PMapper – A Tool For Quickly Evaluating IAM Permissions In AWS


A project to speed up the process of reviewing an AWS account's IAM configuration.

Purpose

The goal of the AWS IAM auth system is to apply and enforce access controls on actions and resources in AWS. This tool helps identify whether the policies in place will accomplish the intents of the account's owners.

AWS already has tooling in place to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to get access to a resource. This means checking for access to other users, roles, and services as ways to pivot.


How to Use

  1. Download this repository and install its dependencies with pip install -r requirements.txt .
  2. Ensure you have graphviz installed on your host.
  3. Set up an IAM user in your AWS account with a policy that grants the necessary permissions to run this tool (see the file mapper-policy.json for an example). The ReadOnlyAccess managed policy works for this purpose. Grab the access keys created for this user.
  4. In the AWS CLI, set up a profile for that IAM user with the command: aws configure --profile <profile_name> where <profile_name> is a unique name.
  5. Run the command python pmapper.py --profile <profile_name> graph to begin pulling data about your account down to your computer.

Graphing
Principal Mapper has a graph subcommand, which does the heavy work of going through each principal in an account and finding any other principals it can access. The results are stored at ~/.principalmap and used by the other subcommands.

Querying
Principal Mapper has a query subcommand that runs a user-defined query. The queries can check if one or more principals can do a given action with a given resource. The supported queries are:

"can <Principal> do <Action> [with <Resource>]"
"who can do <Action> [with <Resource>]"
"preset <preset_query_name> <preset_query_args>"

The first form checks if a principal, or any other principal accessible to it, could perform an action with a resource (default wildcard). The second form enumerates all principals that are able to perform an action with a resource.
Note the quotes around the full query; they are there so the argument parser knows to take the whole string.
Note that <Principal> can either be the full ARN of a principal or the last part of that ARN (user/… or role/…).

Presets
The existing presets are priv_esc and change_perms, which have the same function. They describe which principals have the ability to change their own permissions. If a principal is able to change its own permissions, then it effectively has unlimited permissions.
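To make the two query forms and the priv_esc preset concrete, here is an added example (not PMapper's own code) that reimplements them as a breadth-first search over a small, constructed graph shaped like the node/edge dump shown later on this page; the DIRECT_ALLOW table stands in for the AWS policy simulation that PMapper actually calls.

```python
from collections import deque

# Constructed sample graph, modelled on the node/edge dump in this page.
# Edges are (source, destination, type, reason) as in PMapper's output.
NODES = {"user/AdminUser": True, "user/EC2Manager": False, "user/PowerUser": False,
         "user/S3ReadOnly": False, "role/AssumableRole": False, "role/EC2Role-Admin": True}
EDGES = [
    ("user/EC2Manager", "role/EC2Role-Admin", "EC2_USEPROFILE",
     "can create an EC2 instance and use an existing instance profile to access"),
    ("user/PowerUser", "role/AssumableRole", "STS_ASSUMEROLE",
     "can use STS to assume the role"),
    ("role/AssumableRole", "role/EC2Role-Admin", "EC2_USEPROFILE",
     "can create an EC2 instance and use an existing instance profile to access"),
]
# Constructed stand-in for the policy simulation PMapper asks AWS for:
# (action, resource) -> principals whose own policies allow it.
DIRECT_ALLOW = {("s3:GetObject", "*"): {"user/S3ReadOnly"}}

def directly_allowed(principal, action, resource):
    # Admins can do anything; everyone else only what the simulation says.
    return NODES[principal] or principal in DIRECT_ALLOW.get((action, resource), ())

def reachable(principal):
    """BFS: every principal reachable from `principal` -> shortest edge chain."""
    paths, queue = {principal: []}, deque([principal])
    while queue:
        cur = queue.popleft()
        for edge in EDGES:
            if edge[0] == cur and edge[1] not in paths:
                paths[edge[1]] = paths[cur] + [edge]
                queue.append(edge[1])
    return paths

def can_do(principal, action, resource="*"):
    """'can <Principal> do <Action> [with <Resource>]': edge chain proving
    access ([] for direct access), or None when no path exists."""
    for target, path in reachable(principal).items():
        if directly_allowed(target, action, resource):
            return path
    return None

def who_can(action, resource="*"):
    """'who can do <Action> [with <Resource>]': principal -> proof chain."""
    found = {p: can_do(p, action, resource) for p in NODES}
    return {p: path for p, path in found.items() if path is not None}

def priv_esc(principal):
    """'preset priv_esc': a non-admin that can reach an admin node can change
    its own permissions, so it effectively has unlimited permissions."""
    if NODES[principal]:
        return None
    return next((path for t, path in reachable(principal).items() if NODES[t]), None)
```

The returned chain is what the real tool prints as the indented "because:" lines, so a two-hop result for user/PowerUser here is the same finding as the sample priv_esc output below, just with an STS hop in the middle.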

Visualizing
The visualize subcommand produces a DOT and SVG file that represent the nodes and edges that were graphed.
To create the DOT and SVG files, run the command: python pmapper.py visualize
Currently the output is a directed graph, which collates all the edges with the same source and destination nodes. It does not draw edges where the source is an admin. Nodes for admins are colored blue. Nodes for users with the ability to access admins are colored red (potential priv-esc risk).

Sample Output

Pulling a graph

[email protected]:~/Documents/projects/Skywalker$ python pmapper.py graph
Using profile: skywalker
Pulling data for account [REDACTED]
Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker
[+] Starting EC2 checks.
[+] Starting IAM checks.
[+] Starting Lambda checks.
[+] Starting CloudFormation checks.
[+] Completed CloudFormation checks.
[+] Completed EC2 checks.
[+] Completed Lambda checks.
[+] Completed IAM checks.
Created an AWS Graph with 16 nodes and 53 edges
[NODES]
AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})
AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})
AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})
[EDGES]
(0,1,'ADMIN','can use existing administrative privileges to access')
(0,2,'ADMIN','can use existing administrative privileges to access')
(0,3,'ADMIN','can use existing administrative privileges to access')
(0,4,'ADMIN','can use existing administrative privileges to access')
(0,5,'ADMIN','can use existing administrative privileges to access')
(0,6,'ADMIN','can use existing administrative privileges to access')
(0,7,'ADMIN','can use existing administrative privileges to access')
(0,8,'ADMIN','can use existing administrative privileges to access')
(0,9,'ADMIN','can use existing administrative privileges to access')
(0,10,'ADMIN','can use existing administrative privileges to access')
(0,11,'ADMIN','can use existing administrative privileges to access')
(0,12,'ADMIN','can use existing administrative privileges to access')
(0,13,'ADMIN','can use existing administrative privileges to access')
(0,14,'ADMIN','can use existing administrative privileges to access')
(0,15,'ADMIN','can use existing administrative privileges to access')
(10,0,'ADMIN','can use existing administrative privileges to access')
(10,1,'ADMIN','can use existing administrative privileges to access')
(10,2,'ADMIN','can use existing administrative privileges to access')
(10,3,'ADMIN','can use existing administrative privileges to access')
(10,4,'ADMIN','can use existing administrative privileges to access')
(10,5,'ADMIN','can use existing administrative privileges to access')
(10,6,'ADMIN','can use existing administrative privileges to access')
(10,7,'ADMIN','can use existing administrative privileges to access')
(10,8,'ADMIN','can use existing administrative privileges to access')
(10,9,'ADMIN','can use existing administrative privileges to access')
(10,11,'ADMIN','can use existing administrative privileges to access')
(10,12,'ADMIN','can use existing administrative privileges to access')
(10,13,'ADMIN','can use existing administrative privileges to access')
(10,14,'ADMIN','can use existing administrative privileges to access')
(10,15,'ADMIN','can use existing administrative privileges to access')
(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,8,'STS_ASSUMEROLE','can use STS to assume the role')
(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')

Querying with the graph

[email protected]:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"
user/AdminUser can do s3:GetObject with *
user/EC2Manager can do s3:GetObject with * through role/EC2Role-Admin
   user/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
user/LambdaFullAccess can do s3:GetObject with *
user/PowerUser can do s3:GetObject with *
user/S3ManagementUser can do s3:GetObject with *
user/S3ReadOnly can do s3:GetObject with *
user/TestingSkywalker can do s3:GetObject with *
role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Admin
 role/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
role/EC2Role-Admin can do s3:GetObject with *
role/EC2WithS3ReadOnly can do s3:GetObject with *
role/EMR-Service-Role can do s3:GetObject with *
role/LambdaRole-S3ReadOnly can do s3:GetObject with *
role/UpdateCredentials can do s3:GetObject with * through user/AdminUser
 role/UpdateCredentials can create access keys with IAM to access user/AdminUser
user/AdminUser can do s3:GetObject with *

Identifying Potential Privilege Escalation

[email protected]:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"
Found a potential path to change privileges:
user/PowerUser can change privileges because:
 user/PowerUser can access role/EC2Role-Admin because:
  user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
 and role/EC2Role-Admin can change its own privileges.



Planned TODOs

  • Complete and verify Python 3 support.
  • Smarter control over the rate of API requests (queue, managing throttles).
  • Better progress reporting.
  • Validate and add more checks for obtaining credentials. Several services use service roles that grant the service permission to do an action within a user's account. This could potentially allow a user to obtain access to additional privileges.
  • Improving simulate calls (global conditions).
  • Completing priv esc checks (editing attached policies, attaching to a group).
  • Adding options for visualization (output type, edge collation).
  • Adding more caching.
  • Local policy evaluation?
  • Cross-account subcommand(s).
  • A preset to check if one principal is connected to another.
  • Handling policies for buckets or keys with services like S3 or KMS when querying.
