Does PMapper support cross-account graphing, querying, and analysis?

[mdb-vzeddie]

Question

Does PMapper support cross-account graphing, querying, and analysis?

Wiki

https://github.com/nccgroup/PMapper/wiki does not have an answer. I suggest putting it in the FAQ section or create a new section about cross-account architecture.

---

If a role in account A can assume a role in account B, can this be caught by PMapper? What does the CLI syntax look like to analyze for such scenarios?

[ncc-erik-steringer]

Mostly!

Right now cross-account querying is not available via CLI, we need to figure out how to gracefully allow that type of query. If your accounts are all under an AWS Organization, you can use pmapper orgs update after you finish graphing the accounts, and it'll print a list of inter-account edges.

There are library functions that handle generating cross-account edges between two arbitrary graphs (no organizations link required) as well as running queries against multiple accounts:

• PMapper/principalmapper/graphing/cross_account_edges.py

  Line 29 in 722efec

  def get_edges_between_graphs(graph_a: Graph, graph_b: Graph, scps_a: Optional[List[List[dict]]] = None, scps_b: Optional[List[List[dict]]] = None) -> List[Edge]:

• PMapper/principalmapper/querying/query_interface.py

  Line 89 in 722efec

  def search_authorization_across_accounts(graph_scp_pairs: List[Tuple[Graph, Optional[List[List[Policy]]]]],

• PMapper/principalmapper/querying/query_utils.py

  Line 226 in 722efec

  def get_edges_interaccount(source_graph: Graph, inter_account_edges: List[Edge], node: Node, ignored_nodes: List[Node]) -> List[Edge]:

Good call on updating the wiki for cross-account work. I'll leave this issue open until I knock that out.

[ncc-erik-steringer]

Wiki updated: https://github.com/nccgroup/PMapper/wiki/Frequently-Asked-Questions#how-do-i-do-cross-account-authorization-checks

Thank you!