Langgraph Agent for CSPM usecase
Its difficult to understand the relationship between Cloud IAM privilege role escalation security attacks in a Multi-Cloud Context
(CSPM usecase).
There is a need to have GENAI based interactive graphical interface to understand access relationships between AWS identities and AWS resources. It could be “Security Threat Signature Text data to Visual Graph generation based with GENAI LLM approaches”
As on today AWS IAM offers a variety of customizability, but it can be daunting to understand IAM access relationships. Basic questions like “Which IAM users can access sensitive customer PII data?” can be challenging to answer for security and devops teams.
Improperly configured AWS IAM roles, users, and policies provide a concrete way for attackers to laterally move through the cloud environment. So, from a security perspective, it is critical to have visibility into IAM relationships.
In this project, we review 2 potential use cases of Access Explorer: protecting sensitive S3 data and curbing over-permissive roles attached to publicly exposed compute.
Lateral movements using overly-permissive access policies are common in AWS CSPM based cloud attacks - just consider the infamous crypto Onus attacks. AWS customers need better answers to the question: “Who can access my most sensitive data?”
Teams may want to know who can read objects from a particular sensitive S3 bucket. We need to create a visualization about which IAM roles and users can run a s3:GetObject action by incorporating details like S3 bucket policies, IAM policies attached to roles, etc..
For example, consider the visual about the s3 bucket: s3stack-bucketencryptedbypolicy167af7b6-13wo0103igbyj315957380126
We learn that the role: cdk-hnb659fds-deploy-role-315957380126-us-west-2 can do a privilege escalation to an admin role using iam:PassRole & cloudformation:UpdateStack.
It can also read the S3 bucket directly because of the inline policy attached to it (displayed below).
The edges explain how IAM users and roles can laterally move and perform the s3:GetObject action. With such context, teams can get a better understanding of the identity visuals in their cloud environments.
Over-permissive IAM Roles Attached to Compute
In the infamous Capital One Breach, attackers gained access to an EC2 through a misconfigured firewall and an SSRF vulnerability. Once inside, the attacker was able to discover and exfiltrate sensitive data from an S3 bucket. The role attached to the EC2’s was over-permissive and gave the attacker access to substantial resources. This project's implementation provides a mechanism to show how an IAM role attached to a compute instance can move laterally to gain greater access within a cloud environment.
The diagram shows how an IAM Role attached to an EC2 can laterally privilege escalate permissions.