nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0
1.41k stars 169 forks

Required IAM permission to run pmapper #56

Closed wilkej closed 3 years ago

wilkej commented 4 years ago

Hello PMapper Team, I searched the documentation to find which IAM permissions are required to run PMapper. As I'm security concerned, I use my own role and want to grant least-privilege permissions to this role.

I started with this policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Action": [
                "sts:Get*",
                "lambda:List*",
                "lambda:Get*",
                "iam:Simulate*",
                "iam:List*",
                "iam:Get*",
                "ec2:Get*",
                "ec2:Describe*",
                "cloudformation:List*",
                "cloudformation:Get*",
                "cloudformation:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

and PMapper didn't show any errors. I checked Cloudtrail and based on the events of this role I created this role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Action": [
                "sts:GetCallerIdentity",
                "lambda:ListFunctions20150331",
                "lambda:ListFunctions",
                "iam:ListUsers",
                "iam:ListUserPolicies",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListGroupsForUser",
                "iam:ListGroups",
                "iam:ListAttachedUserPolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListAccessKeys",
                "iam:GetRolePolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "cloudformation:DescribeStacks"
            ],
            "Resource": "*"
        }
    ]
}

Still, I see no errors. I wonder if you could confirm this policy and maybe add it to the documentation?

ncc-erik-steringer commented 4 years ago

Hey there.

Definitely a good idea to put together a "least-privilege" policy for this tool. I'll put one together for the next version (v1.1.0). Thank you for sharing what you saw in CloudTrail.

pmadhyasta commented 4 years ago

As per v1.1.0-dev, below are the minimum permissions required:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "lambda:ListFunctions",
                "iam:GetPolicy",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListInstanceProfiles",
                "cloudformation:DescribeStacks",
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedRolePolicies",
                "iam:ListAttachedUserPolicies",
                "iam:ListUsers",
                "iam:ListGroups",
                "sts:GetCallerIdentity",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:ListAccessKeys",
                "iam:ListGroupPolicies",
                "iam:ListAttachedGroupPolicies",
                "iam:GetGroupPolicy",
                "iam:ListAccountAliases",
                "iam:GetAccountAuthorizationDetails",
                "iam:ListVirtualMFADevices",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketPolicy"
            ],
            "Resource": "*"
        }
    ]
}

ncc-erik-steringer commented 4 years ago

Thanks @pmadhyasta! Just a heads up that I'll be putting in SQS/SNS eventually as well.

dibyadhar commented 3 years ago

Hello PMapper Team,

As per the latest release, do we have some reference to the minimum IAM permission required to create a graph for an account, or do we have any flag to run the tool in a limited fashion just for trial how it captures data and represents a graph?

ncc-erik-steringer commented 3 years ago

@dibyadhar, the ReadOnlyAccess managed policy is a good starting point. From there, it should be possible to capture the API requests that PMapper makes via CloudTrail to pin down the least permissions necessary (as the author of this issue did).
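
The workflow described in this reply, and followed by the issue author above (run with a broad read-only policy, pull the role's CloudTrail events, reduce them to a least-privilege policy), can be scripted. The following is an added example and is not part of PMapper or this thread; the CloudTrail records are constructed samples in the shape of real records (`eventSource`, `eventName`, optional `errorCode`), and the policies are built from the actions posted above. One detail worth knowing: CloudTrail records some Lambda calls with an API-version suffix (`ListFunctions20150331`), which is why that name shows up in the policy earlier in the thread; the IAM action itself is `lambda:ListFunctions`, so the script strips the suffix.

```python
import fnmatch
import json
import re

# Constructed CloudTrail records (not real captures) in the record format's shape.
# The AccessDenied entry models an API call the candidate policy did not cover.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},
    {"eventSource": "iam.amazonaws.com", "eventName": "GetAccountAuthorizationDetails"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "ListFunctions20150331"},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "DescribeStacks"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "errorCode": "AccessDenied"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers"},  # duplicate call
]

# Wildcard starting policy, a subset of the first policy posted in this issue.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRead",
        "Effect": "Allow",
        "Action": ["sts:Get*", "lambda:List*", "iam:List*", "iam:Get*",
                   "cloudformation:Describe*"],
        "Resource": "*",
    }],
}

# CloudTrail appends an 8-digit API version to some event names (e.g. Lambda).
_VERSION_SUFFIX = re.compile(r"\d{8}$")


def event_to_action(event):
    """Map a CloudTrail record to the IAM action string it required."""
    service = event["eventSource"].split(".", 1)[0]   # "iam.amazonaws.com" -> "iam"
    name = _VERSION_SUFFIX.sub("", event["eventName"])
    return f"{service}:{name}"


def observed_actions(events):
    """Split the actions seen in the trail into those that succeeded and those denied."""
    allowed, denied = set(), set()
    for ev in events:
        action = event_to_action(ev)
        if ev.get("errorCode") == "AccessDenied":
            denied.add(action)
        else:
            allowed.add(action)
    return sorted(allowed), sorted(denied)


def policy_allows(policy, action):
    """True if any Allow statement's Action pattern matches (case-insensitive, IAM wildcards).

    Simplification: explicit Deny statements, Condition blocks and Resource
    restrictions are ignored; this only checks the Action wildcard coverage.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def uncovered_actions(policy, actions):
    """Actions from the trail that the candidate policy would not permit."""
    return [a for a in actions if not policy_allows(policy, a)]


def build_policy(actions, sid="PMapperLeastPrivilege"):
    """Emit a policy listing exactly the observed actions, no wildcards."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Allow",
                       "Action": list(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    ok, denied = observed_actions(SAMPLE_EVENTS)
    print("denied during the run:", denied)
    print("not covered by wildcard policy:", uncovered_actions(WILDCARD_POLICY, ok + denied))
    print(json.dumps(build_policy(ok + denied), indent=4))
```

Real records in this shape can be obtained with `aws cloudtrail lookup-events` filtered on the role's session user name (each returned event carries the record JSON in its `CloudTrailEvent` field). Run the tool with the wildcard policy, feed the records through `observed_actions`, and any entries in the denied list are calls the tool attempted but could not make; a policy that silently runs without errors is not proof that every call succeeded, so checking `errorCode` is the step that catches gaps.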

ncc-erik-steringer commented 3 years ago

Added required-permissions.json to v1.1.2-dev (652b6933d5a1abf3173aab588c4d734bf92c2e3b).

ncc-erik-steringer commented 3 years ago

Closing this issue, noted file is now merged into master as part of the v1.1.2 release.