Frequently Asked Questions
Note: If you have a question that doesn't show up below, please don't hesitate to drop us a new issue.
When you create a graph for an account, it may take a long time to process IAM or Lambda. The amount of time scales with the number of resources (IAM Users/Roles, Lambda functions, CloudFormation templates) in the account. You can reduce some of the time it takes to create a graph by excluding regions or even some services during the creation process, but please be aware that this can reduce PMapper's ability to identify risks.
The CLI uses a per-OS root storage directory determined using `principalmapper/utils/storage.py`. It uses the value returned by Python's `sys.platform` to determine the location, with the following intended behavior:
- If the `PMAPPER_STORAGE` environment variable is set, then it is used to determine where data is stored.
- Otherwise, if `sys.platform` returns `win32` or `cygwin`, then `%APPDATA%\principalmapper` is the root storage location.
- Otherwise, if `sys.platform` returns `linux`, `freebsd`, or `openbsd*`, then it follows XDG conventions and checks for the `$XDG_DATA_HOME` environment variable. If that is not set, it defaults to `~/.local/share/principalmapper`.
- Otherwise, if `sys.platform` returns `darwin` (macOS), then PMapper uses `~/Library/Application Support/com.nccgroup.principalmapper` as the storage root.
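The resolution order above, written out as an added example so you can work out where graph data for a given host and environment will land; this is not the code in PMapper's `storage.py`. It assumes that `PMAPPER_STORAGE` is used verbatim as the root, that `principalmapper` is appended under `$XDG_DATA_HOME`, that the Linux/BSD names are matched by prefix, and that a missing `APPDATA` or an unlisted platform is an error; `storage_root` and its parameters are hypothetical names.

```python
import os
import sys
from pathlib import PurePosixPath, PureWindowsPath


def storage_root(platform=None, env=None, home=None):
    """Return the storage root the FAQ describes, as a string.

    platform/env/home default to the live process values; pass them
    explicitly to see what a different host would resolve to.
    """
    platform = sys.platform if platform is None else platform
    env = os.environ if env is None else env
    home = os.path.expanduser("~") if home is None else home

    # 1. An explicit override wins on every OS (assumed: used as-is).
    override = env.get("PMAPPER_STORAGE")
    if override:
        return override

    # 2. Windows and Cygwin: %APPDATA%\principalmapper
    if platform in ("win32", "cygwin"):
        appdata = env.get("APPDATA")
        if not appdata:
            raise RuntimeError("APPDATA is not set")  # assumed behaviour
        return str(PureWindowsPath(appdata) / "principalmapper")

    # 3. Linux/BSD: XDG data home, falling back to ~/.local/share.
    #    Prefix match (assumed) covers versioned names like "openbsd7".
    if platform.startswith(("linux", "freebsd", "openbsd")):
        xdg = env.get("XDG_DATA_HOME")
        base = PurePosixPath(xdg) if xdg else PurePosixPath(home) / ".local" / "share"
        return str(base / "principalmapper")

    # 4. macOS: fixed location under the user's Library directory.
    if platform == "darwin":
        return str(PurePosixPath(home) / "Library" / "Application Support"
                   / "com.nccgroup.principalmapper")

    raise RuntimeError(f"no storage location defined for platform {platform!r}")


if __name__ == "__main__":
    print(storage_root())
```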
The command line interface of PMapper, as of v1.1.3, does not offer a way to do cross-account checks. However, there are underlying library functions that support it. Once you've loaded the various `Graph` objects, and any applicable SCPs, you can use the following functions:
- `principalmapper.graphing.cross_account_edges.get_edges_between_graphs`
- `principalmapper.querying.query_interface.search_authorization_across_accounts`