PMapper: Fast Security Assessment of IAM Permissions in AWS

admin, 2024-05-18 09:39:38

PMapper is a powerful script tool; it is essentially a Python-based script/library that helps researchers identify risky IAM configurations in an AWS account or AWS Organization and quickly evaluate IAM permissions.


PMapper models the IAM users and roles in a target AWS account as a directed graph, which lets researchers examine privilege escalation and the alternative paths an attacker could take to reach AWS resources or actions. PMapper also provides a query mechanism that uses a local simulation of AWS authorization behavior: when a query is run to determine whether a principal is authorized for an action/resource, PMapper also checks whether that user or role can access other users or roles that are authorized for that action/resource.
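To make the graph model and the transitive query semantics concrete, here is an added Python example (not PMapper's own code). It builds a small constructed graph in the style of the sample [NODES]/[EDGES] output shown later on this page and resolves a "who can do" query and privilege-escalation paths by following edges; the principal names, edge types and allowed actions are constructed for illustration.

```python
from collections import deque
# Constructed subset of the page's sample graph (not real account data):
# principal -> actions its own policies allow directly; "*" marks an admin.
DIRECT_ALLOWS = {
    "user/AdminUser": {"*"},
    "user/EC2Manager": {"ec2:RunInstances", "iam:PassRole"},
    "user/PowerUser": {"ec2:RunInstances", "iam:PassRole", "sts:AssumeRole"},
    "user/S3ReadOnly": {"s3:GetObject"},
    "role/EC2Role-Admin": {"*"},
    "role/EC2WithS3ReadOnly": {"s3:GetObject"},
    "role/UpdateCredentials": {"iam:CreateAccessKey"},
}
EDGES = [  # constructed (source, destination, edge type), as in the sample [EDGES] output
    ("user/EC2Manager", "role/EC2Role-Admin", "EC2_USEPROFILE"),
    ("user/PowerUser", "role/EC2Role-Admin", "EC2_USEPROFILE"),
    ("user/PowerUser", "role/AssumableRole", "STS_ASSUMEROLE"),
    ("role/UpdateCredentials", "user/AdminUser", "IAM_CREATEKEY"),
]
def is_admin(principal):
    return "*" in DIRECT_ALLOWS.get(principal, set())
def can_directly(principal, action):
    return is_admin(principal) or action in DIRECT_ALLOWS.get(principal, set())
def reachable(start):
    """BFS over EDGES: every principal reachable from start -> the (shortest) edge chain used."""
    paths, queue = {}, deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        for src, dst, kind in EDGES:
            if src == node and dst not in paths and dst != start:
                paths[dst] = path + [(src, dst, kind)]
                queue.append((dst, paths[dst]))
    return paths
def who_can_do(action):
    """Like 'pmapper query "who can do <action>"': principal -> [] for direct access,
    else the hop chain to the first reachable principal that has it; no route -> omitted."""
    result = {}
    for principal in DIRECT_ALLOWS:
        if can_directly(principal, action):
            result[principal] = []
        else:
            hops = [(t, p) for t, p in reachable(principal).items() if can_directly(t, action)]
            if hops:
                result[principal] = hops[0][1]
    return result
def privesc_paths():
    """Like 'preset privesc *': non-admin principals that can reach an admin, with the path."""
    return {p: path for p in DIRECT_ALLOWS if not is_admin(p)
            for t, path in reachable(p).items() if is_admin(t)}
```

Running `who_can_do("s3:GetObject")` reports user/EC2Manager as able to read objects through role/EC2Role-Admin, matching the "through role/EC2Role-Admin" lines in the sample query output, and `privesc_paths()` flags the same user/PowerUser path the sample privesc query finds.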

Requirements
PMapper requires Python 3.5+ and is built on the botocore library. It also depends on pydot and graphviz: pydot can be installed with pip, and graphviz builds for Windows, macOS and Linux are available at:
https://graphviz.org/
Installation
Because the tool is developed on Python 3.5, first install and configure a Python 3.5+ environment on your machine. Then download and install the tool using one of the methods below.

Installing with pip

pip install principalmapper

Installing from source

First, clone the project source to your machine:
git clone git@github.com:nccgroup/PMapper.git
Then install the tool with pip:
cd PMapper
pip install .

Using Docker

After cloning the source, switch into the project directory and run:
cd PMapper
docker build -t $TAG .
docker run -it $TAG
When invoking docker run ..., you can pass AWS_* environment variables with -e|--env or --env-file, or mount your ~/.aws/ directory with -v and set the AWS_CONFIG_FILE and AWS_SHARED_CREDENTIALS_FILE environment variables.
Usage
Create a directed graph for the target account, with access configured through the AWS CLI:
$ pmapper --profile skywalker graph create
# [... graph-creation output goes here ...]
Run a query to see who can create IAM users:
$ pmapper --profile skywalker query 'who can do iam:CreateUser'
# [... query output goes here ...]
Run a query to see who can launch a resource-heavy EC2 instance (skipping admin users):
$ pmapper --account 000000000000 argquery -s --action 'ec2:RunInstances' --condition 'ec2:InstanceType=c6gd.16xlarge'
# [... query output goes here ...]
Run the privilege-escalation preset query, skipping reports for principals that are already admins:
$ pmapper --account 000000000000 query -s 'preset privesc *'
# [... privesc report goes here ...]
Create an SVG visualization of the access graph for the target account:
$ pmapper --account 000000000000 visualize --filetype svg
# [... information output goes here, file created ...]
Below is an example of a visualized directed graph:
[Figure: full visualization of an account's access graph (image not preserved)]
The result generated with the --only-privesc option looks like this:
[Figure: visualization restricted to privilege-escalation edges (image not preserved)]
Sample output
Pulling a graph:
esteringer@ubuntu:~/Documents/projects/Skywalker$ python pmapper.py graph
Using profile: skywalker
Pulling data for account [REDACTED]
Using principal with ARN arn:aws:iam::[REDACTED]:user/TestingSkywalker
[+] Starting EC2 checks.
[+] Starting IAM checks.
[+] Starting Lambda checks.
[+] Starting CloudFormation checks.
[+] Completed CloudFormation checks.
[+] Completed EC2 checks.
[+] Completed Lambda checks.
[+] Completed IAM checks.
Created an AWS Graph with 16 nodes and 53 edges
[NODES]
AWSNode("arn:aws:iam::[REDACTED]:user/AdminUser", properties={u'is_admin': True, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/EC2Manager", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaDeveloper", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/LambdaFullAccess", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/PowerUser", properties={u'is_admin': False, u'rootstr': u'arn:aws:iam::[REDACTED]:root', u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ManagementUser", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/S3ReadOnly", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:user/TestingSkywalker", properties={u'is_admin': False, u'type': u'user'})
AWSNode("arn:aws:iam::[REDACTED]:role/AssumableRole", properties={u'is_admin': False, u'type': u'role', u'name': u'AssumableRole'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2-Fleet-Manager", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2-Fleet-Manager'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2Role-Admin", properties={u'is_admin': True, u'type': u'role', u'name': u'EC2Role-Admin'})
AWSNode("arn:aws:iam::[REDACTED]:role/EC2WithS3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'EC2WithS3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/EMR-Service-Role", properties={u'is_admin': False, u'type': u'role', u'name': u'EMR-Service-Role'})
AWSNode("arn:aws:iam::[REDACTED]:role/LambdaRole-S3ReadOnly", properties={u'is_admin': False, u'type': u'role', u'name': u'LambdaRole-S3ReadOnly'})
AWSNode("arn:aws:iam::[REDACTED]:role/ReadOnlyWithLambda", properties={u'is_admin': False, u'type': u'role', u'name': u'ReadOnlyWithLambda'})
AWSNode("arn:aws:iam::[REDACTED]:role/UpdateCredentials", properties={u'is_admin': False, u'type': u'role', u'name': u'UpdateCredentials'})
[EDGES]
(0,1,'ADMIN','can use existing administrative privileges to access')
(0,2,'ADMIN','can use existing administrative privileges to access')
(0,3,'ADMIN','can use existing administrative privileges to access')
(0,4,'ADMIN','can use existing administrative privileges to access')
(0,5,'ADMIN','can use existing administrative privileges to access')
(0,6,'ADMIN','can use existing administrative privileges to access')
(0,7,'ADMIN','can use existing administrative privileges to access')
(0,8,'ADMIN','can use existing administrative privileges to access')
(0,9,'ADMIN','can use existing administrative privileges to access')
(0,10,'ADMIN','can use existing administrative privileges to access')
(0,11,'ADMIN','can use existing administrative privileges to access')
(0,12,'ADMIN','can use existing administrative privileges to access')
(0,13,'ADMIN','can use existing administrative privileges to access')
(0,14,'ADMIN','can use existing administrative privileges to access')
(0,15,'ADMIN','can use existing administrative privileges to access')
(10,0,'ADMIN','can use existing administrative privileges to access')
(10,1,'ADMIN','can use existing administrative privileges to access')
(10,2,'ADMIN','can use existing administrative privileges to access')
(10,3,'ADMIN','can use existing administrative privileges to access')
(10,4,'ADMIN','can use existing administrative privileges to access')
(10,5,'ADMIN','can use existing administrative privileges to access')
(10,6,'ADMIN','can use existing administrative privileges to access')
(10,7,'ADMIN','can use existing administrative privileges to access')
(10,8,'ADMIN','can use existing administrative privileges to access')
(10,9,'ADMIN','can use existing administrative privileges to access')
(10,11,'ADMIN','can use existing administrative privileges to access')
(10,12,'ADMIN','can use existing administrative privileges to access')
(10,13,'ADMIN','can use existing administrative privileges to access')
(10,14,'ADMIN','can use existing administrative privileges to access')
(10,15,'ADMIN','can use existing administrative privileges to access')
(1,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(1,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,9,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(3,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(3,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,10,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,13,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(9,11,'EC2_USEPROFILE','can create an EC2 instance and use an existing instance profile to access')
(4,8,'STS_ASSUMEROLE','can use STS to assume the role')
(4,14,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(4,15,'LAMBDA_CREATEFUNCTION','can create a Lambda function and pass an execution role to access')
(15,0,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,1,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,2,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,3,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,4,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,5,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,6,'IAM_CREATEKEY','can create access keys with IAM to access')
(15,7,'IAM_CREATEKEY','can create access keys with IAM to access')
Querying the graph:
esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "who can do s3:GetObject with *"
user/AdminUser can do s3:GetObject with *
user/EC2Manager can do s3:GetObject with * through role/EC2Role-Admin
user/EC2Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
user/LambdaFullAccess can do s3:GetObject with *
user/PowerUser can do s3:GetObject with *
user/S3ManagementUser can do s3:GetObject with *
user/S3ReadOnly can do s3:GetObject with *
user/TestingSkywalker can do s3:GetObject with *
role/EC2-Fleet-Manager can do s3:GetObject with * through role/EC2Role-Admin
role/EC2-Fleet-Manager can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
role/EC2Role-Admin can do s3:GetObject with *
role/EC2Role-Admin can do s3:GetObject with *
role/EC2WithS3ReadOnly can do s3:GetObject with *
role/EMR-Service-Role can do s3:GetObject with *
role/LambdaRole-S3ReadOnly can do s3:GetObject with *
role/UpdateCredentials can do s3:GetObject with * through user/AdminUser
role/UpdateCredentials can create access keys with IAM to access user/AdminUser
user/AdminUser can do s3:GetObject with *
Identifying potential privilege escalation:
esteringer@ubuntu:~/Documents/projects/Skywalker$ ./pmapper.py --profile skywalker query "preset priv_esc user/PowerUser"
Discovered a potential path to change privileges:
user/PowerUser can change privileges because:
user/PowerUser can access role/EC2Role-Admin because:
user/PowerUser can create an EC2 instance and use an existing instance profile to access role/EC2Role-Admin
and role/EC2Role-Admin can change its own privileges.
License
This project is developed and released under the AGPL-3.0 open-source license.
Project address
PMapper: https://github.com/nccgroup/PMapper

Originally published on the WeChat official account FreeBuf: PMapper: Fast Security Assessment of IAM Permissions in AWS

Reposted by CN-SEC中文网 (please retain this link when reposting): https://cn-sec.com/archives/2752859.html