v1.1.3 Release

ncc-erik-steringer released this 13 Jul 20:50 · 722efec

This is a minor update to Principal Mapper. All graphs generated in v1.1.0, v1.1.1, and v1.1.2 should be compatible with v1.1.3, but we recommend you recreate your graphs to take advantage of additional checks and fixes.

Improvements

  • Fixed handling of NotPrincipal, and * for Principal in resource policies
  • Fixed handling of tags for CodeBuild
  • Fixed handling of Organizations that don't use SCPs
  • Fixed handling of condition context keys (now case-insensitive)
  • Fixed false negative for access via existing Lambda functions
  • Updated handling of --with-resource-policy for (arg)query components with respect to IAM Role Trust Docs
  • Updated messaging for various CLI outputs
  • Updated Edge description output, using searchable_name method (from Node) instead of splitting ARNs
  • Added Secrets Manager support for the Endgame preset query

Changes

  • Updated CLI output for (arg)query by adding spaces between results

Regressions

  • query_utils.pull_cached_resource_policy_by_arn now requires a Graph to be passed in the first argument instead of a list of Policy. This potentially breaking change had to be made to enable correct handling of resource policies for IAM Roles (trust docs).
  • Various functions of local_policy_simulation now expect a CaseInsensitiveDict (defined in principalmapper.util.case_insensitive_dict) rather than a plain dict. This potentially breaking change had to be made to enable correct handling of condition context keys with case-insensitivity.
  • The query_interface functions now expect that there are no duplicate context keys in the various condition_keys_to_check and related params. This is to enable correct handling of condition context keys with case-insensitivity. These functions may now throw ValueError if duplicates are present. All functions should have updated typing for the params to point to the expected input types. Note that the _UODict type is simply Union[dict, CaseInsensitiveDict] and indicates where both are allowed.
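
A pre-flight check callers could run on their condition context keys before passing them to the updated functions. This is an added example, not Principal Mapper code: CaseInsensitiveKeys, find_case_collisions and normalize_condition_keys are hypothetical names, and the block does not import principalmapper. It assumes "duplicates" means keys that are equal when case is ignored.

```python
from collections.abc import MutableMapping


class CaseInsensitiveKeys(MutableMapping):
    """Hypothetical stand-in mapping; not principalmapper's CaseInsensitiveDict."""

    def __init__(self, data=None):
        self._store = {}  # lowercased key -> (key as written, value)
        for key, value in (data or {}).items():
            self[key] = value

    def __setitem__(self, key, value):
        self._store[key.lower()] = (key, value)

    def __getitem__(self, key):
        return self._store[key.lower()][1]

    def __delitem__(self, key):
        del self._store[key.lower()]

    def __iter__(self):
        return (original for original, _ in self._store.values())

    def __len__(self):
        return len(self._store)


def find_case_collisions(condition_keys):
    """Group keys that collide once case is ignored (assumed meaning of 'duplicates')."""
    groups = {}
    for key in condition_keys:
        groups.setdefault(key.lower(), []).append(key)
    return {low: keys for low, keys in groups.items() if len(keys) > 1}


def normalize_condition_keys(condition_keys):
    """Return a case-insensitive mapping, refusing ambiguous input with ValueError."""
    collisions = find_case_collisions(condition_keys)
    if collisions:
        # Two spellings of one key could carry different values; which one a
        # policy simulation should use is undefined, so fail instead of guessing.
        raise ValueError(f"duplicate context keys: {sorted(collisions.values())}")
    return CaseInsensitiveKeys(condition_keys)


# Constructed sample inputs (documentation IP ranges, not real data).
CLEAN = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthPresent": "true"}
AMBIGUOUS = {"aws:SourceIp": "203.0.113.10", "aws:sourceip": "198.51.100.7"}
```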

Thanks To