Releases: nccgroup/PMapper
v1.1.5 Release
This is a minor update to PMapper. It should be compatible with graphs from v1.1.X, but we recommend creating new graphs to take advantage of additional checks and fixes.
Improvements
- Added the new preset query, `wrongadmin`: This query identifies principals that have admin-level permissions, but do not have the AdministratorAccess or equivalent inline policy attached to themselves. This covers risks where users/roles are unintentionally granted combinations of permissions that would allow them to give themselves unlimited permissions in the account.
- Policy Simulator Fixes: Fixed an issue where IAM Group Policies with Deny statements were not correctly handled (Thank you @RyanJarv!). Fixed an issue where AWSServiceRoleFor[...] principals were not handled correctly with SCPs.
- Admin Check Fix: Cut out a corner-case in the admin-check function to avoid false positives.
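The risk class behind the `wrongadmin` query, as an added example (not PMapper's own code): a principal with no Allow `*`/`*` statement can still hold a combination of actions that lets it grant itself unlimited permissions. The escalation combinations in the table below are an assumed, well-known subset picked for illustration, the sample policies are constructed, and the resource defaults to `*` because the example does not model which specific policy or user ARNs the principal could target; none of this reproduces the tool's real edge logic.

```python
"""Illustrative "admin without AdministratorAccess" check (example code, not PMapper's)."""
import fnmatch
from typing import Dict, List, Tuple

# Combinations of actions that let a principal escalate itself to full admin.
# Assumed subset for the example; the real tool checks many more paths.
ESCALATION_COMBOS = {
    "attach-managed-policy-to-self": {"iam:AttachUserPolicy"},
    "put-inline-policy-on-self": {"iam:PutUserPolicy"},
    "new-default-version-of-attached-policy": {"iam:CreatePolicyVersion"},
    "pass-role-to-lambda": {"iam:PassRole", "lambda:CreateFunction",
                            "lambda:InvokeFunction"},
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def action_allowed(statements: List[Dict], action: str, resource: str = "*") -> bool:
    """IAM-style decision for one action on one resource: an explicit Deny wins over
    any Allow, action patterns match case-insensitively with * and ? wildcards, and
    resource patterns match against the ARN."""
    allowed = False
    for stmt in statements:
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def is_full_admin(statements: List[Dict]) -> bool:
    """True when an Allow statement grants every action on every resource, i.e. the
    AdministratorAccess-equivalent grant that wrongadmin deliberately excludes."""
    return action_allowed(statements, "*", "*")


def classify_principal(statements: List[Dict]) -> Tuple[str, List[str]]:
    """Return ("admin", []), ("wrongadmin", [combos found]) or ("none", [])."""
    if is_full_admin(statements):
        return "admin", []
    found = [name for name, actions in ESCALATION_COMBOS.items()
             if all(action_allowed(statements, a) for a in actions)]
    return ("wrongadmin" if found else "none"), found


# Constructed sample policies (flattened statements, not from any real account).
ADMIN = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
READ_ONLY = [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]
# Looks like a read-only IAM auditor, but CreatePolicyVersion on an attached policy
# lets the principal publish a new default version that allows "*".
AUDITOR_PLUS = [{"Effect": "Allow",
                 "Action": ["iam:Get*", "iam:List*", "iam:CreatePolicyVersion"],
                 "Resource": "*"}]
# Same grant plus an explicit Deny (e.g. from a group policy) that closes the path.
AUDITOR_DENIED = AUDITOR_PLUS + [{"Effect": "Deny",
                                  "Action": "iam:CreatePolicyVersion",
                                  "Resource": "*"}]

if __name__ == "__main__":
    for name, stmts in [("ADMIN", ADMIN), ("READ_ONLY", READ_ONLY),
                        ("AUDITOR_PLUS", AUDITOR_PLUS), ("AUDITOR_DENIED", AUDITOR_DENIED)]:
        print(name, classify_principal(stmts))
```

`AUDITOR_PLUS` is the case the query is after: it is reported as `wrongadmin`, while the same grant with a Deny from a group policy (`AUDITOR_DENIED`) is not, which is also why the v1.1.5 fix for Deny statements in IAM Group Policies matters for this query's accuracy.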
v1.1.4 Release
This is a minor update to PMapper. It should be compatible with graphs from v1.1.X, but we recommend creating new graphs to take advantage of additional checks and fixes.
Improvements
- Added `serviceaccess` preset query, reporting which services can access which roles (thanks @Kamerabuilt!)
- Added visualization support for service principals (thanks @Kamerabuilt!)
- Fixed `orgs` CLI command output (thanks @sethsec-bf!)
- Added SCP-support for Admin-checks (thanks @sethsec-bf!)
- Cut down on simulations for Lambda (thanks @Clete2 !)
- LocalStack support
- Implemented a fix for `cloudformation:UpdateStack` paths (thanks @sethsec-bf!)
- Updated support to check for Login Profiles (thanks @sethsec-bf!)
v1.1.3 Release
This is a minor update to Principal Mapper. All graphs generated in v1.1.0, v1.1.1, and v1.1.2 should be compatible with v1.1.3, but we recommend you recreate your graphs to take advantage of additional checks and fixes.
Improvements
- Fixed handling of `NotPrincipal`, and `*` for `Principal`, in resource policies
- Fixed handling of tags for CodeBuild
- Fixed handling of Organizations that don't use SCPs
- Fixed handling of condition context keys (now case-insensitive)
- Fixed false negative for access via existing Lambda functions
- Updated handling of `--with-resource-policy` for (arg)query components with respect to IAM Role Trust Docs
- Updated messaging for various CLI outputs
- Updated Edge description output, using the `searchable_name` method (from `Node`) instead of splitting ARNs
- Added Secrets Manager support for the Endgame preset query
Changes
- Updated CLI output for (arg)query by adding spaces between results
Regressions
- `query_utils.pull_cached_resource_policy_by_arn` now requires a `Graph` to be passed in the first argument instead of a list of `Policy`. This potentially breaking change had to be made to enable correct handling of resource policies for IAM Roles (trust docs).
- Various functions of `local_policy_simulation` now expect a `CaseInsensitiveDict` (defined in `principalmapper.util.case_insensitive_dict`) rather than a plain `dict`. This potentially breaking change had to be made to enable correct handling of condition context keys with case-insensitivity.
- The `query_interface` functions will now expect that you do not have duplicates of context keys in various `condition_keys_to_check` and related params. This is to enable correct handling of condition context keys with case-insensitivity. These functions may now throw `ValueError` if this is not done. All functions should have updated typing for the params to point to the expected input types. Note that the `_UODict` type is simply `Union[dict, CaseInsensitiveDict]` and indicates where both are allowed.
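Why condition context keys need a case-insensitive mapping, what the duplicate-key `ValueError` guards against, and how `Principal: "*"` and `NotPrincipal` decide whether a resource-policy statement applies, as one added example covering the Improvements and Regressions entries above. This is example code, not PMapper's: the `CaseInsensitiveDict` here is a stand-in written for the example (not the project's `principalmapper.util.case_insensitive_dict`), only the `StringEquals` and `Bool` operators and the `"AWS"` principal form are handled, and the policy fragments and ARNs are constructed.

```python
"""Condition context keys and Principal/NotPrincipal matching (example, not PMapper's)."""
from collections.abc import Mapping, MutableMapping
from typing import Optional, Tuple


class CaseInsensitiveDict(MutableMapping):
    """Minimal mapping whose keys compare case-insensitively. Stand-in for this
    example only, not the project's principalmapper.util.case_insensitive_dict."""

    def __init__(self, data: Optional[Mapping] = None):
        self._store = {}  # lower-cased key -> (original key, value)
        for key, value in (data or {}).items():
            self[key] = value

    def __setitem__(self, key, value):
        self._store[key.lower()] = (key, value)

    def __getitem__(self, key):
        return self._store[key.lower()][1]

    def __delitem__(self, key):
        del self._store[key.lower()]

    def __iter__(self):
        return (original for original, _ in self._store.values())

    def __len__(self):
        return len(self._store)


def find_duplicate_keys(context: Mapping) -> Optional[Tuple[str, str]]:
    """Return the first pair of keys that differ only by case, or None. Folding such
    a pair into a case-insensitive mapping would silently drop one of them, which
    is the situation the ValueError below refuses."""
    seen = {}
    for key in context:
        folded = key.lower()
        if folded in seen:
            return seen[folded], key
        seen[folded] = key
    return None


def to_context(context: Mapping) -> CaseInsensitiveDict:
    """Accept either a CaseInsensitiveDict or a plain dict without case-duplicates."""
    if isinstance(context, CaseInsensitiveDict):
        return context
    duplicate = find_duplicate_keys(context)
    if duplicate is not None:
        raise ValueError("condition key given twice: {!r} and {!r}".format(*duplicate))
    return CaseInsensitiveDict(context)


def condition_matches(condition: Mapping, context: Mapping) -> bool:
    """Evaluate an IAM Condition block against the request context. Key lookup is
    case-insensitive; a key absent from the context fails the condition."""
    ctx = to_context(context)
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = str(ctx[key])
            wanted = [str(v) for v in (expected if isinstance(expected, list) else [expected])]
            if operator == "StringEquals":
                if actual not in wanted:
                    return False
            elif operator == "Bool":
                if actual.lower() != wanted[0].lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def principal_matches(statement: Mapping, principal_arn: str) -> bool:
    """Does the statement apply to principal_arn? Principal "*" or {"AWS": "*"} matches
    everyone; NotPrincipal applies the statement to everyone except those listed."""
    def listed(block) -> bool:
        if block == "*":
            return True
        arns = block.get("AWS", []) if isinstance(block, Mapping) else block
        arns = arns if isinstance(arns, list) else [arns]
        return "*" in arns or principal_arn in arns

    if "NotPrincipal" in statement:
        return not listed(statement["NotPrincipal"])
    return listed(statement.get("Principal", {}))


# Constructed samples: the policy spells the key in one case, the request in another.
MFA_REQUIRED = {"Bool": {"aws:multifactorauthpresent": "true"}}
REQUEST_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
REQUEST_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
```

With a plain `dict`, the `aws:multifactorauthpresent` lookup against `REQUEST_WITH_MFA` would miss and the MFA condition would be evaluated as unmet, a false negative on a control that is usually the only thing standing between a leaked access key and the role; `find_duplicate_keys` is the check that makes it safe to fold keys.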
Thanks To
v1.1.2 Release
This is a minor update to Principal Mapper. All graphs generated in v1.1.0 and v1.1.1 should be compatible with v1.1.2, but we recommend you recreate your graphs to take advantage of additional checks and caching.
Improvements
v1.1.1 Release
This is a minor update to Principal Mapper. All graphs generated in v1.1.0 will be compatible with v1.1.1, but we recommend you re-graph all accounts from v1.1.0 (see below).
Improvements
- Fix for #76 - added language to clarify which command updated Organizations data, thanks @klauern !
- Fix for #77 - admins will no longer be reported as privesc vectors by `analysis`, thanks @Techbrunch!
- Fix for #78 - policies attached to groups will now be correctly included during policy simulation (thanks Tanner Prynn @ NCC Group!)
v1.1.0 Release
This is a major update to Principal Mapper. It contains new functionality and bugfixes. Graphs generated with v1.0.X will not be compatible with this version, and will need to be recreated.
Improvements
- Switched to pulling data via `GetAccountAuthorizationDetails` per (#26), thanks @danieladams456!
- Overhaul of outputs and logging (#36)
- Implementation of resource policies ( #45 ), permission boundaries ( #41 ), session policies, and service control policies ( #69 ).
- Gathering MFA information ( #49 )
- New visualization for only privilege escalation paths, GraphML generation ( #52 )
- New findings ( #53 )
- Tracking tags, added `clusters` preset query (#61)
- Cross-account Edge support (#62), thanks @christophetd!
- Fix for #64 , thanks @jfrazee216 !
- Fix for #66
- Whipped together a dockerfile ( #67 )
- AWS Organizations support ( #69 )
- Fix for #71
- Addition of the Endgame query ( #72 )
- Fix for #73 , thanks @Rackme !
- IAM Group inclusion fix ( #60 ), thanks @pr454nn4kum4r and @prasanna2av !
- IAM Group gathering fix ( #50 ), thanks @yehudacohen !
Changes
- Converted `graph` subcommand options into more subcommands (i.e. `graph --create` is now `graph create`)
- Addition of several keyword (Optional) parameters throughout the codebase to support new features
- Moved offline components of "edge identification" code into a separate function, enables infrastructure-as-code use-cases
- Moved example scripts and visualizations into separate directory
Regressions
- Per the logging changes, several instances of debug and output parameters for the PMapper codebase were removed.
v1.0.1 Release
This is a micro update to Principal Mapper. It only contains bugfixes. It should be compatible with graphs created with the previous version (v1.0.0).
Improvements
- Fix for issue #39: Issue with gathering data from CloudFormation due to assumption about response contents.
- Incorporates pull request #37: Fix for an issue with gathering data for IAM Users with a `path` that's not just `/` (default). Includes additional test changes for IAM Users with non-default paths.
- Incorporates pull request #38: Fix to set the standard storage location for OpenBSD.
Thanks To
v1.0.0 Release
This is a full update to Principal Mapper.
Improvements
- A new graphing system, which locally stores node information (IAM Users/Roles), edge information (which principals can access each other), policy information (policy docs, attachments), and group information (IAM User members).
- A new querying system that locally evaluates IAM policies rather than call the AWS IAM Policy Simulation APIs. The local simulation is backed with extensive testing.
- A new REPL, for quickly executing multiple queries.
- A new analysis module, which identifies and reports risks in an easy-to-read text (Markdown) format or an easy-to-automate JSON format.
- An overhaul of the modules and packages to make them easier to develop scripts with.
- Full Python 3.5+ support.
- Docstrings for most (if not all) modules, functions, classes, and methods.
Regressions
- Support for Python 2 completely dropped.
- Simulation with AWS IAM Policy Simulation API dropped (future versions may bring this back).
- Incompatible with graphs generated from previous versions of PMapper.