Awspx Versions Save
A graph-based tool for visualizing effective access and resource relationships in AWS environments.
v1.3.4
2 years agoBug Fixes
- Fixes inoperable UI redact
selection
- Fixes UI database URI generation issue with non-standard ports
- Fixes UI search highlighting
- Fixes
profile --createcreation bug - Fixes unhandled IllegalLocationConstraintException and UnauthorizedOperation ingestion exceptions
- Fixes unhandled error when EC2 instance user data is unavailable (thanks @bytebutcher)
- Fixes inability to load multiline CSV data
- Fixes erroneous non-dependent source node attack exclusion
- Fixes Grants and CreateAction attack definition option interoperability
- Fixes attack computation off-by-one logic error
- Fixes ignored action conditions in attack definition Cypher values
- Fixes discovered attacks tally
- Fixes inadvertent Generic Policy deletion
- Fixes console message style overlap
Improvements
- Upgrades Neo4j from 3.5.13 to 4.3.2
- Adds Neo4j APOC support
- Updates Ingestor resource model logic
- Adds NatGateway EC2 ingestion support
- Adds EC2 PlacementGroup Instance associations
- Removes redundant RouteTable associations
- Adds explicit Admin relationship to all resources
- Adds UI search re-add and resource selection functionality
- Adds UI tag-based resource searching
- Adds UI PermissionsBoundary property resolution and edge stylization
- Updates dynamic graph stylization
- Adds AffectsGeneric attack definition option
- Adds ordering by
--only-attacksif specified - Adds support for list-based attack definition Descriptions
- Standardizes CreatePolicy attack logic
- Adds caching logic for attack definition translation
- Removes profile notice from
--verbose - Adds console tasklist support for function-based wait and done parameters
- Adds UI search visibility toggling using Ctrl + s
Other Changes
- Defaults ingestion to
--verbose(graphical output replaced with--pretty) - Updates UI graph defaults to display unknown nodes and edges
- Updates attack placeholder syntax from
${A}.Bto${A.B} - Updates attack pruning to remove patterns with outdegree 0
- Updates UI path searching to incorporate weight (deprecates some attack pruning logic)
- Removes Domain principal exclusion
- Removes legacy Grants option from CreateRole attack definition
- Removes User Depends from CreateGroup attack definition
- Updates attack definition placeholder regex
- Updates the ARN for Effective Admin
- Updates the hotkey for running an advanced query to Ctrl + enter
- Fixes spelling mistake in
cli.py(thanks @dmyates)
v1.3.3
3 years agoBug Fixes
- Fixes
KeyErrorarising from SessionClientWrapper empty result set - Fixes
--databaseingestion input validation - Fixes resource-based policy principal
IndexError(#41) - Fixes Bucket ACLs
Improvements
- Adds resource-based policy
OidcProviderPrincipal support - Adds
zlabel to docker volume mount options (#43) (thanks @unsubtleguy) - Adds ExternalID support to
--assume-roleingestion (thanks @dmyates) - Improve collection manager logic
- Add support for
?expressions in resource-level permissions
Other Changes
- Add support for
richv10 - Update action and resource definitions
- Update web action properties
v1.3.2
3 years agov1.3.1
3 years agoBug Fixes
- Fixes Neo4j occasionally failing to start during ingestion
- Fixes S3 error handling (client AccessDenied exceptions no longer fatal)
- Fixes Document modifications added during parsing
- Fixes critical log message truncation
- Fixes UpdateRole attack commands
Improvements
- Updates base ingestor resource model
- Adds
awspxcontainer checks - Defers node property deletion to Transitive creation
Other Changes
- Adds preliminary support for multiple ZIPs (#34)
- Allows new database names with
awspx ingest - Refactors
policy.py - Update filtered resource log messages
- Removes
list_user_mfa_devicesfrom IAM with--quick - Logs Policy/action resolution details
- Updates error, warning, and critical log styles
- Disables console task description line wrapping
v1.3.0
3 years agoNew Features
- Adds Dockerfile (#29)
- Adds UI Database options
- Adds IAM ingestion support for MFA devices
- Adds MFA support for CLI (#33) - thanks @dmyates!
Bug Fixes
- Fixes installation failure (#35)
- Fixes misidentified group relationships
- Fixes ARN and Resource Type filtering
- Fixes false positive node casts
- Fixes Ctrl event bug
- Fixes fallback Resource image
- Fixes redundant DescribeInstanceAttribute request
- Fixes Principal list index out of range error
Improvements
- Improves CLI aesthetics
- Adds attack pruning logic: retains the shortest paths only
- Updates attack edge creation logic: if an admin path exists in a set, don't create the others
- Adds
IngestionManager: decouplesIAMingestor - Rewrite base
Ingestor: skips disqualified collections in advance - Standardizes
IAM,S3,EC2, andLambdaclasses - Improves CLI logging
Other Changes
- Removes attacks affecting generic resources
- Adds
Profileclass (moved fromcli.py) - Converts
AttacksandNeo4jfrom static to dynamic classes - Adds
--verboseCLI option todbandattacks - Updates regions
v1.2.2
3 years agov1.2.0
3 years agoNew Features
- Adds Advanced Search
- Adds Graph Menu Options
- Adds support for actions that affect undocumented resource types (i.e. CatchAll).
- Adds
$PATHcheck and helper function toINSTALL. - Adds CLI options:
--update,--assume-role-duration, and--quick. - Adds Action
Condition KeysandDependent Actionsproperties. - Adds Wiki and updates
README.md.
Bug Fixes
- Fixes assume role duration exceeded exception (default reduced from 7200 to 3600 seconds).
- Fixes issue with policies comprising of multiple
Federatedprincipals - Fixes false positives for mutable actions affecting built-in managed policies.
Improvements
- Updates
awspxCLI output, argument names and descriptions. - Updates
ACTIONSandRESOURCESdictionaries. - Updates
ATTACKSdictionary formatting and execution steps. - Updates
nodejspackages. - Updates
sample.zipdataset. - Updates web interface cosmetics.
Other Changes
- Removes
update_actions.py,CONTRIBUTING.md, andimagesdirectory content.