Skip to content

Latest commit

 

History

History
128 lines (101 loc) · 5.84 KB

CHANGELOG.md

File metadata and controls

128 lines (101 loc) · 5.84 KB

CHANGELOG

Unreleased

  • Docker

0.2.4 (Unreleased)

  • UI
    • Inline Explanation of findings (#115)
    • Vue Router is implemented so you can have routes to reports like http://localhost:8080/#/inline-policies (#116)
    • Better formatting for Privilege Escalation findings (#114)

0.2.3 (2020-10-12)

  • scan command now has a --minimize option, which you can use to reduce your report size. The example report size was reduced from 3.9MB (ouch!) to 212KB. (Fixes #125)
  • UI
    • Credentials Exposure as a new finding (#99)
    • Service Wildcard as a new finding (#82)
  • Backend
    • Updated tests to include updated sample data

0.2.2 (2020-10-06)

  • Excluded actions no longer show up in results (Fixes #106)
  • Fixed issue where *:* policy would break results due to how the Service Wildcard finding was implemented (Fixes #109)
  • Credentials Exposure and Service Wildcard now show up in the data file results
  • Exclusions are now applied earlier in the scan
  • Backend
    • Vue components are cleaned up - less HTML, more config and JS
    • Unit tests are down from 3.25 minutes to 60 seconds (Fixes #117)

0.2.1 (9/25/2020)

  • Fixes issue where Inline Policies were showing up as findings even when they were attached to excluded IAM principals. Fixes #104

0.2.0 (9/21/2020)

  • Major UI uplift:
    • Added Bar chart of results
    • Upgraded Principals metadata page
    • Standalone page for Inline Policies now
    • Many bug fixes that were present with the previous UI
  • Backend
    • Migration to Vue.js
    • Leveraging an updated data JSON file
  • scan-policy-file command now returns Service Wildcard (#82) and Credentials Exposure (#99). That will not be in the HTML Report for this release though.

0.1.8 (2020-08-27)

  • UI: The Exclusions configuration was not showing up in the report due to a typo
  • Changed --input flag to --input-file for all commands
  • Fixed bug in scan-policy-file command (#79)
  • Backend: Improved the JSON output a bit for the new principal policy mapping data file.
  • Comment out the principal policy mapping data file for now. Otherwise, if you have a bunch of IAM users, all within different IAM groups, the tool slows down a LOT and you run into loop hell.

0.1.7 (2020-08-09)

  • UI: Fixed an issue where the Remediation guidance was not showing up in the resulting report. Fixes #70
  • Triage Worksheet: Made the values under the Triage worksheet "Type" column more specific - i.e., AWS-Managed Policy, Customer-Managed Policy, Inline Group Policy, Inline User Policy, or Inline Role Policy. Before, it just said "group", "role", "user", or "Policy", which didn't help much.
  • Added some backend methods that do not change the functionality. This will help with the eventual UI uplift (and helps with an additional side project)

0.1.6 (2020-07-10)

UI:

  • Definitions for Risk types are now available via Popovers. Fixes #66
  • Renamed "Group", "User", "Role" as "Inline Group Policy", "Inline User Policy", and "Inline Role Policy" respectively. Addresses #63
  • Fixes links to the inline policies in case there are duplicate names. Addresses #63
  • Moves "Attached to Principal(s)" to the Finding card instead of in the finding details in case there are duplicate policy names. Fixes #63

0.1.5 (2020-07-08)

  • Made callable via script to partially fix #39
  • Move to virtualenv instead of Pipenv

0.1.4 (2020-05-26)

  • Inline policies are now clearly mapped to their roles.

0.1.3 (2020-05-16)

  • Excel/CSV export capability
  • Table row selection capability

0.1.2 (2020-05-14)

Just a few UI fixes:

  • Sort columns in Summary table by searching.
  • Reasonable size restrictions on "services affected" columns, with Scrollable cells

0.1.1 (2020-05-12)

  • Bug fix: issue where "Data Exfiltration" count was showing up in the "Resource Exposure" count column in the IAM Principals tab
  • Added "Attached to Principals" dropdown card for Customer-Managed and AWS-Managed Policies

0.1.0 (2020-05-11)

  • Granular exclusions: Fixed issue where exclusions file was including dangling policies in the results (Fixes #33)
  • Changed IAM Principals table so that the principals can be sorted according to their risks. This will really help with pentesting

0.0.14 (2020-05-07)

  • Fix issue where Data Exposure tallies were not showing up in the AWS Managed table correctly.

0.0.13 (2020=05-07)

  • Windows compatibility fixes

0.0.12 (2020-05-07)

0.0.11 (2020-05-06)

  • Fixed an issue arising from policies where "Deny" was used in effect with no resource constraints. Fixes #23.

0.0.10 (2020-05-05)

  • Removed the recursive credentials method from the download command.
  • Fixed occasional installation error occurring from outdated Policy Sentry versions.
  • Fixed instructions for the download command.

0.0.9 (2020-05-03)

  • HTML report now always shows Trust Policies for Roles, even if they do not allow assumption from a Compute Service. This can help assessors with triaging and pentesters for targeting.

0.0.8 (2020-05-03)

  • Migrated to GitHub actions with automated Homebrew releases

0.0.7 (2020-05-03)

0.0.6 (2020-05-01)

  • Fix exclude-actions in the exclusions file - it was not being respected before.
  • Add a recursive scanning option.

0.0.4 (2020-05-01)

  • Provide option to skip opening HTML report (--skip-open-report)
  • Provide report indicator on whether it is assumable by compute services
  • Dropdown menu for report

0.0.2 (2020-04-30)

  • Quick markdown bug fix

0.0.1 (2020-04-30)

  • Open sourced!