
feat(attack-paths): Add 8 IAM privilege escalation detection queries#11460

Open
paramanandmallik wants to merge 1 commit into prowler-cloud:master from paramanandmallik:add-iam-privesc-attack-paths-queries

Conversation

@paramanandmallik

Context

Adds 8 openCypher queries that detect IAM privilege escalation patterns in AWS environments. These queries analyze Cartography-ingested graph data to identify principals with dangerous permission combinations that enable lateral movement and privilege escalation.

What's Included

#  Query ID                                               Attack Pattern
1  aws-iam-privesc-cross-account-no-external-id           Cross-account role without ExternalId → confused deputy
2  aws-iam-privesc-wildcard-trust                         Role trust with Principal: "*" → universal access
3  aws-iam-privesc-update-trust-self-assume               UpdateAssumeRolePolicy → inject self into any role trust
4  aws-iam-privesc-passrole-lambda                        PassRole + Lambda CreateFunction + InvokeFunction
5  aws-iam-privesc-passrole-ec2                           PassRole + RunInstances → IMDS credential theft
6  aws-iam-privesc-create-policy-version-self-escalation  CreatePolicyVersion with wildcard resource → instant admin
7  aws-iam-privesc-boundary-removal                       DeletePermissionsBoundary → unlock unconstrained access
8  aws-sso-privesc-permission-set-escalation              SSO CreatePermissionSet + CreateAccountAssignment → org-wide admin

Research Source

All queries are based on documented attack paths from pathfinding.cloud PR #29. Each query's attribution field links directly to the corresponding documented path.

Compatibility

  • Queries use openCypher v9 syntax compatible with both Neo4j and Amazon Neptune
  • No CALL subqueries (Neptune limitation)
  • No mutating statements (read-only enforcement)
  • All queries use $provider_uid for account scoping and include the Prowler findings join

What Was Tested

  • All 145 structural validation tests pass (test_attack_paths_queries.py)
  • All 61 existing attack paths tests continue to pass
  • No duplicate query IDs in the registry
  • Python syntax validation passes

Checklist

  • Queries are read-only (no CREATE/MERGE/SET/DELETE)
  • Each query uses $provider_uid for account scoping
  • Each query ends with the Prowler findings UNWIND/OPTIONAL MATCH
  • Attribution links point to valid pathfinding.cloud paths
  • Query IDs are unique and follow kebab-case convention
  • Queries are registered in AWS_QUERIES list
  • Under 10,000 character limit per query
  • Tests added for structural validation of all new queries
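As an added example (not code from this PR, and not Prowler's own test_attack_paths_queries.py), a small Python validator that applies the structural rules from the Compatibility and Checklist sections above to a constructed query registry. The node labels, the $finding_ids parameter, the Finding label and the attribution URL are assumptions made for illustration only.

```python
import re

# Added illustrative validator for the PR checklist rules; not Prowler's own test file.
MUTATING = re.compile(r"\b(CREATE|MERGE|SET|DELETE|REMOVE)\b", re.I)  # REMOVE added to the checklist's four
CALL_SUBQUERY = re.compile(r"\bCALL\s*\{", re.I)   # Neptune does not support CALL subqueries
KEBAB = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")
MAX_LEN = 10_000

def validate_query(entry):
    """Return the checklist violations for one entry; an empty list means it passes."""
    qid, cypher = entry["id"], entry["cypher"]
    upper = cypher.upper()
    problems = []
    if not KEBAB.match(qid):
        problems.append("id is not kebab-case")
    if len(cypher) > MAX_LEN:
        problems.append("query exceeds 10,000 characters")
    if MUTATING.search(cypher):
        problems.append("mutating clause present; queries must be read-only")
    if CALL_SUBQUERY.search(cypher):
        problems.append("CALL subquery present; not supported on Neptune")
    if "$provider_uid" not in cypher:
        problems.append("missing $provider_uid account scoping")
    if "UNWIND" not in upper or "OPTIONAL MATCH" not in upper:
        problems.append("missing Prowler findings UNWIND/OPTIONAL MATCH join")
    if "pathfinding.cloud" not in entry.get("attribution", ""):
        problems.append("attribution does not reference a pathfinding.cloud path")
    return problems

def validate_registry(registry):
    """Validate each entry and the registry-wide uniqueness rule; returns {id: [problems]}."""
    report = {}
    for entry in registry:
        problems = validate_query(entry)
        if entry["id"] in report:  # duplicate IDs would silently shadow each other
            problems.append("duplicate query id")
            report[entry["id"]].extend(problems)
        else:
            report[entry["id"]] = problems
    return report

# Constructed sample registry: one compliant entry, one breaking several rules.
SAMPLE_REGISTRY = [
    {"id": "aws-iam-privesc-wildcard-trust",
     "attribution": "https://pathfinding.cloud/PLACEHOLDER-PATH",  # placeholder, not a real path
     "cypher": ("MATCH (a:AWSAccount {id: $provider_uid})-[:RESOURCE]->(r:AWSRole) WITH r\n"
                "UNWIND $finding_ids AS fid OPTIONAL MATCH (f:Finding {id: fid})\n"
                "RETURN r.arn AS role_arn, f.id AS finding_id")},
    {"id": "AWS_IAM_Bad_Query", "attribution": "",
     "cypher": "MATCH (r:AWSRole) CALL { WITH r RETURN r } SET r.flagged = true RETURN r"},
]
```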

github-actions Bot added the component/api and community (Opened by the Community) labels on Jun 3, 2026

github-actions Bot commented Jun 3, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@paramanandmallik paramanandmallik marked this pull request as ready for review June 3, 2026 16:50
@paramanandmallik paramanandmallik requested a review from a team as a code owner June 3, 2026 16:50