CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
The main improvement is to update the packages and hopefully fix some of the package issues on install. As a result of updating botocore, CloudMapper now recognizes that ap-northeast-3 is a valid region to collect from.
Since the last release, some of the biggest changes are:
Lots of smaller bug fixes and improvements by a number of folks.
Major features:
Bug fixes and other:
Major changes:
Other changes
Upgrades the CDK to avoid AWS warnings about an old Lambda runtime, which was being used by the CDK helper functions.
Upgrades Parliament.
Adds the access_check command, a proof-of-concept feature that I don't have time to work much more on right now. The concept is that, given a resource (such as an S3 bucket), it identifies all of the IAM users and roles that have access to that resource. The resource ARN can contain wildcards. It takes both the IAM policies and the IAM permission boundaries of the principals into consideration, but not resource policies or SCPs. You can further scope the check to a specific IAM privilege. Principal tags are also taken into account when evaluating IAM conditions.
This ends up not doing exactly what you might want: if you specify an S3 bucket, it identifies only those privileges that act on S3 buckets, not on S3 objects. Further, if you specify an EC2 instance, it doesn't consider the security groups, VPCs, etc. that are also very relevant to the question of who can impact that instance.
The handling of IAM conditions is also fairly incomplete, especially because it doesn't consider resource tags or any resource-specific variables.
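The following is an added example, not CloudMapper's own access_check code, of the evaluation a query like the one described above has to perform: for a resource ARN and an IAM privilege, which principals are allowed, considering only identity policies, permissions boundaries and aws:PrincipalTag conditions. Resource policies, SCPs, resource tags and policy variables are ignored, which mirrors the limitations listed above. The principal names, policies and tags are constructed sample data, and the wildcard-overlap test is an approximation chosen for this example.

```python
"""Minimal model of an access_check-style query (added example, not
CloudMapper's code). Identity policies and permissions boundaries are
evaluated; resource policies and SCPs are not. All data below is constructed."""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ci=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ci else 0) is not None


def _overlap(policy_pattern, query_pattern, ci=False):
    """Both the policy element and the query may hold wildcards (the query ARN
    may be e.g. arn:aws:s3:::prod-*). Two globs overlap exactly when some string
    matches both; this approximates that by testing each pattern against the
    other taken literally, which is sufficient for ARN prefix patterns."""
    return _glob(policy_pattern, query_pattern, ci) or _glob(query_pattern, policy_pattern, ci)


def _condition_holds(condition, principal_tags):
    """Only StringEquals/StringLike on aws:PrincipalTag/<key> are modelled. Any
    other operator or key makes the statement not match, which drops conditional
    Allows (conservative) and conditional Denies (optimistic)."""
    for operator, clauses in condition.items():
        for key, wanted in clauses.items():
            if not key.lower().startswith("aws:principaltag/"):
                return False
            actual = principal_tags.get(key.split("/", 1)[1])
            if actual is None:
                return False
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(_glob(w, actual) for w in wanted)
            else:
                ok = False
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, principal_tags):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_overlap(a, action, ci=True) for a in actions)
            and any(_overlap(r, resource) for r in resources)
            and _condition_holds(stmt.get("Condition", {}), principal_tags))


def _evaluate(statements, action, resource, principal_tags):
    """Return 'deny', 'allow' or 'implicit_deny'; an explicit Deny wins over any Allow."""
    verdict = "implicit_deny"
    for stmt in statements:
        if not _statement_matches(stmt, action, resource, principal_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        verdict = "allow"
    return verdict


def principal_has_access(principal, action, resource):
    """Identity policies must allow; an attached permissions boundary must allow
    as well, since a boundary can only ever narrow the identity policies."""
    tags = principal.get("tags", {})
    if _evaluate(principal["policy"], action, resource, tags) != "allow":
        return False
    boundary = principal.get("boundary")
    if boundary is None:
        return True
    return _evaluate(boundary, action, resource, tags) == "allow"


def principals_with_access(principals, resource, action):
    """Sorted names of the principals able to perform `action` on `resource`."""
    return sorted(p["name"] for p in principals if principal_has_access(p, action, resource))


TAG_SCOPED_S3 = [{"Effect": "Allow", "Action": "s3:*", "Resource": "*",
                  "Condition": {"StringEquals": {"aws:PrincipalTag/team": "blue"}}}]

# Constructed sample principals with hypothetical names.
SAMPLE_PRINCIPALS = [
    {"name": "role/app-reader", "tags": {},
     "policy": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                 "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]}]},
    # Admin identity policy, but a boundary that only permits EC2 actions.
    {"name": "user/alice", "tags": {},
     "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
     "boundary": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    # Same tag-conditioned policy on two roles; only the matching tag passes.
    {"name": "role/team-blue", "tags": {"team": "blue"}, "policy": TAG_SCOPED_S3},
    {"name": "role/team-red", "tags": {"team": "red"}, "policy": TAG_SCOPED_S3},
    # Broad Allow cancelled by an explicit Deny on the prod bucket.
    {"name": "user/bob", "tags": {},
     "policy": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::prod-data*"}]},
]

if __name__ == "__main__":
    print(principals_with_access(SAMPLE_PRINCIPALS, "arn:aws:s3:::prod-data", "s3:ListBucket"))
    print(principals_with_access(SAMPLE_PRINCIPALS, "arn:aws:s3:::prod-*", "s3:GetObject"))
```

Both queries return only role/app-reader and role/team-blue: alice is cut down by her boundary, team-red fails the tag condition, and bob's explicit Deny wins. Because the bucket ARN is matched literally, a query for the bucket never finds privileges that only act on object ARNs (arn:aws:s3:::prod-data/*), which is the bucket-versus-object gap described above.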
Adds parliament (https://github.com/duo-labs/parliament) for linting.
Also minor updates for the following:
Minor version bump to fix an issue that showed essentially the same finding twice: when an EC2 role had admin privileges, it was also being listed as an S3 exfiller. Also whitelisted Macie to avoid it being listed as an S3 exfiller.
When an admin is identified that can be assumed by a service, such as EC2, this is now its own finding (High severity).
Similarly, if a principal can list the S3 buckets in the account and exfil data from them, and this is an EC2 instance, this is now its own finding (High severity). This could create high severity alerts more often than I think it should. It is checking for s3:ListAllMyBuckets and s3:GetObject. Please let me know if it does flag things you have legit reasons for and what the situation is where this is ok.
There is also now an ability to filter findings by severity, so if you only wanted to send High severity alerts to Slack, but still have your nightly auditor generate a report with any Medium, Low, or Info level alerts, you can do that now.
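As an added example (not CloudMapper's own audit code) of the findings logic described in the notes above: each role's trust policy is checked for the EC2 service principal, an admin role assumable by EC2 becomes one High finding and is not reported a second time as an S3 exfiller, a role that can both s3:ListAllMyBuckets and s3:GetObject becomes an exfiltration finding unless it belongs to a whitelisted service such as Macie, and the result list is filtered by severity. The Medium severity used for non-EC2 cases, the finding type names, the simplified admin test and all role data are assumptions made for this example.

```python
"""Findings classification and severity filter (added example, not
CloudMapper's code). Roles, trust policies and severities for the non-EC2
cases are constructed/assumed for illustration."""
import re

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}
EXFIL_WHITELIST = {"macie.amazonaws.com"}  # services that read S3 by design
EXFIL_ACTIONS = ("s3:ListAllMyBuckets", "s3:GetObject")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM action wildcard match (case-insensitive)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def action_allowed(statements, action):
    """Coarse check over a role's policy statements: an explicit Deny wins,
    otherwise any matching Allow grants the action. Resources are ignored,
    which is exact for s3:ListAllMyBuckets (it only accepts Resource '*')."""
    allowed = False
    for stmt in statements:
        if any(_glob(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def assumable_by_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role."""
    services = set()
    for stmt in trust_policy:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


def is_admin(statements):
    # Simplified admin test (assumption): an Allow whose Action covers every action.
    return action_allowed(statements, "*")


def audit_role(role):
    findings = []
    services = assumable_by_services(role["trust"])
    by_ec2 = "ec2.amazonaws.com" in services
    if is_admin(role["policy"]):
        findings.append({"role": role["name"], "finding": "ADMIN_ROLE",
                         "severity": "High" if by_ec2 else "Medium"})
        return findings  # an admin can trivially read S3; do not report it twice
    if all(action_allowed(role["policy"], a) for a in EXFIL_ACTIONS):
        if services and services <= EXFIL_WHITELIST:
            return findings  # e.g. Macie: reads buckets by design
        findings.append({"role": role["name"], "finding": "S3_EXFIL",
                         "severity": "High" if by_ec2 else "Medium"})
    return findings


def audit_roles(roles):
    return [f for role in roles for f in audit_role(role)]


def filter_findings(findings, minimum):
    """Keep findings at or above `minimum` severity ('Info' keeps everything)."""
    floor = SEVERITY_RANK[minimum]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def _trust(principal):
    return [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}]


S3_READ = [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"}]

# Constructed sample roles with hypothetical names.
SAMPLE_ROLES = [
    {"name": "ec2-admin", "trust": _trust({"Service": "ec2.amazonaws.com"}),
     "policy": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"name": "ec2-s3-reader", "trust": _trust({"Service": "ec2.amazonaws.com"}), "policy": S3_READ},
    {"name": "macie-role", "trust": _trust({"Service": "macie.amazonaws.com"}), "policy": S3_READ},
    {"name": "cross-account-s3-reader",
     "trust": _trust({"AWS": "arn:aws:iam::123456789012:root"}), "policy": S3_READ},
    {"name": "ec2-object-only", "trust": _trust({"Service": "ec2.amazonaws.com"}),
     "policy": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
]

if __name__ == "__main__":
    found = audit_roles(SAMPLE_ROLES)
    for finding in filter_findings(found, "High"):  # what would go to Slack
        print(finding)
    print(len(found), "findings in total for the nightly report")
```

Run as-is, the sample produces three findings (ec2-admin High, ec2-s3-reader High, cross-account-s3-reader Medium); the High filter keeps two, the Macie role is skipped by the whitelist, and the role with only s3:GetObject produces nothing because it cannot enumerate buckets.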
Ability to run as a nightly auditor added in #562.
Blog post: https://duo.com/blog/continuous-auditing-with-cloudmapper
Description of how to use at https://github.com/duo-labs/cloudmapper/blob/master/auditor/README.md
- find_unused (#558)
- sg_ips command (#530)
- sts:AssumeRoleWithWebIdentity is seen (#553)