Tags: nccgroup/PMapper

v1.1.5

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Merge in v1.1.5 (#105)

* added wrongadmin preset query, updated logging statement in sts_edges, added cross-account test cases, bumped version number to 1.1.5

* implemented change in the simulator: AWSServiceRoleFor... roles should be ignoring SCP restrictions

Co-authored-by: Erik Steringer <[email protected]>

v1.1.4-hotfix-1

hotfix: client_args_map set to None caused errors

v1.1.4

v1.1.4 (#99)

* Added preset for service access

* Added preset for service access

* fix command line output in orgs subcommand

* added SCP support to admin-checks

* added SCP support to admin-checks

* cutting down on Lambda authorization simulations

* Initial work on resources and potential confused deputy risks

* implemented support for botocore client generation with custom arguments, added localstack endpoint support for "graph create" subcommand

* implemented a fix for #98 - cloudformation:UpdateStack risks

* implemented a fix for #97 - checking for Login Profile for full password check

* progress on datapipeline work

* hotfix

* pulling datapipeline until 1.1.5

Co-authored-by: Erik Steringer <[email protected]>

v1.1.3

v1.1.3 (#87)

bugfixes:

* NotPrincipal in resource policies, '*' for matching principals
* Codebuild tag handling fixed
* Querying with cached resource policies fixed for IAM Role Trust Policies
* SQS messaging on missing queue policy fixed
* Orgs messaging on improper args fixed
* Orgs without SCPs fixed
* fixed handling for condition contexts, case-insensitive keys
* fix for #86 - Did not include Edges for existing Lambda functions

additions:

* updated output of (arg)query, changed edge descriptions to use node searchable-names
* add endgame support for Secrets Manager

Co-authored-by: Erik Steringer <[email protected]>

v1.1.2

v1.1.2 (#85)

* Added Secrets Manager support. Cleaned up resource-policy handling from command line.

* Adding minimum permissions policy doc.

* implemented edge checks related to SageMaker: CreateTrainingJob and CreateProcessingJob

* added codebuild support

* added ec2 auto scaling support

* update findings writing

Co-authored-by: Erik Steringer <[email protected]>

v1.1.1

v1.1.1 (#79)

* apply fixes to setup

* fixing #78 and adding a unit-test to prevent future regression

* update language around orgs update command (addresses #76)

* fix querying involving admins

* fix for analysis: will not report current admins as being able to privesc (#77)

* version update

v1.1.0

v1.1.0 Release (#74)

* Address #42, version bump

* Major work on resource policies, adding specific internal functions to grab action/resource matches, added tests

* Code removal: unused resource policy evaluation function

* initial implementation of resource policy eval with query_interface

* fixed bug in iam trust doc evaluation, backed up with testing

* progress on grabbing resource policy by ARN

* full implementation of (arg)query with resource policy

* pulling, storing permission boundaries

* permissions boundaries: added support in local evaluation methods, test cases

* permissions boundaries: fix eval error caught by unit test due to allow vs None confusion

* bugfix: arg-ordering in query subcommand from __main__.py

* starting visualization update, service-policy retrieval updates

* full implementation of gathering data with get_account_authorization_details, grabbing permission boundaries and mfa data (modified Nodes, unit tests have to be re-written again), fixed bug in SSM edge identification

* Edge update: handle 'short_reason' field. Visualization update: option to only draw priv-esc risks.

* query updates: added (arg)query arg to output for unauthorized principals, resource-policy queries now correctly handle admin scenarios

* add example visualization

* adding support for gathering and caching s3 bucket policies

* query_result update before incorporating pull request

* "invalid break disallowing multiple group_memberships for nodes in graph" (#60)

* Fixed analysis bug (EC2 role assumption). Added MFA/Tag support to Nodes. Updated tests.

* formatting fix, added clusters preset

* added cycle detection + ssm finding, need to resolve import cycle issue

* tested cycle detection, fixed and tested clusters

* added support for grabbing+caching kms/sqs/sns resource policies

* implemented on-demand resource policy retrieval for sns/sqs/kms/s3 (lib only)

* overhauled logging, removed invocations of dprint, still need to tackle output/debug params

* broadly removed debug/output params, or created "print" alternative functions to existing "write" functions.

* added partial region support for the gathering process, added lack of MFA device finding

* more progress in region-specification support for gathering: edge-gathering classes have allow/deny lists built in

* moved argument generation to cli/frontend modules, still need to move argument handling

* Started the shift from __main__ for CLI-related code

* finished shifting code from __main__ into cli modules

* implemented graphml visualization, reorganized visualization code

* implemented session policy + SCP handling in simulation functions, still need to add tests and interface via (arg)query cli

* added session policy handling to CLI

* set up proper logs for unit tests

* laying groundwork for AWS Organizations work

* first crack at gathering and organizing aws orgs data

* more orgs data compilation, cross-account edges

* moved orgs front-end into separate module

* added sagemaker edges. bugfixes.

* fixed cross account edges

* added handling for SNS/SQS resource policies

* added organizations support to query CLI

* added minimal tests for SCPs, added SCPs support to argquery

* added Dockerfile

* untested attempt at implementing multi-account search

* hotfixed search_authorization_across_accounts, initial tests are good

* added support for PMAPPER_STORAGE env var

* added initial version of the changelog

* fix for #71

* fix for #73, start implementation of infra-as-code example

* remove extra script

* another fix for #73, more infra-as-code example progress

* big shift in edge-gathering code: separated online/offline operations to enable infra-as-code analysis, optimized several passrole-based edge-checks

* calling it good on the examples before v1.1.0

* initial implementation of endgame preset query (#72)

* enabled SCP support for the graphing process

* updated examples and readme

* massive performance improvement by eliminating redundant regex compilation using an LRU cache (functools)

* fix image linking for README

* final quick fixes before 1.1.0
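
The v1.1.0 notes above mention three things that interact in the simulator: session policy and SCP handling, permissions boundaries, and caching compiled regexes with functools to avoid recompiling the same IAM wildcard pattern on every check; the v1.1.5 notes higher up add that AWSServiceRoleFor... roles are evaluated without SCP restrictions. The block below is an added example, not PMapper's own code, that puts those pieces together in a minimal simulator: identity policies, then a permissions boundary and session policy that can only narrow the grant, then SCPs at every level of the organization path, with service-linked roles skipping the SCP step. The policy documents, ARNs and helper names are constructed for this example; NotAction, NotResource and Condition handling are left out.

```python
"""Added example (not PMapper's own code): a minimal IAM authorization
simulator layering identity policies, a permissions boundary, a session
policy and Organizations SCPs. Wildcard patterns are compiled once and
cached with functools.lru_cache. Service-linked roles (AWSServiceRoleFor*)
are evaluated without SCPs. All policy documents and ARNs are constructed."""
import re
from functools import lru_cache
from typing import Dict, List, Optional, Union

Patterns = Union[str, List[str]]


@lru_cache(maxsize=4096)
def _compile(pattern: str) -> "re.Pattern[str]":
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # The cache means each distinct pattern is compiled once per process,
    # which matters when thousands of statements are checked per query.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    # Actions are case-insensitive in IAM; most ARN parts are not. Simplified here.
    return re.compile(regex, re.IGNORECASE)


def _match_any(patterns: Patterns, value: str) -> bool:
    items = [patterns] if isinstance(patterns, str) else patterns
    return any(_compile(p).fullmatch(value) for p in items)


def _decision(policy: Dict, action: str, resource: str) -> Optional[str]:
    """Evaluate one policy document: 'Deny', 'Allow' or None (implicit deny)."""
    outcome = None
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for stmt in stmts:
        if not _match_any(stmt.get("Action", []), action):
            continue
        if not _match_any(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any statement is final
        outcome = "Allow"
    return outcome


def _all_levels_allow(scp_levels: List[List[Dict]], action: str, resource: str) -> bool:
    # SCP semantics: at every level of the OU path (root, each OU, the account)
    # at least one attached SCP must allow the action and none may deny it.
    for level in scp_levels:
        decisions = [_decision(p, action, resource) for p in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_service_linked_role(arn: str) -> bool:
    # Service-linked roles live under /aws-service-role/ and are named AWSServiceRoleFor...
    return ":role/aws-service-role/" in arn or arn.rsplit("/", 1)[-1].startswith("AWSServiceRoleFor")


def is_authorized(principal_arn: str, identity_policies: List[Dict], action: str, resource: str,
                  permissions_boundary: Optional[Dict] = None, session_policy: Optional[Dict] = None,
                  scp_levels: Optional[List[List[Dict]]] = None) -> bool:
    # 1. identity policies: an explicit deny wins, otherwise at least one allow is needed
    decisions = [_decision(p, action, resource) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    # 2. a permissions boundary or session policy can only narrow the identity grant
    for narrowing in (permissions_boundary, session_policy):
        if narrowing is not None and _decision(narrowing, action, resource) != "Allow":
            return False
    # 3. SCPs apply to everything in the account except service-linked roles
    if scp_levels and not is_service_linked_role(principal_arn):
        return _all_levels_allow(scp_levels, action, resource)
    return True


# Constructed policy documents for the demo.
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_IAM_SCP = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_LEVELS = [[FULL_ACCESS], [FULL_ACCESS, NO_IAM_SCP]]  # root, then the account's OU

ADMIN_ROLE = "arn:aws:iam::123456789012:role/Admin"
SLR = "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"


def demo() -> Dict[str, bool]:
    return {
        "admin_s3": is_authorized(ADMIN_ROLE, [FULL_ACCESS], "s3:GetObject", "arn:aws:s3:::bucket/key", scp_levels=SCP_LEVELS),
        "admin_iam": is_authorized(ADMIN_ROLE, [FULL_ACCESS], "iam:CreateUser", "*", scp_levels=SCP_LEVELS),
        "slr_iam": is_authorized(SLR, [FULL_ACCESS], "iam:CreateUser", "*", scp_levels=SCP_LEVELS),
        "bounded_iam": is_authorized(ADMIN_ROLE, [FULL_ACCESS], "iam:CreateUser", "*", permissions_boundary=S3_ONLY_BOUNDARY),
    }


if __name__ == "__main__":
    print(demo())
    print(_compile.cache_info())
```

With the constructed policies, the Admin role is allowed s3:GetObject but is blocked from iam:CreateUser by the OU-level SCP, the service-linked role is allowed iam:CreateUser because the SCP step is skipped for it, and the S3-only permissions boundary blocks iam:CreateUser regardless of SCPs. Printing `_compile.cache_info()` shows that repeated patterns such as `*` were compiled once and served from the cache afterwards.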

v1.0.1

v1.0.1 - Bugfixes for 1.0.0 (#40)

* Merged in bug-fixes applied to master, fix #39.

* Added tests for handling paths in users and roles (ref. #37).

v1.0.0

conclude merge