Privilege Escalations

An overview of the current capabilities of CodeShield’s IAM privilege escalation feature.

An IAM privilege escalation is a technique that attackers abuse to gain higher privileges (e.g., access to critical resources) within your account.

Proper IAM permission management is critical to avoid privilege escalations within your account. Modern cloud attacks abuse combinations of critical IAM permissions to do so-called “policy shopping”, which allows further unintended access. It is important to note that it is usually not a single permission that is critical, but a combination of permissions. In the worst case, the attacker may end up with the AWS-managed IAM policy AdministratorAccess, which grants full control over the account.

Real-world and established cloud attacks have shown that an attacker who has initial access to a user (AWS identity) or compute resource (Lambda function, EC2 instance) in your account can gain – if the IAM permissions of those resources are misconfigured – additional IAM policies. It is exactly these cases that CodeShield detects as part of its attack scenario feature.
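The point that a combination of permissions, not a single one, is what matters can be checked mechanically. The following is an added example (not CodeShield's code) that evaluates the Allow/Deny action patterns of all policies attached to one identity and flags a combination only when every action in it is granted; the single rule it ships with (iam:PassRole plus the Lambda create/invoke actions) is an assumed, illustrative rule taken from public IAM research, not CodeShield's rule set, and the sample policies are constructed.

```python
import fnmatch

# Constructed sample: two policies attached to the same identity.
# Neither policy alone completes the combination; together they do.
POLICY_A = {"Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}
POLICY_B = {"Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}

# Assumed, illustrative combination rule from public research (not CodeShield's rule set).
ESCALATION_RULES = {
    "lambda-passrole": {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
}


def action_patterns(policies):
    """Collect Allow and Deny action patterns across all attached policies.
    Resource and Condition elements are deliberately ignored here; a real
    scanner must evaluate them too."""
    allow, deny = set(), set()
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):          # a single statement is allowed in IAM JSON
            statements = [statements]
        for stmt in statements:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):          # "Action" may be a string or a list
                actions = [actions]
            target = allow if stmt["Effect"] == "Allow" else deny
            target.update(a.lower() for a in actions)   # IAM action names are case-insensitive
    return allow, deny


def is_granted(action, allow, deny):
    """An action is granted only if some Allow pattern matches and no Deny pattern does.
    IAM action wildcards (* and ?) map directly onto fnmatch."""
    act = action.lower()
    if any(fnmatch.fnmatchcase(act, pattern) for pattern in deny):
        return False
    return any(fnmatch.fnmatchcase(act, pattern) for pattern in allow)


def find_escalation_combos(policies, rules=ESCALATION_RULES):
    """Return the names of all rules whose actions are fully granted by the policy set."""
    allow, deny = action_patterns(policies)
    return sorted(name for name, needed in rules.items()
                  if all(is_granted(action, allow, deny) for action in needed))


if __name__ == "__main__":
    print(find_escalation_combos([POLICY_A]))            # []
    print(find_escalation_combos([POLICY_B]))            # []
    print(find_escalation_combos([POLICY_A, POLICY_B]))  # ['lambda-passrole']
```

An explicit Deny on any one action in the set is enough to break the combination, which is also the cheapest way to remediate a finding like this.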

CodeShield automatically detects attack scenarios and

  1. showcases how an attacker can potentially use existing and non-existing resources in your account to perform lateral movement,
  2. categorizes the attack scenarios with respect to their attack goals, and
  3. computes exactly which resources are impacted by a breach.

Escalation Methods

An escalation method is a lateral movement within the cloud that allows an attacker to gain additional, unintended access within your cloud infrastructure.

Attack Goals

An attack goal is a defined objective an attacker wants to achieve within the AWS account. CodeShield defines more than a dozen attack goals. Example attack goals are: gaining read or write access to databases, modifying the cloud infrastructure, or gaining administrator access to the account.

Last modified September 23, 2022