From 858678b336674840a13c533aefc0c9884f058794 Mon Sep 17 00:00:00 2001 From: Kinnaird McQuade Date: Sun, 14 Jun 2026 17:27:00 -0400 Subject: [PATCH 1/3] docs: update privesc source to Pathfinding.cloud; drop restored-by-Salesforce note - README: credit Privilege Escalation detection to Pathfinding.cloud - README: remove the "this repo/project has been restored by Salesforce" banner Co-Authored-By: Claude Opus 4.8 (1M context) --- README.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index 59e96392..ffab9fb7 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,3 @@ -## NOTE: This repo/project has been restored by Salesforce. - Cloudsplaining -------------- @@ -33,7 +31,7 @@ It helps to identify IAM actions that do not leverage resource constraints. It a * Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`) * Infrastructure Modification * Resource Exposure (the ability to modify resource-based policies) -* Privilege Escalation (based on Rhino Security Labs research) +* Privilege Escalation (based on Pathfinding.cloud) Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples. From 67bbfe764fe9b04748341bc2153e9c79d2a12d86 Mon Sep 17 00:00:00 2001 From: Kinnaird McQuade Date: Sun, 14 Jun 2026 18:33:59 -0400 Subject: [PATCH 2/3] docs: modernize descriptions (harvest #558) Remove "triage worksheet" wording (no longer generated), note multi-account scanning, add Credentials Exposure to the risk list, and link each risk to its glossary page. Reconciled with this branch's Pathfinding.cloud wording. Harvested from #558; the obsolete pyproject and .readthedocs.yml uv-pin hunks are dropped (master already requires uv >=0.11.0, so pinning to 0.10 would break the docs build), and the cli.py docstring change is handled separately on the feature branch. Co-authored-by: nikhil6393 Co-Authored-By: Claude Opus 4.8 (1M context) --- README.md | 13 +++++++------ docs/index.md | 4 ++-- docs/user-guide/overview.md | 13 +++++++------ 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index ffab9fb7..08d974d8 100644 --- a/README.md +++ b/README.md @@ -25,13 +25,14 @@ For full documentation, please visit the [project on ReadTheDocs](https://clouds ## Overview -Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file. +Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file. It helps to identify IAM actions that do not leverage resource constraints. It also helps prioritize the remediation process by flagging IAM policies that present the following risks to the AWS account in question without restriction: -* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`) -* Infrastructure Modification -* Resource Exposure (the ability to modify resource-based policies) -* Privilege Escalation (based on Pathfinding.cloud) +* [Data Exfiltration](https://cloudsplaining.readthedocs.io/en/latest/glossary/data-exfiltration/) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`) +* [Infrastructure Modification](https://cloudsplaining.readthedocs.io/en/latest/glossary/infrastructure-modification/) +* [Resource Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/) (the ability to modify resource-based policies) +* [Privilege Escalation](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/) (based on Pathfinding.cloud) +* [Credentials Exposure](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/) Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service is on an instance that is directly or indirectly exposed to the internet. Flagging these roles is particularly useful to penetration testers (or attackers) under certain scenarios. For example, if an attacker obtains privileges to execute [ssm:SendCommand](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_SendCommand.html) and there are privileged EC2 instances with the SSM agent installed, they can effectively have the privileges of those EC2 instances. Remote Code Execution via AWS Systems Manager Agent was already a known escalation/exploitation path, but Cloudsplaining can make the process of identifying theses cases easier. See the [sample report](https://opensource.salesforce.com/cloudsplaining/#executive-summary) for some examples. @@ -78,7 +79,7 @@ Policy Sentry [makes it really easy to do this](https://github.com/salesforce/po That's why we wrote Cloudsplaining. -Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file. +Cloudsplaining identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file. ## Installation diff --git a/docs/index.md b/docs/index.md index 9744bd95..70a019d5 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,6 +1,6 @@ # Cloudsplaining -[Cloudsplaining](https://github.com/salesforce/cloudsplaining) identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file. +[Cloudsplaining](https://github.com/salesforce/cloudsplaining) identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file. ![](_images/cloudsplaining-report.gif) @@ -8,7 +8,7 @@ * `cloudsplaining download` - Download IAM authorization details for an entire AWS account. * `cloudsplaining create-exclusions-file` - Create an exclusions file to filter out false positives specific to your context. -* `cloudsplaining scan` - Scan the IAM authorization details file; generate an HTML report and a triage worksheet. +* `cloudsplaining scan` - Scan the IAM authorization details file; generate an HTML report. * `cloudsplaining scan-policy-file` - Scan a single IAM policy file * `cloudsplaining --help` - Print help messages and exit. diff --git a/docs/user-guide/overview.md b/docs/user-guide/overview.md index 7cdd1f5b..2caad88f 100644 --- a/docs/user-guide/overview.md +++ b/docs/user-guide/overview.md @@ -1,12 +1,13 @@ # Overview -[Cloudsplaining](https://github.com/salesforce/cloudsplaining) identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report with a triage worksheet. It can scan all the policies in your AWS account or it can scan a single policy file. +[Cloudsplaining](https://github.com/salesforce/cloudsplaining) identifies violations of least privilege in AWS IAM policies and generates a pretty HTML report. It can scan all the policies in your AWS account, across multiple AWS accounts, or it can scan a single policy file. It helps to identify IAM actions that do not leverage resource constraints and thus can present the following risks to the AWS account in question without restriction: -* Data Exfiltration (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`) -* Infrastructure Modification -* Resource Exposure (the ability to modify resource-based policies) -* Privilege Escalation (based on Rhino Security Labs research) +* [Data Exfiltration](../glossary/data-exfiltration.md) (`s3:GetObject`, `ssm:GetParameter`, `secretsmanager:GetSecretValue`) +* [Infrastructure Modification](../glossary/infrastructure-modification.md) +* [Resource Exposure](../glossary/resource-exposure.md) (the ability to modify resource-based policies) +* [Privilege Escalation](../glossary/privilege-escalation.md) (based on Pathfinding.cloud) +* [Credentials Exposure](../glossary/credentials-exposure.md) You can also specify a custom exclusions file to filter out results that are False Positives for various reasons. For example, User Policies are permissive by design, whereas System roles are generally more restrictive. You might also have exclusions that are specific to your organization's multi-account strategy or AWS application architecture. @@ -18,4 +19,4 @@ You can also specify a custom exclusions file to filter out results that are Fal - `cloudsplaining create-exclusions-file --output-file exclusions.yml` * Scan the Account Authorization details - `cloudsplaining scan --input-file default-account-details.json --exclusions-file exclusions.yml` - - This generates three files: (1) The single-file HTML report, (2) The triage CSV worksheet, and (3) The raw JSON data file + - This generates two files: (1) The single-file HTML report, and (2) The raw JSON data file From 80bc603e7a68f34ae5aa742ebfecbe5fa442c3c2 Mon Sep 17 00:00:00 2001 From: Kinnaird McQuade Date: Sun, 14 Jun 2026 18:36:14 -0400 Subject: [PATCH 3/3] docs: drop "triage worksheet" from cli docstrings (harvest #558) The scan no longer generates a triage CSV worksheet. Trim the stale phrase from the module, group-callback, and main() docstrings. Harvested from #558, applied here because this branch owns cli.py (keeps it conflict-free with the docs PR). Co-authored-by: nikhil6393 Co-Authored-By: Claude Opus 4.8 (1M context) --- cloudsplaining/bin/cli.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cloudsplaining/bin/cli.py b/cloudsplaining/bin/cli.py index 210a862f..60aa26b5 100755 --- a/cloudsplaining/bin/cli.py +++ b/cloudsplaining/bin/cli.py @@ -5,7 +5,7 @@ # For full license text, see the LICENSE file in the repo root # or https://opensource.org/licenses/BSD-3-Clause """ -Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet. +Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. """ import click @@ -18,7 +18,7 @@ @click.version_option(version=__version__) def cloudsplaining() -> None: """ - Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet. + Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report. """ @@ -32,7 +32,7 @@ def cloudsplaining() -> None: def main() -> None: - """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet.""" + """Cloudsplaining is an AWS IAM Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.""" cloudsplaining()