An AWS IAM Security Tooling Reference [2024]

🕰️ Four years ago, I published An AWS IAM Security Tooling Reference. It’s time to revisit it and take a look at the current landscape.¹

Identity and Access Management (IAM) is a cornerstone of security. However, AWS IAM is not only crucially important, but also immensely complex.

This complexity and the resultant challenges it can pose for security have not gone unnoticed. In addition to efforts at education, AWS has developed Zelkova, an automated reasoning tool for AWS permissions. AWS IAM Access Analyzer uses Zelkova to “identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.” AWS IAM Access Advisor offers “last used” information on permissions, to help cull unnecessary access.

Outside of Amazon, numerous individuals and organizations have also released tools to help you reason about the usage of IAM in your AWS environment.

PMapper

developed at nccgroup, with a more recently maintained fork available

Principal Mapper (PMapper) is a script from my former NCC Group coworker Erik Steringer that answers a couple of the most pressing questions about IAM Security:

1. “Who can escalate privileges?” and
2. “Which principals can access other principals?”

Since the 1.0 launch, PMapper has added support for:

1. resource policies, permission boundaries, session policies, and service control policies
2. New serviceaccess preset query: reporting which services can access which roles
3. New wrongadmin preset query: finds admin users/roles that don’t have the AdministratorAccess (or a similar inline policy) set

The fork additionally adds support for externalaccess, a preset query to determine external access for an account.

PMapper accomplishes this by generating and traversing a graph of a given AWS account’s IAM users and roles. It also comes equipped with both a REPL and support for generating Visualizations.

Cloudsplaining

salesforce/cloudsplaining

Kinnaird McQuade of Salesforce’s Cloudsplaining is the most recent release to have made this list. Cloudsplaining identifies violations of least privilege with perhaps the most robust reporting of any tool on this list. While the primary focus is on identifying failures to take advantage of resource constraints, it has findings for:

1. Privilege Escalation,
2. Resource Exposure,
3. Infrastructure Modification, and
4. Data Exfiltration

Apeman

hotnops/apeman

Daniel Heinsen recently launched this new tool, offering a graph-based tool to model AWS IAM permissions. Check out the example query Daniel put together to show how you can use the underlying neo4j database to identify cognito vulnerable roles, as per research by Nick Frichette.

Parliament

duo-labs/parliament

Parliament, from Scott Piper (of Summit Route) and Duo Labs, is the OG AWS IAM linting library. It can identify hard to notice issues like the attempt to use a condition that is not documented as supported for the associated action, or the use of completely unknown actions. It also has rules for logical inconsistencies that might allow for privilege escalation, with the provided example “an S3 bucket where s3:Delete is not allowed, but s3:PutBucketPolicy is, which could be abused to grant anonymous object deletion.”

aws-lint-iam-policies

welldone-cloud/aws-lint-iam-policies

This tool from Michael Kirchner is a more recent AWS IAM linter. It primarily relies on the AWS IAM Access Analyzer policy validation feature, exposing it for use in CI/CD or in the CLI. It also contains a few custom checks, including coverage of trusts to other AWS accounts and wildcard principals.

IAMSpy

WithSecureLabs/IAMSpy

WithSecure’s Mohit Gupta has created an opensource variant on Zelkova, using the Z3 prover (an SMT solver) formally prove whether an action by a given IAM entity is possible against a particular resource.

Generic Tools with IAM Findings

There are generally a subset of findings in any cloud security tool that reference IAM.

• Pacu - RhinoSecurityLabs/pacu’s iam__privesc_scan module
• Prowler - prowler-cloud/prowler’s IAM checks
• Steampipe - AWS Compliance benchmark for IAM, and compatibility with Access Advisor

Unmaintained, Deprecated, or not practically recommended

• Cloudtracker - duo-labs/cloudtracker: an old tool that found unused permissions
• SkyArk - cyberark/SkyArk: an unmaintained tool which identifies so-called “shadow admins” within an AWS account
• AWSPX - WithSecureLabs/awspx: an unmaintained graph-based tool for visualizing effective access and resource relationships within AWS
• Aaia - rams3sh/Aaia: an old tool for visualizing AWS IAM and Organizations in a graph format with help of Neo4j