IAM Privilege Escalation
A live cloud-IAM attack-path enumerator. Each scenario seeds a small directory of users, roles, groups, and service principals; the engine derives every attack edge from the permissions held, then enumerates every path from the starting principal to admin.
How this works. The engine knows 14 published techniques across AWS, Azure, and GCP. For each scenario it derives an attack edge wherever a principal's permissions satisfy a technique's precondition (for example iam:PassRole plus ec2:RunInstances against a role that EC2 is trusted to assume), then runs a breadth-first search over those edges and reports every simple path from the starting principal to the admin sentinel node.
Scenarios
Setup. A developer user is granted iam:PassRole + ec2:RunInstances + ssm:StartSession 'for debugging'. There is an unrelated EC2-Admin role whose trust policy allows EC2 to assume it. The developer can launch an instance with that role attached, open an SSM session to it, and read the role's temporary credentials from the instance metadata service (IMDS).
Starting principal: user/dev-alice
reference: Rhino Security Labs, AWS Privilege Escalation Methods (2018) — Method 8
Principals (editable)
Attack paths to admin (1)
path #1: user/dev-alice -[aws-passrole-runinstances]→ role/EC2-Admin -[implicit-admin]→ admin
  1. user/dev-alice → role/EC2-Admin (iam:PassRole + ec2:RunInstances → instance with admin role): run an EC2 instance with role role/EC2-Admin attached, then read IMDS.
  2. role/EC2-Admin → admin (implicit-admin): role/EC2-Admin already holds an admin-equivalent permission.
Derived attack edges (3)
| from | to | technique | detail |
|---|---|---|---|
| user/dev-alice | role/EC2-Admin | aws-passrole-runinstances | Run an EC2 instance with role role/EC2-Admin attached, then read IMDS. |
| user/dev-alice | role/Read-Only | aws-passrole-runinstances | Run an EC2 instance with role role/Read-Only attached, then read IMDS. |
| role/EC2-Admin | admin | implicit-admin | role/EC2-Admin already holds an admin-equivalent permission. |
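The following Python sketch is an added example, not the enumerator's own code. It implements the "derive edges, then BFS to admin" loop described under "How this works" over a constructed copy of this scenario's directory, and reproduces the three derived edges and the single path shown above. The trust policies, the `passrole_resources` scope on dev-alice, and the `ADMIN_EQUIVALENT` permission set are assumptions; the page does not show them.

```python
from collections import deque

ADMIN = "admin"  # sentinel node every attack path must reach

# Assumption: the toy engine treats these permissions as admin-equivalent.
ADMIN_EQUIVALENT = {"*:*", "iam:*"}

# Constructed directory mirroring the page's scenario. Trust policies and the
# iam:PassRole resource scope are assumptions; the page does not show them.
PRINCIPALS = {
    "user/dev-alice": {
        "permissions": {"iam:PassRole", "ec2:RunInstances", "ssm:StartSession"},
        "passrole_resources": {"*"},  # unscoped PassRole: can pass any role
    },
    "role/EC2-Admin": {
        "permissions": {"*:*"},
        "trusted_services": {"ec2.amazonaws.com"},
    },
    "role/Read-Only": {
        "permissions": {"ec2:Describe*", "s3:Get*"},
        "trusted_services": {"ec2.amazonaws.com"},
    },
}


def derive_edges(principals):
    """Return (src, dst, technique, detail) tuples derived from held permissions."""
    edges = []
    for name, p in principals.items():
        perms = p.get("permissions", set())
        # implicit-admin: the principal already holds an admin-equivalent permission
        if perms & ADMIN_EQUIVALENT:
            edges.append((name, ADMIN, "implicit-admin",
                          f"{name} already holds an admin-equivalent permission."))
        # aws-passrole-runinstances: PassRole + RunInstances reaches every role that
        # EC2 is trusted to assume and that the PassRole grant allows us to pass
        if {"iam:PassRole", "ec2:RunInstances"} <= perms:
            passable = p.get("passrole_resources", set())
            for target, t in principals.items():
                if not target.startswith("role/"):
                    continue
                if "ec2.amazonaws.com" not in t.get("trusted_services", set()):
                    continue
                if "*" in passable or target in passable:
                    edges.append((name, target, "aws-passrole-runinstances",
                                  f"Run an EC2 instance with role {target} attached, then read IMDS."))
    return edges


def enumerate_paths(edges, start, goal=ADMIN):
    """BFS over the derived edges. Returns every simple path from start to goal
    as a list of (src, dst, technique) hops, shortest paths first."""
    adj = {}
    for src, dst, tech, _ in edges:
        adj.setdefault(src, []).append((dst, tech))
    paths = []
    queue = deque([(start, [])])  # (current node, hops taken so far)
    while queue:
        node, hops = queue.popleft()
        if node == goal:
            paths.append(hops)
            continue
        visited = {start} | {dst for _, dst, _ in hops}
        for dst, tech in adj.get(node, []):
            if dst in visited:  # keep paths simple: never revisit a node
                continue
            queue.append((dst, hops + [(node, dst, tech)]))
    return paths


def render(path):
    """Format a path the way the page prints it."""
    out = path[0][0]
    for _, dst, tech in path:
        out += f" -[{tech}]-> {dst}"
    return out


def with_passrole_scope(principals, user, resources):
    """Copy of the directory with the user's iam:PassRole resource scope replaced
    (used to check that scoping PassRole removes the path)."""
    scoped = {k: dict(v) for k, v in principals.items()}
    scoped[user]["passrole_resources"] = set(resources)
    return scoped


if __name__ == "__main__":
    edges = derive_edges(PRINCIPALS)
    print(f"Derived attack edges ({len(edges)})")
    for src, dst, tech, detail in edges:
        print(f"  {src} -> {dst} [{tech}] {detail}")
    paths = enumerate_paths(edges, "user/dev-alice")
    print(f"Attack paths to admin ({len(paths)})")
    for i, path in enumerate(paths, 1):
        print(f"  path #{i}: {render(path)}")
```

The Read-Only edge is derived but leads nowhere, which is why the page lists three edges and one path. Re-running `enumerate_paths` on `with_passrole_scope(PRINCIPALS, "user/dev-alice", {"role/Read-Only"})` yields no path at all: the defender's fix for this scenario is to scope the iam:PassRole resource to the roles the developer actually needs (and, in a real policy, to add an iam:PassedToService condition), not to take away ec2:RunInstances.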