A tool for quickly evaluating IAM permissions in AWS.
This is a minor update to PMapper. It should be compatible with graphs from v1.1.X, but we recommend creating new graphs to take advantage of additional checks and fixes.

- wrongadmin preset query. This query identifies principals that have admin-level permissions but do not have the AdministratorAccess managed policy (or an equivalent inline policy) attached to them. It covers the risk of users/roles being unintentionally granted a combination of permissions that would let them give themselves unlimited permissions in the account.

This is a minor update to PMapper. It should be compatible with graphs from v1.1.X, but we recommend creating new graphs to take advantage of additional checks and fixes.

- serviceaccess preset query, reporting which services can access which roles (thanks @Kamerabuilt!)
- orgs CLI command output (thanks @sethsec-bf!)
- cloudformation:UpdateStack paths (thanks @sethsec-bf!)

This is a minor update to Principal Mapper. All graphs generated in v1.1.0, v1.1.1, and v1.1.2 should be compatible with v1.1.3, but we recommend you recreate your graphs to take advantage of additional checks and fixes.

- Handling of NotPrincipal, and of * for Principal, in resource policies
- --with-resource-policy for the query and argquery components, with respect to IAM Role trust docs
- Use of the searchable_name method (from Node) instead of splitting ARNs

Potentially breaking changes:

- query_utils.pull_cached_resource_policy_by_arn now requires a Graph to be passed as the first argument instead of a list of Policy objects. This potentially breaking change had to be made to enable correct handling of resource policies for IAM Roles (trust docs).
- local_policy_simulation functions now expect a CaseInsensitiveDict (defined in principalmapper.util.case_insensitive_dict) rather than a plain dict. This potentially breaking change had to be made to enable correct handling of condition context keys with case-insensitivity.
- query_interface functions now expect that you do not have duplicates of context keys in condition_keys_to_check and related params. This is to enable correct handling of condition context keys with case-insensitivity; these functions may now raise ValueError if duplicates are present. All functions should have updated typing for the params to point to the expected input types. Note that the _UODict type is simply Union[dict, CaseInsensitiveDict] and indicates where both are allowed.

This is a minor update to Principal Mapper. All graphs generated in v1.1.0 and v1.1.1 should be compatible with v1.1.2, but we recommend you recreate your graphs to take advantage of additional checks and caching.

This is a minor update to Principal Mapper. All graphs generated in v1.1.0 will be compatible with v1.1.1, but we recommend you re-graph all accounts from v1.1.0 (see below).

- analysis, thanks @Techbrunch!

This is a major update to Principal Mapper. It contains new functionality and bugfixes. Graphs generated with v1.0.X will not be compatible with this version, and will need to be recreated.

- GetAccountAuthorizationDetails, per #26 (thanks @danieladams456!)
- clusters preset query (#61)
- graph subcommand options split into more subcommands (i.e. graph --create is now graph create)

This is a micro update to Principal Mapper. It only contains bugfixes. It should be compatible with graphs created with the previous version (v1.0.0).

- Fix for IAM Users with a path that's not just / (the default). Includes additional test changes for IAM Users with non-default paths.

This is a full update to Principal Mapper.
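The wrongadmin preset query described in the release notes above flags principals that are effectively admins without AdministratorAccess attached. The following is an added example of that kind of check, written for this page; it is not PMapper's implementation. The principal records, the SELF_ESCALATION_ACTIONS list and the function names (is_allowed, is_wrong_admin, find_wrong_admins) are constructed for the example, conditions are ignored, and only the principal's own ARN is considered as an escalation target.

```python
import re

# Added illustration of a "wrongadmin"-style check; not PMapper's own code.
# Sample principals and the escalation action list below are constructed
# for this example and deliberately simplified.

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Assumed short list: actions that let a principal rewrite its own permissions
# when it is allowed to use them against its own ARN.
SELF_ESCALATION_ACTIONS = (
    "iam:PutUserPolicy", "iam:AttachUserPolicy",
    "iam:PutRolePolicy", "iam:AttachRolePolicy",
)


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, case_sensitive):
    """Match an IAM Action/Resource string with '*' and '?' wildcards.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(statements, action, resource):
    """Minimal evaluation: a matching explicit Deny wins over any Allow.
    Condition blocks are ignored (simplifying assumption)."""
    allowed = False
    for stmt in statements:
        if not any(iam_match(a, action, False) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(iam_match(r, resource, True) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def is_wrong_admin(principal):
    """True when the principal is effectively an admin but AdministratorAccess
    is not among its attached managed policies. policy_documents is assumed to
    hold the inline policies (and any managed policy documents you fetched)."""
    if ADMIN_POLICY_ARN in principal["attached_policy_arns"]:
        return False
    statements = [s for doc in principal["policy_documents"]
                  for s in _as_list(doc.get("Statement"))]
    # A literal "*" on "*" is an inline equivalent of AdministratorAccess.
    if is_allowed(statements, "*", "*"):
        return True
    # Otherwise: can the principal rewrite its own permissions?
    return any(is_allowed(statements, action, principal["arn"])
               for action in SELF_ESCALATION_ACTIONS)


def find_wrong_admins(principals):
    """Names of principals the check flags, sorted."""
    return sorted(name for name, p in principals.items() if is_wrong_admin(p))


# Constructed sample data for this example.
SAMPLE_PRINCIPALS = {
    "alice": {  # real admin: managed policy attached, so not "wrong"
        "arn": "arn:aws:iam::123456789012:user/alice",
        "attached_policy_arns": [ADMIN_POLICY_ARN],
        "policy_documents": [],
    },
    "deploy-role": {  # can put an inline policy on itself -> effectively admin
        "arn": "arn:aws:iam::123456789012:role/deploy-role",
        "attached_policy_arns": [],
        "policy_documents": [{"Statement": [
            {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:putrolepolicy",
             "Resource": "arn:aws:iam::123456789012:role/deploy-role"},
        ]}],
    },
    "ops-user": {  # inline "*" on "*" without the managed policy
        "arn": "arn:aws:iam::123456789012:user/ops-user",
        "attached_policy_arns": [],
        "policy_documents": [{"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}],
    },
    "bob": {  # explicit Deny on self wins; not flagged by this self-only check
        "arn": "arn:aws:iam::123456789012:user/bob",
        "attached_policy_arns": [],
        "policy_documents": [{"Statement": [
            {"Effect": "Allow", "Action": "iam:AttachUserPolicy",
             "Resource": "arn:aws:iam::123456789012:user/*"},
            {"Effect": "Deny", "Action": "iam:AttachUserPolicy",
             "Resource": "arn:aws:iam::123456789012:user/bob"},
        ]}],
    },
}

if __name__ == "__main__":
    print(find_wrong_admins(SAMPLE_PRINCIPALS))
```

Note the bob case: he is not flagged because the Deny covers his own ARN, yet he can still attach policies to every other user, which is an escalation through another principal. That cross-principal path is exactly what a graph of principals and edges tracks and what this single-principal check cannot see.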
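The v1.1.3 breaking changes above move condition context keys to a CaseInsensitiveDict and reject duplicate keys. The example below, added for this page and not taken from principalmapper.util.case_insensitive_dict, shows why: IAM condition key names are case-insensitive, so a plain dict lookup silently fails to find a key written in a different case, and two keys that differ only in case would leave it undefined which value applies. The CaseInsensitiveDict class here is a minimal stand-in, and build_context, string_equals_satisfied, the policy condition and the request context are constructed for the example.

```python
from collections.abc import MutableMapping

# Added illustration; not PMapper's own CaseInsensitiveDict or simulation code.
# The policy condition and request context below are constructed sample data.


class CaseInsensitiveDict(MutableMapping):
    """Mapping whose keys compare case-insensitively but keep their original spelling."""

    def __init__(self, data=None):
        self._store = {}
        if data:
            self.update(data)

    def __setitem__(self, key, value):
        self._store[key.lower()] = (key, value)

    def __getitem__(self, key):
        return self._store[key.lower()][1]

    def __delitem__(self, key):
        del self._store[key.lower()]

    def __iter__(self):
        return (original for original, _ in self._store.values())

    def __len__(self):
        return len(self._store)


def build_context(pairs):
    """Build a request context from (key, value) pairs, rejecting keys that
    collide once case is ignored instead of letting one silently win."""
    ctx = CaseInsensitiveDict()
    for key, value in pairs:
        if key in ctx:
            raise ValueError(f"duplicate context key (ignoring case): {key!r}")
        ctx[key] = value
    return ctx


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_equals_satisfied(condition, context):
    """Evaluate a StringEquals block against a context mapping. Key lookup
    follows the mapping's semantics; value comparison is case-sensitive,
    as IAM specifies for StringEquals. A missing key fails the condition."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context:
            return False
        if context[key] not in _as_list(expected):
            return False
    return True


# Constructed sample: the policy spells the key one way, the caller another.
POLICY_CONDITION = {"StringEquals": {"aws:PrincipalOrgID": "o-example123"}}
CONTEXT_PAIRS = [("aws:principalorgid", "o-example123"),
                 ("aws:SourceVpc", "vpc-0a1b2c3d")]


def compare_lookup_behaviour():
    """Same condition, same context values: a plain dict misses the key,
    the case-insensitive mapping finds it."""
    plain = dict(CONTEXT_PAIRS)
    ci = build_context(CONTEXT_PAIRS)
    return {
        "plain_dict": string_equals_satisfied(POLICY_CONDITION, plain),
        "case_insensitive": string_equals_satisfied(POLICY_CONDITION, ci),
    }


def duplicate_key_rejected():
    """Keys differing only in case are refused rather than resolved arbitrarily."""
    try:
        build_context([("aws:SourceVpc", "vpc-a"), ("aws:sourcevpc", "vpc-b")])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(compare_lookup_behaviour(), duplicate_key_rejected())
```

The false result from the plain dict is the dangerous direction for a simulator: a condition that should be satisfied is reported as unmet, so an access path that exists in the account is missing from the analysis.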