Description
If I am not mistaken, Cloudsplaining takes a policy-centric approach to evaluating privesc paths. If a policy meets the logic that defines a privesc path, this policy is identified as allowing privesc. Any principal that has that policy applied is highlighted as well, which is great! However, a principal that has two or more policies that each contain part of the privesc conditions is not highlighted, which causes detection misses for privesc paths.
Example of successful detection:
- policy_privesc3: Allows ec2:RunInstances + iam:PassRole
- role_test1: has policy_privesc3 attached

Results:
- policy_privesc3 will be detected as a privesc path - CORRECT
- role_test1 will be detected as having a privesc path - CORRECT

Example of false negative:
- policy_privesc-runInstances: Allows ec2:RunInstances only
- policy_privesc-passrole: Allows iam:PassRole only
- role_test2: policy_privesc-runInstances & policy_privesc-passrole attached

Results:
- Neither policy will be detected as a privesc path - CORRECT
- role_test2 will not be detected as having a privesc path - INCORRECT
I know adding support for this is not a small task. Also, pmapper does a great job at identifying these combo cases. However, I love the Cloudsplaining UI, how straightforward it is to use, all of the supporting documentation, and really just think Cloudsplaining should catch these cases as well.
Also, it might be a good idea to list this limitation in the documentation to make sure people know what the tool does a great job of catching, and what the current blind spots are.
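The difference between the two views described in this issue, as an added example that is not Cloudsplaining's or pmapper's code: a policy-centric check evaluates each policy document on its own, while a principal-centric check first unions the Allow actions of every policy attached to a principal and only then looks for the combination. The policy documents, the attachment map and the role/policy names are constructed to mirror the scenario above; the only combination checked is the ec2:RunInstances + iam:PassRole pair from the issue. The check deliberately ignores Deny statements, Condition blocks and Resource restrictions, so it over-approximates what is granted (noted as an assumption in the code).

```python
import fnmatch
from typing import Dict, List, Set

# Constructed sample data, not real AWS output. Policy documents use the IAM
# policy document format; ATTACHMENTS plays the role of AttachedManagedPolicies
# from the IAM authorization-details report.
POLICIES: Dict[str, dict] = {
    "policy_privesc3": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}
        ],
    },
    "policy_privesc-runInstances": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}],
    },
    "policy_privesc-passrole": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
    },
    "policy_readonly": {  # constructed: a harmless policy that should never trigger a finding
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}],
    },
}

ATTACHMENTS: Dict[str, List[str]] = {
    "role_test1": ["policy_privesc3"],
    "role_test2": ["policy_privesc-runInstances", "policy_privesc-passrole"],
    "role_test3": ["policy_privesc-runInstances", "policy_readonly"],  # constructed: half a combo only
}

# The single combination discussed in the issue; a real scanner carries a longer table.
PRIVESC_COMBOS: Dict[str, List[str]] = {
    "RunInstances+PassRole": ["ec2:RunInstances", "iam:PassRole"],
}


def allowed_actions(policy_doc: dict) -> Set[str]:
    """Collect the Action patterns of every Allow statement in one policy (lower-cased).

    Assumption/simplification: Deny statements, Condition blocks and Resource
    restrictions are ignored, so the result over-approximates what is granted.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM permits a single statement object
        statements = [statements]
    actions: Set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        if isinstance(action, str):  # IAM permits a bare string instead of a list
            action = [action]
        actions.update(a.lower() for a in action)
    return actions


def effective_actions(principal: str) -> Set[str]:
    """Principal-centric view: union the Allow actions of every attached policy."""
    actions: Set[str] = set()
    for policy_name in ATTACHMENTS.get(principal, []):
        actions |= allowed_actions(POLICIES[policy_name])
    return actions


def grants(actions: Set[str], required: str) -> bool:
    """True if any Allow pattern (including * / ? wildcards such as ec2:*) covers the action."""
    wanted = required.lower()
    return any(fnmatch.fnmatchcase(wanted, pattern) for pattern in actions)


def privesc_combos_for(actions: Set[str]) -> List[str]:
    """Names of the combinations fully covered by the given action set."""
    return [name for name, needed in PRIVESC_COMBOS.items()
            if all(grants(actions, a) for a in needed)]


def policy_findings() -> Dict[str, List[str]]:
    """Policy-centric scan: each policy judged on its own document."""
    return {name: privesc_combos_for(allowed_actions(doc)) for name, doc in POLICIES.items()}


def principal_findings() -> Dict[str, List[str]]:
    """Principal-centric scan: each principal judged on the union of its attached policies."""
    return {principal: privesc_combos_for(effective_actions(principal)) for principal in ATTACHMENTS}


if __name__ == "__main__":
    print("policy-centric:   ", policy_findings())
    print("principal-centric:", principal_findings())
```

Running it shows the gap from the issue directly: the policy-centric scan flags only policy_privesc3, so role_test2 is clean by inheritance, while the principal-centric scan flags role_test1 and role_test2 and leaves role_test3 alone because it holds only half of the pair. Any scanner that adopts the second view has to decide how to treat wildcard actions, Deny statements and conditions; this example resolves wildcards with fnmatch and knowingly skips the other two.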