nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

PMapper Incorrectly Handling Users With Passwords #97

Closed ncc-erik-steringer closed 2 years ago

ncc-erik-steringer commented 2 years ago

Describe the bug

PMapper creates/tracks edges related to passwords where the source accesses the destination through iam:CreateLoginProfile or iam:UpdateLoginProfile. Part of this work requires detecting if a user has a password or not. Currently this is detected by pulling the PasswordLastUsed field from calling get_account_authorization_details. This has two potential issues:

Expected behavior

We need to look at calling iam:GetLoginProfile to actually get the information.

https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_login_profile
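An added example, not PMapper's code and not the fix from the commit referenced in this issue: one way to check for a password by calling GetLoginProfile and treating only the NoSuchEntity error as "no password". The helper names, the stub client and the sample users are constructed for illustration; with real credentials `iam_client` would be `boto3.client("iam")`.

```python
def has_login_profile(iam_client, user_name):
    """True if the IAM user has a console password (login profile)."""
    try:
        iam_client.get_login_profile(UserName=user_name)
        return True
    except Exception as err:
        # botocore's ClientError carries the parsed error in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchEntity":
            return False
        raise  # AccessDenied, throttling etc. must not be read as "no password"


def find_mismatches(iam_client, users):
    """Users where the PasswordLastUsed heuristic disagrees with GetLoginProfile."""
    mismatched = []
    for user in users:
        heuristic = "PasswordLastUsed" in user
        if heuristic != has_login_profile(iam_client, user["UserName"]):
            mismatched.append(user["UserName"])
    return mismatched


class StubError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubIAM:
    """Constructed offline stand-in for the IAM client (hypothetical)."""
    def __init__(self, with_password, denied=()):
        self.with_password, self.denied = set(with_password), set(denied)

    def get_login_profile(self, UserName):
        if UserName in self.denied:
            raise StubError("AccessDenied")
        if UserName not in self.with_password:
            raise StubError("NoSuchEntity")
        return {"LoginProfile": {"UserName": UserName}}


# Constructed sample: alice has a password but has never signed in with it,
# so PasswordLastUsed is absent even though a login profile exists.
SAMPLE_USERS = [
    {"UserName": "alice"},
    {"UserName": "bob", "PasswordLastUsed": "2021-06-01T00:00:00Z"},
    {"UserName": "carol"},
]
```
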

ncc-erik-steringer commented 2 years ago

Fix is implemented in e56502e for v1.1.4

ncc-erik-steringer commented 2 years ago

v1.1.4 is out, closing.