Comments (4)
I want to fully support this in the next iteration of PMapper. It's mostly ready in the `v1.1.0-dev` branch, you'll want to use `search_authorization_with_resource_policy_for` in `principalmapper.query_interface` which will consider both the calling principal's authorization and the resource policy (trust doc) of the assumed role.
Sounds good! But how does that play with data collection? Do I need to create one graph per account, and then query the proper principal in the correct graph?
You'd need one graph per account, then query against `account1/user` while pulling in the trust doc from `account2/role`.
Branch `v1.1.0-dev` has a new module `principalmapper.graphing.cross_account_edges` with a function named `get_edges_between_graphs` that does all the legwork of building all `Edge` objects when given two `Graph` objects. Closing this issue.
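The two-sided check discussed in this thread (the caller's own authorization plus the trust doc of the role in the other account), as an added example that is not PMapper's code and not part of the original comments. It is a simplified model: the function names, account IDs and policies are constructed, and it ignores `Condition`, `NotAction`/`NotPrincipal`, permission boundaries and SCPs.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _identity_effects(statements, action, resource):
    """Effects of the caller's identity-policy statements matching action and resource."""
    return {s["Effect"] for s in statements
            if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))}

def _trust_effects(trust_doc, caller_arn):
    """Effects of trust-doc statements covering sts:AssumeRole that name the caller."""
    account = caller_arn.split(":")[4]
    names = {caller_arn, account, f"arn:aws:iam::{account}:root", "*"}
    effects = set()
    for s in trust_doc["Statement"]:
        principal = s["Principal"]
        listed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if names & set(listed) and any(
                fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(s["Action"])):
            effects.add(s["Effect"])
    return effects

def cross_account_assume_edges(src_account, dst_account):
    """(principal, role) pairs where BOTH sides allow sts:AssumeRole and neither denies."""
    edges = []
    for caller_arn, statements in src_account.items():
        for role_arn, trust_doc in dst_account.items():
            caller_side = _identity_effects(statements, "sts:AssumeRole", role_arn)
            role_side = _trust_effects(trust_doc, caller_arn)
            if caller_side == {"Allow"} and role_side == {"Allow"}:
                edges.append((caller_arn, role_arn))
    return edges

# Constructed sample data: one "graph" per account, as the thread describes.
ACCOUNT1 = {  # principal ARN -> identity policy statements
    "arn:aws:iam::111111111111:user/alice": [{"Effect": "Allow",
        "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::222222222222:role/*"}],
    "arn:aws:iam::111111111111:user/bob": [{"Effect": "Allow",
        "Action": "s3:*", "Resource": "*"}],  # trusted via account root, but no sts grant
}
ACCOUNT2 = {  # role ARN -> trust document
    "arn:aws:iam::222222222222:role/deploy": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"}]},
    "arn:aws:iam::222222222222:role/audit": {"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::333333333333:root"}, "Action": "sts:AssumeRole"}]},
}
```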