gebalamariusz/cloud-audit

v2.1.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

✓ No known CVEs patched

Topics

audit aws aws-audit aws-security cis-benchmarks cli cloud-security compliance devops security iam iac infrastructure-security open-source-security python python-cli security-scanner terraform vulnerability-scanning

Affected surfaces

auth rbac

Summary

AI summary

Added 39 new IAM privilege escalation detection methods across three tiers, expanding coverage to all known paths.

Full changelog

Added

  • IAM Privilege Escalation - Tier 1 + Tier 2 + Tier 3: 39 new detection methods, for a total of 64 across 9 categories (was 25 methods across 6 categories). Covers all known IAM privilege escalation paths catalogued at pathfinding.cloud.

    Tier 1 (20 methods - PassRole variants + resource policy abuse + deny removal):

    • PassRole + Glue variants: glue:CreateJob, glue:UpdateJob, glue:CreateSession
    • PassRole + ECS variants: ecs:UpdateService, ecs:RegisterTaskDefinition (auto-deploy)
    • PassRole + CloudFormation: cloudformation:UpdateStack
    • PassRole + EC2 instance profile hijack: ec2:AssociateIamInstanceProfile, ec2:ReplaceIamInstanceProfileAssociation
    • PassRole + Lambda event source mapping
    • Instance profile role swap (no PassRole): iam:RemoveRoleFromInstanceProfile + iam:AddRoleToInstanceProfile
    • NEW Resource Policy Abuse category: lambda:AddPermission, lambda:AddLayerVersionPermission
    • IAM deny-removal patterns: iam:DeleteRolePolicy, iam:DeleteUserPolicy, iam:DetachRolePolicy, iam:DetachUserPolicy, iam:CreateServiceLinkedRole
    • Credential access extensions: iam:UpdateAccessKey, iam:DeactivateMFADevice, iam:DeleteVirtualMFADevice (MFA bypass paths)

    Tier 2 (12 methods - new compute primitives + SSM):

    • PassRole + new services: codebuild:CreateProject, apprunner:CreateService, sagemaker:CreateNotebookInstance, sagemaker:CreateProcessingJob, bedrock:CreateAgent, states:CreateStateMachine
    • NEW Compute Hijack category: ssm:SendCommand, ssm:StartSession (managed EC2 abuse), ec2-instance-connect:SendSSHPublicKey (60s SSH key push), codebuild:UpdateProject (hijack existing CI build), apprunner:UpdateService (replace running container)
    • Credential access extension: ssm:GetParameter (read secrets from Parameter Store)

    Tier 3 (4 methods - lateral movement via AssumeRole graph - NEW pipeline):

    • NEW Lateral AssumeRole category, backed by the new module iam_trust_graph.py, which parses each role's AssumeRolePolicyDocument and builds a directed trust graph
    • AssumeRole:Direct - 1-hop assume from a principal to a role with admin permissions
    • AssumeRole:Chain - multi-hop assume chain (up to 4 hops) ending at admin
    • AssumeRole:WildcardTrust - any role with Principal: "*" trust policy
    • AssumeRole:CrossAccountRoot - any role trusting an external account's :root principal
    • Same-account root expansion: roles trusting arn:aws:iam::SAME:root are treated as reachable by any principal in the same account that holds sts:AssumeRole
    • Bare 12-digit account IDs are normalized to :root ARNs
    • Trust conditions (MFA / ExternalId / SourceArn) are flagged but not semantically evaluated
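As an added example (not code from cloud-audit or its iam_trust_graph.py module), a minimal version of the Tier 3 trust-graph logic described above: trust policies are parsed into principal-to-role edges, bare account IDs are normalized to :root, wildcard and cross-account root trust are flagged, conditions are flagged but not evaluated, same-account :root trust is expanded, and a breadth-first search reports Direct and Chain paths (up to 4 hops) to admin roles. The function names, finding labels and the sample account and roles are assumptions, not the project's own.

```python
def trust_edges(roles):
    """Parse each role's AssumeRolePolicyDocument into (principal, role_arn, has_condition) edges."""
    edges = []
    for role, doc in roles.items():
        for stmt in doc.get("Statement", []):
            acts = stmt.get("Action", [])
            acts = {acts} if isinstance(acts, str) else set(acts)
            if stmt.get("Effect") != "Allow" or not acts & {"sts:AssumeRole", "sts:*"}:
                continue
            princ = stmt.get("Principal", {})
            aws = princ if isinstance(princ, str) else princ.get("AWS", [])  # "*" or AWS principal(s)
            for p in ([aws] if isinstance(aws, str) else aws):
                p = f"arn:aws:iam::{p}:root" if p.isdigit() and len(p) == 12 else p  # bare account ID -> :root
                edges.append((p, role, "Condition" in stmt))
    return edges

def assume_role_findings(roles, admin_roles, start, account, max_hops=4):
    """Flag risky trust, then BFS from `start` for Direct (1 hop) and Chain (<= max_hops) paths to admin."""
    same_root, adj, findings = f"arn:aws:iam::{account}:root", {}, []
    for p, role, cond in trust_edges(roles):
        if p == "*":
            findings.append(("AssumeRole:WildcardTrust", role))
        elif p.endswith(":root") and p != same_root:
            findings.append(("AssumeRole:CrossAccountRoot", role))
        if cond:  # MFA / ExternalId / SourceArn conditions are flagged, not semantically evaluated
            findings.append(("AssumeRole:ConditionalTrust", role))
        adj.setdefault(p, set()).add(role)
    def hops(p):  # same-account root expansion: any in-account principal reaches roles trusting SAME:root
        extra = adj.get(same_root, set()) if p.startswith(f"arn:aws:iam::{account}:") else set()
        return adj.get(p, set()) | adj.get("*", set()) | extra
    queue, seen = [(start, [start])], {start}
    while queue:
        node, path = queue.pop(0)  # BFS, so the first path found to a role is the shortest
        for nxt in (sorted(hops(node) - seen) if len(path) <= max_hops else []):
            seen.add(nxt)
            if nxt in admin_roles:
                kind = "AssumeRole:Direct" if len(path) == 1 else "AssumeRole:Chain"
                findings.append((kind, " -> ".join(path + [nxt])))
            else:
                queue.append((nxt, path + [nxt]))
    return findings
ACCT = "111111111111"  # constructed sample account; the trust policies below are constructed too, not project data
def trust(principal, **extra):
    return {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal, **extra}]}
SAMPLE_ROLES = {  # dev -> Deploy -> Admin is a 2-hop chain; BreakGlass trusts the bare account ID (SAME:root)
    f"arn:aws:iam::{ACCT}:role/Deploy": trust({"AWS": f"arn:aws:iam::{ACCT}:user/dev"}),
    f"arn:aws:iam::{ACCT}:role/Admin": trust({"AWS": f"arn:aws:iam::{ACCT}:role/Deploy"}),
    f"arn:aws:iam::{ACCT}:role/BreakGlass": trust({"AWS": ACCT}),
    f"arn:aws:iam::{ACCT}:role/Vendor": trust({"AWS": "222222222222"}, Condition={"StringEquals": {"sts:ExternalId": "x"}}),
    f"arn:aws:iam::{ACCT}:role/Open": trust("*"),
}
```

Running `assume_role_findings(SAMPLE_ROLES, {Admin, BreakGlass}, dev, ACCT)` on the sample yields one WildcardTrust, one CrossAccountRoot plus ConditionalTrust finding for Vendor, a Direct path to BreakGlass via the normalized same-account root, and the 2-hop Chain to Admin.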

About gebalamariusz/cloud-audit

Open-source AWS security scanner with attack chain detection, breach cost estimation, and copy-paste remediation (CLI + Terraform). 47 checks, 16 attack chain rules. First free standalone AWS security MCP server.


Related context

Earlier breaking changes

  • v2.2.0 Category enum gains THREAT value, separating active-abuse from SECURITY misconfigurations.