Detecting AWS IAM Privilege Escalation

Overview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

When to Use

• When investigating security incidents that require detecting aws iam privilege escalation
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Python 3.8+ with boto3 library
• AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
• Optional: cloudsplaining Python package for HTML report generation