60 min · Offensive Architecture · IAM Privilege Escalation · Evidence & Client Deliverables
Prerequisite: S00–S09
A network pentest harness scans ports. A cloud red team harness does none of that. The cloud is not a network — it is an API.
The attack surface is not open ports. It is identities, permissions, and configurations.
Tools change entirely: nmap/httpx/nuclei → Prowler, ScoutSuite, Pacu, Stormspotter
Same phases as network kill chain. Completely different execution at each phase.
IAM is the primary attack surface in cloud environments. A cloud breach is almost always an IAM abuse.
| Technique | Requires | Grants |
|---|---|---|
| PassRole + Lambda | PassRole, CreateFunction, InvokeFunction | execution-role perms |
| CreatePolicy + Attach | CreatePolicy, AttachRolePolicy | full admin (*:*) |
| UpdateAssumeRolePolicy | UpdateAssumeRolePolicy | target-role perms |
| AssumeRole chains | sts:AssumeRole (trusted) | assumed role perms |
Each path is a node-and-edge graph. Current permissions = starting edges. Escalation technique = transition to higher-privilege state. Goal = target permission set.
Same graph-based reasoning as S09.2 attack-path analysis, applied to the IAM layer.
Nodes = permission sets. Edges = escalation techniques. BFS from starting identity's permissions to target (e.g., s3:GetObject on sensitive bucket, or *:* admin). Output = the exact chain of techniques from initial access to target.
Every escalation path must be backed by evidence — not asserted, demonstrated.
The client does not trust "Role-A can escalate to admin." The evidence shows the exact API calls, in order, that achieve it. Reproducible, verifiable, client-presentable.
The auditor does not care about iam:PassRole chains. They care whether the org meets SOC 2, ISO 27001, or PCI DSS.
The compliance mapping is what translates technical findings into the auditor's language.
Hash-chained (from S02.3), extended with cloud-specific fields:
| Field | Value |
|---|---|
| account_id, region | where the call happened |
| api_call | e.g. s3:GetObject |
| resource_arn | exact resource acted on |
| scope_ref | authorization anchor |
| request / response | exact I/O |
| previous_hash / record_hash | tamper-evidence |
An over-privileged IAM role is not "a misconfiguration." It is a violation of specific controls across three frameworks. The mapping makes the finding immediately actionable for the compliance team.
The cloud red team harness is operational: API-first architecture, IAM escalation path-finding, evidence-backed findings mapped to compliance frameworks.
Pillar 3 is complete. S11 moves to Smart Contract Audit Harnesses — a different attack surface (the blockchain), but the same discipline: scope enforcement, evidence chains, and client-ready deliverables.