Finding AWS IAM Privilege Escalation Paths Offline with CloudAttack

IC Governance Systems — Mon, 08 Jun 2026 19:26:25 +0000

Finding AWS IAM Privilege Escalation Paths Offline with CloudAttack

Introduction

AWS IAM is one of the most powerful security controls in AWS, but it can also become one of the most difficult to review as environments grow.

A common challenge is identifying privilege escalation paths that are not immediately obvious when reviewing policies manually.

For example:

A developer role may appear to have limited permissions.
That same role may have the ability to use iam:PassRole.
The target role may have access to higher privilege services such as Lambda, EC2, or other AWS resources.

This creates a potential escalation path that may not be visible during a simple policy review.

To explore this problem, I built CloudAttack Community Edition, a lightweight open-source tool that analyses exported IAM JSON files locally and highlights common identity risks.

Why Offline Analysis?

Many organisations operate in environments where:

Internet access is restricted
AWS credentials cannot be shared
Security reviews must be performed locally

CloudAttack was designed with those scenarios in mind.

The Community Edition:

Runs locally
Requires no AWS credentials
Requires no cloud access
Analyses exported IAM JSON files

Example IAM Risk

Consider the following scenario:

{
  "Role": "developer-role",
  "Permissions": [
    "iam:PassRole"
  ]
}

If the developer role can pass another role with elevated permissions, an attacker may be able to abuse that relationship and gain additional access.

Manually identifying these paths across multiple roles becomes increasingly difficult as environments grow.

Example CloudAttack Output

=== CloudAttack Community Edition ===

[CRITICAL] Privilege Escalation Path Detected

Role:
  developer-role

Issue:
  Can pass role lambda-role

Impact:
  This chain may allow privilege escalation across roles

Path:
  developer-role → lambda-role

----------------------------------------

[HIGH] External Account Access

Role:
  lambda-role

Issue:
  External account can assume this role

Impact:
  External AWS account may inherit permissions

----------------------------------------

Summary:
  2 issues found

Current Detection Capabilities

The current Community Edition can identify:

iam:PassRole abuse paths
External trust relationships
Overly permissive trust policies
Simple privilege escalation chains

Future Enhancements

Potential future capabilities include:

Risk scoring
Attack path visualisation
Multi-account analysis
Blast radius estimation
Advanced privilege escalation modelling

Project

CloudAttack Community Edition is available on GitHub.

Feedback, feature requests, and contributions are welcome.

Conclusion

IAM remains one of the most common sources of cloud security risk.

Even relatively small misconfigurations can create privilege escalation opportunities that are difficult to identify manually.

CloudAttack was created to provide a simple way to analyse IAM configurations locally and surface these risks quickly.

If you're working in AWS security, cloud engineering, or DevSecOps, I'd be interested to hear your feedback.

DEV Community: IC Governance Systems

Finding AWS IAM Privilege Escalation Paths Offline with CloudAttack

Finding AWS IAM Privilege Escalation Paths Offline with CloudAttack

Introduction

Why Offline Analysis?

Example IAM Risk

Example CloudAttack Output

Current Detection Capabilities

Future Enhancements

Project

Conclusion