- Publicly facing assets: an attacker may get initial access to your environment through publicly exposed VMs, containers, or serverless functions.
- 3rd party identities: Adversaries may attack external 3rd party entities to whom you have given privileges in your account.
- Admin or high privileged principals: A takeover of these IAM principals may lead to data access or account takeover.
- Privilege escalations: Certain combinations of privileges (e.g. `iam:PassRole` and `ec2:RunInstances`) may allow an attacker to subtly escalate their privileges within your account. More details about privilege escalations can be found here.
- Publicly exposed VM instance with effective admin permissions
- Publicly exposed VM instance with effective high permissions
- Publicly exposed VM instance with potential privilege escalations
- Publicly exposed serverless function with effective admin permissions
- Publicly exposed serverless function with high permissions
- Publicly exposed serverless function with potential privilege escalations
- Private serverless function with effective admin permissions
- A 3rd party identity has admin permissions in the account
- A 3rd party identity has high permissions in the account
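As an added example (not code from the original page), the following Python checks an IAM policy document for the `iam:PassRole` plus `ec2:RunInstances` combination named in the privilege escalation bullet above. The sample policy, the rule table and the function names are constructed for illustration; `Condition` and `NotAction` elements are not evaluated, so treat a hit as a lead for review rather than a verdict.

```python
import fnmatch
import json

# Constructed sample policy (not from the page) that grants the
# iam:PassRole + ec2:RunInstances pair across two statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
})

# Hypothetical rule table; only the pair named on the page is listed.
ESCALATION_COMBOS = {
    "PassRole+RunInstances": {"iam:PassRole", "ec2:RunInstances"},
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json, candidates):
    """Return the subset of `candidates` the policy allows.

    Action patterns are matched case-insensitively with '*' wildcards;
    an explicit Deny on an action overrides any Allow for it.
    """
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for cand in candidates:
            if any(fnmatch.fnmatchcase(cand.lower(), pat) for pat in patterns):
                (allowed if stmt.get("Effect") == "Allow" else denied).add(cand)
    return allowed - denied


def find_escalation_combos(policy_json):
    """Names of rule-table combinations that the policy grants in full."""
    return [name for name, actions in ESCALATION_COMBOS.items()
            if allowed_actions(policy_json, actions) == actions]


if __name__ == "__main__":
    print(find_escalation_combos(SAMPLE_POLICY))
```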