detecting-aws-iam-privilege-escalation

# Detecting AWS IAM Privilege Escalation ## Overview This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles. ## When to Use - When investigating security incidents that require detecting aws iam privilege escalation - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.8+ with boto3 library - AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails) - Optional: cloudsplaining Python package for HTML report generation ## Steps 1. **Download IAM Authorization Details** — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies 2. **Analyze Policies for Privilege Escalation** — Check each policy for known escalation permission combinations 3. **Identify Wildcard Resource Policies** — Flag policies using Resource: "*" with dangerous actions 4. **Map Principal-to-Policy Relationships** — Build a graph of which principals can access which escalation paths 5. **Score and Prioritize Findings** — Rank findings by severity based ...