Rules Catalog
Attack Paths
Attack paths are toxic combinations of risks in your environment. By chaining these risks together, an attacker may execute an exploit.
Some components of an attack path may include
- Publicly facing assets: an attacker may get initial access to your environment through publicly exposed VMs, containers, or serverless functions.
- 3rd party identities: Adversaries may attack external 3rd party entities to whom you have given privileges in your account.
- Admin or high privileged principals: A takeover of these IAM principals may lead to data access or account takeover.
- Privilege escalations: Certain combinations of privileges (e.g.
iam:PassRoleandec2:RunInstances) may allow an attacker to subtly escalate their priveleges within your account. More details about privilege escalations can be found here.
- Publicly exposed VM instance with effective admin permissions
- Publicly exposed VM instance with effective high permissions
- Publicly exposed VM instance with potential privilege escalations
- Publicly exposed serverless function with effective admin permissions
- Publicly exposed serverless function with high permissions
- Publicly exposed serverless function with potential privilege escalations
- Private serverless function with effective admin permissions
- A 3rd party identity has admin permissions in the account
- A 3rd party identity has high permissions in the account