Attack Chain Detection
cloud-audit correlates individual findings into exploitable attack paths. Instead of a flat list of 94 findings, you see the 3-5 attack chains that actually matter.
How It Works
Individual findings are correlated using 31 rules based on:
The engine collects resource relationships (EC2 instance roles, Lambda roles, OIDC trust policies) with lightweight API calls and matches them against known attack patterns.
Example
A public security group alone is a finding. IMDSv1 alone is a finding. But together on the same EC2 instance with an admin IAM role, they form an attack chain:
```
Internet --> Public SG --> EC2 (IMDSv1) --> Admin IAM Creds --> Account Takeover
             aws-vpc-002   aws-ec2-004

Detected: AC-01, AC-02
```
All 31 Rules
Tier 1: Internet Exposure + Privilege
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-01 | Internet-Exposed Admin Instance | CRITICAL | aws-vpc-002 + EC2 admin IAM role |
| AC-02 | SSRF to Credential Theft | CRITICAL | aws-vpc-002 + aws-ec2-004 (same instance) |
| AC-05 | Public Lambda with Admin Access | CRITICAL | aws-lambda-001 + Lambda admin role |
| AC-07 | CI/CD to Admin Takeover | CRITICAL | aws-iam-007 + admin policy on role |
Tier 2: Missing Controls
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-09 | Unmonitored Admin Access | CRITICAL | aws-iam-001 + aws-ct-001 |
| AC-10 | Completely Blind Admin | CRITICAL | aws-iam-001 + aws-ct-001 + aws-gd-001 |
| AC-11 | Zero Security Visibility | HIGH | aws-ct-001 + aws-gd-001 + aws-cfg-001 |
| AC-12 | Admin Without MFA | CRITICAL | aws-iam-005 + aws-iam-002 |
| AC-13 | Wide Open and Unmonitored Network | HIGH | aws-vpc-002 + aws-vpc-003 |
| AC-14 | No Network Security Layers | HIGH | aws-vpc-004 + aws-vpc-002 + aws-vpc-003 |
Tier 3: Data Protection
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-17 | Exposed Database Without Audit Trail | CRITICAL | aws-rds-001 + aws-rds-002 + aws-ct-001 |
Tier 4: Container & Secrets
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-19 | Container Breakout Path | CRITICAL | aws-ecs-001 + aws-ecs-003 |
| AC-20 | Unmonitored Container Access | HIGH | aws-ecs-002 + aws-ecs-003 |
| AC-21 | Secrets in Plaintext Across Services | HIGH | aws-ssm-002 + aws-lambda-003 |
Tier 5: CI/CD
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-23 | CI/CD Data Exfiltration | HIGH | aws-iam-007 + S3 policy on role |
| AC-24 | CI/CD Lateral Movement | HIGH | aws-iam-007 + EC2 policy on role |
Tier 6: CIS Compliance Chains
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-25 | Root Access Keys Without Audit Trail | CRITICAL | aws-iam-008 + aws-ct-001 |
| AC-26 | Unmonitored Admin Escalation Path | CRITICAL | aws-iam-005 + aws-iam-002 + aws-cw-001 |
| AC-27 | Default Network Access Without Logging | HIGH | aws-vpc-005 + aws-vpc-003 |
| AC-28 | External Access Without Analysis | HIGH | aws-iam-007 + aws-iam-012 |
Tier 7: Infrastructure Hygiene
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-29 | Unpatched Instance Exposed to Internet | CRITICAL | aws-ssm-003 + aws-vpc-002 |
| AC-30 | Unpatched Without Vulnerability Scanning | HIGH | aws-ssm-003 + aws-inspector-001 |
| AC-31 | Internet-Exposed Without WAF or Flow Logs | HIGH | aws-waf-001 + aws-vpc-002 + aws-vpc-003 |
| AC-32 | CloudTrail Blind Spot — Alarms Non-Functional | HIGH | aws-ct-008 + aws-cw-001 |
| AC-33 | All-Public VPC Without Segmentation | HIGH | aws-vpc-006 + aws-vpc-002 + aws-vpc-003 |
Tier 8: IAM Privilege Escalation
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-34 | PassRole Escalation to Admin | CRITICAL | aws-iam-018 + PassRole + admin policy on target role |
| AC-35 | Self-Escalation via IAM Policy Modification | CRITICAL | aws-iam-018 + iam:PutUserPolicy or iam:AttachUserPolicy |
| AC-36 | External Escalation via OIDC + Privilege Escalation | CRITICAL | aws-iam-007 + aws-iam-018 + escalation path from OIDC role |
Tier 9: AI-SPM
| ID | Name | Severity | Component Checks |
|---|---|---|---|
| AC-37 | AI Model Theft via SageMaker | CRITICAL | aws-sagemaker-001 + aws-sagemaker-002 + model access |
| AC-38 | LLMjacking - Unauthorized Model Usage | HIGH | aws-bedrock-001 + missing invocation logging |
| AC-39 | AI Data Poisoning via Unguarded Pipeline | HIGH | aws-sagemaker-003 + unencrypted training data |
Suppression
If AC-10 fires, AC-09 is suppressed, because AC-10's component checks are a superset of AC-09's. Similarly, AC-26 suppresses AC-12, whose checks it likewise contains.
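The correlation and suppression behaviour described under How It Works and Suppression, as an added example that is not cloud-audit's own code. It uses four rules transcribed from the tables (AC-02, AC-09, AC-10, AC-13) and the two suppression pairs above; the `Finding`/`Rule` classes, the convention that a finding is attached to the resource it affects (so a public security group finding carries the instance it is attached to, which the real engine would resolve from collected resource relationships), and the sample findings are all constructed for this example.

```python
"""Toy attack-chain correlator: findings in, de-duplicated chains out.

A rule fires when every component check it lists is present among the
findings.  Rules marked same_resource (AC-02's "same instance" condition)
additionally require one resource that carries all of those checks.
Suppression then drops a chain whenever a superset chain also fired.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str   # individual check, e.g. "aws-vpc-002"
    resource: str   # constructed id of the affected resource


@dataclass(frozen=True)
class Rule:
    rule_id: str
    name: str
    severity: str
    checks: tuple             # component check ids that must all be present
    same_resource: bool = False


# Subset of the page's 31 rules, transcribed from the tables above.
RULES = [
    Rule("AC-02", "SSRF to Credential Theft", "CRITICAL",
         ("aws-vpc-002", "aws-ec2-004"), same_resource=True),
    Rule("AC-09", "Unmonitored Admin Access", "CRITICAL",
         ("aws-iam-001", "aws-ct-001")),
    Rule("AC-10", "Completely Blind Admin", "CRITICAL",
         ("aws-iam-001", "aws-ct-001", "aws-gd-001")),
    Rule("AC-13", "Wide Open and Unmonitored Network", "HIGH",
         ("aws-vpc-002", "aws-vpc-003")),
]

# Superset rule -> rules it suppresses, as stated in the Suppression section.
SUPPRESSES = {"AC-10": {"AC-09"}, "AC-26": {"AC-12"}}


def correlate(findings, rules=RULES):
    """Return [(rule_id, [evidence resources])] for every rule that fires."""
    by_check = {}
    for f in findings:
        by_check.setdefault(f.check_id, set()).add(f.resource)

    chains = []
    for rule in rules:
        if not all(c in by_check for c in rule.checks):
            continue  # a component check is missing; no chain
        resource_sets = [by_check[c] for c in rule.checks]
        if rule.same_resource:
            shared = set.intersection(*resource_sets)
            if not shared:
                continue  # checks exist, but never on one resource together
            evidence = sorted(shared)
        else:
            evidence = sorted(set().union(*resource_sets))
        chains.append((rule.rule_id, evidence))
    return chains


def suppress(chains):
    """Drop any chain whose superset chain is also present."""
    fired = {rule_id for rule_id, _ in chains}
    suppressed = set()
    for rule_id in fired:
        suppressed |= SUPPRESSES.get(rule_id, set())
    return [(r, ev) for r, ev in chains if r not in suppressed]


def detect(findings, rules=RULES):
    """Full pipeline: correlate, then apply suppression."""
    return suppress(correlate(findings, rules))


# Constructed sample findings: one instance with both a public SG and
# IMDSv1, a second instance with IMDSv1 only, and an admin user in an
# account lacking CloudTrail and GuardDuty.  No aws-vpc-003 finding, so
# AC-13 must not fire even though aws-vpc-002 is present.
SAMPLE_FINDINGS = [
    Finding("aws-vpc-002", "i-0aaa"),
    Finding("aws-ec2-004", "i-0aaa"),
    Finding("aws-ec2-004", "i-0bbb"),
    Finding("aws-iam-001", "user/alice"),
    Finding("aws-ct-001", "account"),
    Finding("aws-gd-001", "account"),
]

if __name__ == "__main__":
    for rule_id, evidence in detect(SAMPLE_FINDINGS):
        print(rule_id, evidence)
```

Running it lists AC-02 with `i-0aaa` as evidence and AC-10 for the account; AC-09 fired too but was suppressed by AC-10, and `i-0bbb` never appears because IMDSv1 without a public security group on the same instance is only an isolated finding. Keying the same-resource intersection on the instance is the simplification here; the real engine has to map a security group finding onto the instances it is attached to before that intersection is meaningful.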
Compliance Integration
Attack chains map to all 6 compliance frameworks. When an attack chain is detected, the compliance report shows which controls are violated. See Compliance Overview for all supported frameworks.