AWS IAM security assessment tool that finds least-privilege violations and generates a risk-prioritized HTML report
- Stars: 2.2k
- Forks: 217
- Open issues: 18
- License: BSD-3-Clause
- Languages: JavaScript, Python, Vue

About Cloudsplaining
Cloudsplaining is an AWS IAM security assessment tool that finds policies violating least privilege. It scans a single policy file or every policy in an AWS account, then generates a polished HTML report with a triage worksheet to help you prioritize remediation.
It flags policies that present risks including data exfiltration, infrastructure modification, resource exposure, and privilege escalation. It also identifies IAM roles assumable by AWS compute services such as EC2, ECS, EKS, and Lambda. A workload running under such a role inherits its permissions, so an attacker who compromises the workload (for example through an SSRF that reaches the instance metadata service) gains them too; that makes these roles riskier than roles assumed only by people, especially when the workload is internet-facing. A custom exclusions file lets you filter out findings that are acceptable in your context (known service roles, accepted read actions) so the report is not dominated by context-dependent false positives.
Run it from the command line: `cloudsplaining download` pulls the account's authorization details (the output of the `iam:GetAccountAuthorizationDetails` API) using your AWS credentials, and `cloudsplaining scan` analyzes that file locally, producing both the HTML report and a raw JSON data file; `cloudsplaining scan-policy-file` checks a single policy document the same way. A `scan-multi-account` command assumes a common role across many accounts and writes results to an S3 bucket.
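To make concrete what the finding types above mean, here is an added example that is not Cloudsplaining's own code: a deliberately simplified scanner that reports the same four classes of violation over an IAM policy document, checks a role's trust policy for compute-service principals, and honours an exclusions dict shaped like the sections of Cloudsplaining's exclusions file (`policies`, `include-actions`, `exclude-actions`). Everything in it is an assumption for illustration: the action catalog and access levels are a hand-picked subset (the real tool expands wildcards against the full IAM action database), the privilege-escalation combinations are a small subset of the well-known ones, the exclusion semantics are reduced to name globs and action add/remove lists, and the two sample policies, trust policy, bucket name and role name are constructed (`123456789012` is the placeholder account ID used in AWS documentation).

```python
"""Simplified least-privilege checks modelled on the finding types Cloudsplaining
reports. Added example, not the project's code: action data, escalation
combinations and exclusion semantics are illustrative subsets."""
import fnmatch
import json

# Constructed subset of IAM actions with their documented access levels.
ACTION_CATALOG = {
    "s3:GetObject": "Read", "s3:ListBucket": "List", "s3:PutObject": "Write",
    "s3:DeleteBucket": "Write", "s3:PutBucketPolicy": "Permissions management",
    "ec2:DescribeInstances": "List", "ec2:RunInstances": "Write",
    "iam:PassRole": "Write", "iam:CreatePolicyVersion": "Permissions management",
    "iam:AttachRolePolicy": "Permissions management",
    "lambda:CreateFunction": "Write", "lambda:InvokeFunction": "Write",
    "secretsmanager:GetSecretValue": "Read", "ssm:GetParameter": "Read",
}
# Read actions that pull secrets or data out of the account (base set; an
# exclusions file can add more via include-actions).
DATA_EXFILTRATION = {"secretsmanager:GetSecretValue", "ssm:GetParameter"}
# Action combinations that let a principal gain more than it was granted (subset).
PRIVILEGE_ESCALATION = [
    {"iam:CreatePolicyVersion"}, {"iam:AttachRolePolicy"},
    {"iam:PassRole", "ec2:RunInstances"},
    {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
]
COMPUTE_SERVICES = {"ec2.amazonaws.com", "ecs-tasks.amazonaws.com",
                    "eks.amazonaws.com", "lambda.amazonaws.com"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def expand_actions(patterns):
    """Expand wildcard patterns such as 's3:*' against the catalog (case-insensitive)."""
    return {a for p in _as_list(patterns) for a in ACTION_CATALOG
            if fnmatch.fnmatchcase(a.lower(), p.lower())}


def allowed_actions(policy_doc):
    """Map each allowed action to True when some statement grants it on Resource '*'."""
    result = {}
    for stmt in _as_list(policy_doc["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        unconstrained = "*" in _as_list(stmt.get("Resource"))
        for action in expand_actions(stmt["Action"]):
            result[action] = result.get(action, False) or unconstrained
    return result


def scan_policy(name, policy_doc, exclusions=None):
    """Findings keyed by type. exclusions: policies (name globs to skip),
    include-actions (extra reads to treat as exfiltration), exclude-actions (ignore)."""
    exclusions = exclusions or {}
    if any(fnmatch.fnmatchcase(name, p) for p in exclusions.get("policies", []) if p):
        return {}
    skip = set(exclusions.get("exclude-actions", []))
    exfil = DATA_EXFILTRATION | set(exclusions.get("include-actions", []))
    acts = {a: w for a, w in allowed_actions(policy_doc).items() if a not in skip}
    wide = {a for a, w in acts.items() if w}  # granted on Resource '*'
    findings = {
        "PrivilegeEscalation": sorted("+".join(sorted(c)) for c in PRIVILEGE_ESCALATION
                                      if c.issubset(acts)),
        "ResourceExposure": sorted(a for a in wide if ACTION_CATALOG[a] == "Permissions management"),
        "InfrastructureModification": sorted(a for a in wide
                                             if ACTION_CATALOG[a] in ("Write", "Permissions management")),
        "DataExfiltration": sorted(a for a in wide if a in exfil),
    }
    return {k: v for k, v in findings.items() if v}


def assumable_by_compute(trust_policy):
    """Compute-service principals allowed to sts:AssumeRole in a role's trust policy."""
    found = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        if isinstance(principal, dict):
            found |= set(_as_list(principal.get("Service"))) & COMPUTE_SERVICES
    return sorted(found)


# Constructed samples: an overly broad policy, its least-privilege rewrite, a trust policy.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances", "ec2:DescribeInstances"],
     "Resource": "*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/AppInstanceRole",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
EXCLUSIONS = {"policies": ["AWSServiceRoleFor*", "*ServiceRolePolicy"],
              "include-actions": ["s3:GetObject"], "exclude-actions": []}

if __name__ == "__main__":
    print(json.dumps(scan_policy("AppDeployPolicy", BROAD_POLICY, EXCLUSIONS), indent=2))
    print(json.dumps(scan_policy("AppDeployPolicy", HARDENED_POLICY, EXCLUSIONS)))  # {}
    print(assumable_by_compute(SAMPLE_TRUST))
```

The broad policy produces all four finding types (the `iam:PassRole` plus `ec2:RunInstances` pair is the escalation, `s3:PutBucketPolicy` on `*` is the resource exposure); the hardened rewrite scopes every action to an ARN and adds an `iam:PassedToService` condition, so it yields nothing. Note the policy-name glob skips service-linked role policies entirely, which is the same trade-off you make with the real exclusions file: it hides real findings in anything matching the pattern.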
Key features
- Scans a single policy file or all policies in an AWS account
- Generates a risk-prioritized HTML report with a triage worksheet
- Flags data exfiltration, infrastructure modification, resource exposure, and privilege escalation
- Identifies IAM roles assumable by EC2, ECS, EKS, and Lambda
- Supports exclusions files for filtering false positives
Details
- First released: 2020
- Platforms: CLI
- Deployment: self-hostable
- Scan scope: single policy file or AWS account
- Report: HTML with triage worksheet
- Maintainer: Salesforce
