Detecting AWS IAM Privilege Escalation
Overview
This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.
When to Use
- When investigating security incidents that require detecting aws iam privilege escalation
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.8+ with boto3 library
- AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
- Optional: cloudsplaining Python package for HTML report generation
Steps
-
Download IAM Authorization Details — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
-
Analyze Policies for Privilege Escalation — Check each policy for known escalation permission combinations
-
Identify Wildcard Resource Policies — Flag policies using Resource: "*" with dangerous actions
-
Map Principal-to-Policy Relationships — Build a graph of which principals can access which escalation paths
-
Score and Prioritize Findings — Rank findings by severity based on escalation vector type
-
Generate Report — Produce structured JSON report with remediation guidance
Expected Output
- JSON report of privilege escalation findings with severity scores
- List of dangerous permission combinations per principal
- Wildcard resource policy audit results
- Remediation recommendations for each finding
