Skills Development Detecting AWS IAM Privilege Escalation Paths

Detecting AWS IAM Privilege Escalation Paths

v20260601
detecting-aws-iam-privilege-escalation
This skill analyzes AWS IAM policies using boto3 and Cloudsplaining principles to detect potential privilege escalation paths in AWS accounts. It identifies overly permissive policies, dangerous permission combinations (such as combining role passing and resource creation), and violations of least-privilege principles. It is designed for security incident investigation, threat hunting, and validating overall cloud security posture.
Get Skill
399 downloads
Overview

Detecting AWS IAM Privilege Escalation

Overview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

When to Use

  • When investigating security incidents that require detecting aws iam privilege escalation
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.8+ with boto3 library
  • AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
  • Optional: cloudsplaining Python package for HTML report generation

Steps

  1. Download IAM Authorization Details — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
  2. Analyze Policies for Privilege Escalation — Check each policy for known escalation permission combinations
  3. Identify Wildcard Resource Policies — Flag policies using Resource: "*" with dangerous actions
  4. Map Principal-to-Policy Relationships — Build a graph of which principals can access which escalation paths
  5. Score and Prioritize Findings — Rank findings by severity based on escalation vector type
  6. Generate Report — Produce structured JSON report with remediation guidance

Expected Output

  • JSON report of privilege escalation findings with severity scores
  • List of dangerous permission combinations per principal
  • Wildcard resource policy audit results
  • Remediation recommendations for each finding
Info
Category Development
Name detecting-aws-iam-privilege-escalation
Version v20260601
Size 8.93KB
Updated At 2026-06-03
Language