Breaking change announcement

Versions prior to v1.17.0 depend on a json file from AWS that recently changed it's format and no longer work.

Commits

• 00fe4fd: add support for Route53 Alias records in route53 command (Dominic Breuker) #97
• ab4866f: fix bug with route53 alias record processing (Dominic Breuker) #97
• b60f479: Add container name column to ecs-tasks command (edops973) #104
• ed8e0a2: Add task definition column to env-vars command (edops973) #104
• ec497fa: Support kms service for command resource-trusts (edops973) #104
• 5e0eb15: Add resource-trusts KMS unit test (edops973) #104
• 8eec1c3: Add checksum to the release packages (edops973) #104
• 67b84f0: fix kms client nil when running all-checks command (edops973) #104
• 89b3492: Fix the order of input parameters when fetching KMS policy (edops973) #104
• a94bdc1: Remove task definition column in env-vars command (edops973) #104
• f058e1c: Bump version to v1.16.0-prerelease (Seth Art) #104
• 13bd04d: Add support for building Linux Arm64 (CraHan) #102
• 831198c: Support kms service for command resource-trusts (edops973) #104
• 4e75b11: Add resource-trusts KMS unit test (edops973) #104
• cae31fb: fix kms client nil when running all-checks command (edops973) #104
• e494029: Fix the order of input parameters when fetching KMS policy (edops973) #104
• cda06ff: Add container name column to ecs-tasks command (edops973) #104
• d3c042c: Add task definition column to env-vars command (edops973) #104
• 7e64399: Remove task definition column in env-vars command (edops973) #104
• 16c0f4d: Bump version to v1.16.0-prerelease (Seth Art) #104
• 1f4f128: Add checksum to the release packages (edops973) #104
• caaf399: Add feature flag for KMS service in resource-trusts command (edops973) #104
• 7d6d16a: Merge branch 'main' into feature/add-kms-service-to-resource-trusts-command (edops973) #104
• 68d68fc: fix typo in utils.go (Seth Art) #104
• 2391bb7: merge updates (Seth Art) #104
• 6b45f54: Removed block that ran kms even without feature flag. Also edited supported serviecs line to account for feature flag use (Seth Art) #104
• 296710c: Merge conflict (edops973) #104
• a104639: Merge conflict (edops973) #104
• d8e4157: Fix resource-trusts unittest (edops973) #104
• 5d2f261: Merge conflict (edops973) #104
• 43fe99e: Merge conflict (edops973) #104
• 56e64d8: Merge conflict (edops973) #104
• e54ffe8: Merge conflict (edops973) #104
• 2806f7e: Merge conflict (edops973) #104
• 0deb568: Get open search policies (edops973) #104
• 0c858e6: Add missing method in codebuild_mocks.go (edops973) #104
• 7671e7e: Add opensearch unittest (edops973) #104
• dfed049: Ignore public apigateway in resource trusts command (edops973) #104
• 19b825c: Merge remote-tracking branch 'origin' into feature/add-vpcendpoint-to-resource-trusts-command (Seth Art) #104
• d558e1c: Update supported services banner (Seth Art) #104
• 4584774: updated arn column to print full arn (Seth Art) #104
• 00b49aa: Merge branch 'main' into feature/add-opensearch-to-resource-trusts-command (Seth Art) #104
• d0de59d: update opensearch mod (Seth Art) #104
• 2cc97f5: Update version to 1.16.0 (Seth Art) #104
• 0e7b006: Merge branch 'main' into main (Seth Art) #104
• b28ed6a: Update CODEOWNERS (Bastien Faure)
• 5115f84: Update CODEOWNERS (jbarciabf)
• 521cf7e: Reduced the number of times awsservicemap calls out to get the AWS json (Seth Art) #109
• b3a03ec: Fixed small bug with inventory where it was counting total resources incorrectly (Seth Art) #109
• 3dbb98f: Added split level logging to logrus (Seth Art) #109
• 16b3c66: Unified logging around logrus. removed standard logging lines. (Seth Art) #109
• 1bb8576: Added logging for all successfull API calls to cloudfox-info.log (Seth Art) #109
• 52c1285: fixed makefile (jbarciabf) #115

Commits

• 0a95240: added admin/pmapper logic to principals command (Seth Art) #96
• b31f367: added the the --admin-check-only flag to iam-simulator command (Seth Art) #96
• e0dc71b: updated the adminActionNames check actions to remove ssm get documents and replace with ssm get parameters (Seth Art) #96
• 6b0970e: Fix for cape in regards to permission expansion (Seth Art) #96
• 85b9b11: Bumped version to 1.43.3 (Seth Art) #96
• a88e98a: Removed AWSSSO-ACCOUNTID entries from cape table as they are redundant (Seth Art) #96
• 8e1e8d0: Fix for cape that also makes edges for cross-account explicit trusts. Also added a new flag to ignore certain edges entirely. (Seth Art) #96
• ebf9985: Fix for #92 (Seth Art) #96
• 878d7ec: Fixed bug in cape where files did not exist crash. Fixed bug that duplicated edges because of magenta. (Seth Art) #96
• 9076beb: Bumped version to 1.15.0 (Seth Art) #96
• b3c25bb: spelling fix (Seth Art) #96

Commits

• 0184e15: Fix for IMDS not working due to breaking change in aws-sdk-go-v2. (Seth Art) #93
• aed3c0a: bump version (Seth Art) #93
• 547c48a: Merge branch 'main' into imds-fix (Seth Art) #93

Bug Fixes

• close input file #87 (guangwu)

Commits

• 91f5f14: Added RDS database instances back into output. I think it's ok to have both clusters and instances in the output (Seth Art) #89
• 0b88bca: Updated tests to make sure that RDS instances without clusters are checked for (Seth Art) #89
• 5ba8b08: Update Makefile to include 386 linux binary for release action (Seth Art) #90
• 0ac24e3: Update utils.go (Seth Art) #90
• 738085d: fix typo from codespell (David) #90

Commits

• 5c40ef4: initial ideas for graph command (sethsec-bf) #84
• 4edbd33: neo4j cross-account stuff kind of working, pmapper stuff not working (sethsec-bf) #84
• c4a276e: graph/neo4j functionali working - detecting cross account attack paths (sethsec-bf) #84
• 66ffc57: go mod tidy (sethsec-bf) #84
• 1e2eaf5: merged from main (sethsec-bf) #84
• ef25d8b: Merged origin/seth-dev into graph (sethsec-bf) #84
• f5437b7: Started to add knownvendoraccounts info (sethsec-bf) #84
• 4cf58a3: Created loot file for pmapper (sethsec-bf) #84
• 009321e: Updated pmapper output files (sethsec-bf) #84
• ac1125d: added users model (sethsec-bf) #84
• 4d3c6a4: Merge remote-tracking branch 'origin/seth-dev' into graph (sethsec-bf) #84
• aeccb6d: Have global data in dom's graph format now. just need to write the table creation code (sethsec-bf) #84
• a13527a: Added MakeVertices method for type Role (sethsec-bf) #84
• e61a401: Kept first draft as the graph command. Moved second take to the caper command. (sethsec-bf) #84
• e4f3421: Added functionailty to hightlight admins in caper command (sethsec-bf) #84
• 24b7076: saving place in caper command (sethsec-bf) #84
• e4e5480: revert test (sethsec-bf) #84
• 42b0f3a: Merge branch 'main' of github.com:BishopFox/cloudfox into graph (sethsec-bf) #84
• dd6dd29: playing around with saving graph state between runs (sethsec-bf) #84
• 36c9a5b: Merged changes from neptune PR into this branch (sethsec-bf) #84
• 23409e3: remove unused code (enzowritescode) #78
• a40f0aa: More cleanup (enzowritescode) #78
• 05fd899: Fixed bug in federeated role trust poclies where multiple subjects are trusted (sethsec-bf) #84
• 2f99a76: working gcp functionality (David) #79
• f9d9ec4: Merge branch 'main' of github.com:BishopFox/cloudfox into feature/aws-neptune (sethsec-bf) #78
• ce03106: update release and fix database test (sethsec-bf) #78
• 3ff704e: merged from main (sethsec-bf) #84
• 8fac75e: merged from main (sethsec-bf) #84
• 334583d: save work whomai account stub (David) #79
• 4ef87d8: updated caper to use new version of parseFederatedRoleTrusts from the role-trusts command. Also changed the way vendors and federated identities are labled (sethsec-bf) #84
• 8436924: quick fix for context error. logging issue still there. (sethsec-bf) #79
• fca22ce: renamed to cape, added hop count logic, pulled privesc function out so i can add logic to handle cobra flags (sethsec-bf) #84
• 590a94b: changed println to printf (sethsec-bf) #84
• dee22b3: fix logging issue and improve whoami (David) #79
• de492fa: Add Directory Service support for AWS (Bastien Faure) #81
• 608f078: AWS uses a mix of clouddirectory and directoryservices for Directory services (Bastien Faure) #81
• 57832ad: Codespell fix (Bastien Faure) #81
• 3a45583: Got cape working without any aws calls, cleaned up logging messages (sethsec-bf) #84
• 356d57b: Added pmapper basepath to all relevent commands. Improved logging for cape/cape-tui. Fixed codebuld cache bug. (sethsec-bf) #84
• 23e8878: Merge branch 'main' into feature/gcp-v1 (David) #79
• 94628aa: i cant spel (David) #79
• df3fb6e: Update codeowners (moloch--) #82
• 6e52e5e: merge gcp stuff from main into this branch (sethsec-bf) #81
• 8ab4c42: Merge branch 'main' into bastien_directoryservice_aws (Seth Art) #81
• 79f3899: update go mod (sethsec-bf) #81
• 67af1bd: update gcp package with vuln (sethsec-bf) #81
• 82635fd: made aws sso like eks, where edges are not created if it's if the provider is in the same account as the role that trusts it. the edges will still show up cross account though. (sethsec-bf) #84
• 57194ef: bump to version 1.14.0, merged gcp and aws ds functionality (sethsec-bf) #84
• 77cd08b: updated gcp verbosity, updated cape command usage, switched version tracking file from main.go to internal/utils.go (sethsec-bf) #84
• abcc930: added afero fs back to output2 (needed to pass brew tests) (sethsec-bf) #84
• c3be95b: cleaned up enhanced pmapper loot file (sethsec-bf) #84
• 22417f1: spelling (sethsec-bf) #84
• c0e4301: Add GCP to readme, fix typo (sethsec-bf) #84
• a8d2bfb: Removed graph command from cobra for now (sethsec-bf) #84

Commits

• a38451c: Typo fixes, reduced copy pasta, Neptune support (enzowritescode) #74
• 8c4bcc0: Add .idea to gitignore for GoLand (enzowritescode) #74
• 29514a9: Merge in latest and fix merge conflicts (enzowritescode) #74
• ae1dac6: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• ca437d3: Filter Neptune results (enzowritescode) #74
• 59afbb3: Switched RDS database command from instances to clusters, and since it grabs Neptune and DocsDB clusters, we don't need to run those api calls. (they all return the same data). Also added back port info and added role info to the RDS clusters in -o wide mode (sethsec-bf) #74
• 80c00f3: Added test for databases command (sethsec-bf) #74
• 15e0507: Merge branch 'main' into feature/aws-neptune (Seth Art) #74
• fd01647: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #80
• 8d03932: Fix for #77 (sethsec-bf) #80
• a1903f6: Major update for role trusts parsing. Cleaner version has case statement on federated principal value and not soley on condition data (sethsec-bf) #80
• 6a21b96: Auth0 not ready yet - also this new version lists unknown federated types not instead of ignoring them (sethsec-bf) #80
• cec0d49: Fixing a bug in the new cached versions of the apigateway sdk calls (sethsec-bf) #80
• eaac503: bumped version to 1.13.4 for release with apigateway fix (sethsec-bf) #80
• 00e63b0: found a way to fix the apigateway types conflict with gob (sethsec-bf) #80

Commits

• 1ca5dbf: Fix bug in role-trusts command around new vendor lookup feature, enabled caching on apigateway commands (sethsec-bf)

Commits

• a656103: Bumped to version 1.31.1 before PR (sethsec-bf) #75
• b5908fc: Fixed bug in the role trusts command introduced in 1.13.1 where cloudfox only shows princiapls with :root trust and not ALL role trusts (sethsec-bf) #75
• 18e38bf: Fixed bug in env-vars command introduced in 1.13.1 with the new interesting version of the table written to disk. was still recording them all. now the second table only has interesting env-vars (sethsec-bf) #75
• 237b073: Bumped version to 1.13.2 (sethsec-bf) #75

Commits

• f13df07: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 525f262: Added mocks for apigw and apigwv2, and a test for the new api-gw command (sethsec-bf) #73
• 1d53b98: Used the output2 loot mechanism for api-gws, updated tests (sethsec-bf) #73
• 97e2fef: Add data from fwd:cloudsec's known_aws_accounts repo into role-trust module (sethsec-bf) #73
• ea2ee3d: Fixed bug where instances without instance profile were not showing up (sethsec-bf) #73
• 5df1ca6: Update README.md (Seth Art)
• dd6bfef: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73
• 13a03c5: Fixed panic bug that occured when user specified a profile that did not exist (sethsec-bf) #73
• 5827abb: Hopefully this is a fix for #72 (sethsec-bf) #73
• 89789a0: updated pmapper command info (sethsec-bf) #73
• 23fc346: Update README.md (Seth Art)
• ff810ba: Update README.md (Seth Art)
• 8e99347: Update README.md (Seth Art)
• e08967b: This potential fix for #72 makes a lot more sense. Rather than overrwite the profile attribute of the struct, i have an AWSProfileProvided and a AWSProfileFake so that I can just pass the orig to other modules (since each module cleans it up itself). (sethsec-bf) #73
• 6069267: Fix for sub issue found by @cyberbutler in #72 (sethsec-bf) #73
• 1d1d198: More fixes from #72. Took the suggestion from @johnkeates and fixed the prepopulated nmap commands to NOT include a profile for the cases where the user did not specify a profile for cloudfox (sethsec-bf) #73
• 997c13d: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #73

AWS

• New Commands

  • workloads - Summarize all compute workloads that have administrative access or a path to admin (EC2, Lambda, ECS for now)
  • api-gws - (Contributed by @wdahlenburg) Enumerates all of the API gateways. Grabs API keys if they exist and creates a loot file with curl commands for you to access each endpoint

• Command Updates

  • role-trusts - Added new output file for role-trusts that highlights the role that trust :root and also don't have an external ID
  • env-vars - Added new output file for env-vars that highlights interesting credentials based on the name (secret, key, password, token, etc.)
  • env-vars - Added color to screen print to highlight the interesting credentials based on the name (secret, key, password, token, etc.)
  • workloads - Added color to screen print to highlight the princpals that are assigned to workloads that also are admin or have a path to admin.
  • iam-simulator & permissions - Fixed a bug in the iam-simulator and permissions commands where they were not writing a custom filename for custom checks.
  • inventory - Supports more resources

• General AWS Updates

  • Updated default AWS output to v2 (shows table data). To suppress, use -v1 at the command line
  • Added support for roles that require MFA
  • Added ability for users to specify which columns they want displayed
  • Added a -o wide flag to all commands. Like kubectl, you get default cols without -o wide, but with it, you get a few extra columns or arns instead of names in some cases.

Commits

• 17011f3: Additional enumeration on API gateways compared to the endpoints module (Wyatt Dahlenburg) #64
• 5eff1c7: Merging with main + minor updates (Wyatt Dahlenburg) #64
• 2ce1f0f: Codespell (Wyatt Dahlenburg) #64
• b1c248b: Used SDK, added more counters (sethsec-bf) #64
• 7343852: Updated endpoints to use the newly created sdk functions (sethsec-bf) #64
• Added a new output file for role trusts that just highlights the overly permissive root trusts without external ID #67 (sethsec-bf)
• First draft of new workloads command - summarizes all workloads #67 (sethsec-bf)
• 82738db: Fixed a bug where when pmapper data was missing iam simulator was not getting IAM roles properly. Also got workloads command working (sethsec-bf) #67
• 98af839: Added intersting functionality to env-vars and workloads (sethsec-bf) #67
• a690ad3: bumped version to 1.13.0-prerelease (sethsec-bf) #67
• ae7ed9e: Merge branch 'main' of github.com:BishopFox/cloudfox into seth-dev (sethsec-bf) #67
• 6e146a5: add mfatoken param from recent update to api-gw code (sethsec-bf) #67
• cef6c9e: Fixed a bug where iam-simulator custom commands were overwriting the files for the default run. (sethsec-bf) #67
• 2b19d0a: For 1.13, switching default AWS verbosity to 2 (with the exception of all-checks which will be hardocded to a versbosity of 1) (sethsec-bf) #67
• d1af1bb: Fixed a bug where permissions custom runs were overwriting the files for the default run. (sethsec-bf) #67
• d648e5b: Added ability to supply just a princpal name, and the command will try it as a role and a user (sethsec-bf) #67
• 5c4d0fd: go get -u and fixes (sethsec-bf) #67
• cba252d: Normalize/clean up console messages. Also re-order the way the messages print in multi-profile mode (sethsec-bf) #67
• 06f8e36: bumped version to 1.13.0 (sethsec-bf) #67
• f1b6eae: codespell was tripping up on a has from go.sum (sethsec-bf) #67