Description
Hi Cloudsplaining team,
Cloudsplaining does a great job covering IAM risks across privilege escalation, data exfiltration, and more. However, I’d like to propose a new category for IAM permissions that bypass network-layer controls like Security Groups and NACLs.
Example:
Permissions like redshift:GetClusterCredentials + the Redshift Query Editor allow access to databases via AWS internal APIs, without requiring direct network access — bypassing NACLs and security groups entirely, making traditional network-layer protections ineffective in these cases.
Suggested Category:
- "Bypasses Network Controls" or "Out-of-Band Access"
This risk doesn’t cleanly fit into existing categories and deserves separate visibility.
I’ve already compiled a list of similar permissions and would love to contribute. I believe this would be even more effective as a community-driven effort to grow and maintain a list of IAM actions that bypass network controls. Happy to help push this forward!
Thanks for considering!
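To make the proposed category concrete, here is an added example checker (not Cloudsplaining's own code and not part of the issue above) that flags IAM actions granting data-plane access through the AWS control plane, so Security Groups and NACLs never see the traffic. Only `redshift:GetClusterCredentials` comes from the issue; the `redshift-data` actions (used by the Query Editor v2 / Data API) and the sample policy are assumptions constructed for the example.

```python
"""Added example: flag IAM actions that bypass network-layer controls."""
import fnmatch
import json

# Constructed seed list for a "Bypasses Network Controls" category.
# Assumption: only redshift:GetClusterCredentials is named in the issue.
NETWORK_BYPASS_ACTIONS = {
    "redshift:GetClusterCredentials",
    "redshift-data:ExecuteStatement",
    "redshift-data:BatchExecuteStatement",
}


def _as_list(value):
    """Normalise an Action/NotAction element (str or list) to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_network_bypass_actions(policy_document):
    """Return sorted known network-bypassing actions granted by Allow
    statements. Explicit Deny statements and Resource/Condition scoping
    are ignored here; treat hits as candidates for review."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for action in NETWORK_BYPASS_ACTIONS:
            if "NotAction" in stmt:
                # NotAction allows everything except the listed patterns.
                if not any(_matches(p, action) for p in _as_list(stmt["NotAction"])):
                    found.add(action)
            elif any(_matches(p, action) for p in _as_list(stmt.get("Action"))):
                found.add(action)
    return sorted(found)


# Constructed sample: looks "read-only" but a service-level wildcard on
# redshift-data plus GetClusterCredentials grants database access via the API.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["redshift:Describe*", "redshift:GetClusterCredentials"], "Resource": "*"},
        {"Effect": "Allow", "Action": "redshift-data:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for hit in find_network_bypass_actions(SAMPLE_POLICY):
        print("bypasses network controls:", hit)
```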