Releases: WithSecureLabs/awspx

v1.3.4

25 Aug 12:49

Bug Fixes

  • Fixes inoperable UI redact selection
  • Fixes UI database URI generation issue with non-standard ports
  • Fixes UI search highlighting
  • Fixes profile --create creation bug
  • Fixes unhandled IllegalLocationConstraintException and UnauthorizedOperation ingestion exceptions
  • Fixes unhandled error when EC2 instance user data is unavailable (thanks @bytebutcher)
  • Fixes inability to load multiline CSV data
  • Fixes erroneous non-dependent source node attack exclusion
  • Fixes Grants and CreateAction attack definition option interoperability
  • Fixes attack computation off-by-one logic error
  • Fixes ignored action conditions in attack definition Cypher values
  • Fixes discovered attacks tally
  • Fixes inadvertent Generic Policy deletion
  • Fixes console message style overlap

Improvements

  • Upgrades Neo4j from 3.5.13 to 4.3.2
  • Adds Neo4j APOC support
  • Updates Ingestor resource model logic
  • Adds NatGateway EC2 ingestion support
  • Adds EC2 PlacementGroup Instance associations
  • Removes redundant RouteTable associations
  • Adds explicit Admin relationship to all resources
  • Adds UI search re-add and resource selection functionality
  • Adds UI tag-based resource searching
  • Adds UI PermissionsBoundary property resolution and edge stylization
  • Updates dynamic graph stylization
  • Adds AffectsGeneric attack definition option
  • Adds ordering by --only-attacks if specified
  • Adds support for list-based attack definition Descriptions
  • Standardizes CreatePolicy attack logic
  • Adds caching logic for attack definition translation
  • Removes profile notice from --verbose
  • Adds console tasklist support for function-based wait and done parameters
  • Adds UI search visibility toggling using Ctrl + s

Other Changes

  • Defaults ingestion to --verbose (graphical output replaced with --pretty)
  • Updates UI graph defaults to display unknown nodes and edges
  • Updates attack placeholder syntax from ${A}.B to ${A.B}
  • Updates attack pruning to remove patterns with outdegree 0
  • Updates UI path searching to incorporate weight (deprecates some attack pruning logic)
  • Removes Domain principal exclusion
  • Removes legacy Grants option from CreateRole attack definition
  • Removes User Depends from CreateGroup attack definition
  • Updates attack definition placeholder regex
  • Updates the ARN for Effective Admin
  • Updates the hotkey for running an advanced query to Ctrl + enter
  • Fixes spelling mistake in cli.py (thanks @dmyates)

v1.3.3

07 Apr 13:29

Bug Fixes

  • Fixes KeyError arising from SessionClientWrapper empty result set
  • Fixes --database ingestion input validation
  • Fixes resource-based policy principal IndexError (#41)
  • Fixes Bucket ACLs

Improvements

  • Adds resource-based policy OidcProvider Principal support
  • Adds z label to docker volume mount options (#43) (thanks @unsubtleguy)
  • Adds ExternalID support to --assume-role ingestion (thanks @dmyates)
  • Improve collection manager logic
  • Add support for ? expressions in resource-level permissions

Other Changes

  • Add support for rich v10
  • Update action and resource definitions
  • Update web action properties

v1.3.2

26 Jan 09:33

Bug Fixes

  • Fixes cypher autocomplete not loading
  • Fixes INSTALL $PATH check (#40)
  • Fixes mishandling of Canonical role principals (#41)
  • Fixes Principal warnings
  • Fix IllegalLocationConstraintException (thanks @bking-1992)

Other Changes

  • Updates packages
  • Updates Dockerfile
  • Updates .gitignore

v1.3.1

14 Sep 09:06

Bug Fixes

  • Fixes Neo4j occasionally failing to start during ingestion
  • Fixes S3 error handling (client AccessDenied exceptions no longer fatal)
  • Fixes Document modifications added during parsing
  • Fixes critical log message truncation
  • Fixes UpdateRole attack commands

Improvements

  • Updates base ingestor resource model
  • Adds awspx container checks
  • Defers node property deletion to Transitive creation

Other Changes

  • Adds preliminary support for multiple ZIPs (#34)
  • Allows new database names with awspx ingest
  • Refactors policy.py
  • Update filtered resource log messages
  • Removes list_user_mfa_devices from IAM with --quick
  • Logs Policy/action resolution details
  • Updates error, warning, and critical log styles
  • Disables console task description line wrapping

v1.3.0

01 Sep 12:02

New Features

  • Adds Dockerfile (#29)
  • Adds UI Database options
  • Adds IAM ingestion support for MFA devices
  • Adds MFA support for CLI (#33) - thanks @dmyates!

Bug Fixes

  • Fixes installation failure (#35)
  • Fixes misidentified group relationships
  • Fixes ARN and Resource Type filtering
  • Fixes false positive node casts
  • Fixes Ctrl event bug
  • Fixes fallback Resource image
  • Fixes redundant DescribeInstanceAttribute request
  • Fixes Principal list index out of range error

Improvements

  • Improves CLI aesthetics
  • Adds attack pruning logic: retains the shortest paths only
  • Updates attack edge creation logic: if an admin path exists in a set, don't create the others
  • Adds IngestionManager: decouples IAM ingestor
  • Rewrite base Ingestor: skips disqualified collections in advance
  • Standardizes IAM, S3, EC2, and Lambda classes
  • Improves CLI logging

Other Changes

  • Removes attacks affecting generic resources
  • Adds Profile class (moved from cli.py)
  • Converts Attacks and Neo4j from static to dynamic classes
  • Adds --verbose CLI option to db and attacks
  • Updates regions

v1.2.2

17 Jun 12:19

Bug Fixes

  • 2ab935f - Fix Neo4j 'Result' summary error
  • 83695a9 - Fix Neo4j connection error

v1.2.1

15 Jun 10:13
8e377f1

Bug Fixes

  • Fixes missing neobolt dependency

v1.2.0

18 May 06:15
b7e9c87

New Features

  • Adds Advanced Search
  • Adds Graph Menu Options
  • Adds support for actions that affect undocumented resource types (i.e. CatchAll).
  • Adds $PATH check and helper function to INSTALL.
  • Adds CLI options: --update, --assume-role-duration, and --quick.
  • Adds Action Condition Keys and Dependent Actions properties.
  • Adds Wiki and updates README.md.

Bug Fixes

  • Fixes assume role duration exceeded exception (default reduced from 7200 to 3600 seconds).
  • Fixes issue with policies comprising multiple Federated principals
  • Fixes false positives for mutable actions affecting built-in managed policies.

Improvements

  • Updates awspx CLI output, argument names and descriptions.
  • Updates ACTIONS and RESOURCES dictionaries.
  • Updates ATTACKS dictionary formatting and execution steps.
  • Updates nodejs packages.
  • Updates sample.zip dataset.
  • Updates web interface cosmetics.

Other Changes

  • Removes update_actions.py, CONTRIBUTING.md, and images directory content.