CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
Bug fixes.
api_endpoints command as that hasn't been working due to the needed data for it not existing. Various bug fixes. Allows web hosting to use a relative path.
Thanks to:
public
a single json array as opposed to individual json blobs (#504)
Adds ability to find_admins to look for arbitrary privileges. For example, to find users and roles that can list what S3 buckets exist in an account or list the contents of S3 buckets use:
python cloudmapper.py find_admins --account test --privs s3:ListAllMyBuckets,s3:ListBucket
Also adds a json output flag --json. This is not too useful now; one day I'd like to include extra info, such as which of the actions have been granted and what policies granted it.
Also adds a flag --include_restricted to include principals that have one of the privileges, but with a resource other than * or a condition set. The default is not to show principals with these restrictions. IAM policies are complicated so both techniques potentially have false positives based on your interests. For example, if iam:* is only allowed when MFA is enabled, an IAM user with this policy would not show up by default, but would if --include_restricted was passed.
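The distinction the release note draws, between a privilege granted outright and one limited by a Resource other than * or by a Condition, can be checked directly against IAM policy documents. The following is an added example written for this page, not CloudMapper's own find_admins implementation; the policy documents, principal names and the {name: [policy, ...]} input shape are constructed for illustration, and the evaluation is deliberately simplified (identity policies only, no SCPs or resource policies), which is the kind of false-positive trade-off the note mentions.

```python
"""Added example, not CloudMapper's own code: check which principals hold any
of a set of IAM privileges, and whether each grant is unrestricted or limited
by a Resource other than "*" or by a Condition. All policy documents and
principal names below are constructed for illustration."""
import fnmatch
import json


def _as_list(value):
    # IAM accepts either a string or a list for Action, NotAction and Resource.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action patterns are case-insensitive and support the '*' wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) applies to this action."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def _is_restricted(stmt):
    # Restricted means: Resource is not exactly "*" (NotResource counts too),
    # or any Condition block is present, e.g. aws:MultiFactorAuthPresent.
    return "*" not in _as_list(stmt.get("Resource")) or bool(stmt.get("Condition"))


def check_privilege(policies, action):
    """Return "unrestricted", "restricted" or None for one action across all
    of a principal's policy documents. Simplification (assumption): an
    unrestricted explicit Deny cancels the grant; a restricted Deny downgrades
    it to "restricted"; resource-based policies and SCPs are not considered."""
    stmts = [s for p in policies for s in _as_list(p.get("Statement"))]
    matching = [s for s in stmts if _statement_covers(s, action)]
    denies = [s for s in matching if s.get("Effect") == "Deny"]
    allows = [s for s in matching if s.get("Effect") == "Allow"]
    if any(not _is_restricted(s) for s in denies) or not allows:
        return None
    if not denies and any(not _is_restricted(s) for s in allows):
        return "unrestricted"
    return "restricted"


def find_principals(principals, privs, include_restricted=False):
    """Map each principal holding any of `privs` to {priv: status}.

    `principals` is {name: [policy_document, ...]}, a constructed input shape
    rather than CloudMapper's collected data. By default only unrestricted
    grants count, mirroring the release note; include_restricted=True also
    reports grants limited by Resource or Condition."""
    found = {}
    for name, policies in principals.items():
        grants = {}
        for priv in privs:
            status = check_privilege(policies, priv)
            if status == "unrestricted" or (status == "restricted" and include_restricted):
                grants[priv] = status
        if grants:
            found[name] = grants
    return found


# Constructed sample policies.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_LIST_ACCOUNT = {"Statement": [{"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]}
S3_ONE_BUCKET = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                                "Resource": "arn:aws:s3:::example-bucket"}]}
IAM_WITH_MFA = {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*",
                               "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
DENY_S3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

PRINCIPALS = {
    "role/admin": [ADMIN],
    "user/auditor": [S3_LIST_ACCOUNT, S3_ONE_BUCKET],
    "user/ops-mfa": [IAM_WITH_MFA],
    "role/no-s3": [ADMIN, DENY_S3],
}

if __name__ == "__main__":
    privs = ["s3:ListAllMyBuckets", "s3:ListBucket"]
    print(json.dumps(find_principals(PRINCIPALS, privs, include_restricted=True), indent=2))
```

With the default, user/auditor is reported only for s3:ListAllMyBuckets, because its s3:ListBucket grant is scoped to one bucket; with include_restricted it is reported for both, and user/ops-mfa (iam:* behind an MFA condition) appears only with the flag, matching the behaviour the note describes.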
find_unused now leverages some aspects of the network graph in order to better determine what Security Groups are actually unused. This was necessary for identifying Lambdas specifically as discussed in #486.
New command find_unused returns json to identify the unused security groups, elastic IPs, network interfaces, and volumes.
Also trying to view the network graph without running prepare now shows an error. Thanks @yoava333 !
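As an added example of the kind of check find_unused performs (this is illustrative code written for this page, not CloudMapper's implementation, and its rule set is an assumption): a security group is treated as used if a network interface in use carries it, or if a used group's rule references it, so a group attached only to a Lambda function's VPC ENI counts as used without any special case. The describe-* style records below are constructed sample data.

```python
"""Added example (not CloudMapper's own code): report security groups, network
interfaces, Elastic IPs and EBS volumes that nothing uses, from records shaped
like the EC2 describe-* API responses. All input below is constructed."""
import json


def _referenced_groups(sg):
    """Security group IDs named as sources/destinations in sg's rules."""
    refs = set()
    for perm in sg.get("IpPermissions", []) + sg.get("IpPermissionsEgress", []):
        for pair in perm.get("UserIdGroupPairs", []):
            refs.add(pair["GroupId"])
    return refs


def unused_security_groups(security_groups, network_interfaces):
    """A group is in use if an in-use ENI carries it, or if it is referenced
    by the rules of a group that is in use (deleting it would break that
    rule). Lambda functions in a VPC get their own ENIs, which appear in
    describe-network-interfaces like any other, so they need no special case.
    """
    by_id = {sg["GroupId"]: sg for sg in security_groups}
    used = {g["GroupId"]
            for eni in network_interfaces if eni.get("Status") == "in-use"
            for g in eni.get("Groups", [])}
    # Follow rule references transitively from the attached groups.
    frontier = list(used)
    while frontier:
        gid = frontier.pop()
        for ref in _referenced_groups(by_id.get(gid, {})):
            if ref not in used:
                used.add(ref)
                frontier.append(ref)
    return sorted(gid for gid in by_id if gid not in used)


def find_unused(security_groups, network_interfaces, addresses, volumes):
    """Assemble the json-style summary of unused resources."""
    return {
        "unused_security_groups": unused_security_groups(security_groups, network_interfaces),
        # An ENI that is not attached to anything reports Status "available".
        "unused_network_interfaces": sorted(
            e["NetworkInterfaceId"] for e in network_interfaces if e.get("Status") == "available"),
        # An Elastic IP that is not associated with anything has no AssociationId.
        "unused_elastic_ips": sorted(a["PublicIp"] for a in addresses if "AssociationId" not in a),
        # A detached EBS volume reports State "available".
        "unused_volumes": sorted(v["VolumeId"] for v in volumes if v.get("State") == "available"),
    }


# Constructed sample data: sg-lb is used only via sg-web's ingress rule,
# sg-lambda only via a Lambda ENI, sg-stale only via an unattached ENI, and
# sg-db references sg-web but nothing uses sg-db itself.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "UserIdGroupPairs": [{"GroupId": "sg-lb"}]}]},
    {"GroupId": "sg-lb", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-lambda", "IpPermissions": [], "IpPermissionsEgress": []},
    {"GroupId": "sg-db", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-stale", "IpPermissions": [], "IpPermissionsEgress": []},
]
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-web", "Status": "in-use", "InterfaceType": "interface",
     "Groups": [{"GroupId": "sg-web"}]},
    {"NetworkInterfaceId": "eni-fn", "Status": "in-use", "InterfaceType": "lambda",
     "Groups": [{"GroupId": "sg-lambda"}]},
    {"NetworkInterfaceId": "eni-orphan", "Status": "available", "InterfaceType": "interface",
     "Groups": [{"GroupId": "sg-stale"}]},
]
ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-a", "AssociationId": "eipassoc-a"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-b"},
]
VOLUMES = [
    {"VolumeId": "vol-root", "State": "in-use"},
    {"VolumeId": "vol-old", "State": "available"},
]

if __name__ == "__main__":
    print(json.dumps(find_unused(SECURITY_GROUPS, NETWORK_INTERFACES, ADDRESSES, VOLUMES), indent=2))
```

Note the direction of references matters: sg-db allowing traffic from sg-web does not make sg-db used, whereas sg-web allowing traffic from sg-lb keeps sg-lb alive, since deleting sg-lb would break sg-web's rule.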
Bug fixes for #307, #410, #447, #442, and #444
Ran python/black on it to set the formatting: https://github.com/python/black
report