Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Check for single node sts:AssumeRole cycles #113

Closed
wants to merge 1 commit into from
Closed

[WIP] Check for single node sts:AssumeRole cycles #113

wants to merge 1 commit into from

Conversation

RyanJarv
Copy link

@RyanJarv RyanJarv commented Apr 7, 2022
edited
Loading

When a role attempts to assume it self an explicit allow in the trust policy is not strictly necessary for access. An explicit
allow in the identity policy is sufficient.

This applies to the circular access check because role revocations do not effect very recently refreshed credentials. When a role can assume it self, a bash loop calling aws sts assume-role and exporting the new credentials to the environment will bypass a revocation triggered through the web UI.

I still need to add tests, etc.. just wanted to open this in the mean time in case anyone has any thoughts on this.

Edit: Ok, just read the contributing section, I'll need to change the base and open an issue as well.

@RyanJarv
Check for single node sts:AssumeRole cycles
4be50d6 
When a role attempts to assume it self an explicit allow in the
trust policy is not strictly necessary for access. An explicit
allow in the identity policy is sufficient.

This applies to the circular access check because role revocations
do not effect very recently refreshed credentials. When a role can
assume it self, a bash loop calling sts assume-role and exporting
the new credentials to the environment will bypass a revocation
triggered through the web UI.
@RyanJarv RyanJarv changed the title Check for single node sts:AssumeRole cycles [WIP] Check for single node sts:AssumeRole cycles Apr 7, 2022
@RyanJarv RyanJarv changed the base branch from master to v1.2.0-dev April 7, 2022 04:41
@RyanJarv RyanJarv changed the base branch from v1.2.0-dev to master April 7, 2022 04:41
@ncc-erik-steringer
Copy link
Collaborator

In general we do not track edges where the source and destination Node are the same, which helps simplify other algorithms and eliminates redundancy for identifying effective permissions.

However, I think this would be a great idea for a new preset query. Right now the only real persistence check we have is for 2+ Node objects with edges that create a cycle between them (circular access finding from analysis):

PMapper/principalmapper/analysis/find_risks.py

Line 364 in 91d2e60

def gen_circular_access_finding(graph: Graph) -> List[Finding]:

It might be nice to create a persistence preset query that goes through one or more Node objects in a Graph to identify things like when someone can reassume a role (does this drop session policies?) or chains of Edge that go back to the source Node, etc.

@RyanJarv
Copy link
Author

RyanJarv commented Apr 7, 2022

Ok let me think about this for a bit.

Another thought I had, to avoid tracking these kind of edges, is to redo the policy checking in the circular access finding.

It might be slightly redundant, but at least it would be O(n) since you only need to check against the current node.

@RyanJarv
Copy link
Author

Sorry for the delay on this. I do plan on plan on addressing your concerns as I'd like to get this merged.

I am a bit busy at the moment though, so if you'd like to close it for now just to clean up outstanding PR's I can reopen it when I've dug into this more.

@RyanJarv RyanJarv closed this Jun 2, 2022
wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this pull request Sep 5, 2022
@Frichetten
Merge pull request nccgroup#113 from Hacking-the-Cloud/update_ec2_cre…
c22d828 
…dential_exfiltration

Update nccgroup#109: Updated the credential exfiltration article
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@RyanJarv @ncc-erik-steringer