Optimization: GetAccountAuthorizationDetails · Issue #26 · nccgroup/PMapper · GitHub

Optimization: GetAccountAuthorizationDetails #26


Closed
danieladams456 opened this issue Aug 12, 2019 · 5 comments

@danieladams456

From AWS blog:

With the GetAccountAuthorizationDetails API you can get a snapshot of your IAM entities with a single API call. Previously you had to use a combination of multiple API calls, some of which had to be called multiple times. With your IAM settings in one place you could use the output to monitor your intended IAM settings, store snapshots to understand differences in your IAM settings between points in time, and show IAM settings for auditing purposes.

Somehow I missed this for a long time, but it has made my code much easier. I don't have to paginate through getting roles and connected inline policies, just do a single 10 second API call that returns 3MB of JSON. I wonder if it would streamline things enough such that maybe enhancements like #25 would be less necessary.

It even includes instance profiles so a straight listing of ec2 describe-instances could be linked up without api call pivots. A similar situation would work for Lambda with list-functions.

@ncc-erik-steringer
Collaborator

I hadn't noticed this API before. It definitely would knock out a bunch of the work that goes into the graphing portion. The only concern I have is scaling, but the API hints that pagination is available.

@danieladams456
Author
danieladams456 commented Aug 12, 2019

Yeah, I had just been using the CLI before. Trying it with the API it really was 13 pages. Still not bad for 600 roles and associated policies.

Not the most elegant, but easy to reason about. All these accumulate independently over the pages.

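import boto3

# IAM client; credentials and region come from the default boto3 session
iam = boto3.client('iam')


def do_pull():
    # temporary accumulator variables, one per top-level list in the response
    UserDetailList = []
    GroupDetailList = []
    RoleDetailList = []
    Policies = []

    # each page carries a slice of every list, so extend all four per page
    for res in iam.get_paginator('get_account_authorization_details').paginate():
        UserDetailList.extend(res['UserDetailList'])
        GroupDetailList.extend(res['GroupDetailList'])
        RoleDetailList.extend(res['RoleDetailList'])
        Policies.extend(res['Policies'])

    # merged snapshot, keyed like a single unpaginated response
    return {
        'UserDetailList': UserDetailList,
        'GroupDetailList': GroupDetailList,
        'RoleDetailList': RoleDetailList,
        'Policies': Policies,
    }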
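
An added example, not part of the thread or of PMapper's code: resolving an EC2 instance's policies from the merged snapshot alone, as the opening comment suggests for instance profiles. The function names, the `_allow` helper and the sample data are constructed for illustration; the dictionary keys follow the GetAccountAuthorizationDetails and describe-instances response shapes.

```python
def index_instance_profiles(snapshot):
    """Map instance profile ARN -> [{role_arn, inline, managed}, ...]."""
    # Managed policy ARN -> document of its default (active) version.
    managed_docs = {}
    for policy in snapshot.get('Policies', []):
        for version in policy.get('PolicyVersionList', []):
            if version.get('IsDefaultVersion'):
                managed_docs[policy['Arn']] = version['Document']
    profiles = {}
    for role in snapshot.get('RoleDetailList', []):
        entry = {
            'role_arn': role['Arn'],
            'inline': {p['PolicyName']: p['PolicyDocument']
                       for p in role.get('RolePolicyList', [])},
            # None = attached policy whose document is not in the snapshot
            'managed': {a['PolicyArn']: managed_docs.get(a['PolicyArn'])
                        for a in role.get('AttachedManagedPolicies', [])},
        }
        for profile in role.get('InstanceProfileList', []):
            profiles.setdefault(profile['Arn'], []).append(entry)
    return profiles

def policies_for_instance(profiles, instance):
    """instance: one entry from ec2 describe-instances output."""
    arn = instance.get('IamInstanceProfile', {}).get('Arn')
    return profiles.get(arn, [])

def _allow(action):  # constructed single-statement policy document
    return {'Version': '2012-10-17',
            'Statement': [{'Effect': 'Allow', 'Action': action, 'Resource': '*'}]}

# Constructed sample in the shape do_pull() returns (not real account data).
ACCT = 'arn:aws:iam::111122223333'
SAMPLE = {
    'RoleDetailList': [{
        'RoleName': 'web', 'Arn': ACCT + ':role/web',
        'InstanceProfileList': [{'Arn': ACCT + ':instance-profile/web'}],
        'RolePolicyList': [{'PolicyName': 'logs',
                            'PolicyDocument': _allow('logs:PutLogEvents')}],
        'AttachedManagedPolicies': [
            {'PolicyName': 'S3Read', 'PolicyArn': ACCT + ':policy/S3Read'},
            {'PolicyName': 'Gone', 'PolicyArn': ACCT + ':policy/Gone'}],
    }],
    'Policies': [{
        'Arn': ACCT + ':policy/S3Read',
        'PolicyVersionList': [
            {'VersionId': 'v1', 'IsDefaultVersion': False, 'Document': _allow('s3:*')},
            {'VersionId': 'v2', 'IsDefaultVersion': True,
             'Document': _allow('s3:GetObject')}],
    }],
}
```

A `None` under `managed` flags an attachment whose document was not returned, which can happen when the call is narrowed with the API's `Filter` parameter.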

@ncc-erik-steringer ncc-erik-steringer self-assigned this Sep 20, 2019
@ncc-erik-steringer
Collaborator

Aiming to fix this with #36 and deploy the change in the next micro version.

@ncc-erik-steringer
Collaborator

Looping back around here, I think I'm gonna aim to implement this now in v1.1.0 to address #41 since the iam:ListUsers API ain't gonna return it.

@ncc-erik-steringer
Collaborator

Completed in 5828a87 for eventual release of v1.1.0.

wdahlenburg pushed a commit to wdahlenburg/PMapper that referenced this issue Sep 5, 2022
…ser_role

Added article on unauthenticated iam enumeration