How do I assess IAM permissions on AWS?

If you use Amazon services, and AWS in particular, you are almost certainly using IAM to manage the identities and access rights of your organization.

To reduce the risk, NCC Group has released Principal Mapper (PMapper), a script (plus a library) that identifies risks by analyzing the IAM configuration. To do this, the tool models the different users and roles, and the rights granted to them, as a graph.

From that graph you can then check whether privilege escalation is possible, or whether some other path leads to a resource or action on AWS that is supposed to be restricted. PMapper also checks whether a given user or role can gain access to other users or roles that in turn have their own access to that action or resource.

Using PMapper, you can thus detect scenarios where a user does not have permission to read an S3 object directly, but could get around that by launching an Amazon EC2 instance that is able to read that S3 object.
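To make the graph idea concrete, here is a small added example in Python (it is not PMapper's own code or API, and every user, role and bucket name in it is constructed for the demonstration). Principals are nodes; an edge from one principal to a role is derived from the configuration whenever the first can obtain the role's permissions, either by assuming a role that trusts it or by passing it to a new EC2 instance. A breadth-first search then answers the two questions the post describes: can this principal reach a given action on a given resource, and who in the account can.

```python
import fnmatch
from collections import deque

# Constructed sample IAM configuration (hypothetical names).  Each principal
# maps to the (action, resource) pairs its own policies allow; "*" wildcards
# are honoured, as in IAM.
DIRECT_ALLOWS = {
    "user/alice": {("iam:PassRole", "role/ec2-reader"), ("ec2:RunInstances", "*")},
    "user/bob":   {("s3:GetObject", "bucket/secrets/*")},
    "user/carol": {("sts:AssumeRole", "role/admin")},   # not in admin's trust policy
    "user/dave":  {("sts:AssumeRole", "role/admin")},   # trusted by admin
    "role/ec2-reader": {("s3:GetObject", "bucket/secrets/*")},
    "role/admin": {("*", "*")},
}

# Role trust policies (constructed): role -> principals allowed to assume it.
TRUSTED_BY = {
    "role/ec2-reader": {"service/ec2"},
    "role/admin": {"user/dave"},
}


def allowed(principal, action, resource):
    """True if the principal's own policies allow `action` on `resource`."""
    return any(fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for a, r in DIRECT_ALLOWS.get(principal, ()))


def build_edges(allows=DIRECT_ALLOWS, trusted_by=TRUSTED_BY):
    """Derive the graph: an edge p -> role, labelled with the mechanism, exists
    when p can obtain the role's permissions.  Two mechanisms are modelled:
    assuming a role whose trust policy names p, and passing a role that trusts
    the EC2 service to an instance p is allowed to launch."""
    edges = {p: {} for p in allows}
    roles = [p for p in allows if p.startswith("role/")]
    for p in allows:
        for role in roles:
            if role == p:
                continue
            if allowed(p, "sts:AssumeRole", role) and p in trusted_by.get(role, ()):
                edges[p][role] = "sts:AssumeRole"
            elif (allowed(p, "iam:PassRole", role) and allowed(p, "ec2:RunInstances", "*")
                  and "service/ec2" in trusted_by.get(role, ())):
                edges[p][role] = "iam:PassRole + ec2:RunInstances"
    return edges


def find_path(edges, start, action, resource):
    """Breadth-first search from `start`.  Returns the list of principals
    traversed to reach one that is directly allowed the action, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if allowed(node, action, resource):
            return path
        for nxt in edges.get(node, {}):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def who_can(edges, action, resource):
    """Every principal that can perform the action, directly or via a chain."""
    return sorted(p for p in edges if find_path(edges, p, action, resource) is not None)


def explain(edges, path):
    """Render a path as 'a --[mechanism]--> b' for a review report."""
    steps = [path[0]]
    for a, b in zip(path, path[1:]):
        steps.append(f"--[{edges[a][b]}]--> {b}")
    return " ".join(steps)


if __name__ == "__main__":
    graph = build_edges()
    target = ("s3:GetObject", "bucket/secrets/report.csv")
    for user in ("user/alice", "user/bob", "user/carol", "user/dave"):
        path = find_path(graph, user, *target)
        print(user, "->", explain(graph, path) if path else "no path")
    print("all who can:", who_can(graph, *target))
```

Running it shows alice reaching the object only through role/ec2-reader (the scenario described above), carol getting nowhere because role/admin's trust policy does not name her, and the "who can" query listing every principal with a path, which is the view a reviewer wants when deciding which policies to tighten.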

In short, a very clever little script, and its library is easy to integrate into your own tools.

Further documentation here.
