Query Reference
This page details the "plain-English" inputs you can make when calling the query command from the PMapper CLI.
PMapper takes queries in three different forms:

```
can <Principal> do <Action> [with <Resource> [when <Condition_A> [and <Condition_B> ...]]]
who can do <Action> [with <Resource> [when <Condition_A> [and <Condition_B> ...]]]
preset <arguments>
```
When entering a query at a Bash prompt or a similar shell, surround the whole query with single quotes so that dollar signs ($) and asterisks (*) are not expanded by the shell before PMapper sees them.
The first two forms check the authorization of one or more principals to make a specific AWS API call. They check not only the principal's own authorization, but also the ways that principal can pivot to other principals, and whether those other principals are authorized.
The first two forms are nearly the same, except that the first runs against a specific user or role (specified by ARN, user/<user name>, or role/<role name>) while the second checks every principal in the account. You must supply the name of an action, such as ec2:RunInstances or lambda:CreateFunction. If there is a specific resource, give its ARN; otherwise you can drop that part of the query, in which case the resource defaults to the wildcard *. Note that a when clause must follow a with clause, so if you want conditions without a specific resource, write with * explicitly. Conditions are separated by and and are of the form <key>=<value>, where the key is a condition context key such as aws:MultiFactorAuthPresent and the value is the string form of the expected value (true or false for that particular key).
One example looks like:
```
who can do s3:GetObject with * when aws:SourceIp=128.223.0.1
```
This looks at all principals in the account, seeing who can call s3:GetObject for the resource * (all objects), when the caller's request comes from a given IP address.
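As an added example (not code from the PMapper project itself), the following Python parser accepts the three query forms described above and rejects malformed queries, such as a when clause that is not preceded by a with clause or a principal that is not an ARN, user/<name> or role/<name>. It also shows why the single-quoting advice matters: to_shell_command uses shlex.quote so that a * or $ in the query is not expanded by the shell. The names ParsedQuery, parse_query, _parse_conditions and to_shell_command are hypothetical, the invocation form pmapper query '<query>' is assumed, and the sample queries are constructed for illustration.

```python
"""Added example (not PMapper's own code): a parser for the plain-English query
grammar on this page, plus a helper that quotes a query for a POSIX shell."""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IAM action names look like "service:Operation"; the operation part may use "*".
_ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
# Condition context keys look like "aws:SourceIp" or "aws:RequestTag/Team".
_COND_KEY_RE = re.compile(r"^[A-Za-z0-9-]+:[A-Za-z0-9/_-]+$")


@dataclass
class ParsedQuery:
    form: str                                   # "can", "who" or "preset"
    principal: Optional[str] = None             # only set for the "can" form
    action: Optional[str] = None                # e.g. "s3:GetObject"
    resource: str = "*"                         # ARN, or "*" when omitted
    conditions: Dict[str, str] = field(default_factory=dict)
    preset_args: List[str] = field(default_factory=list)


def _check_principal(principal: str) -> str:
    """Accept an IAM ARN, user/<name> or role/<name>, as the page describes."""
    if principal.startswith("arn:aws:iam::") or principal.startswith(("user/", "role/")):
        return principal
    raise ValueError(f"principal must be an ARN, user/<name> or role/<name>: {principal!r}")


def _parse_conditions(tokens: List[str]) -> Dict[str, str]:
    """Parse '<key>=<value> and <key>=<value> ...' into a dict of string values."""
    conditions: Dict[str, str] = {}
    current: List[str] = []
    for tok in tokens + ["and"]:                # trailing sentinel flushes the last one
        if tok != "and":
            current.append(tok)
            continue
        if not current:
            raise ValueError("empty condition next to 'and'")
        key, sep, value = " ".join(current).partition("=")
        if not sep or value == "" or not _COND_KEY_RE.match(key):
            raise ValueError(f"condition must be <key>=<value>: {' '.join(current)!r}")
        conditions[key] = value                 # values stay strings, e.g. "true"/"false"
        current = []
    return conditions


def parse_query(query: str) -> ParsedQuery:
    """Turn one plain-English query into its structured parts, or raise ValueError."""
    tokens = query.split()
    if not tokens:
        raise ValueError("empty query")
    if tokens[0] == "preset":
        if len(tokens) < 2:
            raise ValueError("preset requires arguments")
        return ParsedQuery(form="preset", preset_args=tokens[1:])
    if tokens[:3] == ["who", "can", "do"]:
        form, principal, rest = "who", None, tokens[3:]
    elif len(tokens) >= 3 and tokens[0] == "can" and tokens[2] == "do":
        form, principal, rest = "can", _check_principal(tokens[1]), tokens[3:]
    else:
        raise ValueError("query must start with 'can <Principal> do', 'who can do' or 'preset'")
    if not rest or not _ACTION_RE.match(rest[0]):
        raise ValueError("expected an action such as ec2:RunInstances after 'do'")
    parsed = ParsedQuery(form=form, principal=principal, action=rest[0])
    rest = rest[1:]
    if rest:
        # 'when' is only valid after 'with <Resource>'; write 'with *' when there is
        # no specific resource but conditions are needed.
        if rest[0] != "with" or len(rest) < 2:
            raise ValueError("expected 'with <Resource>' (use 'with *' before 'when')")
        parsed.resource = rest[1]
        rest = rest[2:]
    if rest:
        if rest[0] != "when" or len(rest) < 2:
            raise ValueError("expected 'when <Condition>' after the resource")
        parsed.conditions = _parse_conditions(rest[1:])
    return parsed


def to_shell_command(query: str) -> str:
    """Single-quote the query so '*' and '$' reach PMapper unexpanded.
    Assumes (not confirmed by this page) the CLI is invoked as: pmapper query '<query>'."""
    parse_query(query)                          # fail early on a malformed query
    return "pmapper query " + shlex.quote(query)


if __name__ == "__main__":
    sample = "who can do s3:GetObject with * when aws:SourceIp=128.223.0.1"  # constructed
    print(parse_query(sample))
    print(to_shell_command(sample))
```

Because the parser only models the syntax on this page, it deliberately does not validate that a condition key or value is meaningful for the action; that check happens inside PMapper's own evaluation.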