Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SCP info not updating #92

Open
sethsec-bf opened this issue Aug 19, 2021 · 1 comment
Open

SCP info not updating #92

sethsec-bf opened this issue Aug 19, 2021 · 1 comment
Labels
bug Something isn't working

Comments

@sethsec-bf
Copy link

sethsec-bf commented Aug 19, 2021
edited
Loading

Describe the bug

Playing around with the SCP functionality, I noticed that when I make a change to an SCP at the org level, it does not get reflected in my query preset privesc unless i delete or re-create the org data. I expected the orgs update would do the trick but it doesn't seem to do what I thought it did.

To Reproduce

  1. There is 1 SCP, in playground account, attached to dev account. Let's say for example the SCP deny's iam:passrole.
  2. Using playground creds, run pmapper orgs create
  3. Using dev creds, run pmapper graph create --include-region us-east-1
  4. Using dev creds, run pmapper orgs update --org ID
  5. Using dev creds, run pmapper query --scps 'preset privesc *'
  6. All looks good
  7. Update SCP in playground account. Either change it, or even detatch it from the dev account
  8. Using playground creds, run pmapper orgs update --org ID
  9. Using dev creds, run pmapper graph create --include-region us-east-1
  10. Using dev creds, run pmapper orgs update --org ID
  11. Using dev creds, run pmapper query --scps 'preset privesc *'
  12. The changes are not applied.
  13. rm -rf ~/.local/share/principalmapper OR pmapper create org
  14. Do steps 2-5 again and this time the results map to the change made in step 7.

Expected behavior
I would have expected pmapper orgs update --org ID to grab the newest scp data use that moving forward.

Also, it took me a minute to figure out this right incantation of getting pmapper to work with multiple accounts. Really cool that you have added this functionality, but the wiki could really use a how-to on using it! Once you set me straight on the right process, let me know if you'd like me to add something to the wiki. Or if you'd like to update it yourself, you are free to use my notes above as a starting point.
@sethsec-bf sethsec-bf added the bug Something isn't working label Aug 19, 2021
@ncc-erik-steringer
Copy link
Collaborator

ncc-erik-steringer commented Aug 20, 2021
edited
Loading

Hey there!

pmapper orgs update is an offline operation I added for when someone pulls data on an AWS Organization before pulling Graphs for each account in that Org.

Also, for cross-account stuff, I have https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#how-do-i-do-cross-account-authorization-checks for that. I'm thinking maybe shift from an FAQ to a "Frequent Use Case" thing instead?

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
@Frichetten
Merge pull request nccgroup#92 from Hacking-the-Cloud/add_info_to_pas…
3d7004a 
…s_role_ec2_priv_esc

Added details to the Pass Role EC2 Priv Esc.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ncc-erik-steringer @sethsec-bf