detecting-aws-iam-privilege-escalation
$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-aws-iam-privilege-escalation

Detects dangerous AWS IAM privilege escalation paths.
- Identifies overly permissive policies and dangerous permission combinations.
- Uses boto3 and Cloudsplaining for policy analysis.
- Flags violations of least-privilege principles in IAM configurations.
- Generates HTML reports to visualize security findings.
SKILL.md
.github/skills/detecting-aws-iam-privilege-escalation
---
name: detecting-aws-iam-privilege-escalation
description: Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations
domain: cybersecurity
subdomain: cloud-security
tags: [aws, iam, privilege-escalation, cloudsplaining, boto3, policy-analysis, least-privilege]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Detecting AWS IAM Privilege Escalation

## Overview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

## When to Use

- When investigating security incidents that require detecting AWS IAM privilege escalation
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.8+ with the boto3 library
- AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
- Optional: the cloudsplaining Python package for HTML report generation

## Steps

1. **Download IAM Authorization Details** — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
2. **Analyze Policies for Privilege Escalation** — Check each policy for known escalation permission combinations
3. **Identify Wildcard Resource Policies** — Flag policies using Resource: "*" with dangerous actions
4. **Map Principal-to-Policy Relationships** — Build a graph of which principals can access which escalation paths
5. **Score and Prioritize Findings** — Rank findings by severity based on escalation vector type
6. **Generate Report** — Produce a structured JSON report with remediation guidance

## Expected Output

- JSON report of privilege escalation findings with severity scores
- List of dangerous permission combinations per principal
- Wildcard resource policy audit results
- Remediation recommendations for each finding
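The core of steps 2, 3 and 5 applied to a single policy document, as an added example that is not the skill's or the repository's own code: it runs offline on a constructed policy, whereas the real workflow feeds it the policy documents returned by iam:GetAccountAuthorizationDetails through boto3. The vector names and severity labels are assumptions, and the check deliberately ignores Deny statements, NotAction and Condition blocks, so a hit is a candidate for review rather than a proven path.

```python
from fnmatch import fnmatchcase

# Escalation vectors named in the skill; the severity labels are assumed example values.
ESCALATION_VECTORS = {
    "iam:PassRole+lambda:CreateFunction": ({"iam:passrole", "lambda:createfunction"}, "HIGH"),
    "iam:CreatePolicyVersion": ({"iam:createpolicyversion"}, "CRITICAL"),
    "sts:AssumeRole": ({"sts:assumerole"}, "MEDIUM"),
}

def _as_list(value):  # IAM policy JSON allows a bare string or a list in most fields
    return value if isinstance(value, list) else [value]

def allowed_grants(policy):  # yields (action_pattern, resources) per Allow statement
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are out of scope for this check
        resources = _as_list(stmt.get("Resource", "*"))
        for pattern in _as_list(stmt["Action"]):
            yield pattern.lower(), resources  # IAM action names are case-insensitive

def find_escalation_paths(policy):
    """Return one finding per escalation vector whose required actions the policy grants."""
    grants = list(allowed_grants(policy))
    findings = []
    for vector, (required, severity) in ESCALATION_VECTORS.items():
        matched = {}
        for action in required:
            # fnmatchcase expands IAM action wildcards such as "*", "iam:*" or "lambda:Create*"
            hits = [(p, r) for p, r in grants if fnmatchcase(action, p)]
            if not hits:
                break  # one required action is not granted, so this vector does not apply
            matched[action] = hits
        else:
            findings.append({"vector": vector, "severity": severity,
                "granted_by": sorted({p for hits in matched.values() for p, _ in hits}),
                # step 3: flag the vector when any granting statement uses Resource: "*"
                "wildcard_resource": any("*" in r for hits in matched.values() for _, r in hits)})
    return findings

SAMPLE_POLICY = {  # constructed policy document, not taken from any real account
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreatePolicyVersion", "Resource": "arn:aws:iam::123456789012:policy/AppPolicy"},
        {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(find_escalation_paths(SAMPLE_POLICY))
```

On the sample policy the PassRole + CreateFunction vector is reported with the wildcard flag set (granted through `lambda:*` on `Resource: "*"`), CreatePolicyVersion is reported without it, and sts:AssumeRole is not reported because it is only present in a Deny statement.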