If I am not mistaken, Cloudsplaining takes a policy-centric approach to evaluating privesc paths. If a policy meets the logic that defines a privesc path, this policy is identified as allowing privesc. Any principal that has that policy applied is highlighted as well, which is great! However, a principal that has two or more policies that each contain part of the privesc conditions is not highlighted, which causes detection misses for privesc paths.
Example of successful detection:
policy_privesc3: Allows ec2:RunInstances + iam:Passrole
role_test1: has policy_privesc3 attached
Results:
policy_privesc3 will be detected as a privesc path - CORRECT
role_test1 will be detected as having a privesc path - CORRECT
Example of false negative:
policy_privesc-runInstances: Allows ec2:RunInstances only
policy_privesc-passrole: Allows iam:Passrole only
role_test2: policy_privesc-runInstances & policy_privesc-passrole attached
Results:
Neither policy will be detected as a privesc path - CORRECT
role_test2 will not be detected as having a privesc path - INCORRECT
I know adding support for this is not a small task. Also, pmapper does a great job at identifying these combo cases. However, I love the Cloudsplaining UI, how straightforward it is to use, all of the supporting documentation, and really just think Cloudsplaining should catch these cases as well.
Also, it might be a good idea to list this limitation in the documentation to make sure people know what the tool does a great job of catching, and what the current blind spots are.
This is a great point and would be super valuable. Also, I am glad you like the UI :)
If someone wants to pick this up, here are some implementation suggestions: I would suggest some kind of merge_policies function that would accept any number of PolicyDocument objects (from cloudsplaining.scan.policy_document). Then if a principal has multiple policies attached, run merge_policies, and from that result, determine if there are any new PrivEsc dict keys from PolicyDocument.allows_privilege_escalation compared to the PrivEsc dict keys from the other policies attached. If the keys are different, then it's a finding specific to that principal.
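A standalone sketch of the merge-then-compare idea above, added here as an example and not code from the Cloudsplaining project: it unions the Allow actions of every policy attached to one principal and reports only the privesc combinations that show up at the principal level but in none of the policies on their own (the role_test2 case from the issue). The combo table, the simplified action matching (Resource and Condition are ignored) and the sample policies are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Privesc combinations checked by this example (constructed table; the issue names
# the ec2:RunInstances + iam:PassRole pair, the second entry is a single-action case).
PRIVESC_COMBOS = {
    "CreateEC2WithExistingIP": {"ec2:RunInstances", "iam:PassRole"},
    "CreateNewPolicyVersion": {"iam:CreatePolicyVersion"},
}

# Constructed sample policies mirroring the issue's false-negative example.
POLICY_RUN_INSTANCES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}
POLICY_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}


def allowed_actions(policy):
    """Collect Action strings from Allow statements (Resource/Condition are ignored here)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def merge_policies(*policies):
    """Union of allowed actions across every policy attached to one principal."""
    return set().union(*(allowed_actions(p) for p in policies))


def privesc_keys(actions):
    """Names of the combos fully granted by an action set; wildcards like iam:* match."""
    def granted(required):
        return any(fnmatchcase(required, pattern) for pattern in actions)
    return {name for name, req in PRIVESC_COMBOS.items() if all(map(granted, req))}


def principal_specific_privesc(*policies):
    """Combos only reachable by combining the policies: the principal-level finding."""
    per_policy = set().union(*(privesc_keys(allowed_actions(p)) for p in policies))
    return privesc_keys(merge_policies(*policies)) - per_policy


if __name__ == "__main__":
    # role_test2 from the issue: each policy alone is clean, together they are not.
    print(principal_specific_privesc(POLICY_RUN_INSTANCES, POLICY_PASSROLE))
```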