Cloudsplaining – AWS IAM Security Assessment Tool

Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. It can scan all the policies in your AWS account or it can scan a single policy file.


It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that, without restriction, present the following risks to the AWS account in question:

  • Data Exfiltration (s3:GetObject, ssm:GetParameter, secretsmanager:GetSecretValue)
  • Infrastructure Modification
  • Resource Exposure (the ability to modify resource-based policies)
  • Privilege Escalation (based on Rhino Security Labs research)

Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles – especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet.

Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute ssm:SendCommand and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying these cases easier.
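To make the two checks described above concrete, here is an added example (not Cloudsplaining's own code) that flags the data-exfiltration actions named earlier when they are allowed on Resource "*", and reports which compute services a role's trust policy lets assume it. The function names, the service-principal list and the sample documents are assumptions made for illustration; Condition, NotAction and NotResource are deliberately not evaluated.

```python
import fnmatch

# The three data-exfiltration actions named in the article.
EXFIL_ACTIONS = ["s3:GetObject", "ssm:GetParameter", "secretsmanager:GetSecretValue"]
# Assumed service principals for the compute services the article lists.
COMPUTE_PRINCIPALS = {"ec2.amazonaws.com", "ecs-tasks.amazonaws.com",
                      "eks.amazonaws.com", "lambda.amazonaws.com"}

def as_list(value):
    """IAM allows a scalar or a list for Statement, Action, Resource, Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def unrestricted_exfil_actions(policy):
    """Return the exfiltration actions a policy allows on Resource "*"."""
    found = set()
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
            continue
        for pattern in as_list(stmt.get("Action")):
            # Action patterns may contain wildcards and are case-insensitive.
            found.update(a for a in EXFIL_ACTIONS
                         if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

def compute_services_trusted(trust_policy):
    """Return compute services allowed to assume the role via its trust policy."""
    services = set()
    for stmt in as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services.update(s for s in as_list(principal.get("Service"))
                        if s in COMPUTE_PRINCIPALS)
    return sorted(services)

# Constructed sample documents (not from a real account).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "ssm:SendCommand"], "Resource": "*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app-*"},
]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("Unrestricted exfiltration actions:", unrestricted_exfil_actions(SAMPLE_POLICY))
    print("Assumable by compute services:", compute_services_trusted(SAMPLE_TRUST))
```

In the sample, only s3:GetObject is reported: the wildcard s3:Get* covers it on Resource "*", while secretsmanager:GetSecretValue is scoped to a specific ARN pattern and is therefore not flagged.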

You can also specify a custom exclusions file to filter out results that are False Positives for various reasons. For example, User Policies are permissive by design, whereas System roles are generally more restrictive. You might also have exclusions that are specific to your organization’s multi-account strategy or AWS application architecture.

You can read more and download this tool over here:
