Open rdegraaf opened 1 year ago

**Describe the bug**

AWS has deprecated a few of its more broken AWS-managed Policies, including arn:aws:iam::aws:policy/AWSCodePipelineFullAccess. When I try to scan an account containing a principal with this Policy attached, I get a crash with the following stack trace:

When I look up this specific principal in AWS Console and follow the link to AWSCodePipelineFullAccess, I get a page with the warning "[DEPRECATED] this policy has been removed -- please use [AWSCodePipeline_FullAccess] instead." It does still list permissions, so maybe there is still a way to retrieve the permissions through the API?

I'm not sure what other deprecated AWS-managed Policies there are.

**To Reproduce**

I'm not sure if it's still possible to attach this Policy to a new principal. You might need to find an existing Principal that already has it attached. Assuming that it's still possible: run `pmapper graph create` against the account.

**Expected behavior**

If possible, look up the details of the deprecated Policy. If not, catch the exception and move on.

---

For the moment, I'm working around the issue. In principalmapper/graphing/gathering.py, I replaced

```python
for p in u['AttachedManagedPolicies']:
    user_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))
```

with

```python
for p in u['AttachedManagedPolicies']:
    try:
        user_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))
    except ValueError as e:
        logger.warning('Unable to retrieve attached Policy {} for User {}.'.format(p['PolicyArn'], u['Arn']))
```

and

```python
for p in r['AttachedManagedPolicies']:
    role_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))
```

with

```python
for p in r['AttachedManagedPolicies']:
    try:
        role_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))
    except ValueError as e:
        logger.warning('Unable to retrieve attached Policy {} for Role {}.'.format(p['PolicyArn'], r['Arn']))
```

The same issue is present for the deprecated policy arn:aws:iam::aws:policy/service-role/AWSConfigRole.

https://aws.amazon.com/blogs/mt/service-notice-upcoming-changes-required-for-aws-config/

```
2023-10-05 16:47:12-0400 | Sorting users, roles, groups, policies, and their relationships.
Traceback (most recent call last):
  File "/home/k25044/pmapper/bin/pmapper", line 8, in <module>
    sys.exit(main())
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/__main__.py", line 145, in main
    return graph_cli.process_arguments(parsed_args)
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/graphing/graph_cli.py", line 179, in process_arguments
    graph = graph_actions.create_new_graph(session, service_list, parsed_args.include_regions,
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/graphing/graph_actions.py", line 39, in create_new_graph
    return gathering.create_graph(session, service_list, region_allow_list, region_deny_list, scps, client_args_map)
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/graphing/gathering.py", line 75, in create_graph
    results = get_nodes_groups_and_policies(iamclient)
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/graphing/gathering.py", line 226, in get_nodes_groups_and_policies
    role_policies.append(_get_policy_by_arn_or_raise(p['PolicyArn'], result['policies']))
  File "/home/k25044/pmapper/lib/python3.10/site-packages/principalmapper/graphing/gathering.py", line 1005, in _get_policy_by_arn_or_raise
    raise ValueError('Could not locate policy {}.'.format(arn))
ValueError: Could not locate policy arn:aws:iam::aws:policy/service-role/AWSConfigRole.
```
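The workaround above keeps the scan alive but only logs the missing policy, so the resulting graph silently lacks whatever the deprecated policy grants. The following is an added example, not pmapper's own code: it resolves attached managed policies the same way, but also returns the unresolved ARNs per principal so a scan can report its own blind spots, and accepts an optional `fetch_missing` callback (hypothetical, e.g. a per-ARN API lookup) for the case where the deprecated policy can still be retrieved. `USERS`, `POLICIES` and the dict-keyed-by-ARN shape are constructed for this example.

```python
import logging
logger = logging.getLogger(__name__)

# Constructed sample principals (assumption: pmapper's real records carry more fields).
USERS = [
    {'Arn': 'arn:aws:iam::123456789012:user/alice',
     'AttachedManagedPolicies': [
         {'PolicyArn': 'arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess'}]},
    {'Arn': 'arn:aws:iam::123456789012:user/bob',
     'AttachedManagedPolicies': [
         {'PolicyArn': 'arn:aws:iam::aws:policy/AWSCodePipelineFullAccess'},  # deprecated
         {'PolicyArn': 'arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess'}]},
]
# Constructed policy listing keyed by ARN; the deprecated ARN is absent, as in the bug.
POLICIES = {
    'arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess': {'Name': 'AWSCodePipeline_FullAccess'},
}


def resolve_attached_policies(principal, known_policies, fetch_missing=None):
    """Return (resolved_policies, unresolved_arns) for one principal.

    As in the workaround, a missing ARN no longer aborts the scan, but it is also
    returned so callers can report permissions the graph does not model.
    fetch_missing (hypothetical) is an optional per-ARN lookup returning a policy or None.
    """
    resolved, unresolved = [], []
    for p in principal.get('AttachedManagedPolicies', []):
        arn = p['PolicyArn']
        policy = known_policies.get(arn)
        if policy is None and fetch_missing is not None:
            policy = fetch_missing(arn)
            if policy is not None:
                known_policies[arn] = policy  # cache so later principals reuse it
        if policy is None:
            logger.warning('Unable to retrieve attached Policy %s for %s.', arn, principal['Arn'])
            unresolved.append(arn)
        else:
            resolved.append(policy)
    return resolved, unresolved


def gaps_report(principals, known_policies, fetch_missing=None):
    """Map each principal ARN to the attached policy ARNs that stayed unresolved."""
    report = {}
    for pr in principals:
        _, missing = resolve_attached_policies(pr, known_policies, fetch_missing)
        if missing:
            report[pr['Arn']] = missing
    return report
```

Running `gaps_report(USERS, dict(POLICIES))` names bob and the deprecated AWSCodePipelineFullAccess ARN as the one gap, which is the signal a reviewer needs before trusting the graph's answers for that principal.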