Open Kamerabuilt opened 2 years ago
Hello @Kamerabuilt ,
First look, I'm guessing it's the `aws:MultiFactorAuthPresent` condition that's tripping things up. The relevant source code is https://github.com/nccgroup/PMapper/blob/master/principalmapper/graphing/sts_edges.py#L84-L86 . If that's not working, then all the MFA stuff might be broken and that'd be a bigger problem.
Please confirm the following:
Added a fix in `v1.2.0-dev` with 06f1dc1ec8ac4c3c9c775aabf7efce2652cac6f3 . This issue actually extends to any edge-checks that involve resource policies that can be affected by MFA. Probably gonna have to do some more fixing here before releasing v1.2.0.
Can I test the 1.2.0-dev (if so how)?
Is there a way to display the current version of PMapper?
Sure can! Just clone the repo and checkout the `1.2.0-dev` branch. Then do `pip install .` from the PMapper directory after you finish cloning. If you run `pip show principalmapper` it should show you the current version, and v1.2.0 will have a `--version` arg.
Nice work!
Looks like it's fixed :)
I created a local IAM user, with the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::000000000000:role/Admin-Role"
    }
  ]
}
```
The "Admin-Role" has an Administrator policy attached, and the following Trust-policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```
When generating an svg with `pmapper --account 000000000000 visualize`, the produced image does not include any links or arrows between that local IAM user and the Admin-Role.
If you need further info, please let me know.
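
Added example, not part of the thread and not PMapper code: a toy evaluator for the two policies in the report, showing that the assume-role result depends on whether `aws:MultiFactorAuthPresent` is in the request context. The function names are hypothetical; it assumes exact-match `Allow` statements only, and that the account-root principal in the trust policy covers the user.

```python
ROLE_ARN = "arn:aws:iam::000000000000:role/Admin-Role"

# Both policies are copied from the issue report above.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def condition_matches(condition, context):
    """Evaluate Bool / BoolIfExists blocks against request context keys."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            return False  # operators outside this sketch: fail closed
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                # Key absent from the request: Bool fails, BoolIfExists passes.
                if operator == "Bool":
                    return False
                continue
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def allows(policy, action, resource, context):
    """True if an Allow statement matches (no Deny or wildcard handling)."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow" and stmt["Action"] == action
                and stmt.get("Resource", resource) == resource
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False


def can_assume(context):
    """Same-account edge: identity policy and trust policy must both allow.

    Principal matching is assumed (account root covers the user).
    """
    return (allows(IDENTITY_POLICY, "sts:AssumeRole", ROLE_ARN, context)
            and allows(TRUST_POLICY, "sts:AssumeRole", ROLE_ARN, context))
```

An edge check that evaluates the trust policy with an empty context gets `False` here, while the same check with the MFA key set to `"true"` gets `True`.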