fix: detect AttachRolePolicy/PutRolePolicy/UpdateAssumeRolePolicy privesc without sts:AssumeRole#581
Merged
Conversation
…vesc without sts:AssumeRole

The three IAM role-policy escalation methods required sts:AssumeRole bundled in, missing policies that grant the IAM write alone. Relax to the IAM action. Closes #580
This was referenced May 29, 2026

kmcquade added a commit that referenced this pull request May 30, 2026
…new detections) (#584)

* feat: link privilege-escalation findings to pathfinding.cloud + refresh report

Each detected privilege-escalation method in the report now links to its pathfinding.cloud path page (e.g. CreateAccessKey -> /paths/iam-002) instead of the generic readthedocs glossary. Methods with no published path render as plain text.

- cloudsplaining/output/src/util/pathfinding-paths.json + pathfinding.js: method -> pathfinding URL map (mirrors PRIVILEGE_ESCALATION_METHODS; verified against repos/pathfinding.cloud).
- PrivilegeEscalationFormat.vue: render per-method pathfinding links.
- constants.py PRIVILEGE_ESCALATION_PATHFINDING_PATHS (canonical) + getFindingLinks in inline_policy.py/managed_policy_detail.py now emit pathfinding links in the data, so the data and report agree. Unmapped methods fall back to the glossary.
- Tests: mocha pathfinding-test.js + Python test_pathfinding_mapping.py (completeness + Python/JS parity + URL format).
- Regenerated example-iam-data.json, sampleData.js, dist bundle, and the published root index.html (now the comprehensive production report, not a dev build).

Covers the 20 existing Rhino-era paths. The 46 pathfinding.cloud paths cloudsplaining does not yet DETECT (apprunner, bedrock, ecs, sagemaker, codebuild, ssm, sts, newer iam/lambda/glue/cloudformation/ec2) are added in follow-on commits on this branch.

* feat: detect 37 additional pathfinding.cloud privilege-escalation paths

cloudsplaining previously detected only the ~22 Rhino-era privilege-escalation methods, missing 46 of pathfinding.cloud's 66 paths (entire services like apprunner, bedrock, ecs, sagemaker, codebuild). This adds detection for 37 of them to PRIVILEGE_ESCALATION_METHODS, each verified recognized by policy_sentry and mapped to its pathfinding.cloud writeup.

Added (low/medium false-positive risk, precise multi-action signatures): AppRunner/Bedrock/CodeBuild/ECS(x6)/Glue(x4)/SageMaker(x5)/Lambda/CloudFormation StackSet/EC2 PassRole + several new IAM principal-access chains (CreateAndRotateAccessKey, AttachUserPolicyThenCreateAccessKey, *ThenUpdateAssumeRolePolicy, etc.).

HELD (not added) - 7 high-FP single broad-action paths that would over-flag and contradict the #581 sts:assumerole fix: sts-001 (sts:AssumeRole alone), ssm-001/002 (StartSession/SendCommand), cloudformation-002 (UpdateStack), apprunner-002, codebuild-002/003.

SKIPPED 2 redundant (iam-014/017 = existing AttachRolePolicy/PutRolePolicy).

- constants.py: +37 methods + matching PRIVILEGE_ESCALATION_PATHFINDING_PATHS entries (no duplicate keys; Python/JS parity + completeness tests enforce sync).
- test/scanning/test_privilege_escalation_methods.py: every method must self-detect from its own actions (also verifies policy_sentry recognition).
- Regenerated fixtures + report: privesc-high-priv-service-policy now flags 59 distinct methods (was 22); report adds 179 findings, drops 0; report links every detected method to pathfinding.cloud.
- docs/glossary/privilege-escalation.md: documents the 37 new paths.
- research/pathfinding-cloud/proposed-new-methods.json: provenance for all 46 (incl. held/skipped + FP rationale).
Summary

Three methods in `PRIVILEGE_ESCALATION_METHODS` bundled `sts:assumerole` as a required action, producing false negatives: a policy granting `iam:AttachRolePolicy` (or `iam:PutRolePolicy` / `iam:UpdateAssumeRolePolicy`) on `*` without `sts:AssumeRole` was not flagged, even though it can attach `AdministratorAccess` to any role.

This relaxes the three entries to the IAM write alone. The existing `+ sts:AssumeRole` cases still fire (the relaxed action set is a subset of them), so nothing previously detected is lost, only coverage is added. Aligns with DataDog/pathfinding.cloud `iam-005`/`iam-009`/`iam-012` and peer tools (PMapper, Prowler).

Changes

- `cloudsplaining/shared/constants.py`: drop `sts:assumerole` from `AttachRolePolicy`, `PutRolePolicy`, `UpdateRolePolicyToAssumeIt`. `iam:AttachRolePolicy` alone is flagged.

Testing

- `just unit-tests`: 94 passed
- `just type-check`: clean
- `just test-js`: 43 passing

Closes #580
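As an added, self-contained illustration of the matching logic the summary describes (this is not cloudsplaining's own code): a hypothetical three-entry method table in its bundled and relaxed forms, a minimal Allow/wildcard expander over a constructed subset of IAM/STS actions, and constructed sample policies, so the false negative and the "relaxed set is a subset" argument can be reproduced offline. `expand_allowed_actions`, `matching_methods`, `relaxation_loses_nothing`, `_policy`, `KNOWN_ACTIONS` and the sample policy names are assumptions of this example; the expander ignores resource ARNs other than `*`, conditions and Deny statements, which a real scanner must honour.

```python
"""Added example, not cloudsplaining code: before/after privesc signature matching."""
from __future__ import annotations

import fnmatch

# Constructed subset of IAM/STS actions used to expand wildcards such as "iam:*".
# A real scanner expands against a full action table (cloudsplaining uses policy_sentry).
KNOWN_ACTIONS = [
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey",
    "sts:AssumeRole",
]

# "Before": each IAM role-write method also requires sts:assumerole (hypothetical table).
METHODS_BUNDLED: dict[str, set[str]] = {
    "AttachRolePolicy": {"iam:attachrolepolicy", "sts:assumerole"},
    "PutRolePolicy": {"iam:putrolepolicy", "sts:assumerole"},
    "UpdateRolePolicyToAssumeIt": {"iam:updateassumerolepolicy", "sts:assumerole"},
}

# "After": the IAM write alone is the signature.
METHODS_RELAXED: dict[str, set[str]] = {
    "AttachRolePolicy": {"iam:attachrolepolicy"},
    "PutRolePolicy": {"iam:putrolepolicy"},
    "UpdateRolePolicyToAssumeIt": {"iam:updateassumerolepolicy"},
}


def expand_allowed_actions(policy: dict) -> set[str]:
    """Lower-cased KNOWN_ACTIONS granted by Allow statements whose Resource is "*".

    Wildcard action patterns ("iam:*", "iam:Attach*") are expanded against
    KNOWN_ACTIONS. ARN-scoped statements are skipped (simplification: the PR's
    scenario is role-policy writes on any role).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            allowed.update(
                known.lower()
                for known in KNOWN_ACTIONS
                if fnmatch.fnmatchcase(known.lower(), pattern.lower())
            )
    return allowed


def matching_methods(policy: dict, methods: dict[str, set[str]]) -> set[str]:
    """Names of methods whose entire required-action set the policy grants."""
    allowed = expand_allowed_actions(policy)
    return {name for name, required in methods.items() if required <= allowed}


def relaxation_loses_nothing(old: dict[str, set[str]], new: dict[str, set[str]]) -> bool:
    """True when every new signature is a subset of the old one for the same method.

    A policy that satisfied the larger old set necessarily satisfies the new one,
    so the relaxation can only add findings, never drop them.
    """
    return old.keys() == new.keys() and all(new[m] <= old[m] for m in old)


def _policy(*actions: str, resource: str = "*") -> dict:
    """Build a one-statement policy document (constructed sample input)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }


# Constructed sample policies, not the project's fixtures.
SAMPLE_POLICIES = {
    "attach_only": _policy("iam:AttachRolePolicy"),  # the false negative from the PR
    "attach_and_assume": _policy("iam:AttachRolePolicy", "sts:AssumeRole"),
    "iam_wildcard": _policy("iam:*"),  # grants every IAM write but no sts:* at all
    "assume_only": _policy("sts:AssumeRole"),  # must stay unflagged under both tables
    "attach_scoped": _policy("iam:AttachRolePolicy",
                             resource="arn:aws:iam::123456789012:role/OneRole"),
}

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name:18} bundled={sorted(matching_methods(policy, METHODS_BUNDLED))}"
              f" relaxed={sorted(matching_methods(policy, METHODS_RELAXED))}")
```

Running it prints the match set for each sample under both tables. `attach_only` is empty under the bundled table and flags `AttachRolePolicy` under the relaxed one; `iam_wildcard` shows the same gap from another angle, since `iam:*` never includes `sts:AssumeRole`, so the bundled table misses a policy that grants all three IAM writes; `assume_only` stays unflagged under both, which is the behaviour the follow-on #584 commit preserves by holding back the sts-001 path.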