
Show HN: Cloudsplaining, an AWS IAM Security Assessment Tool - kmcquade
https://github.com/salesforce/cloudsplaining
======
fred1991
Damn. The report guidance is really good. I'm going to use this in an
assessment next week :) Have to review an account that has hundreds of IAM
roles but this should help a lot.

~~~
kmcquade
Thanks! I’m glad you like it. Let me know if you have any feedback - here, in
the Gitter channel (link in the Readme), or on Twitter (kmcquade3)

~~~
chmod-noobs
What kind of privileges do I need to run it? I don’t see any details in the
documentation. You should probably add this there.

~~~
kmcquade
You just need a single IAM action - iam:GetAccountAuthorizationDetails
([https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetA...](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html)).

I’ll definitely add that to the README. Thanks

------
chmod-noobs
Cool project. How is this different from PMapper though? I use that in some of
my assessments (underrated tool IMHO).

~~~
kmcquade
PMapper is definitely a great tool. It’s best used in Pentests for validating
some privilege escalation paths. It has the benefit of analyzing IAM trust
policies, resource based policies, viewing escalation paths in a graph based
approach. Very underrated indeed.

Cloudsplaining is faster at creating a more comprehensive report. We realize
that there is lots of damage that can be done just by being able to modify
Infrastructure, even when your privileges fall short of legit privilege
escalation.

I think the example report will illustrate this best for you. Check it out
here:
[https://opensource.salesforce.com/cloudsplaining/](https://opensource.salesforce.com/cloudsplaining/)
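
Added example, not part of the thread and not Cloudsplaining's own code: a minimal Python check over the JSON that `iam:GetAccountAuthorizationDetails` returns (the single permission named above), listing managed-policy actions that can modify infrastructure on every resource. The sample data, the function names and the read-only prefix heuristic are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of a GetAccountAuthorizationDetails response.
# Only the "Policies" key is used; policy names and resources are made up.
SAMPLE = json.loads("""
{"Policies": [
  {"PolicyName": "deploy-bot", "PolicyVersionList": [
    {"VersionId": "v1", "IsDefaultVersion": false, "Document": {"Statement":
       {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}},
    {"VersionId": "v2", "IsDefaultVersion": true, "Document": {"Statement": [
       {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:DescribeInstances"], "Resource": "*"},
       {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::builds/*"}]}}]},
  {"PolicyName": "auditor", "PolicyVersionList": [
    {"VersionId": "v1", "IsDefaultVersion": true, "Document": {"Statement": [
       {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}}]}
]}
""")

# Assumption: treat Get*/List*/Describe* as read-only; everything else can modify.
READ_PREFIXES = ("get", "list", "describe")


def as_list(value):
    """IAM allows a single string/object where a list is also valid."""
    return value if isinstance(value, list) else [value]


def unconstrained_modify_actions(auth_details):
    """Map policy name -> modifying actions allowed on Resource "*".

    Only the default (active) policy version is inspected. NotAction and
    NotResource statements are not evaluated in this simplified check.
    """
    findings = {}
    for policy in auth_details.get("Policies", []):
        for version in policy.get("PolicyVersionList", []):
            if not version.get("IsDefaultVersion"):
                continue  # old versions are not in effect
            for stmt in as_list(version["Document"].get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                if "*" not in as_list(stmt.get("Resource", [])):
                    continue  # statement is scoped to specific resources
                for action in as_list(stmt.get("Action", [])):
                    name = action.split(":")[-1].lower()
                    if not name.startswith(READ_PREFIXES):
                        findings.setdefault(policy["PolicyName"], []).append(action)
    return findings


if __name__ == "__main__":
    print(unconstrained_modify_actions(SAMPLE))
```

To run it against a real account, replace `SAMPLE` with the parsed output of `aws iam get-account-authorization-details`.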

