PMapper:助你在AWS中实现IAM权限快速安全评估

admin 2024年5月18日09:39:38评论3 views字数 9125阅读30分25秒阅读模式
PMapper:助你在AWS中实现IAM权限快速安全评估

PMapper是一款功能强大的脚本工具,该工具本质上是一个基于Python开发的脚本/代码库,可以帮助广大研究人员识别一个AWS账号或AWS组织中存在安全风险的IAM配置,并对IAM权限执行快速评估。

PMapper:助你在AWS中实现IAM权限快速安全评估

PMapper可以将目标AWS帐户中的不同IAM用户和角色建模为有向图,从而帮助广大研究人员检查权限提升以及攻击者访问AWS资源或操作所可能采取的替代路径。PMapper还提供了一种查询机制,该机制使用了AWS授权行为的本地模拟方法,当运行查询以确定主体是否有权访问某个操作/资源时,PMapper还会检查该用户或角色是否可以访问其他有权访问该操作/资源的用户或角色。

工具要求
PMapper基于Python 3.5+开发,并使用了botocore库构建项目功能。除此之外,PMapper还需要pydot和graphviz这两个依赖组件,其中pydot可以通过pip安装,graphviz可以访问下列地址获取Windows、macOS和Linux版本:
https://graphviz.org/
工具安装
由于该工具基于Python 3.5开发,因此我们首先需要在本地设备上安装并配置好Python 3.5+环境。接下来,广大研究人员可以使用下列方法完成工具的下载和安装。

Pip安装

pip install principalmapper

源码安装

首先,使用下列命令将该项目源码克隆至本地:
git clone [email protected]:nccgroup/PMapper.git
然后使用pip完成工具的安装:
cd PMapperpip install .

Docker使用

将项目源码克隆至本地之后,切换到项目目录中,并执行下列命令:
cd PMapperdocker build -t $TAG .docker run -it $TAG
我们可以在调用docker run ...命令时,使用-e|--env或--env-file传递AWS_*环境变量,或使用-v加载你的~/.aws/目录,并使用AWS_CONFIG_FILE和AWS_SHARED_CREDENTIALS_FILE环境变量。
工具使用
为目标账号创建一个有向图,并通过AWS CLI配置访问:
$ pmapper --profile skywalker graph create# [... graph-creation output goes here ...]
运行一个查询,并查看谁创建了IAM用户:
$ pmapper --profile skywalker query 'who can do iam:CreateUser'# [... query output goes here ...]
运行一个查询,并查看谁启动了一个消耗大量资源的EC2实例(排除admin用户):
$ pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'# [... query output goes here ...]
运行权限提升预设查询,跳过报告当前「admin」用户:
$ pmapper --account 000000000000 query -s 'preset privesc *'# [... privesc report goes here ...]
针对目标账号为创建一个SVG格式的可视化访问图:
$ pmapper --account 000000000000 visualize --filetype svg# [... information output goes here, file created ...]
下面给出的是可视化有向图的实例:
PMapper:助你在AWS中实现IAM权限快速安全评估
使用--only-privesc命令生成的结果如下:
PMapper:助你在AWS中实现IAM权限快速安全评估
输出样例
拉取一张图:
esteringer@ubuntu:~/Documents/projects/Skywalker$ python pmapper.py graphUsing profile: skywalkerPulling data for account [REDACTED]Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker[+] Starting EC2 checks.[+] Starting IAM checks.[+] Starting Lambda checks.[+] Starting CloudFormation checks.[+] Completed CloudFormation checks.[+] Completed EC2 checks.[+] Completed Lambda checks.[+] Completed IAM checks.Created an AWS Graph with 16 nodes and 53 edges[NODES]AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})[EDGES](0,1,'ADMIN','can use existing administrative privileges to access')(0,2,'ADMIN','can use existing administrative privileges to access')(0,3,'ADMIN','can use existing administrative privileges to access')(0,4,'ADMIN','can use existing administrative privileges to access')(0,5,'ADMIN','can use existing administrative privileges to access')(0,6,'ADMIN','can use existing administrative privileges to access')(0,7,'ADMIN','can use existing administrative privileges to access')(0,8,'ADMIN','can use existing administrative privileges to access')(0,9,'ADMIN','can use existing administrative privileges to access')(0,10,'ADMIN','can use existing administrative privileges to access')(0,11,'ADMIN','can use existing administrative privileges to access')(0,12,'ADMIN','can use existing administrative privileges to access')(0,13,'ADMIN','can use existing administrative privileges to access')(0,14,'ADMIN','can use existing administrative privileges to access')(0,15,'ADMIN','can use existing administrative privileges to access')(10,0,'ADMIN','can use existing administrative privileges to access')(10,1,'ADMIN','can use existing administrative privileges to access')(10,2,'ADMIN','can use existing administrative privileges to access')(10,3,'ADMIN','can use existing administrative privileges to access')(10,4,'ADMIN','can use existing administrative privileges to access')(10,5,'ADMIN','can use existing administrative privileges to access')(10,6,'ADMIN','can use existing administrative privileges to access')(10,7,'ADMIN','can use existing administrative privileges to access')(10,8,'ADMIN','can use existing administrative privileges to access')(10,9,'ADMIN','can use existing administrative privileges to access')(10,11,'ADMIN','can use existing administrative privileges to access')(10,12,'ADMIN','can use existing administrative privileges to access')(10,13,'ADMIN','can use existing administrative privileges to access')(10,14,'ADMIN','can use existing administrative privileges to access')(10,15,'ADMIN','can use existing administrative privileges to access')(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')(4,8,'STS_ASSUMEROLE','can use STS to assume the role')(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')
查询图信息:
esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"user/AdminUser can do s3:GetObject with *user/EC2Manager can do s3:GetObject with * through role/EC2Role-Adminuser/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Adminrole/EC2Role-Admin can do s3:GetObject with *user/LambdaFullAccess can do s3:GetObject with *user/PowerUser can do s3:GetObject with *user/S3ManagementUser can do s3:GetObject with *user/S3ReadOnly can do s3:GetObject with *user/TestingSkywalker can do s3:GetObject with *role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Adminrole/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Adminrole/EC2Role-Admin can do s3:GetObject with *role/EC2Role-Admin can do s3:GetObject with *role/EC2WithS3ReadOnly can do s3:GetObject with *role/EMR-Service-Role can do s3:GetObject with *role/LambdaRole-S3ReadOnly can do s3:GetObject with *role/UpdateCredentials can do s3:GetObject with * through user/AdminUserrole/UpdateCredentials can create access keys with IAM to access user/AdminUseruser/AdminUser can do s3:GetObject with *
识别潜在的权限提升:
esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"Discovered a potential path to change privileges:user/PowerUser can change privileges because:user/PowerUser can access role/EC2Role-Admin because: user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Adminand role/EC2Role-Admin can change its own privileges.
许可证协议
本项目的开发与发布遵循AGPL-3.0开源许可协议。
项目地址
PMapper
https://github.com/nccgroup/PMapper

原文始发于微信公众号(FreeBuf):PMapper:助你在AWS中实现IAM权限快速安全评估

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年5月18日09:39:38
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   PMapper:助你在AWS中实现IAM权限快速安全评估http://cn-sec.com/archives/2752859.html

发表评论

匿名网友 填写信息