Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exception When Policy is Only Used as Permission Boundary #121

Open
brandonstevens opened this issue Nov 1, 2022 · 1 comment
Open

Exception When Policy is Only Used as Permission Boundary #121

brandonstevens opened this issue Nov 1, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@brandonstevens
Copy link

Describe the bug
PMapper throws an exception and exits when attempting to graph an AWS Account that contains an IAM identity that includes a Permission Boundary that has not other usage. i.e. a managed policy is not attached to any identities and only used as a permission boundary.

$  pmapper graph create
2022-11-01 17:29:59+0000 | Obtaining IAM Users/Roles/Groups/Policies in the account.
2022-11-01 17:30:10+0000 | Sorting users, roles, groups, policies, and their relationships.
Traceback (most recent call last):
  File "/usr/local/bin/pmapper", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/principalmapper/__main__.py", line 145, in main
    return graph_cli.process_arguments(parsed_args)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/graph_cli.py", line 179, in process_arguments
    graph = graph_actions.create_new_graph(session, service_list, parsed_args.include_regions,
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/graph_actions.py", line 39, in create_new_graph
    return gathering.create_graph(session, service_list, region_allow_list, region_deny_list, scps, client_args_map)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 75, in create_graph
    results = get_nodes_groups_and_policies(iamclient)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 187, in get_nodes_groups_and_policies
    boundary_policy = _get_policy_by_arn_or_raise(u['PermissionsBoundary']['PermissionsBoundaryArn'],
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 1005, in _get_policy_by_arn_or_raise
    raise ValueError('Could not locate policy {}.'.format(arn))
ValueError: Could not locate policy arn:aws:iam::aws:policy/<REDACTED>.

To Reproduce
Steps to reproduce the behavior, please include information on suspected users/roles that are the source of the issue when possible:

  1. Create a new IAM User. The user does not need any permissions.
  2. Attach an unused managed-policy as a permission boundary only. When viewing the policy in the Console, under "Policy usage", Permissions should be empty.
  3. Run PMapper

Expected behavior
PMapper successfully completes graphing the environment.

Note
For testing, I changed https://github.com/nccgroup/PMapper/blob/master/principalmapper/graphing/gathering.py#L187 to no longer raise an error if the policy isn't found in the graph data by swapping the function to _get_policy_by_arn (see below).

        if 'PermissionsBoundary' in u:
            boundary_policy = _get_policy_by_arn(u['PermissionsBoundary']['PermissionsBoundaryArn'],
                                                          result['policies'])

I don't know what side-effects this may have, but if this is acceptable, happy to create a PR with the change.

@brandonstevens brandonstevens added the bug Something isn't working label Nov 1, 2022
@Techbrunch
Copy link

Techbrunch commented Sep 19, 2023

I ran into a similar issue except that the error was raised line 184:

        for p in u['AttachedManagedPolicies']:
            user_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))

The problematic policy is attached as a permissions policy to an IAM user.

I used the same workaround as @brandonstevens but ran into another issue (not sure if linked):

# pmapper graph create
2023-09-19 14:57:32+0000 | Obtaining IAM Users/Roles/Groups/Policies in the account.
2023-09-19 14:57:56+0000 | Sorting users, roles, groups, policies, and their relationships.
2023-09-19 14:57:56+0000 | Obtaining Access Keys data for IAM users
2023-09-19 14:58:40+0000 | Gathering MFA virtual device information
2023-09-19 14:58:40+0000 | Gathering MFA physical device information
2023-09-19 14:59:05+0000 | Determining which principals have administrative privileges
Traceback (most recent call last):
  File "/usr/local/bin/pmapper", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/site-packages/principalmapper/__main__.py", line 145, in main
    return graph_cli.process_arguments(parsed_args)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/graph_cli.py", line 179, in process_arguments
    graph = graph_actions.create_new_graph(session, service_list, parsed_args.include_regions,
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/graph_actions.py", line 39, in create_new_graph
    return gathering.create_graph(session, service_list, region_allow_list, region_deny_list, scps, client_args_map)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 81, in create_graph
    update_admin_status(nodes_result, scps)
  File "/usr/local/lib/python3.8/site-packages/principalmapper/graphing/gathering.py", line 782, in update_admin_status
    if query_interface.local_check_authorization_handling_mfa(node, action, node.arn, {},
  File "/usr/local/lib/python3.8/site-packages/principalmapper/querying/query_interface.py", line 208, in local_check_authorization_handling_mfa
    if local_check_authorization_full(principal, action_to_check, resource_to_check, condition_keys_to_check, resource_policy, resource_owner, service_control_policy_groups, session_policy):
  File "/usr/local/lib/python3.8/site-packages/principalmapper/querying/query_interface.py", line 306, in local_check_authorization_full
    if policy_has_matching_statement(policy, 'Deny', action_to_check, resource_to_check, prepped_condition_keys):
  File "/usr/local/lib/python3.8/site-packages/principalmapper/querying/local_policy_simulation.py", line 68, in policy_has_matching_statement
    for statement in _listify_dictionary(base_obj['Statement']):
TypeError: 'NoneType' object is not subscriptable

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants