Attack Chain Detection
cloud-audit correlates individual findings into exploitable attack paths. Instead of a flat list of 80 findings, you see the 3-5 attack chains that actually matter.
How It Works
Individual findings are correlated using 20 rules based on:
- MITRE ATT&CK Cloud Matrix
- Datadog pathfinding.cloud (Apache 2.0)
- AWS CIRT incident research
The engine collects resource relationships (EC2 instance roles, Lambda roles, OIDC trust policies) with lightweight API calls and matches them against known attack patterns.
Example
A public security group alone is a finding. IMDSv1 alone is a finding. But together on the same EC2 instance with an admin IAM role, they form an attack chain:
```text
Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
             aws-vpc-002   aws-ec2-004                          Detected: AC-01, AC-02
```
All 20 Rules
Tier 1: Internet Exposure + Privilege
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-01 | Internet-Exposed Admin Instance | CRITICAL | aws-vpc-002 + EC2 admin IAM role |
| AC-02 | SSRF to Credential Theft | CRITICAL | aws-vpc-002 + aws-ec2-004 (same instance) |
| AC-05 | Public Lambda with Admin Access | CRITICAL | aws-lambda-001 + Lambda admin role |
| AC-07 | CI/CD to Admin Takeover | CRITICAL | aws-iam-007 + admin policy on role |
Tier 2: Missing Controls
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-09 | Unmonitored Admin Access | CRITICAL | aws-iam-001 + aws-ct-001 |
| AC-10 | Completely Blind Admin | CRITICAL | aws-iam-001 + aws-ct-001 + aws-gd-001 |
| AC-11 | Zero Security Visibility | HIGH | aws-ct-001 + aws-gd-001 + aws-cfg-001 |
| AC-12 | Admin Without MFA | CRITICAL | aws-iam-005 + aws-iam-002 |
| AC-13 | Wide Open and Unmonitored Network | HIGH | aws-vpc-002 + aws-vpc-003 |
| AC-14 | No Network Security Layers | HIGH | aws-vpc-004 + aws-vpc-002 + aws-vpc-003 |
Tier 3: Data Protection
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-17 | Exposed Database Without Audit Trail | CRITICAL | aws-rds-001 + aws-rds-002 + aws-ct-001 |
Tier 4: Container & Secrets
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-19 | Container Breakout Path | CRITICAL | aws-ecs-001 + aws-ecs-003 |
| AC-20 | Unmonitored Container Access | HIGH | aws-ecs-002 + aws-ecs-003 |
| AC-21 | Secrets in Plaintext Across Services | HIGH | aws-ssm-002 + aws-lambda-003 |
Tier 5: CI/CD
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-23 | CI/CD Data Exfiltration | HIGH | aws-iam-007 + S3 policy on role |
| AC-24 | CI/CD Lateral Movement | HIGH | aws-iam-007 + EC2 policy on role |
Tier 6: CIS Compliance Chains
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-25 | Root Access Keys Without Audit Trail | CRITICAL | aws-iam-008 + aws-ct-001 |
| AC-26 | Unmonitored Admin Escalation Path | CRITICAL | aws-iam-005 + aws-iam-002 + aws-cw-001 |
| AC-27 | Default Network Access Without Logging | HIGH | aws-vpc-005 + aws-vpc-003 |
| AC-28 | External Access Without Analysis | HIGH | aws-iam-007 + aws-iam-012 |
Suppression
If AC-10 fires, AC-09 is suppressed, because AC-10's component checks are a strict superset of AC-09's. Similarly, AC-26 suppresses AC-12.
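The correlation step described under "How It Works" and the superset suppression described just above can be shown together in a small model. The following Python is an added illustration, not cloud-audit's own code: the finding format, the `ATTACHMENTS` relationship map, the sample findings and the rule subset are all constructed here, and the "same resource" requirement for AC-02 is taken from the "(same instance)" note in the rule table. Account-wide checks are modelled as findings on a resource named `account`.

```python
"""Toy attack-chain correlator (added example, not cloud-audit's implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str      # component check ID, e.g. "aws-vpc-002"
    resource: str   # resource the finding is attached to; "account" for account-wide checks


@dataclass(frozen=True)
class Rule:
    id: str
    name: str
    severity: str
    checks: frozenset   # every component check must fire on the same resource


# Constructed subset of the rule table on this page.
RULES = [
    Rule("AC-02", "SSRF to Credential Theft", "CRITICAL",
         frozenset({"aws-vpc-002", "aws-ec2-004"})),
    Rule("AC-09", "Unmonitored Admin Access", "CRITICAL",
         frozenset({"aws-iam-001", "aws-ct-001"})),
    Rule("AC-10", "Completely Blind Admin", "CRITICAL",
         frozenset({"aws-iam-001", "aws-ct-001", "aws-gd-001"})),
    Rule("AC-12", "Admin Without MFA", "CRITICAL",
         frozenset({"aws-iam-005", "aws-iam-002"})),
    Rule("AC-26", "Unmonitored Admin Escalation Path", "CRITICAL",
         frozenset({"aws-iam-005", "aws-iam-002", "aws-cw-001"})),
]

# Constructed resource relationships: security group -> instances it is attached to.
# This stands in for the relationship collection the engine performs via API calls.
ATTACHMENTS = {"sg-0pub": {"i-0aaa"}}


def scope(finding):
    """Resources a finding applies to: an SG finding applies to every attached instance."""
    return ATTACHMENTS.get(finding.resource, {finding.resource})


def match_rules(findings, rules=RULES):
    """Return (rule_id, resource) pairs for every rule whose checks all hit one resource."""
    by_check = {}
    for f in findings:
        by_check.setdefault(f.check, set()).update(scope(f))
    hits = []
    for rule in rules:
        if not rule.checks.issubset(by_check):      # some component check never fired
            continue
        # A chain exists only where every component check lands on the same resource.
        shared = set.intersection(*(by_check[c] for c in rule.checks))
        hits.extend((rule.id, r) for r in sorted(shared))
    return hits


def suppress(hits, rules=RULES):
    """Drop a chain when a fired chain on the same resource is a strict superset of it."""
    by_id = {r.id: r for r in rules}
    kept = []
    for rid, res in hits:
        covered = any(other != rid and ores == res
                      and by_id[rid].checks < by_id[other].checks
                      for other, ores in hits)
        if not covered:
            kept.append((rid, res))
    return kept


def detect(findings):
    """Full pipeline: correlate, then apply superset suppression."""
    return suppress(match_rules(findings))


# Constructed sample findings. i-0bbb has IMDSv1 but no public SG, so it forms no chain;
# CloudWatch (aws-cw-001) is fine, so AC-12 fires but AC-26 does not.
SAMPLE_FINDINGS = [
    Finding("aws-vpc-002", "sg-0pub"),
    Finding("aws-ec2-004", "i-0aaa"),
    Finding("aws-ec2-004", "i-0bbb"),
    Finding("aws-iam-001", "account"),
    Finding("aws-ct-001", "account"),
    Finding("aws-gd-001", "account"),
    Finding("aws-iam-005", "account"),
    Finding("aws-iam-002", "account"),
]

if __name__ == "__main__":
    for rule_id, resource in detect(SAMPLE_FINDINGS):
        print(f"{rule_id} on {resource}")
```

Running this prints AC-02 on i-0aaa, AC-10 on account and AC-12 on account: AC-09 matched but was suppressed by AC-10, and the lone IMDSv1 finding on i-0bbb stayed a plain finding rather than a chain.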
Compliance Integration
Attack chains map to CIS AWS v3.0 controls. When an attack chain is detected, the compliance report shows which controls are violated. See CIS AWS v3.0 for the full mapping.