PMapper: quickly evaluating IAM permissions in AWS
A project to speed up the process of reviewing an AWS account’s IAM configuration.
The goal of the AWS IAM auth system is to apply and enforce access controls on actions and resources in AWS. This tool helps to identify if the policies in place will accomplish the intents of the account’s owners.
AWS already has tooling in place to check if policies attached to a resource will permit an action. This tool builds on that functionality to identify other potential paths for a user to get access to a resource. This means checking for access to other users, roles, and services as ways to pivot.
How to Use
- Download this repository (git clone https://github.com/nccgroup/PMapper.git) and install its dependencies with pip install -r requirements.txt.
- Ensure you have graphviz installed on your host.
- Set up an IAM user in your AWS account with a policy that grants the permissions needed to run this tool (see the file mapper-policy.json for an example). The ReadOnlyAccess managed policy also works for this purpose. Grab the access keys created for this user.
- In the AWS CLI, set up a profile for that IAM user with the command: aws configure --profile <profile_name>, where <profile_name> is a unique name.
- Run the command python pmapper.py --profile <profile_name> graph to begin pulling data about your account down to your computer.
Principal Mapper has a graph subcommand, which does the heavy work of going through each principal in an account and finding any other principals it can access. The results are stored at ~/.principalmap and used by other subcommands.
Principal Mapper has a query subcommand that runs a user-defined query. The queries can check if one or more principals can do a given action with a given resource. The supported queries are:
The first form checks if a principal, or any other principal accessible to it, could perform an action with a resource (default wildcard). The second form enumerates all principals that are able to perform an action with a resource.
Note the quotes around the full query; they are needed so the argument parser takes the whole string as a single argument.
Note that <Principal> can be either the full ARN of a principal or the last part of that ARN (user/… or role/…).
The existing presets are priv_esc and change_perms, which have the same function. They report which principals have the ability to change their own permissions. If a principal is able to change its own permissions, it effectively has unlimited permissions.
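To make the two query forms and the priv_esc preset concrete, here is an added, self-contained model of the same idea (example code written for this page, not PMapper's own implementation or data format). It assumes a constructed sample account in which only sts:AssumeRole and iam:CreateAccessKey create pivot edges, and it ignores Deny statements and conditions, which the real tool handles through AWS's policy simulation.

```python
from collections import deque
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed sample account id

def arn(name):
    return f"arn:aws:iam::{ACCOUNT}:{name}"

# Constructed sample: the (action, resource) Allow statements each principal holds directly.
ALLOWED = {
    "user/alice":  [("s3:GetObject", "arn:aws:s3:::logs/*"), ("sts:AssumeRole", arn("role/deploy"))],
    "user/bob":    [("s3:ListBucket", "*")],
    "role/deploy": [("iam:CreateAccessKey", arn("user/carol"))],
    "user/carol":  [("*", "*")],  # admin
}
# Actions that let the source act as the target principal (the real tool tracks many more).
PIVOT_ACTIONS = ("sts:AssumeRole", "iam:CreateAccessKey")
# Actions a principal could use to change its own permissions (subset, for the preset).
SELF_PERM_ACTIONS = ("iam:PutUserPolicy", "iam:AttachUserPolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy")

def allowed_directly(principal, action, resource="*"):
    """Does the principal's own policy allow `action` on `resource`? Patterns may contain wildcards."""
    return any(fnmatchcase(action, a) and fnmatchcase(resource, r) for a, r in ALLOWED.get(principal, []))

def edges_from(principal):
    """Principals whose credentials `principal` can obtain through a pivot action (the 'graph' step)."""
    return {p for p in ALLOWED if p != principal
            and any(allowed_directly(principal, act, arn(p)) for act in PIVOT_ACTIONS)}

def can_do(principal, action, resource="*"):
    """First query form: breadth-first search over pivots; returns the path of principals or None."""
    queue, seen = deque([[principal]]), {principal}
    while queue:
        path = queue.popleft()
        if allowed_directly(path[-1], action, resource):
            return path
        for nxt in edges_from(path[-1]) - seen:
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def who_can(action, resource="*"):
    """Second query form: every principal that can perform the action, directly or via pivots."""
    return sorted(p for p in ALLOWED if can_do(p, action, resource))

def priv_esc(principal):
    """Preset priv_esc / change_perms: can the principal alter its own permissions?"""
    return any(can_do(principal, act, arn(principal)) is not None for act in SELF_PERM_ACTIONS)
```

In the sample data, user/alice cannot run EC2 herself, but can_do shows the path alice -> role/deploy -> user/carol (an admin), which is exactly the kind of pivot a red-coloured node in the visualization represents.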
The visualize subcommand produces a DOT and SVG file that represent the nodes and edges that were graphed.
To create the DOT and SVG files, run the command: python pmapper.py visualize
Currently, the output is a directed graph in which all edges sharing the same source and destination nodes are merged into one. Edges whose source is an admin are not drawn. Nodes for admins are coloured blue. Nodes for users with the ability to access admins are coloured red (potential priv-esc risk).
Copyright (C) 2018 ncc-erik-steringer