Files
Anthropic-Cybersecurity-Skills/skills/detecting-aws-iam-privilege-escalation/SKILL.md
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

2.4 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
detecting-aws-iam-privilege-escalation Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive policies, dangerous permission combinations, and least-privilege violations cybersecurity cloud-security
aws
iam
privilege-escalation
cloudsplaining
boto3
policy-analysis
least-privilege
1.0 mahipal Apache-2.0
PR.IR-01
ID.AM-08
GV.SC-06
DE.CM-01
T1098.001
T1098.003
T1078.004
T1548.005
T1484

Detecting AWS IAM Privilege Escalation

Overview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

When to Use

  • When investigating security incidents that require detecting aws iam privilege escalation
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Python 3.8+ with boto3 library
  • AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
  • Optional: cloudsplaining Python package for HTML report generation

Steps

  1. Download IAM Authorization Details — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
  2. Analyze Policies for Privilege Escalation — Check each policy for known escalation permission combinations
  3. Identify Wildcard Resource Policies — Flag policies using Resource: "*" with dangerous actions
  4. Map Principal-to-Policy Relationships — Build a graph of which principals can access which escalation paths
  5. Score and Prioritize Findings — Rank findings by severity based on escalation vector type
  6. Generate Report — Produce structured JSON report with remediation guidance

Expected Output

  • JSON report of privilege escalation findings with severity scores
  • List of dangerous permission combinations per principal
  • Wildcard resource policy audit results
  • Remediation recommendations for each finding