Closed wilkej closed 3 years ago
Hey there.
Definitely a good idea to put together a "least-privilege" policy for this tool. I'll put one together for the next version (v1.1.0). Thank you for sharing what you saw in CloudTrail.
As per v1.1.0-dev, below are the minimum permissions required:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "lambda:ListFunctions",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListInstanceProfiles",
                "cloudformation:DescribeStacks",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "iam:ListGroups",
                "sts:GetCallerIdentity",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListAccessKeys",
                "iam:ListGroupPolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:GetGroupPolicy",
                "iam:ListAccountAliases",
                "iam:GetAccountAuthorizationDetails",
                "iam:ListVirtualMFADevices",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketPolicy"
            ],
            "Resource": "*"
        }
    ]
}
```
Thanks @pmadhyasta! Just a heads up that I'll be putting in SQS/SNS eventually as well.
Hello PMapper Team,
As per the latest release, do we have any reference to the minimum IAM permissions required to create a graph for an account, or do we have any flag to run the tool in a limited fashion, just to trial how it captures data and represents a graph?
@dibyadhar, the ReadOnlyAccess managed policy is a good starting point. From there, it should be possible to capture the API requests that PMapper makes via CloudTrail to pin down the least permissions necessary (as the author of this issue did).
Added required-permissions.json to v1.1.2-dev (652b6933d5a1abf3173aab588c4d734bf92c2e3b).
Closing this issue; the noted file is now merged into master as part of the v1.1.2 release.
Hello PMapper Team, I searched the documentation to find which IAM permissions are required to run PMapper. As I'm security-conscious, I use my own role and want to grant least-privilege permissions to this role.
I started with this policy and PMapper didn't show any errors. I checked CloudTrail and, based on the events of this role, I created this role.
Still, I see no errors. I wonder if you could confirm this policy and maybe add it to the documentation?
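The procedure both the issue opener and the reply to @dibyadhar describe (run PMapper under a broad role, read the role's CloudTrail events, distil them into an Allow statement) is easy to get subtly wrong, because CloudTrail's `eventName` is not always the IAM action name. The script below is an added example written for this thread; it is not part of PMapper and is not the policy file the maintainer merged. The account ID 123456789012, the role name `PMapperRole` and the sample records are constructed, and the `EVENT_TO_ACTION` table is an assumed, partial list of the known mismatches for the services that appear in the policy above.

```python
"""Distil a least-privilege IAM policy from CloudTrail records for one principal.

Hypothetical helper written for this thread; not part of PMapper.
"""
import json
import re

# CloudTrail's eventName is usually the IAM action name, but not always.
# Known mismatches for the services PMapper calls (s3 is the main offender).
# Assumed partial: extend it when the generated policy still yields AccessDenied.
EVENT_TO_ACTION = {
    ("s3", "ListBuckets"): "s3:ListAllMyBuckets",
    ("s3", "ListObjects"): "s3:ListBucket",
    ("s3", "ListObjectsV2"): "s3:ListBucket",
    ("s3", "HeadBucket"): "s3:ListBucket",
}

# Lambda records carry an API-version suffix, e.g. "ListFunctions20150331"
# or "GetFunction20150331v2"; the IAM action name has none.
VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def to_iam_action(event_source: str, event_name: str) -> str:
    """Map a record's (eventSource, eventName) to the IAM action string."""
    service = event_source.split(".", 1)[0]  # "iam.amazonaws.com" -> "iam"
    special = EVENT_TO_ACTION.get((service, event_name))
    if special:
        return special
    return f"{service}:{VERSION_SUFFIX.sub('', event_name)}"


def identity_matches(record: dict, principal_arn: str) -> bool:
    """True if the call was made by the principal itself or by a session it assumed."""
    identity = record.get("userIdentity", {})
    issuer_arn = (identity.get("sessionContext", {})
                          .get("sessionIssuer", {})
                          .get("arn"))
    return principal_arn in (identity.get("arn"), issuer_arn)


def derive_actions(records, principal_arn):
    """Return (attempted, denied): sorted IAM actions the principal called,
    and the subset that failed with an errorCode (e.g. AccessDenied).

    Denied calls are still actions the tool needs; they also prove the trial
    principal was too narrow, so the run did not exercise everything."""
    attempted, denied = set(), set()
    for record in records:
        if not identity_matches(record, principal_arn):
            continue
        action = to_iam_action(record["eventSource"], record["eventName"])
        attempted.add(action)
        if record.get("errorCode"):
            denied.add(action)
    return sorted(attempted), sorted(denied)


def build_policy(actions, sid="PMapperLeastPrivilege"):
    """Wrap the observed actions in a single-statement IAM policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
        }],
    }


# Constructed sample records (fake account 123456789012, hypothetical role PMapperRole).
ROLE_ARN = "arn:aws:iam::123456789012:role/PMapperRole"
_SESSION = {
    "arn": "arn:aws:sts::123456789012:assumed-role/PMapperRole/pmapper",
    "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}},
}
_OTHER = {"arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "userIdentity": _SESSION},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetAccountAuthorizationDetails", "userIdentity": _SESSION},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetAccountAuthorizationDetails", "userIdentity": _SESSION},  # paginated call, same action
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": _SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy", "userIdentity": _SESSION, "errorCode": "AccessDenied"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "ListFunctions20150331", "userIdentity": _SESSION},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": _OTHER},  # another principal, ignored
]

if __name__ == "__main__":
    attempted, denied = derive_actions(SAMPLE_EVENTS, ROLE_ARN)
    print(json.dumps(build_policy(attempted), indent=2))
    if denied:
        print("# denied during the trial run, grant and re-run:", ", ".join(denied))
```

Feed `derive_actions` the `Records` array of the CloudTrail log files covering the PMapper run, together with the ARN of the role it ran under; the assumed-role session ARN is matched through `sessionContext.sessionIssuer`. Two caveats follow from how CloudTrail works. Per-resource calls such as `s3:GetBucketPolicy` or `iam:GetPolicyVersion` only appear if the account actually has buckets or customer-managed policies, so a policy derived from one account can be too narrow for another. And any action in the `denied` list means the trial principal was already too tight and the run stopped short, which is why the reply above suggests starting from ReadOnlyAccess and narrowing down rather than building up.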