Audit AWS IAM policies for risky permissions with Cloudsplaining
Use Cloudsplaining when an agent needs to flag privilege-escalation paths and overbroad IAM permissions before an AWS policy change reaches production.
Prerequisites
Python 3, AWS IAM policy JSON or account data, and Cloudsplaining.
Installation
Use the upstream install or setup path that matches your environment:
- brew tap salesforce/cloudsplaining https://github.com/salesforce/cloudsplaining
- brew install cloudsplaining
Requirements and caveats from upstream:
- You must have the privileges to run iam:GetAccountAuthorizationDetails. The arn:aws:iam::aws:policy/SecurityAudit policy i...
- default-iam-results.json: This contains the raw JSON output of the report. You can use this data file for operating on the scan results for various purposes. For example, you could write a Python script that parses th...
Basic usage or getting-started notes:
- Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service...
- You can also specify a custom exclusions file to filter out results that are False Positives for various reasons. For example, User Policies are permissive by design, whereas System roles are generally more restrictiv...
Extracted from upstream docs: https://raw.githubusercontent.com/salesforce/cloudsplaining/HEAD/README.md
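The exclusions-file and scan workflow described above, as an added shell example that is not part of the upstream README; it assumes the Cloudsplaining CLI's `download` and `scan` subcommands with their `--profile`, `--input-file`, `--exclusions-file` and `--skip-open-report` flags, and an AWS profile that already holds the read permissions noted in the caveats:

```shell
#!/usr/bin/env sh
# Added example (not Cloudsplaining's own code): write a starter exclusions
# file, then download and scan account authorization details with it.
# Assumed: the upstream `download` / `scan` subcommands and their
# --profile, --input-file, --exclusions-file and --skip-open-report flags.
# Write an exclusions file: drop service-linked roles and policies (noise),
# but keep flagging a few read-only actions that expose secrets.
write_exclusions() {
  out="$1"
  cat > "$out" <<'EOF'
# Policy names to skip: AWS service-linked policies
policies:
  - "AWSServiceRoleFor*"
  - "*ServiceRolePolicy"
  - "*ServiceLinkedRolePolicy"
  - "service-role*"
  - "aws-service-role*"
roles:
  - "service-role*"
  - "aws-service-role*"
users:
  - ""
groups:
  - ""
# Read-only actions still worth reporting (credential/secret reads)
include-actions:
  - "s3:GetObject"
  - "ssm:GetParameter"
  - "secretsmanager:GetSecretValue"
exclude-actions:
  - ""
EOF
  [ -s "$out" ]
}
# Download the account's authorization details into $outdir and scan them.
scan_account() {
  profile="$1"; exclusions="$2"; outdir="$3"
  mkdir -p "$outdir"
  ( cd "$outdir" &&
    cloudsplaining download --profile "$profile" &&
    cloudsplaining scan --input-file "$profile.json" \
      --exclusions-file "$exclusions" --skip-open-report )
}
# Only run the scan when the CLI is installed (it needs AWS credentials).
write_exclusions exclusions.yml
if command -v cloudsplaining >/dev/null 2>&1; then
  scan_account "${AWS_PROFILE:-default}" "$PWD/exclusions.yml" results
fi
```

The scan writes its HTML report and the raw `default-iam-results.json` data file into the `results` directory, which is the file to parse when triaging findings programmatically.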