# Diagrams — SDD-06: Cloud Attack-Path Tooling

---

## Diagram 1 — The Graph Model (Nodes, Edges, Traversal)

```mermaid
flowchart LR
    subgraph CONFIG["Cloud Configuration"]
        IAM[IAM policies]
        ROLES[roles + trust policies]
        RES[resources: buckets, instances, functions]
        NET[network ACLs + paths]
    end
    CONFIG --> BUILDER[Graph Builder]
    BUILDER --> GRAPH[(Graph Store<br/>NetworkX or Neo4j)]
    subgraph GRAPH_NODES["Nodes + Edges"]
        P1[(Principal: low-priv role A)]
        P2[(Principal: role B)]
        P3[(Principal: admin role C)]
        R1[(Resource: bucket D)]
        P1 -->|iam:PassRole| P2
        P2 -->|sts:AssumeRole| P3
        P3 -->|s3:GetObject| R1
    end
    GRAPH --> TRAVERSE[Traversal / Query Layer<br/>shortest-path · reachability<br/>21 Rhino methods as edges]
    TRAVERSE --> PATH[Attack Path: A → B → C → D]

    style BUILDER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style TRAVERSE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style PATH fill:#1a1015,stroke:#5eead4,color:#5eead4
```

**Reading**: The foundational abstraction. Cloud configuration (IAM, roles, resources, network) is ingested into a graph. Nodes are principals and resources; edges are the permissions and relationships connecting them. The traversal layer runs graph algorithms (shortest-path, reachability) to find chains of edges — escalation paths. The escalation methods (e.g., iam:PassRole + assume) are encoded as edges, so the traversal finds them automatically. This is the BloodHound insight applied to the cloud.

---

## Diagram 2 — Correlation vs Traversal (Prowler vs Attack-Path Tools)

```mermaid
flowchart TB
    subgraph PROWLER["Prowler (SDD-04) — Correlation"]
        PF1[public bucket finding]
        PF2[over-permissioned role finding]
        PF3[network path finding]
        PF1 --> PREL[correlate related findings]
        PF2 --> PREL
        PF3 --> PREL
        PREL --> POUT[these findings are related<br/>= a path EXISTS]
    end
    subgraph GRAPH["Attack-Path Tools — Traversal"]
        GN[nodes: principals, resources]
        GE[edges: permissions, trusts]
        GN --> GQ[graph query:<br/>shortest path A → admin?]
        GE --> GQ
        GQ --> GOUT[the actual chain:<br/>A → B → C → admin<br/>= the escalation steps]
    end
    PROWLER -.depth: correlation is shallow, traversal is deep.-> GRAPH

    style PREL fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style GQ fill:#0d1b2a,stroke:#5eead4,color:#5eead4
```

**Reading**: The distinction from SDD-04. Prowler correlates related findings — it tells you a path exists because the findings co-occur. Attack-path tools traverse a graph — they give you the actual chain of edges (the escalation steps). Correlation is accessible (built into the CSPM); traversal is deeper (requires modeling but delivers the specific chain). Prowler's correlation is the starting point; these tools are the depth.

---

## Diagram 3 — The 21 Rhino Methods as Edges

```mermaid
flowchart LR
    subgraph RHINO["Rhino Security Labs: 21 AWS IAM Escalation Methods"]
        M1[1. iam:PassRole + compute service]
        M2[2. sts:AssumeRole on admin role]
        M3[3. iam:CreatePolicy to grant self]
        M4[4. iam:AttachRolePolicy]
        M5["...21 methods total"]
    end
    RHINO --> ENCODE[pmapper encodes each as a graph edge]
    ENCODE --> GRAPH[(IAM Graph)]
    GRAPH --> QUERY[query: can principal X escalate?]
    QUERY --> PATH[chain of edges:<br/>X → method → Y → method → admin]

    style RHINO fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style ENCODE fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style PATH fill:#1a1015,stroke:#5eead4,color:#5eead4
```

**Reading**: The detection logic is not re-derived by the tool — it is encoded from human research. Rhino Security Labs cataloged 21 AWS IAM escalation methods (PassRole abuse, AssumeRole chains, CreatePolicy self-grant, etc.). pmapper encodes each as a graph edge: if the permissions exist, the edge exists. The traversal then finds chains of these edges automatically. This is knowledge-as-graph — the expert's escalation playbook, automated by traversal.

---

## Diagram 4 — Agent Integration (How a Harness Consumes the Graph)

```mermaid
flowchart TB
    AGENT[Agent harness<br/>CAI (SDD-01) or RedTeamLLM (SDD-02)] --> Q[agent emits tool_use:<br/>find_escalation_paths<br/>principal: roleA]
    Q --> WRAPPER[graph-query wrapper<br/>schema-first harness tool]
    WRAPPER --> GRAPH[(Attack-Path Graph<br/>pmapper / BloodHound)]
    GRAPH --> PATHS[structured paths returned<br/>A → B → C → admin]
    PATHS --> AGENT
    AGENT --> REASON[agent reasons:<br/>I have credential for A.<br/>Path A→B→C→admin exists.<br/>Attempt the chain (with auth).]
    REASON --> VERIFY[verify exploitability live<br/>path was a hypothesis]

    style WRAPPER fill:#0d1b2a,stroke:#5eead4,color:#5eead4
    style GRAPH fill:#1a1015,stroke:#5eead4,color:#e4e4e8
    style VERIFY fill:#2a0d0d,stroke:#5eead4,color:#f08080
```

**Reading**: The harness integration. The attack-path tools are analyst-facing (CLI, Cypher); a harness needs a tool the agent calls. The agent emits `find_escalation_paths({principal})`, the wrapper queries the graph, structured paths return. The agent then reasons: "I have a credential for A, a path exists, let me attempt the chain." The critical last step (red): the path was a hypothesis; live verification (with authorization) confirms exploitability. This is the SDD-01/SDD-02 integration that turns path-finding into offensive reasoning.
