to a certain action/resource, PMapper also checks if the user or role could access other users or roles that have access to that action/resource. This catches scenarios such as when a user doesn't have permission to read an S3 object, but could launch an EC2 instance that can read the S3 object.
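To make the two ideas above concrete (principals as nodes of a directed graph, and a local simulation of authorization that is then searched transitively), here is an added, self-contained illustration. It is example code written for this page, not PMapper's own implementation: the policy semantics are deliberately reduced (no conditions, resource policies, permission boundaries or SCPs; an explicit Deny beats any Allow; `*` wildcards), only one edge type is modelled (a principal that can run an EC2 instance and pass a role to it reaches that role), and every ARN and policy document is constructed sample data.

```python
"""Toy model of the PMapper approach: IAM principals as graph nodes, a local
simulation of policy evaluation, and a search for transitive access.
Example code, not PMapper's implementation; all data below is constructed."""
from collections import deque
from fnmatch import fnmatchcase

ACCOUNT = "000000000000"  # constructed sample account id
DEV = "arn:aws:iam::%s:user/dev" % ACCOUNT
READER = "arn:aws:iam::%s:role/ec2-reader" % ACCOUNT
AUDITOR = "arn:aws:iam::%s:user/auditor" % ACCOUNT
INSTANCE_ARN = "arn:aws:ec2:us-east-1:%s:instance/*" % ACCOUNT


def _matches(pattern, value):
    # IAM action names match case-insensitively with '*' wildcards; the same
    # rule is applied to ARNs here, a simplification of real ARN matching.
    return fnmatchcase(value.lower(), pattern.lower())


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_authorized(policies, action, resource):
    """Simulate identity-policy evaluation for one principal (simplified)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not (any(_matches(a, action) for a in actions)
                    and any(_matches(r, resource) for r in resources)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny overrides every Allow
            allowed = True
    return allowed


# Constructed sample principals: ARN -> list of attached policy documents.
PRINCIPALS = {
    DEV: [{"Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": READER},
    ]}],
    READER: [{"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secrets/*"},
    ]}],
    AUDITOR: [{"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::secrets/*"},
    ]}],
}


def derive_edges(principals):
    """Directed edges src -> dst meaning src can obtain dst's permissions.
    Only one edge type is modelled here: src can launch an EC2 instance and
    pass role dst to it (a real check also needs an instance profile)."""
    edges = []
    for src in principals:
        for dst in principals:
            if dst == src or ":role/" not in dst:
                continue
            if (is_authorized(principals[src], "ec2:RunInstances", INSTANCE_ARN)
                    and is_authorized(principals[src], "iam:PassRole", dst)):
                edges.append((src, dst, "can run an EC2 instance with the role"))
    return edges


def find_access_path(principals, edges, start, action, resource):
    """BFS over the principal graph. Returns the chain of ARNs by which
    `start` reaches a principal authorized for action/resource (a one-element
    chain means direct access), or None if no chain exists."""
    adjacent = {}
    for src, dst, _ in edges:
        adjacent.setdefault(src, []).append(dst)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if is_authorized(principals[path[-1]], action, resource):
            return path
        for nxt in adjacent.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def who_can_do(principals, edges, action, resource):
    """Analogue of a 'who can do' query: ARN -> access chain for every
    principal that reaches the action directly or through other principals."""
    result = {}
    for principal in principals:
        path = find_access_path(principals, edges, principal, action, resource)
        if path is not None:
            result[principal] = path
    return result


if __name__ == "__main__":
    graph_edges = derive_edges(PRINCIPALS)
    target = "arn:aws:s3:::secrets/config.json"
    for arn, chain in who_can_do(PRINCIPALS, graph_edges, "s3:GetObject", target).items():
        print(arn, "(direct)" if len(chain) == 1 else "-> " + " -> ".join(chain[1:]))
```

Run as-is, the query reports the `ec2-reader` role (direct access) and the `dev` user (via the role it can pass to an EC2 instance), while `auditor` is excluded by its explicit Deny even though a broad Allow is present. That last case is why evaluating Deny before concluding on Allow matters in any local simulator: a naive "any Allow matches" check would wrongly list `auditor`.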

Additional information can be found in the project wiki.

Installation

Requirements

Principal Mapper is built using the botocore library and Python 3.5+. Principal Mapper also requires pydot (available on pip), and graphviz (available on Windows, macOS, and Linux from https://graphviz.org/ ).

Installation from Pip

pip install principalmapper

Installation From Source Code

Clone the repository:

git clone git@github.com:nccgroup/PMapper.git

Then install with Pip:

cd PMapper
pip install .

Using Docker

(After cloning from source)

cd PMapper
docker build -t $TAG .
docker run -it $TAG

You can use -e|--env or --env-file to pass the AWS_* environment variables for credentials when calling docker run ..., or use -v to mount your ~/.aws/ directory (mounting it read-only is advisable) and set the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables to point at the mounted files. The current Dockerfile should put you into a shell with pmapper -h ready to go as well as graphviz already installed.

Usage

See the Getting Started Page in the wiki for more information on how to use PMapper via command-line. There are also pages with full details on all command-line functions and the library code.

Here's a quick example:

# Create a graph for the account, accessed through AWS CLI profile "skywalker"
$ pmapper --profile skywalker graph create
# [... graph-creation output goes here ...]

# Run a query to see who can make IAM Users
$ pmapper --profile skywalker query 'who can do iam:CreateUser'
# [... query output goes here ...]

# Run a query to see who can launch a big expensive EC2 instance, aside from "admin" users
$ pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'
# [... query output goes here ...]

# Run the privilege escalation preset query, skip reporting current "admin" users
$ pmapper --account 000000000000 query -s 'preset privesc *'
# [... privesc report goes here ...]

# Create an SVG representation of the admins/privescs/inter-principal access
$ pmapper --account 000000000000 visualize --filetype svg
# [... information output goes here, file created ...]

Note the use of --profile, which should behave the same as it does for the AWS CLI. The later query/argquery/visualize calls use an --account arg, which just shortcuts around checking which account's graph to work with (otherwise PMapper makes an API call to determine that).

Here's an example of the visualization:

And again when using --only-privesc:

Contributions

100% welcome and appreciated. Please coordinate through issues before starting and target pull-requests at the current development branch (typically of the form vX.Y.Z-dev).

License

Copyright (c) NCC Group and Erik Steringer 2019. This file is part of Principal Mapper.

  Principal Mapper is free software: you can redistribute it and/or modify
  it under the terms of the GNU Affero General Public License as published by
  the Free Software Foundation, either version 3 of the License, or
  (at your option) any later version.

  Principal Mapper is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU Affero General Public License for more details.

  You should have received a copy of the GNU Affero General Public License
  along with Principal Mapper.  If not, see <https://www.gnu.org/licenses/>.