nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

Local user who can assume an admin role not in graph #114

Open Kamerabuilt opened 2 years ago

Kamerabuilt commented 2 years ago

I created a local IAM user, with the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::000000000000:role/Admin-Role"
    }
  ]
}
```

The "Admin-Role" has an Administrator policy attached, and the following Trust-policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

When generating an SVG with `pmapper --account 000000000000 visualize`, the produced image does not include any links or arrows between that local IAM user and the Admin-Role.

If you need further info, please let me know.

ncc-erik-steringer commented 2 years ago

Hello @Kamerabuilt ,

First look, I'm guessing it's the aws:MultiFactorAuthPresent condition that's tripping things up. The relevant source code is https://github.com/nccgroup/PMapper/blob/master/principalmapper/graphing/sts_edges.py#L84-L86 . If that's not working, then all the MFA stuff might be broken and that'd be a bigger problem.

Please confirm the following:

Kamerabuilt commented 2 years ago

  1. I am using the latest PMapper version (I reinstalled it from scratch today). Is there a way to confirm which version exactly? I tried running `-v` (version), but it does not seem to be supported.
  2. Yes, the user can assume the role and execute the admin privileges associated with that role (through MFA).
  3. Yes, and it is needed to assume the role per the Trust policy.
  4. It is a live AWS account (my personal account).

ncc-erik-steringer commented 2 years ago

Added a fix in v1.2.0-dev with 06f1dc1ec8ac4c3c9c775aabf7efce2652cac6f3 . This issue actually extends to any edge checks that involve resource policies that can be affected by MFA. Probably gonna have to do some more fixing here before releasing v1.2.0.
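To illustrate the edge check this fix concerns, here is an added, simplified evaluator (example code written for this thread, not PMapper's own `sts_edges.py` logic). It rebuilds the two policies from this issue with the placeholder account id and a hypothetical user ARN, and shows that the user-to-role edge only appears when the check assumes the caller can satisfy `aws:MultiFactorAuthPresent`, which is the behaviour the bug report describes as missing.

```python
import fnmatch

# Constructed sample data mirroring this issue; the account id is a placeholder
# and the user ARN is hypothetical.
ACCOUNT = "000000000000"
USER_ARN = "arn:aws:iam::%s:user/local-user" % ACCOUNT
ROLE_ARN = "arn:aws:iam::%s:role/Admin-Role" % ACCOUNT
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::%s:root" % ACCOUNT},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _bool_condition_ok(cond, context):
    """Hypothetical evaluator for only the Bool operator (the one used in this issue)."""
    for key, want in cond.get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(want).lower():
            return False
    return True


def identity_allows_assume(policy, role_arn):
    """Does an Allow statement cover sts:AssumeRole on role_arn? (Deny statements ignored.)"""
    for st in _as_list(policy["Statement"]):
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        ress = _as_list(st.get("Resource", []))
        if st["Effect"] == "Allow" and any(fnmatch.fnmatch("sts:assumerole", a) for a in acts) \
                and any(fnmatch.fnmatchcase(role_arn, r) for r in ress):
            return True
    return False


def trust_allows_assume(trust, user_arn, context):
    """Does the trust policy admit user_arn (directly or via its account root) under context?"""
    account_root = "arn:aws:iam::%s:root" % user_arn.split(":")[4]
    for st in _as_list(trust["Statement"]):
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        if st["Effect"] == "Allow" and (user_arn in principals or account_root in principals) \
                and "sts:assumerole" in acts and _bool_condition_ok(st.get("Condition", {}), context):
            return True
    return False


def has_assume_role_edge(user_arn, user_policy, role_arn, trust, mfa_available):
    """An edge exists only when both the identity policy and the trust policy allow the call.
    mfa_available models the fix: the graph must assume the caller can present MFA."""
    context = {"aws:MultiFactorAuthPresent": "true" if mfa_available else "false"}
    return identity_allows_assume(user_policy, role_arn) and trust_allows_assume(trust, user_arn, context)
```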

Kamerabuilt commented 2 years ago

Can I test the 1.2.0-dev (if so how)?

Is there a way to display the current version of PMapper?

ncc-erik-steringer commented 2 years ago

Sure can! Just clone the repo and check out the `1.2.0-dev` branch. Then do `pip install .` from the PMapper directory after you finish cloning. If you run `pip show principalmapper` it should show you the current version, and v1.2.0 will have a `--version` arg.

Kamerabuilt commented 2 years ago

Nice work!

Looks like it's fixed :)