Releases: duo-labs/cloudmapper
2.10.0
The main improvement is to update the packages and hopefully fix some of the package issues on install. As a result of updating botocore, CloudMapper now recognizes that ap-northeast-3 is a valid region to collect from.
Since the last release, some of the biggest changes are:
- Lots of new vendors added by @kbroughton in #820
- Desync mitigation checked for in ELBv1 by @cbeltranbird in #807
Lots of smaller bug fixes and improvements by a number of folks.
2.9.1
Major features:
- #726 Checks ALBs to see if they've disabled the functionality that allows HTTP request smuggling. See https://portswigger.net/web-security/request-smuggling for more.
- #724 Check if Access Analyzer is enabled
- #722 Checks IMDSv2 is enabled
- #719 Uses route53:ListHostedZonesByVPC to check whether there are hosted zones from other accounts in the VPC
Bug fixes and other:
2.9.0
Major changes:
- #696 Switch from using pipenv to pip with requirements.txt by me
- #704 Add missing dependencies from that switch by @jaywon
- #669 Bug fix for identifying resources that are open on all ports. I wasn't finding those previously. That is a bad bug. Fixed by me.
- #698 Region filter added by @tgrushka so if you have an SCP restricting you to certain regions (or if you just don't want to waste time collecting from all regions), it'll only collect from the ones you specify.
Other changes:
- #638 IAM report can be output as json thanks to @nimrodkor
- #640 bug fix from @maestretti for a wrong key being looked for in some json
- #643 bug fixes and additional SAML providers by @nimrodkor
- #646 show inline policies correctly, from @nimrodkor
- #653 Added vendors CloudZero, PAN & Workato by @nimrodkor
- #665 Bug fix for IAM report by @nimrodkor
- #664 Typo fix in the docs by @kpauwel
- #659 Silently pass over OpenID connections by @nimrodkor. Need to add a warning, ticketed in #660
- #658 Adds google auth to weboftrust by @nimrodkor
- #654 Adds flag to not include node data in network visualization to make that faster, by @schosterbarak
- #675 Hide the policyuniverse warnings by @andrewkrug
- #703 access_check now prints json, by me
- #671 Fixes KMS exceptions in collect by @andrewkrug
2.8.2
Upgrades the CDK to avoid AWS warnings about using an old Lambda run-time, which was being used by the CDK helper functions.
Upgrades Parliament.
2.8.1
Adds the access_check command, a proof-of-concept feature that I don't have time to work much more on right now. The concept is that, given a resource (such as an S3 bucket), it identifies all of the IAM users and roles that have access to that resource. The resource ARN can contain wildcards. It takes both the IAM policies and the permissions boundaries of the principals into consideration. It does not consider resource policies or SCPs. You can further scope this to a specific IAM privilege. It also takes the principal tags into consideration in IAM conditions.
This ends up not doing exactly the type of things you might want, because if you specify an S3 bucket, it identifies only those privileges that act on S3 buckets, not S3 objects. Further, if you specify an EC2, it doesn't consider the Security Groups, VPCs, etc. that are also very relevant to the question of who can impact that EC2.
The concepts around IAM conditions are also fairly incomplete, especially because it doesn't consider the resource tags or any resource specific variables.
2.8.0
Adds parliament (https://github.com/duo-labs/parliament) for linting.
Also minor updates for the following:
- Thanks to @nimrodkor for adding Cloudyn to the vendors shown in the weboftrust
- Thanks to @DanielRDias for corrections to the README
- Updated the CDK to a more recent version for the nightly auditor (I had hoped this would fix the CDK helper functions that use a soon to be EOL'd run-time, but the CDK hasn't fixed that yet. Hopefully they'll fix it soon and I'll update this project then).
2.7.2
Minor version bump to fix an issue that showed essentially the same finding twice: when an EC2 role had admin privileges, it was also being listed as an S3 exfiller. Also whitelisted Macie to avoid it being listed as an S3 exfiller.
2.7.1
When an admin is identified that can be assumed by a service, such as EC2, this is now its own finding (High severity).
Similarly, if a principal can list the S3 buckets in the account and exfil data from them, and this is an EC2, this is now its own finding (High severity). This could create high severity alerts more often than I think it should.
It is checking for s3:ListAllMyBuckets and s3:GetObject. Please let me know if it does flag things you have legitimate reasons for and what the situation is where this is OK.
There is also now an ability to filter findings by severity, so if you only wanted to send High severity alerts to Slack, but still have your nightly auditor generate a report with any Medium, Low, or Info level alerts, you can do that now.
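As an added illustration of the access_check idea in 2.8.1 and the EC2 S3-exfiltration finding in 2.7.1 (example code written here, not CloudMapper's own): a minimal evaluator over constructed IAM data that applies identity policies, permission boundaries and wildcard ARN matching, then asks the two questions those releases describe. The principal layout, the sample policies and the `is_allowed`/`access_check`/`ec2_s3_exfil_findings` names are assumptions, and resource policies, SCPs and IAM conditions are left out, as the 2.8.1 notes say the feature does.

```python
import re
# Constructed sample of collected IAM data (not from a real account): identity policy
# statements, an optional permission boundary, and the service that may assume the role.
PRINCIPALS = {
    "role/app-server": {
        "assumable_by_service": "ec2.amazonaws.com",
        "policies": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}],
        "boundary": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListAllMyBuckets"], "Resource": ["*"]}],
    },
    "user/alice": {"policies": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::logs-*/*"]}]},
    "user/bob": {"policies": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
                              {"Effect": "Deny", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::secrets/*"]}]},
}

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _statements_allow(statements, action, resource):
    """Deny-overrides evaluation; a policy resource is relevant if it covers the
    queried ARN or the (possibly wildcarded) queried ARN covers it."""
    allowed = False
    for s in statements:
        if (any(_matches(a, action, True) for a in s["Action"])
                and any(_matches(r, resource) or _matches(resource, r) for r in s["Resource"])):
            if s["Effect"] == "Deny":
                return False  # an explicit Deny wins over any Allow
            allowed = True
    return allowed

def is_allowed(principal, action, resource):
    """Identity policies must allow and the permission boundary (if any) must allow too.
    Resource policies, SCPs and IAM conditions are deliberately not modelled."""
    if not _statements_allow(principal["policies"], action, resource):
        return False
    return "boundary" not in principal or _statements_allow(principal["boundary"], action, resource)

def access_check(principals, resource, action):
    """Who can perform `action` on `resource`? (The access_check idea from 2.8.1.)"""
    return sorted(n for n, p in principals.items() if is_allowed(p, action, resource))

def ec2_s3_exfil_findings(principals):
    """EC2-assumable principals that can list buckets and read objects (the 2.7.1 finding)."""
    return sorted(n for n, p in principals.items()
                  if p.get("assumable_by_service") == "ec2.amazonaws.com"
                  and is_allowed(p, "s3:ListAllMyBuckets", "*")
                  and is_allowed(p, "s3:GetObject", "arn:aws:s3:::*"))
```

Note how the boundary on role/app-server stops its s3:* grant from covering s3:PutObject, while the explicit Deny on user/bob removes only the secrets bucket from an otherwise broad grant.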
2.7.0
Ability to run as a nightly auditor added in #562.
Blog post: https://duo.com/blog/continuous-auditing-with-cloudmapper
Description of how to use at https://github.com/duo-labs/cloudmapper/blob/master/auditor/README.md
2.6.6
New features
- Ability to have custom auditors and use code to mute/filter audit findings (#559)
- @DanielRDias added the ability to find unused ELBs to find_unused (#558)
- More descriptive audit findings to get the name of the EC2 instance and associated tags for the EC2_OLD and EC2_SOURCE_DEST_CHECK_OFF findings (#555)
- Audit report now includes a table of contents at the top with the headers linked (#554)
- Vendor list now includes Rapid7 (thanks to @nimrodkor in #551) and ThreatStack (thanks to @koenrh in #548)
Bug fixes
- @divergentdave fixed exceptions from the sg_ips command (#530)
- No longer creates a finding of unexpected action when sts:AssumeRoleWithWebIdentity is seen (#553)
- Identifies the default region to hopefully work better with GovCloud or AWS China (#515)