Principal Mapper Demolab at DEF CON 29


    Tool or Project Name: Principal Mapper (PMapper) - Mapping Privilege Escalation and More in AWS IAM

    Short Abstract:
    Principal Mapper (PMapper) is an open-source tool and library for assessing AWS IAM and AWS Organizations for security concerns, such as privilege escalation and resource isolation. It tracks and identifies the different ways that one given IAM User/Role (Principal) could pivot to other IAM Users or Roles by reviewing all applicable IAM Policies. After gathering this data, PMapper can perform additional analysis, querying, and visualization.

    The querying and analysis systems of PMapper go beyond checking if a principal is authorized to make a specific AWS API call. It will check if the principal can go through other principals to make a specified AWS API call. In a real-world example: if a user is not authorized to get an S3 object, PMapper also checks if the user can run an EC2 instance with a role as a means of bypassing that restriction. This means that PMapper tells you the effective permissions of each IAM User and Role, and the impact of the extra access you may inadvertently grant to those principals.

    Short Developer Bio:
    Erik Steringer is a Senior Security Consultant with NCC Group.

    URL to any additional information:

    Detailed Explanation of Tool:
    PMapper is a free and open source project written in Python 3. The v1.1.X release added support for resource policies, SCPs, permission boundaries, and session policies, which means it now works for cross-account scenarios. Additionally, it can now map and handle AWS Organizations.

    At a high level, the different operations of PMapper include gathering data (account or organization), querying, analysis, and visualization. All work typically starts with gathering data. When gathering an account's data, PMapper composes a graph to represent the account. The graph includes different IAM Users/Roles, represented as nodes. The graph also tracks how nodes can access each other, as edges. One example of an edge is when a principal can call sts:AssumeRole to access an IAM Role.

    The account graph is used by the query component. During all queries, PMapper checks the specified principal and then other principals that can be pivoted to by the specified principal. This catches risks where a given user or role can bypass their own limited permissions with other users or roles. This is also the root of the privilege escalation detection. The different users and roles are marked as administrators if they can effectively call any API operation with any resource, and the privilege escalation detection finds non-admins that can pivot to admins through an edge.

    The authorization simulator of PMapper runs completely locally, with no calls to the AWS IAM Policy Simulation APIs. It can handle the most complex types of IAM Policies, and other types of policies that even the simulation APIs don’t include (SCPs, Session Policies).

    The graph data, query component, and underlying authorization simulator enable PMapper to catch risks that other tools (ScoutSuite, awspx, Cartography, Aaia, CloudMapper, AWS IAM Access Analyzer) cannot. A lot of those risks are covered with the analysis component of PMapper. It can also be extended through the `principalmapper` package to check for even more specific needs.

    Supporting Files, Code, etc:

    Target Audience:
    Defense, Cloud

    As a consultant, I’ve had the opportunity to work in a variety of AWS environments across a range of clients and requirements. I think PMapper reflects a lot of the lessons learned during these last few years. Some of the recent work I’ve put into PMapper helps show where I think the future is (infrastructure as code analysis) for tools in this space.

    PGP Key:
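The graph model the post describes (principals as nodes, "can pivot to" relations as edges, privilege escalation as a non-admin reaching an admin, and effective permissions computed through reachable principals) can be sketched in a few dozen lines. The block below is an added illustration, not PMapper's own code, data model or `principalmapper` API. The account ID, principal names, policies and trust relationships are constructed for the example, and the policy matching is deliberately minimal: it models only identity-policy Allow statements with simple wildcards and two edge types (sts:AssumeRole against a trust policy, and iam:PassRole plus ec2:RunInstances onto a role that trusts the EC2 service). It ignores Deny statements, conditions, resource policies, SCPs, permission boundaries and session policies, all of which PMapper evaluates.

```python
"""Toy IAM pivot graph: nodes are principals, edges are ways to pivot.
Added example, modelled on the post's description; not PMapper code."""
from collections import deque

ACCOUNT = "123456789012"  # constructed account ID

# Constructed sample account. "allows" holds (action, resource) pairs from the
# principal's identity policy; "trust" lists who may assume a role (its trust
# policy, simplified to bare principal names or an AWS service principal).
PRINCIPALS = {
    "user/dev": {"allows": {("s3:GetObject", "arn:aws:s3:::app-logs/*"),
                            ("sts:AssumeRole", "*")}, "trust": set()},
    "user/ops": {"allows": {("ec2:RunInstances", "*"),
                            ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/ec2-admin")},
                 "trust": set()},
    "role/reader": {"allows": {("s3:GetObject", "*")}, "trust": {"user/dev"}},
    "role/ec2-admin": {"allows": {("*", "*")}, "trust": {"ec2.amazonaws.com"}},
    "role/admin": {"allows": {("*", "*")}, "trust": {"user/nobody"}},
}


def _matches(pattern, value):
    """Minimal wildcard match: '*' matches anything, trailing '*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def is_authorized(principal, action, resource):
    """Direct check of one principal's own policy, evaluated locally."""
    return any(_matches(a, action) and _matches(r, resource)
               for a, r in PRINCIPALS[principal]["allows"])


def is_admin(principal):
    """Admin = can call any action on any resource (simplified test)."""
    return ("*", "*") in PRINCIPALS[principal]["allows"]


def build_edges():
    """Derive pivot edges from policies: src -> role via AssumeRole when the
    trust policy names src, or via PassRole+RunInstances when the role trusts
    the EC2 service and src can pass it and launch instances."""
    edges = {p: set() for p in PRINCIPALS}
    for src in PRINCIPALS:
        for dst, meta in PRINCIPALS.items():
            if src == dst or not dst.startswith("role/"):
                continue
            role_arn = f"arn:aws:iam::{ACCOUNT}:{dst}"
            if src in meta["trust"] and is_authorized(src, "sts:AssumeRole", role_arn):
                edges[src].add((dst, "sts:AssumeRole"))
            if ("ec2.amazonaws.com" in meta["trust"]
                    and is_authorized(src, "iam:PassRole", role_arn)
                    and is_authorized(src, "ec2:RunInstances", "*")):
                edges[src].add((dst, "iam:PassRole+ec2:RunInstances"))
    return edges


def reachable(start, edges):
    """BFS over pivot edges; maps each reachable principal to the path taken."""
    paths = {start: []}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for dst, how in sorted(edges[cur]):
            if dst not in paths:
                paths[dst] = paths[cur] + [f"{cur} -[{how}]-> {dst}"]
                queue.append(dst)
    return paths


def effective_authorized(principal, action, resource, edges):
    """Query in the post's sense: allowed directly or via any reachable principal."""
    return any(is_authorized(p, action, resource)
               for p in reachable(principal, edges))


def find_privesc(edges):
    """Non-admin principals that can reach an admin, with the path used."""
    found = {}
    for p in PRINCIPALS:
        if is_admin(p):
            continue
        for dst, path in reachable(p, edges).items():
            if is_admin(dst):
                found[p] = path
                break
    return found


if __name__ == "__main__":
    e = build_edges()
    for p, path in find_privesc(e).items():
        print(p, "can escalate:", " ; ".join(path))
    print("user/dev can read app-config directly?",
          is_authorized("user/dev", "s3:GetObject", "arn:aws:s3:::app-config/x"))
    print("user/dev can read app-config effectively?",
          effective_authorized("user/dev", "s3:GetObject",
                               "arn:aws:s3:::app-config/x", e))
```

In the constructed account, user/dev is denied the S3 object directly but gets it by assuming role/reader, which is the "effective permissions" point the post makes; user/ops is flagged because passing role/ec2-admin to an instance it launches is a pivot to an admin. Real assessments need the full policy language (Deny, conditions, resource policies, SCPs, boundaries), which is the work PMapper's local authorization simulator does.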