creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/detecting-aws-iam-privilege-escalation/references/api-reference.md
T

80 lines
2.2 KiB
Markdown
Raw Blame History

# AWS IAM Privilege Escalation Detection API Reference
## boto3 IAM API
```python
import boto3
iam = boto3.client("iam")
# Download full account authorization details
paginator = iam.get_paginator("get_account_authorization_details")
for page in paginator.paginate():
users = page["UserDetailList"]
roles = page["RoleDetailList"]
policies = page["Policies"]
# Get specific policy version
policy = iam.get_policy_version(
PolicyArn="arn:aws:iam::123456789012:policy/MyPolicy",
VersionId="v2"
)
```
## Cloudsplaining CLI
```bash
# Install
pip install cloudsplaining
# Download account authorization details
cloudsplaining download --profile myprofile
# Scan authorization file for privilege escalation
cloudsplaining scan --input-file default.json --output results/
# Scan a single policy file
cloudsplaining scan-policy-file --input-file policy.json
```
## Known Privilege Escalation Vectors
| Vector | Required Permissions | Risk |
|--------|---------------------|------|
| CreatePolicyVersion | `iam:CreatePolicyVersion` | Critical |
| AttachUserPolicy | `iam:AttachUserPolicy` | Critical |
| PutUserPolicy | `iam:PutUserPolicy` | Critical |
| PassRole + Lambda | `iam:PassRole`, `lambda:CreateFunction`, `lambda:InvokeFunction` | Critical |
| PassRole + EC2 | `iam:PassRole`, `ec2:RunInstances` | Critical |
| UpdateAssumeRolePolicy | `iam:UpdateAssumeRolePolicy` | Critical |
| PassRole + CloudFormation | `iam:PassRole`, `cloudformation:CreateStack` | High |
| PassRole + SSM | `iam:PassRole`, `ssm:SendCommand` | Critical |
## AWS CLI IAM Audit Commands
```bash
# List all users with attached policies
aws iam list-users --output json
# Get user's inline policies
aws iam list-user-policies --user-name admin
# Get attached managed policies
aws iam list-attached-user-policies --user-name admin
# Simulate policy evaluation
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/admin \
--action-names iam:CreatePolicyVersion iam:AttachUserPolicy
# Get account authorization details (full dump)
aws iam get-account-authorization-details > auth-details.json
```
## Parliament (Policy Linting)
```bash
pip install parliament
parliament --file policy.json
```
Reference in New Issue View Git Blame Copy Permalink