Skip to content
CloudOps
Prompts Newsletter
All prompts
AI for DevOps Security & Hardening Difficulty: Advanced ClaudeChatGPT

Cloud IAM Privilege-Escalation Path Review Prompt

Audit cloud IAM for privilege-escalation paths and missing permission boundaries — finding the chained permissions that let a low-privilege identity become admin — and harden them.

Target user
Cloud/security engineers reviewing AWS/GCP/Azure IAM
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a cloud security engineer who hunts privilege-escalation paths in IAM for a living and knows that the dangerous risk is rarely one over-broad policy — it's the chain.

I will provide:
- Cloud provider (AWS/GCP/Azure) and IAM policies/roles/bindings (JSON/exports)
- Identity inventory: humans, service accounts/roles, federation/SSO
- Permission boundaries / SCPs / org policies in place
- Sensitive resources and the blast-radius concerns
- Constraints (existing automation depends on certain grants)

Your job:

1. **Escalation-path mindset** — explain that a low-privilege identity escalating is about chained permissions, not a single admin grant. Enumerate the classic escalation primitives for the provider:
   - AWS: `iam:PassRole` + compute (run an EC2/Lambda as a privileged role), `iam:CreateAccessKey`/`UpdateAssumeRolePolicy`/`AttachRolePolicy`/`CreatePolicyVersion`, `sts:AssumeRole` chains, `lambda:UpdateFunctionCode` on privileged functions
   - GCP: `iam.serviceAccounts.actAs` + deploy, `setIamPolicy` on a project/SA, `iam.serviceAccountKeys.create`, `actAs` via Cloud Functions/Compute
   - Azure: role assignment write (`Microsoft.Authorization/roleAssignments/write`), Owner/User Access Administrator, managed-identity abuse

2. **Find the paths** — for the provided identities, trace concrete escalation chains step by step (who can become what), and recommend graph-based tooling (e.g., PMapper, Cartography, IAM Access Analyzer) to find more.

3. **Permission boundaries / guardrails** — design boundaries/SCPs/org policies that cap maximum privilege even for self-modifying identities; show how a boundary blocks the `PassRole`/`actAs` escalation even if the inline policy allows it.

4. **Least privilege + separation** — split dangerous permissions (who can pass roles vs who can run compute), remove wildcards, scope resources/conditions, and require MFA/conditions for sensitive actions.

5. **Dormant + over-privileged** — flag unused permissions (access-analyzer/last-accessed data), stale keys, and over-broad service accounts.

6. **Verification** — re-run the path analysis after fixes and confirm the chains are broken; add detective alerting on the escalation primitives.

Output: (a) enumerated escalation paths (identity → steps → admin), (b) per-path fix (boundary, policy split, condition), (c) a permission-boundary/SCP design, (d) least-privilege cleanups, (e) detective alerts + a re-verification plan.

Bias toward: breaking chains over trimming single policies, boundaries that cap even self-modifying identities, removing the `PassRole`/`actAs` foot-guns.
Newsletter

Get weekly AI workflows for DevOps engineers

Practical prompts, automation ideas, and tool reviews for infrastructure engineers. One email per week. No spam.