nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0
1.37k stars 169 forks

SQS - Policy attribute is missing #71

Closed Rackme closed 3 years ago

Rackme commented 3 years ago

Describe the bug

I was not able to test the "v1.1.0-dev" version with an account with no SQS resources.

To Reproduce

I used :

python3 pmapper.py --profile prod-kms graph create

The application crashes with the following stack trace:

2021-02-01 18:24:12+0100 | Unable to search SQS in region af-south-1 for queues. The region may be disabled, or the current principal may not be authorized to access the service. Continuing.
2021-02-01 18:24:13+0100 | Unable to search SQS in region ap-east-1 for queues. The region may be disabled, or the current principal may not be authorized to access the service. Continuing.
Traceback (most recent call last):
  File "/AWS/PMapper/pmapper.py", line 28, in <module>
    sys.exit(main())
  File "/AWS/PMapper/principalmapper/__main__.py", line 145, in main
    return graph_cli.process_arguments(parsed_args)
  File "/AWS/PMapper/principalmapper/graphing/graph_cli.py", line 123, in process_arguments
    graph = graph_actions.create_new_graph(session, service_list, parsed_args.include_regions, parsed_args.exclude_regions)
  File "/AWS/PMapper/principalmapper/graphing/graph_actions.py", line 37, in create_new_graph
    return gathering.create_graph(session, service_list, region_allow_list, region_deny_list)
  File "/AWS/PMapper/principalmapper/graphing/gathering.py", line 71, in create_graph
    policies_result.extend(get_sqs_queue_policies(session, caller_identity['Account'], region_allow_list, region_deny_list))
  File "/AWS/PMapper/principalmapper/graphing/gathering.py", line 378, in get_sqs_queue_policies
    policy_str = sqsclient.get_queue_attributes(QueueUrl=queue_url, AttributeNames=['Policy'])['Policy']
KeyError: 'Policy'

ncc-erik-steringer commented 3 years ago

Line of code in question: https://github.com/nccgroup/PMapper/blob/v1.1.0-dev/principalmapper/graphing/gathering.py#L378

I made the assumption that sqs:GetQueueAttributes would always return a response with a Policy field when I called it: https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/sqs.html#SQS.Client.get_queue_attributes

You can hotfix by storing the response in a variable and doing something like if 'Policy' in var: ... . I'll commit a fix this week.
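
Added example (not PMapper's own code and not the fix in e74636a): a guarded version of the lookup that treats a queue without a resource policy as "no policy" instead of crashing, so one policy-less queue no longer aborts the whole graph build. It assumes the response shape the linked botocore documentation gives for get_queue_attributes, a top-level 'Attributes' dict in which the 'Policy' entry is simply absent when the queue has none; FakeSqsClient, SAMPLE_POLICY and SAMPLE_QUEUES are stand-ins constructed here so the example runs offline.

```python
import json
from typing import Optional


class FakeSqsClient:
    """Stand-in for boto3's SQS client, constructed for this example only.

    Mirrors the documented get_queue_attributes response shape,
    {'Attributes': {'Policy': '<json string>'}}, and omits the 'Policy'
    entry (and the 'Attributes' dict itself) when the queue has no policy.
    """

    def __init__(self, policies_by_url: dict):
        self._policies = policies_by_url

    def get_queue_attributes(self, QueueUrl: str, AttributeNames: list) -> dict:
        attrs = {}
        policy = self._policies.get(QueueUrl)
        if policy is not None and 'Policy' in AttributeNames:
            attrs['Policy'] = json.dumps(policy)
        return {'Attributes': attrs} if attrs else {}


def get_queue_policy(sqsclient, queue_url: str) -> Optional[dict]:
    """Return the queue's resource policy as a parsed dict, or None if it has none.

    The guard against the KeyError in this issue: never index ['Policy'] on the
    raw response; look inside 'Attributes' and treat a missing entry as
    'no policy attached' rather than a fatal error.
    """
    response = sqsclient.get_queue_attributes(QueueUrl=queue_url, AttributeNames=['Policy'])
    policy_str = response.get('Attributes', {}).get('Policy')
    if not policy_str:
        return None
    return json.loads(policy_str)


def collect_queue_policies(sqsclient, queue_urls) -> list:
    """Gather (queue_url, policy) pairs, skipping queues that have no policy."""
    results = []
    for url in queue_urls:
        policy = get_queue_policy(sqsclient, url)
        if policy is not None:
            results.append((url, policy))
    return results


# Constructed sample data: one queue with a cross-account policy, one without.
SAMPLE_POLICY = {
    'Version': '2012-10-17',
    'Statement': [{
        'Effect': 'Allow',
        'Principal': {'AWS': 'arn:aws:iam::111111111111:root'},
        'Action': 'sqs:SendMessage',
        'Resource': 'arn:aws:sqs:us-east-1:222222222222:with-policy',
    }],
}
SAMPLE_QUEUES = {
    'https://sqs.us-east-1.amazonaws.com/222222222222/with-policy': SAMPLE_POLICY,
    'https://sqs.us-east-1.amazonaws.com/222222222222/no-policy': None,
}

if __name__ == '__main__':
    client = FakeSqsClient(SAMPLE_QUEUES)
    for url, policy in collect_queue_policies(client, SAMPLE_QUEUES):
        print(url, json.dumps(policy))
```

With a real boto3 client the same two functions apply unchanged; the only difference from the hotfix suggested above is that the membership check is done on the nested 'Attributes' dict, which is where the documented response places the policy string.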

ncc-erik-steringer commented 3 years ago

Added a fix in e74636a . Would you be willing to test and verify the fix?

Rackme commented 3 years ago

It's working like a charm, thanks!