SCP info not updating
Describe the bug
Playing around with the SCP functionality, I noticed that when I make a change to an SCP at the org level, it does not get reflected in my query preset privesc unless I delete or re-create the org data. I expected the orgs update would do the trick but it doesn't seem to do what I thought it did.
To Reproduce
1. There is 1 SCP, in the `playground` account, attached to the `dev` account. Let's say for example the SCP denies `iam:passrole`.
2. Using `playground` creds, run `pmapper orgs create`
3. Using `dev` creds, run `pmapper graph create --include-region us-east-1`
4. Using `dev` creds, run `pmapper orgs update --org ID`
5. Using `dev` creds, run `pmapper query --scps 'preset privesc *'` - All looks good
6. Update the SCP in the `playground` account. Either change it, or even detach it from the `dev` account
7. Using `playground` creds, run `pmapper orgs update --org ID`
8. Using `dev` creds, run `pmapper graph create --include-region us-east-1`
9. Using `dev` creds, run `pmapper orgs update --org ID`
10. Using `dev` creds, run `pmapper query --scps 'preset privesc *'` - The changes are not applied.
11. `rm -rf ~/.local/share/principalmapper` OR `pmapper create org` - Do steps 2-5 again and this time the results map to the change made in step 7.
Expected behavior
I would have expected `pmapper orgs update --org ID` to grab the newest SCP data and use that moving forward.
Also, it took me a minute to figure out this right incantation of getting pmapper to work with multiple accounts. Really cool that you have added this functionality, but the wiki could really use a how-to on using it! Once you set me straight on the right process, let me know if you'd like me to add something to the wiki. Or if you'd like to update it yourself, you are free to use my notes above as a starting point.
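The staleness described in this report comes down to a cached org snapshot that is read at query time but not re-pulled. The following is an added, simplified model (not PMapper's code or its on-disk format) of how an SCP ceiling combines with an identity policy, and of what a query returns before and after a cached snapshot is refreshed. The account id, the `OrgSnapshot` class, the policy fixtures and the `run_scenario` function are all constructed for this illustration.

```python
# Added illustration (not PMapper's code): why a locally cached SCP snapshot
# that is never refreshed answers "can this role call iam:PassRole?" wrongly.
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    effect: str   # "Allow" or "Deny"
    action: str   # one action pattern, e.g. "iam:PassRole" or "*"


def _matches(pattern: str, action: str) -> bool:
    """Case-insensitive IAM-style match supporting a trailing wildcard."""
    p, a = pattern.lower(), action.lower()
    if p.endswith("*"):
        return a.startswith(p[:-1])
    return p == a


def _policy_allows(statements, action: str) -> bool:
    """Explicit Deny wins; otherwise at least one Allow must match."""
    if any(s.effect == "Deny" and _matches(s.action, action) for s in statements):
        return False
    return any(s.effect == "Allow" and _matches(s.action, action) for s in statements)


def effective_allow(identity_policy, attached_scps, action: str) -> bool:
    """Simplified evaluation: the identity policy must allow the action AND
    every attached SCP must allow it (SCPs are a ceiling; they never grant)."""
    if not _policy_allows(identity_policy, action):
        return False
    return all(_policy_allows(scp, action) for scp in attached_scps)


class OrgSnapshot:
    """Stands in for org data stored locally: SCPs per account, captured once
    and only changed when explicitly refreshed from the live organization."""

    def __init__(self):
        self.scps_by_account = {}

    def refresh(self, live_scps_by_account):
        # Deep-copy so later edits to the live org do not leak into the cache.
        self.scps_by_account = {acct: [list(scp) for scp in scps]
                                for acct, scps in live_scps_by_account.items()}

    def query(self, account: str, identity_policy, action: str) -> bool:
        scps = self.scps_by_account.get(account, [])
        return effective_allow(identity_policy, scps, action)


# Constructed fixtures for the scenario in the bug report.
FULL_ACCESS = [Statement("Allow", "*")]                                   # like FullAWSAccess
DENY_PASSROLE = [Statement("Allow", "*"), Statement("Deny", "iam:PassRole")]
DEV_ACCOUNT = "111111111111"                                              # constructed sample id
DEV_ROLE_POLICY = [Statement("Allow", "iam:PassRole"), Statement("Allow", "lambda:*")]


def run_scenario():
    """Returns (initial, after_detach_without_refresh, after_detach_with_refresh)."""
    live = {DEV_ACCOUNT: [FULL_ACCESS, DENY_PASSROLE]}
    snap = OrgSnapshot()
    snap.refresh(live)
    initial = snap.query(DEV_ACCOUNT, DEV_ROLE_POLICY, "iam:PassRole")  # SCP denies: False

    live[DEV_ACCOUNT] = [FULL_ACCESS]  # the deny SCP is detached in the live org
    stale = snap.query(DEV_ACCOUNT, DEV_ROLE_POLICY, "iam:PassRole")    # cache unchanged: False

    snap.refresh(live)
    fresh = snap.query(DEV_ACCOUNT, DEV_ROLE_POLICY, "iam:PassRole")    # after refresh: True
    return initial, stale, fresh


if __name__ == "__main__":
    print(run_scenario())
```

The middle value of `run_scenario()` is the situation the report describes: the live org no longer denies the action, but any query that reads the cached snapshot keeps reporting the old deny until the snapshot is actually re-pulled or recreated.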
Hey there!
pmapper orgs update is an offline operation I added for when someone pulls data on an AWS Organization before pulling Graphs for each account in that Org.
Also, for cross-account stuff, I have https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#how-do-i-do-cross-account-authorization-checks for that. I'm thinking maybe shift from an FAQ to a "Frequent Use Case" thing instead?