aws-iam-enum

Enumerate AWS IAM policies, detect privilege escalation paths per Rhino Security Labs canonical 21 primitives.

Best for Security engineersWorks with GitHub

#aws #iam #security #enumeration #privilege-escalation #audit

⌘source

author: @PurpleAILAB
repo: PurpleAILAB/Decepticon
language: Python

✦overview.md

Key Features

·Enumerates attached and inline IAM policies for a user
·Detects privilege escalation paths based on Rhino Security Labs' 21 primitives
·Provides specific AWS CLI commands for identity and policy retrieval
·Lists common high-risk IAM actions like CreateAccessKey and PassRole combinations

Use Cases

→Auditing your own IAM permissions for security vulnerabilities
→Identifying potential privilege escalation risks in a compromised AWS account
→Reviewing IAM policies during security assessments or penetration tests

Best for

✓Security engineers
✓Cloud penetration testers
✓DevOps teams auditing permissions

Not ideal for

!Managing IAM policies
!Automated compliance reporting
!Real-time monitoring

FAQs

skills/cloud/aws-iam-enum/SKILL.md

name

aws-iam-enum

description

Enumerate AWS IAM policies, detect privilege escalation paths per Rhino Security Labs canonical 21 primitives.

AWS IAM Enumeration + Privesc

1. Identity check

aws sts get-caller-identity
aws iam get-account-summary

2. Attached policies

aws iam list-attached-user-policies --user-name ME --output json > /tmp/attached.json
aws iam list-user-policies          --user-name ME --output json > /tmp/inline.json
aws iam list-groups-for-user        --user-name ME --output json > /tmp/groups.json

For each attached policy ARN:

aws iam get-policy --policy-arn ARN --query 'Policy.DefaultVersionId'
aws iam get-policy-version --policy-arn ARN --version-id VID > /tmp/policy.json

Then:

iam_policy_audit(open("/tmp/policy.json").read())

3. Check each privesc primitive

Rhino Security's canonical 21 paths — any Allow on these is a chain step:

iam:CreateAccessKey (other user)
iam:CreateLoginProfile
iam:UpdateLoginProfile
iam:AttachUserPolicy / iam:AttachGroupPolicy / iam:AttachRolePolicy
iam:PutUserPolicy / iam:PutGroupPolicy / iam:PutRolePolicy
iam:CreatePolicyVersion (if SetAsDefault=true)
iam:SetDefaultPolicyVersion
iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction
iam:PassRole + ec2:RunInstances

...

$install

1-click copy

npx skills add PurpleAILAB/Decepticon --skill aws-iam-enum

Safety assessment

★

Clarity score

How clear and easy to understand the SKILL.md instructions are, rated from 1 to 5.

5/ 5

excellent

Very clear and well structured, with almost no room for misunderstanding.

◎

Actionability score

How directly an agent can act on the SKILL.md instructions, rated from 1 to 5.

5/ 5

very high

Highly actionable with clear, concrete steps that an agent can follow directly.

~community cookbook

~you might also like

view all →

gitnexus-pr-review

★28k

code-review#pull-request

[✓]from @abhigyanpatwari

[✓]

Use when the user wants to review a pull request, understand what a PR changes, assess risk of merging, or check for...

April 18, 2026

◧ Compare

triage

★2.1k

security#binary

[✓]from @PurpleAILAB

[✓]

Fast-path binary triage — identify format/arch/mitigations, grab high-signal strings and imports in under a minute.

April 18, 2026

◧ Compare

reporting

★2.1k

security#report

[✓]from @PurpleAILAB

[✓]

Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detectio...

April 18, 2026

◧ Compare

ssrf-to-rce

★2.1k

security#ssrf

[✓]from @PurpleAILAB

[✓]

Build and validate SSRF pivot chains toward metadata/infra control and final code execution impact.

⚠ danger

April 18, 2026

◧ Compare

c2-sliver

★2.1k

security#c2

[✓]from @PurpleAILAB

[✓]

Sliver C2 framework operations — server connection, listener setup, implant generation, BOF/Armory extensions, post-i...

⚠ danger

April 18, 2026

◧ Compare

reporting

★2.1k

security#report

[✓]from @PurpleAILAB

[✓]

Exploitation finding documentation — initial access reports, exploit chain documentation, CVSS v4.

April 18, 2026

◧ Compare

AWS IAM Enumeration + Privesc

1. Identity check

aws sts get-caller-identity aws iam get-account-summary

2. Attached policies

aws iam list-attached-user-policies --user-name ME --output json > /tmp/attached.json aws iam list-user-policies --user-name ME --output json > /tmp/inline.json aws iam list-groups-for-user --user-name ME --output json > /tmp/groups.json

For each attached policy ARN:

aws iam get-policy --policy-arn ARN --query 'Policy.DefaultVersionId' aws iam get-policy-version --policy-arn ARN --version-id VID > /tmp/policy.json

Then:

iam_policy_audit(open("/tmp/policy.json").read())

3. Check each privesc primitive

Rhino Security's canonical 21 paths — any Allow on these is a chain step:

iam:CreateAccessKey (other user)

iam:CreateLoginProfile

iam:UpdateLoginProfile

iam:AttachUserPolicy / iam:AttachGroupPolicy / iam:AttachRolePolicy

iam:PutUserPolicy / iam:PutGroupPolicy / iam:PutRolePolicy

iam:CreatePolicyVersion (if SetAsDefault=true)

iam:SetDefaultPolicyVersion

iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction

iam:PassRole + ec2:RunInstances

aws-iam-enum

Key Features

Use Cases

Best for

Not ideal for

FAQs

What does this skill actually do?

Do I need special permissions to run these commands?

AWS IAM Enumeration + Privesc

1. Identity check

2. Attached policies

3. Check each privesc primitive

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

gitnexus-pr-review

triage

reporting

ssrf-to-rce

c2-sliver

reporting

AI Skill Finder

aws-iam-enum

Key Features

Use Cases

Best for

Not ideal for

FAQs

What does this skill actually do?

Do I need special permissions to run these commands?

AWS IAM Enumeration + Privesc

1. Identity check

2. Attached policies

3. Check each privesc primitive

Safety assessment

Clarity score

Actionability score

~community cookbook

~you might also like

gitnexus-pr-review

triage

reporting

ssrf-to-rce

c2-sliver

reporting