PMapper

A tool for quickly evaluating IAM permissions in AWS.

Tags AWS, Open Source, Self Hosted Only
Category Identity & Access Management
GitHub Stars 1443
Last Commit 2 years ago
This page updated a month ago
Pricing Details Free and open-source under the GNU Affero General Public License v3.0.
Target Audience Cloud security professionals, AWS administrators, and DevOps engineers.

Principal Mapper (PMapper), developed by NCC Group, evaluates and visualizes the relationships inside an AWS Identity and Access Management (IAM) configuration. It models the IAM users and roles of an account as a directed graph whose edges represent ways one principal can obtain the permissions of another, which makes privilege escalation paths and indirect access routes that an attacker could abuse straightforward to find and follow.

PMapper is written in Python (3.5+) and uses the botocore library to pull IAM data, then simulates AWS's authorization behavior locally. It considers indirect access as well as direct permissions: a user who lacks s3:GetObject but can pass a role to an EC2 instance and launch it is treated as able to read any object that role can read. Graphs are rendered with pydot and Graphviz, which makes the overall IAM landscape much easier to reason about than raw policy documents.

Operationally, PMapper needs AWS credentials that can read the account's IAM configuration: supply them through environment variables or a named profile, or, when running the Docker image, mount the ~/.aws/ directory into the container. Graph creation only reads IAM, so run it with the least privilege needed to enumerate users, roles and policies rather than with administrative credentials. The command line offers subcommands for building the graph, querying it and visualizing access paths, with filters such as restricting output to privilege escalation scenarios. Graph size grows with the number of principals and policies, so query times lengthen and rendered graphs become crowded in large accounts; asking specific questions and filtering the output scales better than trying to read the full graph.

Queries can be granular, for example asking who can perform s3:GetObject against a wildcard resource (the canonical query reads: who can do s3:GetObject with *). Visualizations can be written as SVG for a detailed graphical view of the access relationships. Two caveats apply: the authorization model is a local approximation that does not reproduce every condition key or resource-based policy nuance, so confirm high-impact findings against the real account before acting on them, and the tool is most useful to people who already understand IAM evaluation logic and the specific environment under review.
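To make the graph model, the local authorization simulation and the "who can do" query concrete, here is an added example that re-creates the core idea in a few dozen lines. It is not PMapper's own code and does not use its API; the account id, user and role names, policies and trust relationships are all constructed for illustration. It implements only identity-based policy evaluation (explicit Deny over Allow over implicit deny, with IAM-style wildcards), derives two kinds of edge that PMapper also tracks (sts:AssumeRole, and iam:PassRole plus ec2:RunInstances against a role that trusts the EC2 service), and then answers "who can do s3:GetObject with a given object" by searching the graph.

```python
import re
from collections import deque

ACCOUNT = "123456789012"  # constructed sample account id, not a real account


def _arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"


def iam_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Actions compare case-insensitively, resource ARNs case-sensitively."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _listify(x):
    return x if isinstance(x, list) else [x]


def is_authorized(policies, action, resource):
    """Local approximation of IAM evaluation for identity-based policies only:
    a matching explicit Deny wins, otherwise any matching Allow grants access,
    otherwise the request is implicitly denied. Condition keys, resource
    policies, SCPs and permission boundaries are out of scope in this toy."""
    allowed = False
    for policy in policies:
        for stmt in _listify(policy["Statement"]):
            if not any(iam_match(a, action, True) for a in _listify(stmt.get("Action", []))):
                continue
            if not any(iam_match(r, resource) for r in _listify(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed sample account: hypothetical users and roles with their policies
# and (for roles) the principals allowed by the trust policy.
PRINCIPALS = {
    "user/alice": {"trust": {}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": _arn("role", "app-instance-role")}]}]},
    "user/bob": {"trust": {}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/secret/*"}]}]},
    "user/carol": {"trust": {}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": _arn("role", "admin")}]}]},
    # dave may call sts:AssumeRole, but the admin role's trust policy does not list him
    "user/dave": {"trust": {}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": _arn("role", "admin")}]}]},
    "role/app-instance-role": {"trust": {"Service": ["ec2.amazonaws.com"]}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}]},
    "role/admin": {"trust": {"AWS": [_arn("user", "carol")]}, "policies": [{"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
}


def build_edges(principals):
    """Directed edges 'src can act as dst'. Only roles can be targets here."""
    edges = {name: [] for name in principals}
    for src, sdata in principals.items():
        for dst, ddata in principals.items():
            if src == dst or not dst.startswith("role/"):
                continue
            role_arn = _arn("role", dst.split("/", 1)[1])
            trust = ddata["trust"]
            if (_arn(*src.split("/", 1)) in trust.get("AWS", [])
                    and is_authorized(sdata["policies"], "sts:AssumeRole", role_arn)):
                edges[src].append((dst, "sts:AssumeRole"))
            if ("ec2.amazonaws.com" in trust.get("Service", [])
                    and is_authorized(sdata["policies"], "iam:PassRole", role_arn)
                    and is_authorized(sdata["policies"], "ec2:RunInstances", "*")):
                edges[src].append((dst, "iam:PassRole + ec2:RunInstances"))
    return edges


def who_can_do(principals, action, resource):
    """Breadth-first search from every principal; returns {principal: path},
    where path is a list of (reached principal, edge) hops and [] means the
    principal is directly authorized. Principals with no path are omitted."""
    edges = build_edges(principals)
    results = {}
    for start in principals:
        queue, seen = deque([(start, [])]), {start}
        while queue:
            node, path = queue.popleft()
            if is_authorized(principals[node]["policies"], action, resource):
                results[start] = path
                break
            for dst, how in edges[node]:
                if dst not in seen:
                    seen.add(dst)
                    queue.append((dst, path + [(dst, how)]))
    return results


if __name__ == "__main__":
    for obj in ("arn:aws:s3:::data-bucket/report.csv", "arn:aws:s3:::data-bucket/secret/key.txt"):
        print(f"who can do s3:GetObject with {obj}")
        for who, path in who_can_do(PRINCIPALS, "s3:GetObject", obj).items():
            print(f"  {who}: {'direct' if not path else ' -> '.join(f'{d} ({h})' for d, h in path)}")
```

In the constructed account, alice has no S3 permission at all yet reaches every object through the instance role, bob reads the bucket directly except for the secret/ prefix the Deny statement carves out, carol reaches everything through the admin role, and dave is absent from the results because the trust policy, not just his own permissions, decides whether an sts:AssumeRole edge exists. Those are exactly the distinctions PMapper's real graph is built to surface, with far more edge types and a much more complete evaluation of conditions than this toy attempts.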
