Describe the bug
PMapper creates/tracks edges related to passwords where the source accesses the destination through iam:CreateLoginProfile or iam:UpdateLoginProfile. Part of this work requires detecting if a user has a password or not. Currently this is detected by pulling the PasswordLastUsed field from calling get_account_authorization_details. This has two potential issues:
- The password isn't used, thus it has no "Last Used" time despite still existing.
- This info doesn't get updated by the API before PMapper runs.

Expected behavior
We need to look at calling iam:GetLoginProfile to actually get the information.
https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_login_profile
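The difference between the two checks described in this issue, as an added example that is not PMapper's code and not part of the original report. `StubIAM`, `StubClientError`, the function names and the sample user records are constructed so the block runs offline; with real credentials the client would be `boto3.client("iam")`, whose `get_login_profile` fails with error code `NoSuchEntity` when the user has no password.

```python
class StubClientError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class StubIAM:
    """Constructed offline stand-in for boto3.client("iam")."""
    def __init__(self, users_with_password, denied=()):
        self._with_password = set(users_with_password)
        self._denied = set(denied)

    def get_login_profile(self, UserName):
        if UserName in self._denied:
            raise StubClientError("AccessDenied")
        if UserName not in self._with_password:
            raise StubClientError("NoSuchEntity")
        return {"LoginProfile": {"UserName": UserName}}

def has_password_heuristic(user_record):
    """Approach described in the issue: infer a password from PasswordLastUsed."""
    return "PasswordLastUsed" in user_record

def has_login_profile(iam_client, user_name):
    """Authoritative check: GetLoginProfile succeeds only if a password exists."""
    try:
        iam_client.get_login_profile(UserName=user_name)
        return True
    except Exception as err:
        # ClientError carries the service error code in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "NoSuchEntity":
            return False
        raise  # AccessDenied, throttling etc. must not be read as "no password"

def missed_by_heuristic(iam_client, user_records):
    """Users that have a password but that the PasswordLastUsed check misses."""
    return [u["UserName"] for u in user_records
            if has_login_profile(iam_client, u["UserName"])
            and not has_password_heuristic(u)]

# Constructed sample user records (not real account data)
USERS = [
    {"UserName": "alice", "PasswordLastUsed": "2021-03-01T12:00:00Z"},
    {"UserName": "bob"},    # has a password but has never signed in
    {"UserName": "carol"},  # no password at all
]
```

Re-raising every error other than `NoSuchEntity` keeps a permissions problem on the scanning principal from being recorded as "user has no password".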