preloader
blog-post

IAM Privilege Escalation Detection – A comparison to PMapper and other tools

22 August, 2022 | 3 Min Read

In this blog post, we dive into a comparison of CodeShield versus other existing open-source tools.

IAM vulnerable is a GitHub project consisting of 31 examples of IAM privilege escalations paths that can be deployed using Terraform. Once deployed, the project allows you to learn about all different types of IAM privilege escalations, or to benchmark different tools that detect those escalations. We definitely recommend trying it out yourself – in a sandbox account.

Using IAM vulnerable, Seth Art performed an in-depth comparison of a set of open-source tools (PMapper, AWSPX, Cloudsplaining, and Pacu) and wrote a blog post. We use Seth Art’s “Capability Summary” table and extended it with CodeShield. (See Table below). The capabilities are all IAM specific features.

Capability Summary

CapabilitiesPMapper v1.1.3AWSPX v1.3.4Cloudsplaining v0.4.5Pacu v1.1.4CodeShield v2.0.30
Reports on user privsec?YesYesYesYesYes
Reports on role privesc?YesYesYesYesYes
Principal-centric approach?YesNoNoYesYes
Handles resource constraints?YesYesNoNoYes
Considers service roles?YesYesNoNoYes
Handles transitive privesc paths?YesYesNoNoNo
Handles DENY actions in a single policy?Yes No YesYesYes
Handles DENY actions in multiple policies?YesNoNoYesYes
Handles NotAction?YesYesYesNoYes
Handles condition constraints?NoNoNoNoPartially
Handles service control policies?YesNoNoNoNo

For instance, the feature “Reports on user privsec” and the feature “Reports on role privsec” are important to understand when judging the output of the results. In the case a found privilege escalation starts at an IAM role, one must further understand whether the role is assumable and by whom. A role can be assumed by AWS SSO, by a user, but also by any other resource. For all details of the features in the table, we refer to the original blog post.

Using IAM vulnerable we also did benchmark CodeShield. We deployed IAM vulnerable to a sandbox account and scanned it using CodeShield. We did not find a single false positive, i.e., there is no noise in using CodeShield. As of today, 6 of the 31 scenarios are still missing. Those will be modeled and shipped with the next release, the same holds for other missing features, such as service control policies.

CodeShield vs. PMapper

As you see, the most related tool to CodeShield is PMapper.

Apart from modeling the policy evaluation correctly and precisely, we also made sure to keep up performance. For instance, on large AWS accounts, we realized PMapper doesn’t have the best performance – it sometimes takes about 3-12 hours to complete. This makes it extremely difficult to use as you quickly need to launch it on a dedicated cloud machine.

Yet another challenge is to keep up with all sorts of IAM privilege escalations, being continuously up to date with the most recent attack vectors on IAM, and maintaining the policy evaluation engine really is a full-time job.

Third, understanding privilege escalations and the risks they introduce is a complicated problem that needs to be visualized clearly for a user to understand the impact and the risk each escalation has attached.

Due to these three drawbacks, we decided to implement and launch our own IAM privilege escalation detection engine as part of CodeShield. We carefully designed it in a way, that it returns results quickly (typically within 30 minutes), allows us to easily model new IAM attack scenarios and ensure that with each scenario, the tool also explains the associated risk in detail.

If you want to try out CodeShield yourself, sign-up, connect an AWS account, and perform a scan. We recommend you to deploy IAM vulnerable and convince yourself.

Related posts

Want to try out CodeShield yourself?

Detect privilege escalations and see attack paths in your AWS account.

Signup for Free
cta Image