nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0
1.37k stars 169 forks

MFA requirements in roles can lead to misleading results #116

Open RyanJarv opened 2 years ago

RyanJarv commented 2 years ago

Brief Description: IAM roles blocking access without MFA return incorrect results when calling local_check_authorization_handling_mfa. These roles also fail to appear in the output of python ./pmapper.py --profile me query 'preset privesc *'.

IAM Action, Resource, and Condition Being Authorized: The principal needs to be a role with an identity policy enforcing MFA. The specific actions affected are the ones that apply to the MFA conditional in the policy.

IAM Policies Attached to Principal

arn:aws:iam::aws:policy/AdministratorAccess

And a custom policy with the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Expected Behavior: The principalmapper.querying.query_interface.local_check_authorization_handling_mfa function should return (True, True) when passed any action without any explicitly passed condition keys (as it would if the principal was a User). The current behavior is to return (False, False).

Looks like the issue is here:

https://github.com/nccgroup/PMapper/blob/master/principalmapper/querying/query_interface.py#L205

I suspect the idea here is that in some cases roles can't have MFA (if attached to EC2), so returning a (True, True) result in that case might be misleading if the calling function isn't taking into account the source.
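To make the behaviour discussed in this issue concrete, here is a small, self-contained policy evaluator that is not PMapper's code and not the reporter's: it models only Allow/Deny statements with wildcard actions and the Bool / BoolIfExists operators on aws:MultiFactorAuthPresent, which is all the two policies above need. The AdministratorAccess policy is reproduced from its well-known shape (Allow * on *); the Deny statement is the custom policy from the issue. The function check_authorization_handling_mfa and its (authorized, mfa_required) return tuple are an assumed reading of what the issue expects, not PMapper's own semantics. The example also shows the BoolIfExists versus Bool distinction that decides whether a request carrying no MFA key is denied at all.

```python
"""Toy IAM evaluator for the MFA-conditioned Deny in this issue (constructed example)."""
import copy
import fnmatch
from typing import Any, Dict, List, Optional, Tuple

MFA_KEY = "aws:MultiFactorAuthPresent"

# Well-known shape of arn:aws:iam::aws:policy/AdministratorAccess.
ADMIN_ACCESS: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The custom policy from the issue body.
DENY_WITHOUT_MFA: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }],
}


def deny_with_operator(operator: str) -> Dict[str, Any]:
    """Same Deny statement but with a different condition operator (Bool vs BoolIfExists)."""
    pol = copy.deepcopy(DENY_WITHOUT_MFA)
    pol["Statement"][0]["Condition"] = {operator: {MFA_KEY: "false"}}
    return pol


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """True when every (operator, key) pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected_vals = [str(e).lower() for e in _as_list(expected)]
            actual = context.get(key)
            if operator == "Bool":
                # Plain Bool: a missing key never matches.
                if actual is None or str(actual).lower() not in expected_vals:
                    return False
            elif operator == "BoolIfExists":
                # ...IfExists: a missing key is treated as a match, so the
                # Deny fires for any caller that does not present the key.
                if actual is not None and str(actual).lower() not in expected_vals:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str,
             context: Dict[str, str]) -> bool:
    """Explicit Deny wins over any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check_authorization_handling_mfa(policies: List[Dict[str, Any]], action: str,
                                     resource: str,
                                     context: Optional[Dict[str, str]] = None
                                     ) -> Tuple[bool, bool]:
    """Assumed semantics modelled on the issue: returns (authorized, mfa_required).

    Evaluate with the caller's context first. If that is denied and the caller did
    not pin the MFA key, retry with MFA present and report that MFA made the
    difference. The caller, not this function, decides whether the principal can
    actually present MFA (e.g. a role used from an EC2 instance profile cannot).
    """
    context = dict(context or {})
    if evaluate(policies, action, resource, context):
        return True, False
    if MFA_KEY in context:
        return False, False  # key was fixed by the caller; nothing to retry
    with_mfa = dict(context, **{MFA_KEY: "true"})
    if evaluate(policies, action, resource, with_mfa):
        return True, True
    return False, False


if __name__ == "__main__":
    pols = [ADMIN_ACCESS, DENY_WITHOUT_MFA]
    print(check_authorization_handling_mfa(pols, "s3:GetObject", "arn:aws:s3:::b/k"))
```

Running the block prints (True, True) for the issue's policy pair: the request is denied without the key, allowed once aws:MultiFactorAuthPresent is true. Swapping BoolIfExists for Bool flips the outcome for a keyless request, because a plain Bool on an absent key does not match and the Deny never fires; that distinction is worth checking before trusting any "MFA enforced" conclusion about a role.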