This project is part of my broader cloud-security-lab, a hands-on security lab where I intentionally design realistic AWS misconfigurations, simulate real attacker behavior, and then build production-style detection pipelines to identify and validate those threats.
The focus of this repository is the Wildcard IAM Permissions challenge, where an overly permissive IAM user (*:*) is abused to perform privilege escalation by attaching the AWS-managed AdministratorAccess policy.
Rather than building a one-off alert, the goal of this project is to implement a reusable AWS control-plane threat detection engine using:

While this implementation demonstrates IAM privilege escalation detection, the same detection engine is intentionally generic and extensible, and can be reused across other security scenarios in the lab with minimal changes.
Within cloud-security-lab, I focus on three common and realistic cloud security challenges that frequently appear in real-world incidents:
1. Wildcard IAM permissions (*:*): abuse via AttachUserPolicy, PutUserPolicy, or PassRole
2. Access keys that are never rotated: silent credential abuse over time
3. Overly permissive or misconfigured role trust policies: unauthorized role assumption and lateral movement
This repository implements one challenge end-to-end, deeply and correctly, while demonstrating how the same detection engine applies to all three.
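As an added illustration of the reusable-engine idea (not the lab's own engine code), the following sketch runs a table of named rules over constructed CloudTrail-style records and flags the wildcard-IAM escalation from the first challenge; the sample events, rule names and the `detect`/`is_wildcard_doc` helpers are all invented for this example.

```python
import json
from typing import Callable, Dict, List

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed CloudTrail-style records: field names follow the CloudTrail schema,
# every value is invented for this example.
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy", "userIdentity": {"userName": "dev-user"},
     "requestParameters": {"userName": "dev-user", "policyArn": ADMIN_POLICY_ARN}},
    {"eventName": "PutUserPolicy", "userIdentity": {"userName": "dev-user"},
     "requestParameters": {"userName": "dev-user", "policyName": "inline-admin",
                           "policyDocument": json.dumps({"Statement": [
                               {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "ListUsers", "userIdentity": {"userName": "auditor"},
     "requestParameters": None},
]

def _as_list(v):
    """IAM policy fields may be a string, a dict or a list; normalise to a list."""
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def is_wildcard_doc(doc: str) -> bool:
    """True if an inline policy document allows Action "*" on Resource "*"."""
    try:
        stmts = _as_list(json.loads(doc).get("Statement", []))
    except (ValueError, TypeError, AttributeError):
        return False
    return any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
               and "*" in _as_list(s.get("Resource")) for s in stmts)

# Rule table: name -> predicate over one record. A new lab challenge is a new row
# here, not a new pipeline.
RULES: Dict[str, Callable[[dict], bool]] = {
    "iam.admin_policy_attached": lambda e: e["eventName"].startswith("Attach")
        and (e.get("requestParameters") or {}).get("policyArn") == ADMIN_POLICY_ARN,
    "iam.wildcard_inline_policy": lambda e: e["eventName"].startswith("Put")
        and is_wildcard_doc((e.get("requestParameters") or {}).get("policyDocument", "")),
}

def detect(events: List[dict]) -> List[dict]:
    """Run every rule over every event and mark self-granted escalation."""
    findings = []
    for e in events:
        actor = e.get("userIdentity", {}).get("userName")
        target = (e.get("requestParameters") or {}).get("userName")
        for name, match in RULES.items():
            if match(e):
                findings.append({"rule": name, "actor": actor, "self_escalation": actor == target})
    return findings
```

The `self_escalation` flag is the signal worth alerting on first: a principal granting AdministratorAccess to itself is the exact pattern the *:* challenge produces.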