
Releases: duo-labs/cloudmapper

2.6.5

09 Aug 18:29
3b8022c

Bug fixes.

  • #515: The region to use for global services (e.g. us-east-1) should be better identified now.
  • #518: pyjq updated to version 2.3.1, which also fixed a bug that was apparently hidden by the older version.
  • #519: No longer collects apigateway deployments, as the default privileges don't allow that. Also took some steps to deprecate the api_endpoints command, since it hasn't been working because the data it needs does not exist.

2.6.4

07 Aug 20:54
00a98a4

Various bug fixes.
Allows web hosting to use a relative path.

Thanks to:

  • @andresriancho: Making the output of the public command a single json array as opposed to individual json blobs (#504)
  • @JonZeolla: Doing some of the initial work for web paths being relative (#506)
  • @jshodd: Fixing a bug when reports are made (#507)

2.6.3

30 Jul 19:14
fda0b67

Adds the ability for find_admins to look for arbitrary privileges. For example, to find users and roles that can list what S3 buckets exist in an account, or list the contents of S3 buckets, use:

python cloudmapper.py find_admins --account test --privs s3:ListAllMyBuckets,s3:ListBucket

Also adds a json output flag --json. This is not too useful now; one day I'd like to include extra info, such as which of the actions have been granted and what policies granted them.

Also adds a flag --include_restricted to include principals that have one of the privileges, but with a resource other than * or with a condition set. The default is not to show principals with these restrictions. IAM policies are complicated, so both modes can produce false positives depending on what you are interested in. For example, if iam:* is only allowed when MFA is enabled, an IAM user with this policy would not show up by default, but would if --include_restricted was passed.
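To illustrate the distinction the --include_restricted flag draws, here is an added Python example (not cloudmapper's own code) that scans constructed IAM policy documents for principals allowed any of the requested privileges, reporting only Resource "*" grants without a Condition unless include_restricted is set. The any-of matching and the exact restriction criterion are assumptions that follow the description above, not the tool's implementation.

```python
import fnmatch

# Constructed sample policies keyed by principal name (not cloudmapper's own test data).
SAMPLE_POLICIES = {
    "admin-with-mfa": {"Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "bucket-lister": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:ListBucket"], "Resource": "*"}]},
    "one-bucket-reader": {"Statement": [
        {"Effect": "Allow", "Action": "s3:List*", "Resource": "arn:aws:s3:::example-bucket"}]},
    "unrelated": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

def _as_list(value):
    # IAM allows either a single string or a list in Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, privilege):
    # IAM action names are case-insensitive and may use * and ? wildcards,
    # which is exactly the matching fnmatch implements.
    return fnmatch.fnmatchcase(privilege.lower(), pattern.lower())

def find_principals(policies, privs, include_restricted=False):
    """Return {principal: [matched privs]} for principals allowed at least one of privs.
    An Allow counts as unrestricted only when Resource is "*" and there is no Condition
    (assumed criterion); other grants are reported only with include_restricted. Deny
    statements, permission boundaries and resource policies are ignored, which is one
    source of the false positives mentioned above."""
    results = {}
    for name, policy in policies.items():
        granted = set()
        for stmt in _as_list(policy["Statement"]):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            unrestricted = (_as_list(stmt.get("Resource", [])) == ["*"]
                            and "Condition" not in stmt)
            if not unrestricted and not include_restricted:
                continue
            actions = _as_list(stmt["Action"])
            granted.update(p for p in privs if any(_action_matches(a, p) for a in actions))
        if granted:
            results[name] = sorted(granted)
    return results

if __name__ == "__main__":
    print(find_principals(SAMPLE_POLICIES, ["s3:ListAllMyBuckets", "s3:ListBucket"]))
    print(find_principals(SAMPLE_POLICIES, ["iam:CreateUser"], include_restricted=True))
```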

2.6.2

25 Jul 19:12
3ef2ba0
  • Adds audit override config file so you can control what audit items you care about and also ignore resources based on a regex.

2.6.1

24 Jul 18:32
2e7cd8d

find_unused now leverages some aspects of the network graph in order to better determine what Security Groups are actually unused. This was necessary for identifying Lambdas specifically as discussed in #486.

2.6.0

18 Jul 21:37
601a2fa

New command find_unused returns json to identify the unused security groups, elastic IPs, network interfaces, and volumes.

Also, trying to view the network graph without first running prepare now shows an error. Thanks @yoava333 !

2.5.9

16 Jul 19:40
35928f0
  • Updates readme with screenshots
  • Updates demo report
  • Check instance age to find pets
  • Check for assume role from anywhere

2.5.8

15 Jul 22:41
9481d79
  • Adds more vendors to web of trust view
  • Bug fixes around IAM auditing
  • Adds detections for known bad IAM policies

2.5.7

11 Jul 20:48
ba3588e

Bug fixes for #307, #410, #447, #442, and #444

Ran python/black on it to set the formatting: https://github.com/python/black

2.5.6

10 Jun 03:03
4128af2
  • Moves IAM auditing into the report
  • Should fix some old bugs where people had resources without Security Groups or Tags, which the code did not previously account for.
  • Removes the audit check for any use of Kafka as that now has encryption in transit.
  • Removes the directions from the README to add an additional privilege for lightsail loadbalancers as that privilege is now in SecurityAudit.