Add 11 IAM privilege escalation paths: cross-account trust, boundary bypass, Identity Center, deny removal #29
Open
paramanandmallik wants to merge 1 commit into
…missions boundary bypass, Identity Center escalation, deny policy removal
Collaborator
Thanks for this contribution @paramanandmallik. I will review! Adding the paths that encompass permissions boundary bypasses was def on my to-do list, so thanks for getting that part started!
Author
Thanks for the quick response.
Author
@sethsec Hi Seth, do we have any update on this PR?
This PR adds 11 new privilege escalation paths spanning four categories that are currently unrepresented or underrepresented in the library.
The existing pathfinding.cloud collection covers same-account AssumeRole and various PassRole combinations well, but has gaps in cross-account trust abuse scenarios. This contribution adds three STS paths documenting how roles can be compromised when trust policies lack ExternalId conditions, use wildcard principals, or when an attacker can rewrite trust policies via iam:UpdateAssumeRolePolicy to inject self-trust. These are among the most common real-world misconfigurations found in multi-account AWS environments.
The library also had no coverage of permissions boundary bypass techniques. The three new IAM paths (iam-022 through iam-024) document how boundaries can be deleted or replaced with permissive policies, restoring the full unconstrained permissions of a principal whose policies were always broader than the boundary allowed. These are particularly relevant because many organizations rely on boundaries as their primary privilege containment mechanism.
Identity Center (SSO) escalation is an entirely new category for the library. The three sso-admin paths document how attackers with SSO management permissions can create new admin permission sets, attach AdministratorAccess to existing permission sets, or inject inline admin policies, gaining organization-wide access through the SSO portal.
Finally, two paths document deny policy removal as an escalation vector. When organizations use attached deny policies as guardrails rather than SCPs, an attacker with DetachUserPolicy or DeleteUserPolicy can remove those guardrails and re-enable previously-blocked escalation paths.
All 11 files pass validate-schema.py and include full exploitation steps (awscli), attack visualizations with conditional branching, actionable remediation guidance with SCP examples, and proper discovery attribution.
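The checks a defender would want for the three STS trust paths described above, as an added example (my code, not the PR's exploitation steps or anything from pathfinding.cloud). It works on the trust policy JSON alone, so it runs offline without the AWS CLI: a static audit flags wildcard principals and cross-account principals that lack an sts:ExternalId condition, and a diff against a stored baseline catches the third path, a self-trust statement added through iam:UpdateAssumeRolePolicy, which a static audit of a same-account principal cannot see. The account IDs, principal ARNs, ExternalId value and the three sample trust policies are constructed, and the SCP at the end is one guardrail of my own for the boundary-removal paths, not the SCP text shipped in the PR.

```python
"""Trust-policy audit and drift check for cross-account AssumeRole paths.

Added example, not code from pathfinding.cloud or this PR. All account IDs,
ARNs and sample policies below are constructed.
"""
import json

OWNER_ACCOUNT = "111111111111"  # assumed: the account that owns the role


def _principals(stmt):
    """Flatten Principal ('*', {"AWS": "..."} or {"AWS": [...]}) to a list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out


def _allows_assume(stmt):
    actions = stmt.get("Action", [])
    actions = actions if isinstance(actions, list) else [actions]
    return stmt.get("Effect") == "Allow" and any(
        a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def _principal_account(principal):
    """Account ID of an AWS principal; None for service or bare-name principals."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4].isdigit() else None


def _has_external_id(stmt):
    for op, keys in stmt.get("Condition", {}).items():
        if op.startswith("String") and any(k.lower() == "sts:externalid" for k in keys):
            return True
    return False


def audit_trust_policy(policy, owner_account=OWNER_ACCOUNT):
    """Static findings: wildcard principals, cross-account principals without ExternalId."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _allows_assume(stmt):
            continue
        for pr in _principals(stmt):
            if pr == "*":
                findings.append(f"statement {i}: wildcard principal, any AWS principal can assume the role")
            elif (_principal_account(pr) not in (None, owner_account)
                  and not _has_external_id(stmt)):
                findings.append(f"statement {i}: cross-account principal {pr} without sts:ExternalId condition")
    return findings


def assume_role_principals(policy):
    out = set()
    for stmt in policy.get("Statement", []):
        if _allows_assume(stmt):
            out.update(_principals(stmt))
    return out


def trust_policy_drift(baseline, current):
    """Principals that can assume the role now but could not in the baseline.
    A same-account self-trust injected via iam:UpdateAssumeRolePolicy passes the
    static audit; comparing against a stored baseline is what catches it."""
    return sorted(assume_role_principals(current) - assume_role_principals(baseline))


def boundary_guardrail_scp(boundary_arn):
    """SCP denying boundary removal and replacement with anything but the approved boundary."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyBoundaryRemoval", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"]},
        {"Sid": "DenyBoundaryReplacement", "Effect": "Deny", "Resource": "*",
         "Action": ["iam:PutRolePermissionsBoundary", "iam:PutUserPermissionsBoundary"],
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": boundary_arn}}},
    ]}


# Constructed sample trust policies.
PARTNER = "arn:aws:iam::222222222222:root"
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
]}
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "partner-7f3a"}}},
]}
# GOOD_TRUST after an attacker with iam:UpdateAssumeRolePolicy appends a self-trust.
INJECTED_TRUST = {"Version": "2012-10-17", "Statement": GOOD_TRUST["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{OWNER_ACCOUNT}:user/attacker"},
     "Action": "sts:AssumeRole"},
]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_TRUST), ("good", GOOD_TRUST), ("injected", INJECTED_TRUST)):
        print(name, audit_trust_policy(pol))
    print("drift:", trust_policy_drift(GOOD_TRUST, INJECTED_TRUST))
    print(json.dumps(boundary_guardrail_scp("arn:aws:iam::111111111111:policy/DevBoundary"), indent=2))
```

Running it shows the point of the two checks together: the weak policy produces two findings, the good policy none, and the injected policy also none from the static audit, while the drift check reports the attacker's user ARN as a newly trusted principal. The SCP reflects the remediation the PR description points to for the boundary paths: move the guardrail out of the principal's own IAM policies, which the principal can edit, into an SCP, which it cannot.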