TAC: Hybrid IAM Privilege Escalation Detection

TL;DR

TAC is a novel hybrid framework for AWS IAM privilege escalation detection that combines whitebox and greybox analysis, significantly improving coverage and reducing information sharing needs.

Contribution

It introduces the first combined whitebox and greybox IAM PE detection framework with a new permission flow model and a reinforcement learning-based questioning process.

Findings

TAC-WB detects all PEs missed by previous tools.

TAC-GB outperforms existing greybox methods.

TAC-Bench provides a realistic benchmark for IAM misconfigurations.

Abstract

IAM misconfigurations are a major cause of privilege escalation (PE) attacks in the cloud, leading to data breaches and major financial losses. Existing PE detectors have two main limits: they cover only some PE types, so many attacks are missed, and they require full access to cloud configurations, which customers may not want to share because of sensitive information. We present TAC, the first IAM PE detection framework that supports both whitebox and greybox analysis for Amazon Web Services (AWS). To improve coverage, we systematically study how permissions are acquired in AWS IAM and identify five PE categories. All five share one pattern: permissions spread across entities. We define this as permission flows and manually extract 219 templates from more than 14,000 AWS operations. Based on this, we build TAC-WB, a whitebox detector with broad PE coverage. We also build TAC-GB, the first greybox PE detector, which works with partial configurations. Customers can choose which entities to reveal and whether to answer questions about permissions. TAC-GB uses a dynamic query process that adapts to each response and uses reinforcement learning with graph neural networks to ask the most useful questions while reducing interaction. We also create TAC-Bench, a benchmark with 2,500 tasks reflecting real-world IAM misconfigurations. Experiments show that TAC-WB finds all PEs missed by prior tools, while TAC-GB outperforms other greybox methods and often matches whitebox methods even with limited query budgets.