AWS SSO support? - Githubissues

nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.

GNU Affero General Public License v3.0

1.41k stars 169 forks source link

AWS SSO support? #80

Open nxtof opened 3 years ago

nxtof commented 3 years ago

Hello,

Do you have any plans to support AWS SSO? e.g. to be able to map back a specific AWS SSO-managed role (AWSSSOReserved_AdminAccess_xxxx) to a list of users assigned with this role

Thanks!

ncc-erik-steringer commented 3 years ago

To answer your question, we currently don't have plans to add AWS SSO support. I think it would be reasonable to include in 1.2.0. I took a quick look at the work it would take, lemme know if you think it's a reasonable summary:

Find a way to grab the user -> role mapping (would need to put in gathering.py and maybe guard it with a --with-sso flag/param)
Find a way to stash the mapping data
Add something in the query/argquery to let people query by SSO user (maybe something like sso/user_one for the principal component).

michaeldavie-amzn commented 2 years ago

Find a way to grab the user -> role mapping

I've been doing some work on this, and my current approach has been:

organizations.list_accounts
sso-admin.list_instances
sso-admin.list_permission_sets
For each permission set, sso-admin.list_accounts_for_provisioned_permission_sets
For each permission set/account pair, sso-admin.list_account_assignments
For each SSO GUID (user/group), identitystore.describe_user or identitystore.describe_group

Graph-wise, it would probably make sense to and the permission sets as nodes with edges to the corresponding roles in IAM.

Note that accessing SSO and the identity store will require additional permissions.