Endgame Preset Query #72

Closed
ncc-erik-steringer opened this issue Feb 16, 2021 · 1 comment
@ncc-erik-steringer (Collaborator)

There is/was a tool (Endgame) that made AWS API calls to open resources to world read/write access through the resource policies attached to those resources. Let's add a preset query that goes and searches the various cached resource policies and reports any users/roles that are able to open that resource to world read/write.
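
The check described in this issue, as an added example that is not PMapper's own code or its actual endgame preset: a small evaluator walks each principal's identity policies and reports who holds an action that can replace the resource policy of a given S3 bucket, KMS key, SQS queue, SNS topic or Secrets Manager secret. The action names are real IAM actions; the grouping by ARN prefix, the principal names, the policies and the ARNs are constructed for this example. Conditions, NotAction/NotResource, permissions boundaries, SCPs, session policies and grants made by the resource policy itself are deliberately left out, so a positive result here is a candidate for review, not proof of authorization.

```python
"""Constructed example (not PMapper code): which principals can rewrite a
resource policy and so open the resource to world read/write."""
import re
from typing import Dict, Iterable, List, Tuple

# Actions that replace or extend a resource's policy, keyed by ARN prefix.
# The action names are real AWS IAM actions; grouping them this way is an
# assumption of this example, not PMapper's own table.
POLICY_SETTING_ACTIONS: Dict[str, List[str]] = {
    "arn:aws:s3:::": ["s3:PutBucketPolicy"],
    "arn:aws:kms:": ["kms:PutKeyPolicy"],
    "arn:aws:sqs:": ["sqs:AddPermission", "sqs:SetQueueAttributes"],
    "arn:aws:sns:": ["sns:AddPermission", "sns:SetTopicAttributes"],
    "arn:aws:secretsmanager:": ["secretsmanager:PutResourcePolicy"],
}


def iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive in IAM; ARNs are compared case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value) -> List[str]:
    """Policy elements may be a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def statement_applies(stmt: dict, action: str, resource_arn: str) -> bool:
    """True when the statement's Action and Resource elements cover the call.
    Condition, NotAction and NotResource are ignored in this simplified model."""
    action_ok = any(iam_match(a, action, True) for a in _as_list(stmt.get("Action")))
    resource_ok = any(iam_match(r, resource_arn, False) for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def is_authorized(policies: Iterable[dict], action: str, resource_arn: str) -> bool:
    """Default deny; a matching explicit Deny in any policy beats every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def find_endgame_principals(principals: Dict[str, List[dict]],
                            resource_arns: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """For each resource, list (principal, arn, actions) where the principal's
    identity policies allow at least one policy-setting action on that ARN."""
    findings = []
    for arn in resource_arns:
        actions = next((acts for prefix, acts in POLICY_SETTING_ACTIONS.items()
                        if arn.startswith(prefix)), [])
        for name, policies in principals.items():
            hits = [a for a in actions if is_authorized(policies, a, arn)]
            if hits:
                findings.append((name, arn, hits))
    return findings


# Constructed sample input: identity policies for four hypothetical principals.
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/example-key-id"
SNS_TOPIC = "arn:aws:sns:us-east-1:123456789012:alerts"
PRINCIPALS: Dict[str, List[dict]] = {
    "admin-role": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    "data-engineer": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:PutBucketPolicy"],
         "Resource": "arn:aws:s3:::team-*"},
        # Explicit Deny on production buckets must win over the Allow above.
        {"Effect": "Deny", "Action": "s3:PutBucketPolicy",
         "Resource": "arn:aws:s3:::team-prod-*"}]}],
    "kms-admin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}],
    "sns-publisher": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": SNS_TOPIC}]}],
}
RESOURCES = ["arn:aws:s3:::team-data", "arn:aws:s3:::team-prod-logs", KMS_KEY, SNS_TOPIC]

if __name__ == "__main__":
    for name, arn, hits in find_endgame_principals(PRINCIPALS, RESOURCES):
        print(f"{name} can rewrite the policy of {arn} via {', '.join(hits)}")
```

The point a reviewer of such results should keep in mind: holding `s3:PutBucketPolicy` on a bucket is equivalent to holding every permission the bucket can grant, because the caller can write a policy with `"Principal": "*"`. The same applies to the KMS, SQS, SNS and Secrets Manager actions listed, which is why the query treats these actions, rather than read/write actions on the data itself, as the thing to search for.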

@ncc-erik-steringer (Collaborator, Author)

Paging @kmcquade, would appreciate if you dropped a list of services/actions you looked for.

ncc-erik-steringer added a commit that referenced this issue Apr 1, 2021
* Address #42, version bump

* Major work on resource policies, adding specific internal functions to grab action/resource matches, added tests

* Code removal: unused resource policy evaluation function

* initial implementation of resource policy eval with query_interface

* fixed bug in iam trust doc evaluation, backed up with testing

* progress on grabbing resource policy by ARN

* full implementation of (arg)query with resource policy

* pulling, storing permission boundaries

* permissions boundaries: added support in local evaluation methods, test cases

* permissions boundaries: fix eval error caught by unit test due to allow vs None confusion

* bugfix: arg-ordering in query subcommand from __main__.py

* starting visualization update, service-policy retrieval updates

* full implementation of gathering data with get_account_authorization_details, grabbing permission boundaries and mfa data (modified Nodes, unit tests have to be re-written again), fixed bug in SSM edge identification

* Edge update: handle 'short_reason' field. Visualization update: option to only draw priv-esc risks.

* query updates: added (arg)query arg to output for unauthorized principals, resource-policy queries now correctly handle admin scenarios

* add example visualization

* adding support for gathering and caching s3 bucket policies

* query_result update before incorporating pull request

* "invalid break disallowing multiple group_memberships for nodes in graph" (#60)

* Fixed analysis bug (EC2 role assumption). Added MFA/Tag support to Nodes. Updated tests.

* formatting fix, added clusters preset

* added cycle detection + ssm finding, need to resolve import cycle issue

* tested cycle detection, fixed and tested clusters

* added support for grabbing+caching kms/sqs/sns resource policies

* implemented on-demand resource policy retrieval for sns/sqs/kms/s3 (lib only)

* overhauled logging, removed invocations of dprint, still need to tackle output/debug params

* broadly removed debug/output params, or created "print" alternative functions to existing "write" functions.

* added partial region support for the gathering process, added lack of MFA device finding

* more progress in region-specification support for gathering: edge-gathering classes have allow/deny lists built in

* moved argument generation to cli/frontend modules, still need to move argument handling

* Started the shift from __main__ for CLI-related code

* finished shifting code from __main__ into cli modules

* implemented graphml visualization, reorganized visualization code

* implemented session policy + SCP handling in simulation functions, still need to add tests and interface via (arg)query cli

* added session policy handling to CLI

* set up proper logs for unit tests

* laying groundwork for AWS Organizations work

* first crack at gathering and organizing aws orgs data

* more orgs data compilation, cross-account edges

* moved orgs front-end into separate module

* added sagemaker edges. bugfixes.

* fixed cross account edges

* added handling for SNS/SQS resource policies

* added organizations support to query CLI

* added minimal tests for SCPs, added SCPs support to argquery

* added Dockerfile

* untested attempt at implementing multi-account search

* hotfixed search_authorization_across_accounts, initial tests are good

* added support for PMAPPER_STORAGE env var

* added initial version of the changelog

* fix for #71

* fix for #73, start implementation of infra-as-code example

* remove extra script

* another fix for #73, more infra-as-code example progress

* big shift in edge-gathering code: separated online/offline operations to enable infra-as-code analysis, optimized several passrole-based edge-checks

* calling it good on the examples before v1.1.0

* initial implementation of endgame preset query (#72)

* enabled SCP support for the graphing process

* updated examples and readme

* massive performance improvement by eliminating redundant regex compilation using an LRU cache (functools)

* fix image linking for README

* final quick fixes before 1.1.0
wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
…rce_iam_permissions

Updated the Brute Force IAM Permissions article