detecting-aws-iam-privilege-escalation
Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations
Best use case
detecting-aws-iam-privilege-escalation is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations
Teams using detecting-aws-iam-privilege-escalation should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-aws-iam-privilege-escalation/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-aws-iam-privilege-escalation Compares
| Feature / Agent | detecting-aws-iam-privilege-escalation | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting AWS IAM Privilege Escalation ## Overview This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles. ## When to Use - When investigating security incidents that require detecting aws iam privilege escalation - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Python 3.8+ with boto3 library - AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails) - Optional: cloudsplaining Python package for HTML report generation ## Steps 1. **Download IAM Authorization Details** — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies 2. **Analyze Policies for Privilege Escalation** — Check each policy for known escalation permission combinations 3. **Identify Wildcard Resource Policies** — Flag policies using Resource: "*" with dangerous actions 4. **Map Principal-to-Policy Relationships** — Build a graph of which principals can access which escalation paths 5. **Score and Prioritize Findings** — Rank findings by severity based on escalation vector type 6. **Generate Report** — Produce structured JSON report with remediation guidance ## Expected Output - JSON report of privilege escalation findings with severity scores - List of dangerous permission combinations per principal - Wildcard resource policy audit results - Remediation recommendations for each finding