Open sethsec-bf opened 2 years ago
Hey there!
pmapper orgs update
is an offline operation I added for when someone pulls data on an AWS Organization before pulling Graphs for each account in that Org.
Also, for cross-account stuff, I have https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#how-do-i-do-cross-account-authorization-checks for that. I'm thinking maybe shift from an FAQ to a "Frequent Use Case" thing instead?
Describe the bug
Playing around with the SCP functionality, I noticed that when I make a change to an SCP at the org level, it does not get reflected in my
query preset privesc
unless i delete or re-create the org data. I expected the orgs update would do the trick but it doesn't seem to do what I thought it did.To Reproduce
playground
account, attached todev
account. Let's say for example the SCP deny'siam:passrole
.playground
creds, runpmapper orgs create
dev
creds, runpmapper graph create --include-region us-east-1
dev
creds, runpmapper orgs update --org ID
dev
creds, runpmapper query --scps 'preset privesc *'
playground
account. Either change it, or even detatch it from thedev
accountplayground
creds, runpmapper orgs update --org ID
dev
creds, runpmapper graph create --include-region us-east-1
dev
creds, runpmapper orgs update --org ID
dev
creds, runpmapper query --scps 'preset privesc *'
rm -rf ~/.local/share/principalmapper
ORpmapper create org
Expected behavior I would have expected
pmapper orgs update --org ID
to grab the newest scp data use that moving forward.Also, it took me a minute to figure out this right incantation of getting pmapper to work with multiple accounts. Really cool that you have added this functionality, but the wiki could really use a how-to on using it! Once you set me straight on the right process, let me know if you'd like me to add something to the wiki. Or if you'd like to update it yourself, you are free to use my notes above as a starting point.