Skill

detecting-aws-iam-privilege-escalation

Detects AWS IAM privilege escalation paths using boto3 and Cloudsplaining analysis to flag overly permissive policies, dangerous permission combos, and least-privilege violations.

Python

AWS

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, sts:AssumeRole), and flags policies that violate least-privilege principles.

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Detecting AWS IAM Privilege Escalation

Overview

When to Use

When investigating security incidents that require detecting aws iam privilege escalation
When building detection rules or threat hunting queries for this domain
When SOC analysts need structured procedures for this analysis type
When validating security monitoring coverage for related attack techniques

Prerequisites

Python 3.8+ with boto3 library
AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
Optional: cloudsplaining Python package for HTML report generation

Steps

Download IAM Authorization Details — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
Analyze Policies for Privilege Escalation — Check each policy for known escalation permission combinations
Identify Wildcard Resource Policies — Flag policies using Resource: "*" with dangerous actions
Map Principal-to-Policy Relationships — Build a graph of which principals can access which escalation paths
Score and Prioritize Findings — Rank findings by severity based on escalation vector type
Generate Report — Produce structured JSON report with remediation guidance

Expected Output

JSON report of privilege escalation findings with severity scores
List of dangerous permission combinations per principal
Wildcard resource policy audit results
Remediation recommendations for each finding