agent security skill risk: medium
AWS IAM Privilege Escalation Detector
The prompt provides steps to download IAM authorization details via boto3, analyze policies for dangerous permission combinations and wildcard resources, map principals, score find…
- External action: medium
SKILL 4 files · 2 folders
SKILL.md
---
name: detecting-aws-iam-privilege-escalation
description: "Detect AWS IAM privilege escalation paths using boto3 and Cloudsplaining policy analysis to identify overly permissive"
---

# Detecting AWS IAM Privilege Escalation

## Overview

This skill uses boto3 and Cloudsplaining-style analysis to identify IAM privilege escalation paths in AWS accounts. It downloads the account authorization details, analyzes each policy for dangerous permission combinations (iam:PassRole + lambda:CreateFunction, iam:CreatePolicyVersion, and sts:AssumeRole where a role's trust policy admits the principal), and flags policies that violate least-privilege principles.

## When to Use

- When investigating security incidents that require detecting AWS IAM privilege escalation
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Python 3.8+ with boto3 library
- AWS credentials with IAM read-only access (iam:GetAccountAuthorizationDetails)
- Optional: cloudsplaining Python package for HTML report generation

## Steps

1. **Download IAM Authorization Details** — Call iam:GetAccountAuthorizationDetails to retrieve all users, groups, roles, and policies
2. **Analyze Policies for Privilege Escalation** — Check each policy for known escalation permission combinations
3. **Identify Wildcard Resource Policies** — Flag policies using Resource: "*" with dangerous actions
4. **Map Principal-to-Policy Relationships** — Build a graph of which principals can access which escalation paths
5. **Score and Prioritize Findings** — Rank findings by severity based on escalation vector type
6. **Generate Report** — Produce structured JSON report with remediation guidance

## Expected Output

- JSON report of privilege escalation findings with severity scores
- List of dangerous permission combinations per principal
- Wildcard resource policy audit results
- Remediation recommendations for each finding
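The six steps above, worked through as an added Python example that is not part of the skill and not Cloudsplaining's own code. It implements steps 2 to 6 over a constructed authorization-details payload in the shape boto3 returns from get_account_authorization_details (policy documents already parsed to dicts); step 1 is the only part that needs credentials and is noted in the docstring. The vector table, severity scores, account number, principal names and remediation wording are this example's assumptions.

```python
"""Added example (not the skill's own code): Cloudsplaining-style escalation analysis over a
constructed iam:GetAccountAuthorizationDetails payload. Vectors, scores and remediation text are
assumptions. Live use: merge the pages of iam.get_paginator("get_account_authorization_details")."""
import fnmatch
import json

# Assumed vector table: a principal must hold every action in the set for the vector to apply.
ESCALATION_VECTORS = {
    "CreatePolicyVersion": ({"iam:CreatePolicyVersion"}, 9),
    "SetDefaultPolicyVersion": ({"iam:SetDefaultPolicyVersion"}, 8),
    "PassRole+LambdaCreateFunction": ({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}, 9),
    "PassRole+EC2RunInstances": ({"iam:PassRole", "ec2:RunInstances"}, 8),
}

def _as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def allow_pairs(doc):
    """(action_pattern, resource_pattern) from Allow statements. Deny, NotAction, Condition,
    permission boundaries and SCPs are not modelled, so every finding is a candidate to confirm."""
    for st in _as_list(doc.get("Statement")):
        if st.get("Effect") == "Allow" and "Action" in st:
            for a in _as_list(st["Action"]):
                for r in _as_list(st.get("Resource")):
                    yield a, r

def grants(doc, action):
    """Resource patterns under which `action` is allowed; IAM action matching is case-insensitive."""
    return [r for a, r in allow_pairs(doc) if fnmatch.fnmatchcase(action.lower(), a.lower())]

def default_managed_docs(details):
    """PolicyArn -> (PolicyName, document of the default version only)."""
    return {p["Arn"]: (p["PolicyName"], v["Document"]) for p in details.get("Policies", [])
            for v in p.get("PolicyVersionList", []) if v.get("IsDefaultVersion")}

def attached_docs(principal, inline_key, managed):
    inline = [(p["PolicyName"], p["PolicyDocument"]) for p in principal.get(inline_key, [])]
    return inline + [managed[m["PolicyArn"]] for m in principal.get("AttachedManagedPolicies", []) if m["PolicyArn"] in managed]

def effective_docs(details):
    """Principal ARN -> [(policy_name, doc)]; group policies are folded into member users."""
    managed = default_managed_docs(details)
    groups = {g["GroupName"]: g for g in details.get("GroupDetailList", [])}
    out = {r["Arn"]: attached_docs(r, "RolePolicyList", managed) for r in details.get("RoleDetailList", [])}
    for u in details.get("UserDetailList", []):
        out[u["Arn"]] = attached_docs(u, "UserPolicyList", managed) + [d for g in u.get("GroupList", [])
                        if g in groups for d in attached_docs(groups[g], "GroupPolicyList", managed)]
    return out

def remediation(actions, policies):
    fix = "scope Resource to the exact ARNs the workload needs"
    if "iam:PassRole" in actions:
        fix += " and add an iam:PassedToService Condition on iam:PassRole"
    return f"In {', '.join(policies)}: remove {', '.join(sorted(actions))} or {fix}."

def build_report(details):
    """Skill steps 2-6: detect vectors, audit Resource '*', map principals, score, emit report."""
    principal_docs = effective_docs(details)
    findings, on_star = [], set()
    for arn, docs in principal_docs.items():
        for vector, (actions, base) in ESCALATION_VECTORS.items():
            hits = {a: [(n, r) for n, d in docs for r in grants(d, a)] for a in actions}
            if not all(hits.values()):
                continue  # at least one action of the vector is not granted to this principal
            star = {(arn, n, a) for a, h in hits.items() for n, r in h if r == "*"}
            on_star |= star
            policies = sorted({n for h in hits.values() for n, _ in h})
            findings.append({"principal": arn, "vector": vector, "severity": min(10, base + bool(star)),
                             "policies": policies, "wildcard_resource": bool(star),
                             "remediation": remediation(actions, policies)})
    findings.sort(key=lambda f: (-f["severity"], f["principal"]))
    return {"summary": {"principals_scanned": len(principal_docs), "findings": len(findings)},
            "findings": findings,
            "wildcard_resource_audit": [{"principal": p, "policy": n, "action": a} for p, n, a in sorted(on_star)],
            "principal_policy_map": {arn: sorted({n for n, _ in d}) for arn, d in principal_docs.items()}}

ACCT = "123456789012"  # constructed sample in the boto3 response shape (policy documents already parsed)
DETAILS = {
    "UserDetailList": [
        {"UserName": "ci-deployer", "Arn": f"arn:aws:iam::{ACCT}:user/ci-deployer", "GroupList": [],
         "AttachedManagedPolicies": [], "UserPolicyList": [{"PolicyName": "deploy-lambda", "PolicyDocument": {"Statement": [
             {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
             {"Effect": "Allow", "Action": "iam:PassRole", "Resource": f"arn:aws:iam::{ACCT}:role/lambda-exec"}]}}]},
        {"UserName": "alice", "Arn": f"arn:aws:iam::{ACCT}:user/alice", "GroupList": ["policy-admins"],
         "UserPolicyList": [], "AttachedManagedPolicies": []}],
    "GroupDetailList": [
        {"GroupName": "policy-admins", "Arn": f"arn:aws:iam::{ACCT}:group/policy-admins", "AttachedManagedPolicies": [],
         "GroupPolicyList": [{"PolicyName": "manage-policies", "PolicyDocument": {
             "Statement": {"Effect": "Allow", "Action": "iam:*PolicyVersion", "Resource": "*"}}}]}],
    "RoleDetailList": [
        {"RoleName": "auditor", "Arn": f"arn:aws:iam::{ACCT}:role/auditor", "RolePolicyList": [],
         "AttachedManagedPolicies": [{"PolicyName": "ReadOnlyAudit", "PolicyArn": f"arn:aws:iam::{ACCT}:policy/ReadOnlyAudit"}]}],
    "Policies": [  # v1 is iam:* but is not the default version, so it must not yield a finding
        {"PolicyName": "ReadOnlyAudit", "Arn": f"arn:aws:iam::{ACCT}:policy/ReadOnlyAudit", "PolicyVersionList": [
            {"VersionId": "v2", "IsDefaultVersion": True, "Document": {"Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}},
            {"VersionId": "v1", "IsDefaultVersion": False, "Document": {"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}}]}],
}

if __name__ == "__main__":
    print(json.dumps(build_report(DETAILS), indent=2))
```

Running it prints three findings: alice (via her group) can call iam:CreatePolicyVersion and iam:SetDefaultPolicyVersion on any policy, and ci-deployer holds the PassRole + lambda:CreateFunction + lambda:InvokeFunction triple; the auditor role produces nothing because only the default version of its managed policy is evaluated. The analysis models Allow statements only: Deny, NotAction, Condition keys, permission boundaries and SCPs can each cancel a candidate path, so confirm any finding with iam:SimulatePrincipalPolicy before treating it as a real escalation.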
REQUIRED CONTEXT
- AWS account authorization details
- IAM policies
OPTIONAL CONTEXT
- cloudsplaining Python package
TOOLS REQUIRED
- boto3
EXPECTED OUTPUT
- Format
- json
- Schema
- json_report · privilege escalation findings with severity scores, dangerous permission combinations per principal, wildcard resource policy audit results, remediation recommendations for each finding
- Constraints
- include severity scores
- list dangerous permission combinations per principal
- include wildcard resource policy audit results
- include remediation recommendations
SUCCESS CRITERIA
- Detect AWS IAM privilege escalation paths
- Identify overly permissive policies
- Flag dangerous permission combinations
- Map principal-to-policy relationships
- Score findings by severity
- Generate structured JSON report
CAVEATS
- Dependencies
- Python 3.8+ with boto3 library
- AWS credentials with IAM read-only access
- Optional: cloudsplaining Python package
- Missing context
- Exact list of dangerous permission combinations to check
- Detailed implementation logic or pseudocode for policy analysis
- Precise JSON schema or example for the expected report
- Ambiguities
- Description sentence is truncated: "identify overly permissive"
QUALITY
- OVERALL
- 0.68
- CLARITY
- 0.75
- SPECIFICITY
- 0.55
- REUSABILITY
- 0.70
- COMPLETENESS
- 0.65
IMPROVEMENT SUGGESTIONS
- Complete the truncated sentence in the description field.
- Expand the 'Analyze Policies' step with an explicit list of escalation vectors.
- Add a sample JSON output structure under Expected Output.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.