May 31, 2023

Launching IAM Access Explorer

Introduction to IAM Access Explorer

We are announcing the launch of the ZeusCloud Access Explorer, an interactive graphical interface to understand access relationships between AWS identities and AWS resources.

AWS IAM offers a variety of customizability, but it can be daunting to understand IAM access relationships. Basic questions like “Which IAM users can access sensitive customer PII data?” can be challenging to answer for security and devops teams.

Improperly configured AWS IAM roles, users, and policies provide a concrete way for attackers to laterally move through the cloud environment. So, from a security perspective, it is critical to have visibility into IAM relationships.

In this post, we review 2 potential use cases of Access Explorer: protecting sensitive S3 data and curbing over-permissive roles attached to publicly exposed compute.

Protecting Sensitive S3 Data

Lateral movements using over-permissive policies are common in cloud attacks - just consider the infamous crypto Onus attacks. AWS customers need better answers to the question: “Who can access my most sensitive data?” 

Teams may want to know who can read objects from a particular sensitive S3 bucket. ZeusCloud Access Explorer provides a visual about which IAM roles and users can run a s3:GetObject action by incorporating details like S3 bucket policies, IAM policies attached to roles, etc.. 

For example, consider the visual about the s3 bucket: s3stack-bucketencryptedbypolicy167af7b6-13wo0103igbyj315957380126

We learn that the role: cdk-hnb659fds-deploy-role-315957380126-us-west-2 can do a privilege escalation to an admin role using iam:PassRole & cloudformation:UpdateStack. 

It can also read the S3 bucket directly because of the inline policy attached to it (displayed below).

The edges explain how IAM users and roles can laterally move and perform the s3:GetObject action. With such context, teams can get a better understanding of the identity visuals in their cloud environments.

Over-permissive IAM Roles Attached to Compute

In the infamous Capital One Breach, attackers gained access to an EC2 through a misconfigured firewall and an SSRF vulnerability. Once inside, the attacker was able to discover and exfiltrate sensitive data from an S3 bucket. The role attached to the EC2’s was over-permissive and gave the attacker access to substantial resources. ZeusCloud provides a mechanism to show how an IAM role attached to a compute instance can move laterally to gain greater access within a cloud environment. 

The diagram shows how an IAM Role attached to an EC2 can laterally privilege escalate permissions.


ZeusCloud Access Explorer can help you understand the age-old question of “Who has access to what?” in the cloud.

Need visibility into your AWS IAM access relationships? Check out the ZeusCloud repository and join our Slack community!

Vishal Jain