Frequently Asked Questions

ncc-erik-steringer edited this page Aug 9, 2021 · 4 revisions

Note: If you have a question that doesn't show up below, please don't hesitate to drop us a new issue.

Why does the graph create process take so long?

When you create a graph for an account, it may take a long time to process IAM or Lambda. The amount of time scales with the number of resources (IAM Users/Roles, Lambda functions, CloudFormation templates) in the account. You can reduce some of the time it takes to create a graph by excluding regions or even some services during the creation process, but please be aware that this can reduce PMapper's ability to identify risks.

Where does PMapper store its data?

The CLI uses a per-OS root storage directory determined using principalmapper/utils/storage.py. It uses the value returned by Python's sys.platform to determine the location, with the following intended behavior:

  • If the PMAPPER_STORAGE environment variable is set, then it is used to determine where data is stored.
  • Otherwise, if sys.platform returns win32 or cygwin, then %APPDATA%\principalmapper is the root storage location.
  • Otherwise, if sys.platform returns linux, freebsd, or openbsd*, then it follows XDG conventions and checks for the $XDG_DATA_HOME environment variable. If that is not set, it defaults to ~/.local/share/principalmapper.
  • Otherwise, if sys.platform returns darwin (macOS), then PMapper uses ~/Library/Application Support/com.nccgroup.principalmapper as the storage root.
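
The lookup order above, written out as an added example (not PMapper's own code from storage.py) so you can work out where graph data would land on a given host before auditing or cleaning it up. The function name resolve_storage_root is hypothetical, and two details are assumptions: that PMAPPER_STORAGE is used directly as the root, and that a set $XDG_DATA_HOME gets a principalmapper subdirectory.

```python
import os
import sys
from typing import Mapping, Optional


def resolve_storage_root(platform: Optional[str] = None,
                         env: Optional[Mapping[str, str]] = None,
                         home: Optional[str] = None) -> str:
    """Return the storage root the FAQ describes for a platform/environment.

    Hypothetical helper. Arguments default to the running interpreter's
    values; pass them explicitly to evaluate a different host.
    """
    platform = sys.platform if platform is None else platform
    env = os.environ if env is None else env
    home = os.path.expanduser("~") if home is None else home

    # 1. An explicit override wins on every platform.
    #    Assumption: the value is used as the root directory itself.
    override = env.get("PMAPPER_STORAGE")
    if override:
        return override

    # 2. Windows and Cygwin: %APPDATA%\principalmapper
    if platform in ("win32", "cygwin"):
        appdata = env.get("APPDATA")
        if not appdata:
            raise RuntimeError("APPDATA is not set; set PMAPPER_STORAGE instead")
        return appdata.rstrip("\\/") + "\\principalmapper"

    # 3. Linux/BSD: XDG data directory. Prefix matching covers
    #    version-suffixed platform strings such as "freebsd13".
    #    Assumption: a set XDG_DATA_HOME gets a principalmapper subdirectory.
    if platform.startswith(("linux", "freebsd", "openbsd")):
        xdg = env.get("XDG_DATA_HOME")
        base = xdg.rstrip("/") if xdg else home.rstrip("/") + "/.local/share"
        return base + "/principalmapper"

    # 4. macOS
    if platform == "darwin":
        return (home.rstrip("/")
                + "/Library/Application Support/com.nccgroup.principalmapper")

    # Platforms the FAQ does not list have no defined location.
    raise RuntimeError(f"no storage location defined for platform {platform!r}")


if __name__ == "__main__":
    print(resolve_storage_root())
```

Stored graphs describe an account's IAM principals and the edges between them, so the resolved directory is worth including in whatever access controls and retention rules you apply to assessment data.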

How do I do cross-account authorization checks?

The command line interface of PMapper, as of v1.1.3, does not offer a way to do cross-account checks. However, there are underlying library functions that support it. Once you've loaded the various Graph objects, and any applicable SCPs, you can use the following functions:

  • principalmapper.graphing.cross_account_edges.get_edges_between_graphs
  • principalmapper.querying.query_interface.search_authorization_across_accounts