Principal Mapper, or PMapper, is a tool and library for in-depth analysis with AWS Identity and Access Management, as well as AWS Organizations. PMapper stores data about AWS accounts and organizations, then provides options to query, visualize, and analyze that data. The library, written in Python, enables users to extend PMapper’s functionality for other use-cases. The project is hosted on GitHub at: https://github.com/nccgroup/PMapper
PMapper’s key features include:
- IAM policy simulation. The simulation code handles all types of policies and is backed with several test cases. This code runs locally on your machine, without calling the IAM simulation APIs.
- Query interfaces to determine who can access which resources or call which AWS APIs within an account. Additionally, these interfaces follow IAM User/Role chains where one principal can obtain and use credentials to authenticate as another principal (such as with
- Built-in analysis for privilege escalation within an AWS account, overprivileged EC2 instance profile roles, overprivileged Lambda execution roles, and EC2 instance privilege escalation via SSM.
- Visualization of cross-principal access and privilege escalation chains.
Since v1.0.0, we have improved on Principal Mapper based on internal and external feedback. The v1.1.0 release includes the following features:
- AWS Organizations support:
- Local storage of an organization, its structure, and applicable SCPs.
- Incorporation of SCPs into the query/argquery command-line functions, as well as during the account graph creation process.
- A cache for inter-account access in an organization.
- Support for other types of policies:
- Service Control Policies (SCPs).
- Session Policies.
- Resource Policies, including caching policies for S3 buckets, KMS keys, SNS topics, and SQS queues.
- Permission Boundaries.
Please give this update a whirl and let us know if you have any feedback!
For information on how to use PMapper, see the updated wiki at: https://github.com/nccgroup/PMapper/wiki
For bugs or questions, don’t hesitate to leave an issue at: https://github.com/nccgroup/PMapper/issues/new/choose